Jump to: navigation, search

Using Single Sign On (SSO) and Single Log Out (SLO)

  • These features might not be available to all customers.
  • Genesys recommends that you disable the Agents window if you enable Single Sign On (SSO) and Single Log Out (SLO). These features are designed to be used in a Federated Identity Management (FIM) environment, which uses the Users window for managing user accounts. To disable the Agents window, you must remove the Agent Management role privileges from the user accounts and access groups in your environment.

You can set up Genesys Administrator Extension to use Single Sign On (SSO) and Single Log Out (SLO), so that users can use existing credentials (for example, a corporate login and password) to access GAX. When these users log out of GAX, they are simultaneously logged out of other SLO-supported applications.

GAX uses SAML2 to enable SSO and SLO.

When SSO is enabled, the Change Password link in the Preferences menu takes you to a global password-management page.

By default, SSO and SLO are not enabled in GAX. To enable these features, refer to the following procedures.

Enabling SSO


  1. On the host machine, open the GAX_HOME folder (the folder in which you installed GAX) and create a sub-folder called saml.
  2. Open the saml folder and create a sub-folder called sp.
  3. Access the metadata file from the IdP (identity provider). Open the gax.properties file in the GAX_HOME/conf folder and set the saml_idp_metadata option to one of the following:
    • http://location—The web location of the IdP metadata file.
    • filename—The path and file name of the IdP metadata file of the local machine.
  4. Download the Service Provider metadata file from GAX by opening a browser and navigating to the following location: http://host:port/gax/saml/metadata, where host:port is the IP name and port number for the GAX installation.
    You must use the host name or IP address to access the metadata file. You cannot specify localhost.
  5. Copy the downloaded metadata file, sp.xml, to the following folder on the host machine: GAX_HOME\saml\sp.
  6. Upload the sp.xml metadata file to the IdP server. The following is an example of a typical location on the IdP server: /home/ubuntu/idp/metadata/my_sp.xml.
  7. Log in to the IdP server and edit the conf/relying-party.xml file by adding the following metadata provider:
       <metadata:MetadataProvider id="uniqueID" xsi:type="metadata:FilesystemMetadataProvider"  
       maxRefreshDelay="P1D" />
    You must use a unique ID for metadata:MetadataProvider id.
  8. Restart the IdP server.
  9. On the host machine, edit the gax.properties file in the GAX_HOME folder and specify options for the following properties:
    • saml=true
    • saml_entityid—Your unique ID for IdP. This is the same ID specified in relying-party.xml.
    • saml_idp_metadata=saml/idp-metadata.xml
    • saml_landingpage—The SSO landing page.
    • saml_jksfilelocation—The location/path of the custom Java KeyStore (.jks) file. If this is not configured, the JKS file in the classpath is used.
    • saml_jkspassword—The custom KeyStore password. It is required when the saml_jksfilelocation option is set for a custom JKS file.
    • saml_signingkeyname—The custom key file name. It is required when the saml_jksfilelocation option is set for a custom JKS file.
    • saml_signingkeypassword—The custom key file password. It is recommended to set the same password as saml_jkspassword and it is an optional parameter.
  10. Restart GAX.
If SSO is enabled, but the metadata of the Service Provider (GAX) or IdP is incorrect, GAX logs the error and directs the user to the non-SAML login page.

Next Steps

Configure the Single Log Out feature. See the procedure below.

Enabling SLO


You have completed the Enabling SSO procedure.


  1. On the host machine, edit the gax.properties file in the GAX_HOME folder and specify options for the following properties:
    • saml_slo=true
    • saml_sp_activity_reporting_mode=server-base
    • saml_application_name=The name of your GAX Application.
    • saml_sp_slo_registration_endpoint=The registration URL exposed by Activity Monitor.
    • saml_sp_slo_unregistration_endpoint=The unregistration URL exposed by Activity Monitor.
    • saml_sp_heartbeat_handler_endpoint=The Genesys service provider heartbeat reporting endpoint.
    • saml_sp_slo_endpoint=The logout URL exposed by Activity Monitor.
    • saml_sp_return_url=The return URL after Single Log Out is completed. In most cases, this value is set to the GAX login page.
  2. Important
    See Configuring GAX Properties for a complete list of available settings for the gax.properties file.
  3. In the GAX header bar, click Configuration to open Configuration Manager.
  4. Hover the mouse cursor over the Environment icon and select Applications in the pop-up list.
  5. In the Applications list, open the GAX Application object by clicking on its name.
  6. Click the Application Options tab.
  7. Click Add.
  8. Add the configuration options changepasswordurl and logouturl. For more information on how to complete this task, refer to the following pages:
    • The Configuration Options tab on the Configuration Manager page explains how to add, edit, and delete configuration options.
    • The saml Section page describes the configuration options.
  9. Restart GAX.


Comment on this article:

blog comments powered by Disqus
This page was last modified on 7 December 2017, at 00:31.