Skip to main content
NICE CXone Expert

We will be closed on Thursday November 28th & Friday November 29th due to the Thanksgiving Holiday

Expert Success Center

SAML SSO FAQs

Applies to:
All MindTouch Versions
Role required:
N/A
Common questions regarding SAML SSO integrations.

Read about how to set up SAML SSO in addition to this list before submitting a request to Support or your Customer Success Manager.

Where can I access an Expert site's SP metadata?
Expert sites that are SAML SSO enabled publish their metadata at https://example.com/@app/auth/{id}/metadata. The {id} parameter can be located on the Expert site Single Sign-On Configuration dashboard. Depending on your IdP configuration needs, you can either download it as an XML document or poll this endpoint regularly to ensure your IdP has the latest information about the Expert SP.

My IdP complains that Expert SP metadata is invalid, how can I fix this?
Many IdPs require that SPs sign outgoing authentication requests, and Expert highly recommends this practice as well. By default, Expert SP metadata does not include a public x.509 certificate. See our documentation on how to generate a signing public x.509 certificate.

Where can I access an Expert site's SP x.509 public certificate?
Expert sites that are SAML SSO enabled with a configured public x.509 certificate provide the certificate for download at https://example.com/@app/auth/{id}/x509.crt. The {id} parameter can be located on the Expert site Single Sign-On Configuration dashboard.

Can I use SAML SSO with Expert custom SSO APIs?
No. SAML SSO is the only supported method for single sign-on between Expert and your identity provider. Legacy Expert custom SSO APIs are not guaranteed or designed to work alongside SAML SSO scenarios.

Can I use SAML with local accounts?
Yes. Enabling SAML SSO still allows local accounts (those not associated with the SAML SSO identity provider) to sign in by visiting the local sign-in page directly (https://example.com/Special:UserLogin). This allows accounts that should be local-only to access the site.

Can I automatically create groups from a SAML assertion?
No. SAML SSO can sync existing groups but does not create new local groups.

Can I automatically seat users as Seated (Pro( Members?
Users cannot be seated by a SAML assertion. A user must be explicitly seated by an administrator using the control panel. If automatic seating is required, this can be accomplished via our API.

My IdP's public x.509 certificate is going to expire one day, how can I prepare for that?
If your IdP's public x.509 certificate is nearing expiration (within 30 days) expect Expert Support to contact you before the certificate expires.

 

  • Was this article helpful?