# Integration Management

## Section Description

| Item | Description |
| --- | --- |
| Module Context | Integration Management covers OAuth Clients, Authorized Applications, and Single Sign-On (SSO) in Genesys Cloud Administration. |
| Admin Location | Admin → Integrations |
| Purpose | Enables secure API authentication, third-party application connectivity, and enterprise identity federation. |

## OAuth Clients

### Overview

| Topic | Explanation |
| --- | --- |
| OAuth Client | An application registered in Genesys Cloud that can request access tokens to call Platform APIs. |
| OAuth Standard | Genesys Cloud implements the OAuth 2.0 authorization framework for secure API authorization. |
| Access Token | Temporary credential used to authenticate API calls. |
| Token Lifetime | Configurable between 300 seconds and 172,800 seconds (2 days). |
| OAuth Scopes | Define the level of access an application has to organization data. |
| Role-Based Access | OAuth permissions are determined by roles assigned to the OAuth client. |
| Integration Role | OAuth clients are commonly used for integrations, data actions, AppFoundry apps, and external systems. |

OAuth allows organizations to share information with applications without sharing user credentials, and uses scopes and roles to restrict access to resources.
### Navigation

| Task | Navigation |
| --- | --- |
| View OAuth Clients | Admin → Integrations → OAuth |
| Create OAuth Client | Admin → Integrations → OAuth → Add Client |
| Review Authorized Apps | Admin → Integrations → Authorized Applications |

### Configuration Fields

| Field | Description | Example |
| --- | --- | --- |
| App Name | Name displayed when authorization occurs | CRM_Integration_Client |
| Description | Brief description of the OAuth client purpose | Salesforce Data Sync |
| Token Duration | Lifetime of OAuth access tokens (300–172,800 seconds) | 3600 |
| Grant Types | Defines how an application obtains a token | Client Credentials |
| Roles | Permissions assigned to the OAuth client | Master Admin |
| Client ID | Unique identifier generated automatically | Generated |
| Client Secret | Secret key used to authenticate token requests | Generated |
| Authorized Redirect URI | Used with Authorization Code or Implicit grants | https://app.example.com/callback |

### Grant Types

| Grant Type | Description | Typical Use |
| --- | --- | --- |
| Client Credentials | Machine-to-machine authentication; no user context | Server integrations, data actions |
| Authorization Code | User-delegated access with redirect | Web apps requiring user context |
| Implicit | Simplified flow for browser-based apps | Legacy browser apps |
| SAML2 Bearer | SSO-based token exchange | Federated identity scenarios |

⚠️ After selecting Client Credentials, a Roles tab appears — assign the minimum required role. Use least-privilege roles in production.
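The Client Credentials grant described above, as an added example (not the page's or Genesys Cloud's own code): it builds the HTTP Basic-auth token request a server integration sends and caches the returned token until shortly before its configured lifetime runs out. The login host, the credentials and the token response are assumptions or constructed samples.

```python
"""Client Credentials token request for a Genesys Cloud OAuth client.
Added example, not from the original page: LOGIN_HOST is an assumed region
login host, the credentials are placeholders and the token response is a
constructed sample shaped like the endpoint's JSON reply."""
import base64
import time
import urllib.request

LOGIN_HOST = "login.mypurecloud.com"      # assumption: region-specific login host
TOKEN_URL = f"https://{LOGIN_HOST}/oauth/token"
MIN_LIFETIME, MAX_LIFETIME = 300, 172_800  # configurable range given on the page


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client ID and Secret act like a username/password: the client sends them
    as HTTP Basic auth, so they must come from a vault, never from source control."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """Machine-to-machine grant: POST grant_type=client_credentials, no user context."""
    return urllib.request.Request(
        TOKEN_URL, data=b"grant_type=client_credentials", method="POST",
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"})


def sample_token_response() -> dict:
    """Constructed stand-in for the live reply; 3600 matches the page's example duration."""
    return {"access_token": "CONSTRUCTED-TOKEN", "token_type": "bearer", "expires_in": 3600}


class TokenCache:
    """Reuses one token until shortly before expiry, then requests a new one, so a
    'Token expired' failure is avoided and token requests stay infrequent."""
    def __init__(self, fetch, skew: int = 60):
        self._fetch, self._skew = fetch, skew
        self._token, self._expires_at = None, 0.0

    def get(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            lifetime = int(resp["expires_in"])
            if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:  # reject malformed replies
                raise ValueError(f"expires_in {lifetime}s is outside the configurable range")
            self._token, self._expires_at = resp["access_token"], now + lifetime
        return self._token
```

To perform the live exchange, pass a function that calls `urllib.request.urlopen(build_token_request(client_id, client_secret))` and decodes the JSON body as the `fetch` argument of `TokenCache`.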
### Implementation Steps

| Step | Action |
| --- | --- |
| Step 1 | Navigate to Admin → Integrations → OAuth |
| Step 2 | Click Add Client |
| Step 3 | Enter application name and description |
| Step 4 | Configure token expiration |
| Step 5 | Select OAuth grant type |
| Step 6 | Assign roles to the OAuth client |
| Step 7 | Save configuration |
| Step 8 | Copy generated Client ID and Client Secret — store securely |

### Creating an Integration Using OAuth Credentials

After creating an OAuth client, add the integration using the OAuth credentials.

### Creating a Data Action

After the integration is configured, create a Data Action to call APIs from Architect flows.

### End-to-End Flow: OAuth → Integration → Data Action → Architect

```text
External System
      ↓
OAuth Client Authentication
      ↓
Access Token Issued
      ↓
Integration / Data Action
      ↓
Architect Flow
      ↓
Customer Interaction
```

### Security Considerations

| Security Control | Description |
| --- | --- |
| Least Privilege Access | Assign minimal permissions to OAuth clients |
| Token Expiration | Shorter token lifetimes reduce exposure |
| Secure Storage | Store client secrets in secure vaults |
| API Monitoring | Track requests via Platform Usage dashboard |
| Credential Protection | Client ID + Secret function like a username/password — protect accordingly |

### Troubleshooting

| Issue | Cause | Resolution |
| --- | --- | --- |
| Token request fails | Invalid client credentials | Verify client ID and secret |
| API access denied | Missing role permissions | Assign correct roles |
| Token expired | Token lifetime exceeded | Request new token |
| Authentication errors | Incorrect grant type | Verify OAuth configuration |
| Integration failure | Credentials not configured | Update integration credentials |

### Interview Cheat Sheet

| Question | Answer |
| --- | --- |
| What is OAuth used for in Genesys Cloud? | Authenticate applications and authorize API access |
| What is an OAuth access token? | Temporary credential used to authenticate API requests |
| What grant types are supported? | Client Credentials, Authorization Code, Implicit, SAML2 Bearer |
| What controls API access permissions? | OAuth client roles and scopes |
| Maximum token lifetime? | 172,800 seconds |

## Authorized Applications

### Overview

| Topic | Explanation |
| --- | --- |
| Authorized Application | An application that has been granted permission to access Genesys Cloud via OAuth. |
| Application State | Applications can be Pending, Approved, or Revoked. |
| Scopes | Define the specific permissions granted to an application. |
| Security Importance | Allows administrators to control external application access and revoke permissions when necessary. |

### Navigation

| Task | Navigation |
| --- | --- |
| View Authorized Applications | Admin → Integrations → Authorized Applications |
| Edit Application Permissions | Click ⋮ (three dots) beside the application |
| Revoke Application Access | Select Revoke from application menu |

### Configuration Fields

| Field | Description | Example |
| --- | --- | --- |
| App Name | Name of the OAuth client application | CRM_Integration_App |
| Scopes | Permissions granted to the application | analytics:read |
| State | Current authorization status | Approved |
| Roles | Roles assigned to the application | Master Admin |
| Actions Menu | Options to edit or revoke access | Edit / Revoke |

### Application States

| State | Meaning |
| --- | --- |
| Pending | Application has requested access but not yet approved |
| Approved | Application is authorized to access Genesys Cloud APIs |
| Revoked | Application access has been removed; API calls are immediately blocked |

⚠️ Revoking an application immediately blocks all API access. Use with caution for active integrations.

### Best Practices

| Practice | Reason |
| --- | --- |
| Regularly review authorized apps | Ensure only trusted applications have access |
| Apply least privilege roles | Limit application permissions |
| Revoke unused applications | Reduce security risk |
| Monitor API activity | Detect unusual usage patterns |
| Document integrations | Maintain governance over external access |

### Interview Cheat Sheet

| Question | Answer |
| --- | --- |
| What are Authorized Applications? | Applications granted OAuth permission to access Genesys Cloud APIs |
| What controls application permissions? | OAuth scopes and assigned roles |
| Where are authorized apps managed? | Admin → Integrations → Authorized Applications |
| What happens if an app is revoked? | It can no longer access the platform APIs — immediately |

## Single Sign-On (SSO)

### Overview

| Topic | Explanation |
| --- | --- |
| Single Sign-On | Authentication method allowing users to log into Genesys Cloud using corporate identity provider credentials. |
| Identity Provider (IdP) | External authentication service such as Azure AD, Okta, Google Workspace, or OneLogin. |
| Service Provider (SP) | Genesys Cloud acts as the service provider in SSO integrations. |
| Protocol | SAML 2.0 — the only supported SSO protocol. |
| Authentication Flows | Supports Service Provider–initiated and Identity Provider–initiated login flows. |
| User Requirement | Users must already exist in Genesys Cloud before SSO authentication will work. |
| Certificate Risk | Expired IdP certificates will break authentication for all SSO users. |

### Navigation

| Task | Navigation |
| --- | --- |
| Configure SSO | Admin → Integrations → Single Sign-On |
| Add Identity Provider | Admin → Integrations → Single Sign-On → Add Identity Provider |
| Download Genesys Certificate | Available within the SSO configuration page |

### Configuration Fields

| Field | Description | Example |
| --- | --- | --- |
| Identity Provider Name | Name of the configured SSO provider | AzureAD_SSO |
| Display Name | Name displayed on login page | Company SSO |
| Identity Provider Type | External authentication service | Azure AD |
| SAML Metadata File | XML configuration file provided by IdP | idp_metadata.xml |
| Issuer URI | Unique identifier of the IdP | https://login.microsoftonline.com |
| SSO URL | URL used to authenticate users | https://login.microsoftonline.com/... |
| Logout URL | Optional logout redirect URL | https://login.microsoftonline.com/logout |
| Certificate | Security certificate for validating SAML responses | Base64 certificate |

### SSO Authentication Flow

```text
User Login Request
      ↓
Redirect to Identity Provider
      ↓
User Authentication (+ MFA if configured in IdP)
      ↓
SAML Assertion Sent to Genesys Cloud
      ↓
Genesys Cloud Validates Assertion
      ↓
User Access Granted
```

### Implementation Steps

| Step | Action |
| --- | --- |
| Step 1 | Obtain SAML metadata XML from identity provider |
| Step 2 | Navigate to Admin → Integrations → Single Sign-On |
| Step 3 | Click Add Identity Provider |
| Step 4 | Import SAML metadata file |
| Step 5 | Configure login display settings (name, logo) |
| Step 6 | Save configuration |
| Step 7 | Test authentication before enabling for all users |
| Step 8 | Enable SSO for organization users |

### Limitations & Constraints

| Constraint | Description |
| --- | --- |
| Protocol Support | Only SAML 2.0 is supported — no OIDC or WS-Federation |
| User Provisioning | Users must exist in Genesys Cloud before they can authenticate via SSO |
| IdP Configuration | Requires configuration on both IdP and Genesys Cloud sides |
| Certificate Expiration | Expired certificates break authentication for all SSO users — monitor and rotate proactively |

### Troubleshooting

| Issue | Cause | Resolution |
| --- | --- | --- |
| SSO login failure | Incorrect SAML configuration | Verify metadata configuration |
| Invalid assertion | Certificate mismatch | Update SAML certificate |
| User cannot authenticate | User not provisioned in Genesys Cloud | Create the user first |
| Login redirect loop | Incorrect IdP URL | Verify identity provider configuration |
| SSO test fails | Incorrect metadata | Re-import metadata file |

### Interview Cheat Sheet

| Question | Answer |
| --- | --- |
| What is SSO in Genesys Cloud? | Authentication using corporate identity providers instead of separate Genesys credentials |
| Which protocol is supported? | SAML 2.0 only |
| What must exist before SSO works? | The user account must already exist in Genesys Cloud |
| Where is SSO configured? | Admin → Integrations → Single Sign-On |
| What breaks SSO? | Expired certificates or users not provisioned in Genesys Cloud |
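The SAML metadata import in the SSO steps above, as an added example (not the page's or Genesys Cloud's own code): it reads an IdP metadata file and pulls out the Issuer URI, SSO URL, Logout URL and signing certificate that the configuration fields ask for, and reports how long the metadata's own `validUntil` has left. The metadata is a constructed sample with placeholder URLs and certificate text.

```python
"""Extract Genesys Cloud SSO fields from an IdP SAML 2.0 metadata file.
Added example, not from the original page. SAMPLE_METADATA is constructed
with placeholder URLs and certificate text. The expiry check below reads the
metadata's validUntil attribute (a standard SAML metadata field), not the
X.509 notAfter date, which needs a certificate library to read."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED
        PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Map the metadata to the page's SSO fields: Issuer URI, SSO URL,
    Logout URL and Certificate. Raises if a required element is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = idp.find(f"md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if sso is None or cert is None or not cert.text:
        raise ValueError("metadata lacks an HTTP-Redirect SSO endpoint or a signing certificate")
    return {"issuer_uri": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "logout_url": slo.get("Location") if slo is not None else None,
            "certificate": "".join(cert.text.split()),  # drop Base64 line wrapping
            "valid_until": root.get("validUntil")}


def days_until_expiry(valid_until: str, now=None) -> int:
    """Days left before validUntil; negative means the imported IdP metadata has
    lapsed and must be refreshed before it locks out every SSO user."""
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (expiry - (now or datetime.now(timezone.utc))).days
```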