Skip to main content

Cosafe Support Center


OpenID Connect (OIDC) Configuration

This guide walks you through setting up OpenID Connect Single Sign-On (SSO) with Cosafe using the Authorization Code Flow. Cosafe uses PKCE as an additional security measure alongside the client secret.

Prerequisites

  • Users must exist in Cosafe before they can log in via SSO. Create users manually or set up SCIM provisioning first.
  • You need access to your Identity Provider's (IdP) admin console.
  • You need access to the Cosafe admin panel.

Step 1: Create an OIDC application in your IdP

Create a new application registration in your IdP with the following settings:

  • Application type: Web application
  • Grant type: Authorization Code Flow (PKCE is handled by Cosafe automatically)
  • Redirect URI: https://login.cosafe.com/login/sso
  • Required scopes: openid, email, profile

After creating the application, note down the following values — you will need them in Step 2:

  • Client ID
  • Client Secret
  • Authorization endpoint
  • Token endpoint
  • JWKS URI (JSON Web Key Set endpoint)
  • Issuer
tip

Most IdPs publish these endpoint URLs in a discovery document at https://<your-idp>/.well-known/openid-configuration.

Step 2: Configure the Cosafe admin panel

  1. Navigate to your Account page.
  2. Click on the Integration tab.
  3. Select Sign-On provider (OpenID) from the dropdown menu.
  4. Enter the following details from your IdP:
    • Client ID — the unique identifier for the application you created.
    • Client Secret — the secret associated with your application.
    • Authorization endpoint — the URL where users are redirected to authenticate.
    • Token endpoint — the URL used to exchange the authorization code for tokens.
    • JWKS URI — the URL to retrieve the JSON Web Key Set for token verification.
    • Issuer — the issuer identifier for your IdP.
  5. Add domains — specify the email domains of users who will use SSO.
    • To add multiple domains, click +Add domain and enter each domain.
  6. Save your settings.

Step 3: Test the connection

  1. Open an incognito/private browser window.
  2. Navigate to the Cosafe login page.
  3. Enter the email address of a test user whose domain is configured for SSO.
  4. You should be redirected to your IdP for authentication.
  5. After authenticating, you should be redirected back to Cosafe and logged in.

If the test fails, verify that:

  • The user exists in Cosafe with an email matching a configured domain.
  • The redirect URI in your IdP matches exactly: https://login.cosafe.com/login/sso
  • All endpoint URLs are correct — use your IdP's discovery document (/.well-known/openid-configuration) to confirm.
  • The Client ID and Client Secret are correct.
Strongly recommended: Enable MFA in your Identity Provider

When using SSO, Cosafe delegates all authentication responsibility to your Identity Provider. Cosafe does not enforce its own 2FA for SSO logins.

Please ensure that Multi-Factor Authentication (MFA) is enabled and enforced in your IdP for all users accessing Cosafe. This is the single most effective step you can take to protect your organisation's accounts.

For more details, see our SSO introduction page.