
Cosafe Support Center


SAML Configuration

Available in English only

This article is only available in English. Technical documentation and integration guides use industry-standard terminology that does not translate reliably. Providing translations risks introducing inaccuracies that could affect your configuration or security.

This guide walks you through setting up SAML 2.0 Single Sign-On (SSO) with Cosafe.

Prerequisites

  • Users must exist in Cosafe before they can log in via SSO. Create users manually or set up SCIM provisioning first.
  • You need access to your Identity Provider's (IdP) admin console.
  • You need access to the Cosafe admin panel.

Step 1: Import Cosafe SP metadata into your IdP

Cosafe provides a Service Provider (SP) metadata endpoint that your IdP can import directly. This automatically configures the Entity ID, ACS URL, and signing certificate.

Use the metadata URL for your region:

Region          SP Metadata URL
Europe          https://api.se-sto.prod.cosafe.com/core/saml/sp
South America   https://api.sa-east-1.prod.cosafe.com/core/saml/sp

Most IdPs allow you to import metadata by URL. If your IdP requires manual configuration, the key values are:

Field       Europe                                               South America
Entity ID   https://api.se-sto.prod.cosafe.com/core/saml/sp      https://api.sa-east-1.prod.cosafe.com/core/saml/sp
            (same as the metadata URL)                           (same as the metadata URL)
ACS URL     https://api.se-sto.prod.cosafe.com/core/saml/acs     https://api.sa-east-1.prod.cosafe.com/core/saml/acs

Microsoft Entra ID — step by step
  1. Go to the Microsoft Entra admin center → Enterprise applications → New application.
  2. Click Create your own application, name the app (e.g. Cosafe), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
  3. Open the new app → Single sign-on → click SAML.
  4. In the Basic SAML Configuration panel, choose one of:
    • Upload the metadata file — download the SP metadata XML from the URL above and upload it here.
    • Enter manually — fill in the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) from the table above.

Click Save.


Step 2: Configure your IdP

NameID

Configure your IdP to send a persistent identifier as the NameID:

  • NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • NameID value: an opaque, stable identifier from your IdP (for example, Entra ID's objectId / "Object identifier"). The exact attribute name varies by IdP; the requirement is that the value is unique per user, never reassigned, and doesn't change when the user is renamed or their email changes.

Microsoft Entra ID — NameID

Under Attributes & Claims → click the Unique User Identifier (Name ID) row:

  • Name identifier format: Persistent
  • Source: Attribute
  • Source attribute: user.objectid

This maps to Entra's internal Object ID — a unique, permanent identifier that does not change if the user's name or email is updated.

Required SAML attribute

Cosafe needs the user's email for domain matching, notifications, and account display. Configure your IdP to send it as a SAML attribute:

Attribute name                                                        Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   The user's email address

Microsoft Entra ID — Email attribute

Under Attributes & Claims, Entra includes this claim by default. Verify that a claim with the name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress exists and that its Source attribute is set to user.mail. If your organisation uses the UPN as the primary email address, use user.userprincipalname instead.

Assertion signing

Your IdP must sign the SAML assertion. If your IdP has separate settings for signing the response and the assertion, make sure the assertion is signed. Cosafe requires SHA-256 as the signature algorithm.

Microsoft Entra ID — Assertion signing

Under SAML Signing Certificate → click Edit:

  • Set Signing Option to Sign SAML assertion.
  • Leave Signing Algorithm as SHA-256 (the default).

Step 3: Configure Cosafe admin panel

  1. Navigate to your Account page.

  2. Click on the Integration tab.

  3. Select Sign-On provider (SAML) from the dropdown menu.

  4. Enter your IdP metadata URL — Cosafe will automatically fetch the IdP signing certificate, SSO endpoint, and Entity ID from this URL.

    Microsoft Entra ID — Finding the metadata URL

    Under SAML Signing Certificate, copy the App Federation Metadata URL. This is the URL to paste into Cosafe.

  5. Add domains — specify the email domains of users who will use SSO. The user's email (from the SAML emailaddress attribute) must match a configured domain.

    • To add multiple domains, click +Add domain and enter each domain.
  6. Save your settings.
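
Before importing either side's metadata (the Cosafe SP metadata in Step 1, or the IdP metadata URL you paste into Cosafe in Step 3), it is worth seeing exactly what the document exposes: the entity ID, the endpoint the peer will use, and the signing certificate(s) with their fingerprints, so they can be compared against what the admin console shows. The script below is an added example, not Cosafe's own code or part of the Cosafe product. The file name `saml_metadata.py` is hypothetical, and `SAMPLE_IDP_METADATA` is a constructed document with placeholder entity ID, endpoint and certificate bytes (the "certificate" is not a real X.509 certificate, so only the parsing and fingerprint logic is exercised offline).

```python
"""Inspect a SAML 2.0 metadata document and report what the other side of
the federation will import from it: entity ID, endpoints, signing certs.

Added example, not Cosafe's own code. Point it at the SP metadata URL from
Step 1 or the App Federation Metadata URL from Step 3, e.g.
    python saml_metadata.py https://api.se-sto.prod.cosafe.com/core/saml/sp
SAMPLE_IDP_METADATA is constructed; its entity ID, endpoint and certificate
are placeholders, not a real IdP's."""
import base64
import hashlib
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Role element -> the endpoint the peer needs from that role.
ROLES = {"SPSSODescriptor": "AssertionConsumerService",
         "IDPSSODescriptor": "SingleSignOnService"}


def cert_fingerprints(b64_cert):
    """SHA-1 and SHA-256 over the DER bytes, to compare with the thumbprint
    shown in the IdP or SP console."""
    der = base64.b64decode("".join(b64_cert.split()))
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def parse_metadata(xml_bytes):
    """Return entity ID, role, endpoints and signing-cert fingerprints."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected md:EntityDescriptor, got %s" % root.tag)
    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": [], "signing_certs": []}
    for role_tag, endpoint_tag in ROLES.items():
        role = root.find("md:" + role_tag, NS)
        if role is None:
            continue
        info["role"] = role_tag
        for ep in role.findall("md:" + endpoint_tag, NS):
            info["endpoints"].append({"binding": ep.get("Binding"),
                                      "location": ep.get("Location")})
        for kd in role.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor with no `use` attribute is valid for both
            # signing and encryption, so it counts as a signing key.
            if kd.get("use") in (None, "signing"):
                cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                if cert is not None and cert.text:
                    info["signing_certs"].append(cert_fingerprints(cert.text))
    if info["role"] is None:
        raise ValueError("metadata has neither SPSSODescriptor nor IDPSSODescriptor")
    return info


def fetch_metadata(url, timeout=10):
    """Download metadata; urllib validates the server certificate for https."""
    if not url.startswith("https://"):
        raise ValueError("metadata must be fetched over HTTPS")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


# Constructed sample of an IdP metadata document (placeholder values).
SAMPLE_IDP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>cGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ZW5jcnlwdGlvbg==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    data = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    info = parse_metadata(data)
    print("entityID:", info["entity_id"], "(%s)" % info["role"])
    for ep in info["endpoints"]:
        print("endpoint:", ep["location"], ep["binding"])
    for cert in info["signing_certs"]:
        print("signing cert sha256:", cert["sha256"])
    if info["role"] == "IDPSSODescriptor" and not info["signing_certs"]:
        print("WARNING: no signing certificate; the SP cannot verify assertions")
```

Run it without arguments to see the constructed sample parsed, or with a metadata URL to inspect the live document. For the Cosafe SP metadata you should see an `SPSSODescriptor` whose entity ID equals the metadata URL and whose endpoint is the ACS URL from the table in Step 1; for your IdP you should see an `IDPSSODescriptor` with at least one signing certificate, which is what Cosafe fetches in Step 3.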


Step 4: Test the connection

  1. Open an incognito/private browser window.
  2. Navigate to the Cosafe login page.
  3. Enter the email address of a test user whose domain is configured for SSO.
  4. You should be redirected to your IdP for authentication.
  5. After authenticating, you should be redirected back to Cosafe and logged in.

If the test fails, verify that:

  • The user exists in Cosafe with an email matching a configured domain.
  • Your IdP is sending the persistent NameID format and the emailaddress SAML attribute (see Step 2 for the canonical attribute name).
  • The IdP metadata URL is accessible and correct.
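
When the test login fails, the quickest way to tell which Step 2 requirement is unmet is to capture the `SAMLResponse` form field your IdP posts to the ACS URL (browser developer tools, network tab), decode it, and check the assertion against the list above. The script below is an added example, not Cosafe's own code, and it does not reproduce whatever checks Cosafe performs server-side. It only inspects structure: it does not cryptographically verify the XML signature. `SAMPLE_RESPONSE` is a constructed response whose issuer, IDs, NameID value, e-mail address and signature/digest values are placeholders; the ACS URL is the Europe one from Step 1.

```python
"""Check a SAML Response for the Step 2 requirements (persistent NameID,
emailaddress attribute, assertion signed with SHA-256) and the Step 3
domain list. Added example, not Cosafe's code: structure only, it does NOT
verify the XML signature cryptographically. SAMPLE_RESPONSE is constructed;
its issuer, IDs, NameID, e-mail and signature values are placeholders."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ACS_EU = "https://api.se-sto.prod.cosafe.com/core/saml/acs"  # Europe ACS, Step 1


def decode_saml_response(b64):
    """The HTTP-POST binding delivers the Response to the ACS URL as a
    base64 form field named SAMLResponse; this turns it back into XML."""
    return base64.b64decode(b64).decode("utf-8")


def check_response(xml_text, allowed_domains, expected_acs=ACS_EU):
    """Return {"problems": [...], "name_id": ..., "email": ...};
    an empty problems list means the assertion meets the requirements."""
    result = {"problems": [], "name_id": None, "email": None}
    problems = result["problems"]
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        problems.append("document is not a samlp:Response")
        return result
    dest = root.get("Destination")
    if dest is not None and dest != expected_acs:
        problems.append("Destination %r is not the ACS URL %s" % (dest, expected_acs))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (encrypted assertions not handled)")
        return result

    # NameID must be present, non-empty and in persistent format.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is not None:
        result["name_id"] = (nameid.text or "").strip() or None
    if result["name_id"] is None:
        problems.append("Subject has no NameID value")
    elif nameid.get("Format") != PERSISTENT:
        problems.append("NameID Format is %r, expected %s" % (nameid.get("Format"), PERSISTENT))

    # The emailaddress attribute must exist and its domain must be an SSO domain.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            result["email"] = ((value.text or "").strip() or None) if value is not None else None
    if result["email"] is None:
        problems.append("attribute %s is missing or empty" % EMAIL_CLAIM)
    else:
        domain = result["email"].rpartition("@")[2].lower()
        if domain not in {d.lower() for d in allowed_domains}:
            problems.append("email domain %r is not a configured SSO domain" % domain)

    # The Assertion element itself must carry the signature (a signed Response
    # alone is not enough), reference the assertion's ID, and use RSA-SHA256
    # with SHA-256 digests.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("Assertion is not signed")
        return result
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg != RSA_SHA256:
        problems.append("SignatureMethod is %r, expected %s" % (alg, RSA_SHA256))
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if not any(r.get("URI") == "#%s" % assertion.get("ID") for r in refs):
        problems.append("no Signature Reference points at the Assertion ID")
    for ref in refs:
        digest = ref.find("ds:DigestMethod", NS)
        if digest is None or digest.get("Algorithm") != DIGEST_SHA256:
            problems.append("DigestMethod is not SHA-256")
    return result


# Constructed sample: a conforming Response after base64 decoding.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://api.se-sto.prod.cosafe.com/core/saml/acs">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      >00000000-0000-4000-8000-000000000001</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, ["example.com"])["problems"] or ["OK"]:
        print(line)
```

To use it on a real login, pass the captured `SAMLResponse` value through `decode_saml_response` and call `check_response` with the domains you configured in Step 3 (and `expected_acs` set to the South America ACS URL if that is your region). Each problem it reports maps to one line of the checklist above: a `NameID Format` or `Subject has no NameID` message points at the NameID section of Step 2, a missing `emailaddress` attribute or unmatched domain at the email attribute and the Step 3 domain list, and an unsigned assertion or non-SHA-256 algorithm at the assertion signing settings. A clean run only proves the structure is right; the signature itself is still verified by Cosafe against the certificate it fetched from your IdP metadata URL.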

Strongly recommended: Enable MFA in your Identity Provider

When using SSO, Cosafe delegates all authentication responsibility to your Identity Provider. Cosafe does not enforce its own 2FA for SSO logins.

Please ensure that Multi-Factor Authentication (MFA) is enabled and enforced in your IdP for all users accessing Cosafe. This is the single most effective step you can take to protect your organisation's accounts.

For more details, see our SSO introduction page.