SAML Configuration
This guide walks you through setting up SAML 2.0 Single Sign-On (SSO) with Cosafe.
Prerequisites
- Users must exist in Cosafe before they can log in via SSO. Create users manually or set up SCIM provisioning first.
- You need access to your Identity Provider's (IdP) admin console.
- You need access to the Cosafe admin panel.
Step 1: Import Cosafe SP metadata into your IdP
Cosafe provides a Service Provider (SP) metadata endpoint that your IdP can import directly. This automatically configures the Entity ID, ACS URL, and signing certificate.
Use the metadata URL for your region:
| Region | SP Metadata URL |
|---|---|
| Europe | https://api.se-sto.prod.cosafe.com/core/saml/sp |
| South America | https://api.sa-east-1.prod.cosafe.com/core/saml/sp |
Most IdPs allow you to import metadata by URL. If your IdP requires manual configuration, the key values are:
| Field | Europe | South America |
|---|---|---|
| Entity ID | https://api.se-sto.prod.cosafe.com/core/saml/sp (same as metadata URL) | https://api.sa-east-1.prod.cosafe.com/core/saml/sp (same as metadata URL) |
| ACS URL | https://api.se-sto.prod.cosafe.com/core/saml/acs | https://api.sa-east-1.prod.cosafe.com/core/saml/acs |
Step 2: Configure your IdP
NameID
Configure your IdP to send the user's email address as the NameID:
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- NameID value: The user's email address
This is the only attribute Cosafe requires. No additional SAML attributes need to be configured.
Assertion signing
Your IdP must sign the SAML assertion. If your IdP has separate settings for signing the response and the assertion, make sure the assertion is signed. Cosafe requires SHA-256 as the signature algorithm.
Step 3: Configure Cosafe admin panel
- Navigate to your Account page.
- Click on the Integration tab.
- Select Sign-On provider (SAML) from the dropdown menu.
- Enter your IdP metadata URL — Cosafe will automatically fetch the IdP signing certificate, SSO endpoint, and Entity ID from this URL.
- Add domains — specify the email domains of users who will use SSO. The email domain in the SAML NameID must match a configured domain.
- To add multiple domains, click +Add domain and enter each domain.
- Save your settings.
Step 4: Test the connection
- Open an incognito/private browser window.
- Navigate to the Cosafe login page.
- Enter the email address of a test user whose domain is configured for SSO.
- You should be redirected to your IdP for authentication.
- After authenticating, you should be redirected back to Cosafe and logged in.
If the test fails, verify that:
- The user exists in Cosafe with an email matching a configured domain.
- Your IdP is sending the email address as the NameID.
- The IdP metadata URL is accessible and correct.
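The following checker, added here as an example and not part of Cosafe's own tooling, takes a captured SAML Response and reports which of the Step 2 requirements it fails: NameID in the emailAddress format, a NameID domain that matches a configured domain, and a SHA-256 signature on the Assertion itself rather than only on the Response. The sample response and the domain set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces used by a SAML 2.0 Response and its XML-DSig signature
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(response_xml: str, allowed_domains: set[str]) -> list[str]:
    """Return the guide's requirements this response fails (empty list = all pass)."""
    problems = []
    # Use defusedxml rather than ElementTree when the XML is untrusted input
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in the response"]
    # 1. NameID must be the user's email address in the emailAddress format
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
        email = (name_id.text or "").strip()
        domain = email.rpartition("@")[2].lower()
        # 2. The email domain must be one of the domains configured in Cosafe
        if "@" not in email or domain not in allowed_domains:
            problems.append(f"NameID {email!r} is not in a configured domain")
    # 3. The Assertion itself must be signed with SHA-256; a Response-only signature is not enough
    sig = assertion.find("ds:Signature", NS)
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS) if sig is not None else None
    alg = method.get("Algorithm", "") if method is not None else ""
    if sig is None:
        problems.append("assertion is not signed (only the Response may be)")
    elif not alg.endswith("-sha256"):
        problems.append(f"signature algorithm {alg!r} is not SHA-256")
    return problems

# Constructed sample: the IdP signs only the Response and sends the NameID in the
# "unspecified" format, two misconfigurations Step 4 tells you to look for
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""
```

Running `check_assertion(BAD_RESPONSE, {"example.com"})` reports the wrong NameID format and the unsigned assertion; the domain check passes because example.com is in the configured set. The checker inspects structure and algorithm only; cryptographic verification of the signature is left to the SAML library.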
When using SSO, Cosafe delegates all authentication responsibility to your Identity Provider. Cosafe does not enforce its own 2FA for SSO logins.
Please ensure that Multi-Factor Authentication (MFA) is enabled and enforced in your IdP for all users accessing Cosafe. This is the single most effective step you can take to protect your organisation's accounts.
For more details, see our SSO introduction page.