SAML Configuration
This guide walks you through setting up SAML 2.0 Single Sign-On (SSO) with Cosafe.
Prerequisites
- Users must exist in Cosafe before they can log in via SSO. Create users manually or set up SCIM provisioning first.
- You need access to your Identity Provider's (IdP) admin console.
- You need access to the Cosafe admin panel.
Step 1: Import Cosafe SP metadata into your IdP
Cosafe provides a Service Provider (SP) metadata endpoint that your IdP can import directly. This automatically configures the Entity ID, ACS URL, and signing certificate.
Use the metadata URL for your region:
| Region | SP Metadata URL |
|---|---|
| Europe | https://api.se-sto.prod.cosafe.com/core/saml/sp |
| South America | https://api.sa-east-1.prod.cosafe.com/core/saml/sp |
Most IdPs allow you to import metadata by URL. If your IdP requires manual configuration, the key values are:
| Field | Europe | South America |
|---|---|---|
| Entity ID | https://api.se-sto.prod.cosafe.com/core/saml/sp (same as metadata URL) | https://api.sa-east-1.prod.cosafe.com/core/saml/sp (same as metadata URL) |
| ACS URL | https://api.se-sto.prod.cosafe.com/core/saml/acs | https://api.sa-east-1.prod.cosafe.com/core/saml/acs |
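To confirm what an IdP will actually import from the SP metadata endpoint (Entity ID, ACS URL and binding, signing certificate), the following added example parses a SAML 2.0 SP metadata document and compares it with the values in the tables above. This is not Cosafe's own code: the metadata document is a constructed sample built from the Europe values in the tables, the certificate is a placeholder, and the `WantAssertionsSigned` and `NameIDFormat` elements are assumed from the requirements in Step 2, not copied from the real endpoint.

```python
"""Parse SAML 2.0 SP metadata and check the values an IdP imports.

Added example (not Cosafe's code). SAMPLE_SP_METADATA is a constructed
document using the Europe values from the tables; the certificate is a
placeholder, not a real Cosafe certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EU_METADATA_URL = "https://api.se-sto.prod.cosafe.com/core/saml/sp"
EU_ACS_URL = "https://api.se-sto.prod.cosafe.com/core/saml/acs"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: structure of a real SP metadata file, values from the tables above.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{EU_METADATA_URL}">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="{EU_ACS_URL}" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields an IdP needs from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    # Prefer the isDefault="true" endpoint, otherwise the lowest index.
    default = [a for a in acs_list if a.get("isDefault") == "true"]
    acs = default[0] if default else min(acs_list, key=lambda a: int(a.get("index", "0")))
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append("".join(cert.text.split()))  # strip PEM line breaks
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "signing_certs": certs,
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def check_sp_metadata(info, metadata_url, expected_acs_url):
    """Compare parsed metadata with the documented region values; empty list = OK."""
    problems = []
    if info["entity_id"] != metadata_url:
        problems.append(f"entityID {info['entity_id']!r} differs from metadata URL {metadata_url}")
    if info["acs_url"] != expected_acs_url:
        problems.append(f"ACS URL {info['acs_url']!r} differs from expected {expected_acs_url}")
    if info["acs_binding"] != POST_BINDING:
        problems.append(f"ACS binding is {info['acs_binding']!r}, expected HTTP-POST")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the IdP cannot verify signed AuthnRequests")
    return problems


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(parsed["entity_id"], parsed["acs_url"], parsed["acs_binding"])
    print("problems:", check_sp_metadata(parsed, EU_METADATA_URL, EU_ACS_URL))
```

For the live endpoint you would fetch the metadata URL for your region and pass the response body to `parse_sp_metadata`; the check should come back empty for that region's values and report mismatches if the wrong region's URLs were entered in the IdP.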
Step 2: Configure your IdP
NameID
Configure your IdP to send a persistent identifier as the NameID:
- NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- NameID value: an opaque, stable identifier from your IdP (for example, Entra ID's objectId / "Object identifier"). The exact attribute name varies by IdP; the requirement is that the value is unique per user, never reassigned, and doesn't change when the user is renamed or their email changes.
Required SAML attribute
Cosafe needs the user's email for domain matching, notifications, and account display. Configure your IdP to send it as a SAML attribute:
| Attribute name | Value |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | The user's email address |
Assertion signing
Your IdP must sign the SAML assertion. If your IdP has separate settings for signing the response and the assertion, make sure the assertion is signed. Cosafe requires SHA-256 as the signature algorithm.
Step 3: Configure Cosafe admin panel
- Navigate to your Account page.
- Click on the Integration tab.
- Select Sign-On provider (SAML) from the dropdown menu.
- Enter your IdP metadata URL — Cosafe will automatically fetch the IdP signing certificate, SSO endpoint, and Entity ID from this URL.
- Add domains — specify the email domains of users who will use SSO. The user's email (from the SAML emailaddress attribute) must match a configured domain.
- To add multiple domains, click +Add domain and enter each domain.
- Save your settings.
Step 4: Test the connection
- Open an incognito/private browser window.
- Navigate to the Cosafe login page.
- Enter the email address of a test user whose domain is configured for SSO.
- You should be redirected to your IdP for authentication.
- After authenticating, you should be redirected back to Cosafe and logged in.
If the test fails, verify that:
- The user exists in Cosafe with an email matching a configured domain.
- Your IdP is sending the persistent NameID format and the emailaddress SAML attribute (see Step 2 for the canonical attribute name).
- The IdP metadata URL is accessible and correct.
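When the Step 4 test fails, the quickest way to find out which Step 2 requirement the IdP is not meeting is to capture the SAML Response the browser posts to the ACS URL (most IdP admin consoles or a browser SAML-tracing extension will show it) and inspect it. The following added example checks a response for a persistent NameID, the emailaddress attribute, an assertion-level Signature whose SignatureMethod is a SHA-256 variant, and an email domain that matches a configured SSO domain. It is not Cosafe's code and it does not verify the XML signature cryptographically (the real SP does that with the IdP certificate fetched from the IdP metadata URL); it only confirms that the right elements are present. The response is a constructed sample, the IdP issuer and `example.com` domain are placeholders, and treating "SHA-256" as any XML-DSig SignatureMethod URI ending in `sha256` and matching domains exactly (no subdomain matching) are assumptions made here, not statements from the page.

```python
"""Inspect a captured SAML Response against the Step 2 requirements.

Added example (not Cosafe's code). Structural checks only: it does not
validate the signature cryptographically. SAMPLE_RESPONSE is a constructed
document; the issuer, NameID value and email are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ACS_URL = "https://api.se-sto.prod.cosafe.com/core/saml/acs"  # Europe ACS URL from Step 1

# Constructed sample response; signature and digest values are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">8f6b1c2e-0000-4000-8000-000000000001</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_ATTR}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def email_domain_matches(email, configured_domains):
    """Exact, case-insensitive match of the part after '@' against a configured domain.

    Assumption: subdomains do not match a parent domain (sub.example.com != example.com).
    """
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower().strip() for d in configured_domains}


def check_response(xml_text, configured_domains):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain <saml:Assertion> in the Response (an EncryptedAssertion is not inspected here)"]

    # Assertion signing: the Signature must be a child of the Assertion itself,
    # not only of the outer Response (IdPs often expose these as separate settings).
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed (Signature missing, or present only on the Response)")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg is None or not alg.lower().endswith("sha256"):  # assumption: any *-sha256 method
            problems.append(f"signature algorithm is {alg!r}, expected a SHA-256 method")

    # NameID: present, non-empty, and in the persistent format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID format is {name_id.get('Format')!r}, expected {PERSISTENT}")

    # emailaddress attribute: present, and its domain must be configured for SSO.
    emails = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_ATTR:
            emails += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if not emails:
        problems.append(f"attribute {EMAIL_ATTR} is missing or empty")
    elif not email_domain_matches(emails[0], configured_domains):
        problems.append(f"email {emails[0]!r} is not in a configured SSO domain")
    return problems


if __name__ == "__main__":
    print("problems:", check_response(SAMPLE_RESPONSE, ["example.com"]))
```

Each entry in the returned list maps to one line of the checklist above; an empty list means the response is structurally what Step 2 asks for, and any remaining failure is more likely a missing user in Cosafe or a wrong IdP metadata URL than an attribute mapping problem.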
When using SSO, Cosafe delegates all authentication responsibility to your Identity Provider. Cosafe does not enforce its own 2FA for SSO logins.
Please ensure that Multi-Factor Authentication (MFA) is enabled and enforced in your IdP for all users accessing Cosafe. This is the single most effective step you can take to protect your organisation's accounts.
For more details, see our SSO introduction page.