In this article, we'll guide you through the setup process for SSO integrations, including OpenID and SAML.
What is SSO?
SSO services let a user access multiple applications with a single set of credentials (e.g., a name, email address, and password). The end user authenticates once and is then granted access to every application they are entitled to; switching between applications within the same session does not trigger additional authentication prompts.
Why should we have SSO?
- Improves user management for workspace owners across systems.
- Removes the need for end users to manage and remember numerous credentials.
- Lets end users log in at a single access point and move between applications seamlessly.
Integrate SSO into a single account.
Step 1: Navigate to the Account & Account Settings page and select the Integration tab.
Step 2: Select one of the available SSO methods.
Step 3: Complete the relevant configuration steps.
Note:
- Only Account administrators can set up SSO for your organisation.
- To enable this feature, make sure the user has the necessary permission role activated for the Admin Panel's Account and subaccount settings.
SAML Settings
How SAML SSO works:
- A user attempts to log in to Cosafe using SAML SSO.
- Cosafe sends a SAML request to the identity provider.
- The identity provider checks the credentials of this member.
- The identity provider sends a response to Cosafe to verify the member's identification.
- Cosafe acknowledges the response and provides the member with access to their Cosafe account.
SAML setup configuration on your system
- Identifier: https://api.cosafe.se/
If SAML users will use the Admin panel, a second reply URL has to be added:
Required SAML attributes:
- name: the user’s full name
- emailaddress: the user’s email address
- identifier: optional. Used to identify the user if the user’s email address has changed. If the identifier attribute is present when using SAML SSO together with SFTP user import, the identifier attribute must match the UniqueID of the user in the SFTP import file.
The attributes have to be added with a namespace.
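As an added example (not Cosafe's own code), the Python below shows what the "required attributes with a namespace" rule looks like on the receiving side: it reads the AttributeStatement of a SAML assertion, keeps only attributes carried in the expected namespace, checks that name and emailaddress are present, and, when identifier is present, checks it against the UniqueID column of an SFTP import. The assertion, the import rows and the claims namespace URI are constructed samples; the namespace your identity provider emits is whatever you configured there.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# ASSUMED attribute namespace (the common ADFS/Azure AD claims prefix).
# Use the namespace your identity provider is configured to send.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample: a minimal assertion fragment carrying the three attributes.
# A real assertion is signed and must have its signature verified before use.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS_NS}name">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS_NS}emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS_NS}identifier">
      <saml:AttributeValue>emp-0042</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of the same attributes sent WITHOUT a namespace: this is
# the misconfiguration the article warns about, and it must be rejected.
SAMPLE_UNNAMESPACED = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample rows of an SFTP user import; only the UniqueID column matters here.
SAMPLE_IMPORT = [{"UniqueID": "emp-0042", "Email": "alice@example.com"}]

REQUIRED = ("name", "emailaddress")


def extract_attributes(assertion_xml: str, claims_ns: str = CLAIMS_NS) -> dict:
    """Return {short_name: value} for attributes whose Name is in the expected namespace."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(claims_ns):
            continue  # wrong or missing namespace: ignore the attribute entirely
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        if value is not None and value.text:
            found[name[len(claims_ns):]] = value.text.strip()
    return found


def validate_attributes(attrs: dict) -> list:
    """Return a list of problems; an empty list means the assertion is usable."""
    problems = [f"missing required attribute: {n}" for n in REQUIRED if n not in attrs]
    email = attrs.get("emailaddress", "")
    if email and email.count("@") != 1:
        problems.append(f"emailaddress is not a single address: {email}")
    return problems


def identifier_matches_import(attrs: dict, import_rows: list) -> bool:
    """identifier is optional, but when present it must equal a UniqueID in the import file."""
    ident = attrs.get("identifier")
    if ident is None:
        return True
    return any(row.get("UniqueID") == ident for row in import_rows)


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print(attrs, validate_attributes(attrs), identifier_matches_import(attrs, SAMPLE_IMPORT))
    print(validate_attributes(extract_attributes(SAMPLE_UNNAMESPACED)))
```

Two things the parsing glosses over deliberately: in production the assertion's XML signature is verified before any attribute is read, and untrusted XML should be parsed with a hardened parser such as defusedxml rather than the standard library module used here for brevity.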
Set up SAML
You can configure your SAML settings as follows:
- Navigate to your Account page in the Navigation bar
- Navigate to the Integration tab
- Select the Sign-On Provider (SAML) from the drop-down menu “Screen 1”
Screen 1 “Select SAML”
Find the details about your SAML Single Sign-On (SSO) configuration in the Cosafe platform “Screen 2”.
You will need the following items to complete the configuration process:
- The Metadata URL field: the URL of your organisation's SAML metadata
- The Domain address: the domains used in the email addresses of the users who will use SSO
Screen 2 “View SAML Configurations”
Confirm domain address
An account can have multiple domains, including subdomains.
If there are multiple domains used within one SAML SSO provider, you can easily add a new domain by clicking on "+Add Domain." This will create a new line where you can enter the new domain “Screen 3”.
Screen 3 “Add extra domain address”
Add multiple configurations
To add another SAML SSO configuration and use multiple SAML SSO providers within the account, click the "+ Add new" button and provide a new Metadata URL and its corresponding "Domain Address" “Screen 4”.
Screen 4 “Add extra Configurations”
Organization administrators can add or remove domains at any time.
Note:
Only individuals with email addresses from certain domains are allowed to log in using SAML.
OpenID Settings
OpenID setup configuration on your system
- Add allowed redirect URL: https://app.cosafe.se
- Enable ID tokens
- The "email" claim must be allowed to be returned in an ID token. If you are using Azure AD, leaving the default "User.Read" permission enabled should be enough for this to work.
Set up OpenID
You can configure your OpenID settings as follows:
- Navigate to your Account page in the Navigation bar
- Navigate to the Integration tab
- Select the Sign-On Provider (OpenID) from the drop-down menu
Screen 5 “Select OpenID”
Access the specific information on your OpenID setup within the Cosafe platform “Screen 6”. The following items are required to complete the configuration process:
Example of where to find the information below for Azure AD: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
Example of where to find the information below for providers other than Azure AD: /issuer1/.well-known/openid-configuration
- The OpenID JWKS endpoint
  Example from Azure AD: https://login.microsoftonline.com/common/discovery/v2.0/keys
- The OpenID Login URL
  Example from Azure AD: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
- The OpenID Audience
  Here we want the userinfo endpoint
- The OpenID ClientID
  ex: 87cc7e2d-6baa-4dc6-240b-250660b25837
- The Domain address
  A list of domain names used in the email addresses of the users who will be using SSO
Screen 6 “OpenID configuration”
Confirm domain address
An account can have multiple domains, including subdomains.
You can add a new domain by clicking on "Add domain". This will create a new input in which you can enter the new domain “Screen 7”.
Screen 7 “OpenID Add extra domain address”
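As an added example (not Cosafe's own code), the Python below ties together the OpenID configuration items and the domain confirmation above: it reads a provider's .well-known/openid-configuration document, picks out the three URLs the Cosafe form asks for (JWKS endpoint, Login URL, and the userinfo endpoint used as the Audience), checks that they are HTTPS and that the provider advertises the "email" claim, and then applies the domain list to a login email. The discovery document is a constructed sample whose endpoint shapes follow the Azure AD examples on this page; its userinfo_endpoint and claims_supported values, and the exact-match reading of the domain list (each subdomain listed explicitly), are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document. A real one is fetched over HTTPS from
# https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
# The userinfo_endpoint and claims_supported values here are assumptions.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "claims_supported": ["sub", "email", "name"],
})

# Standard discovery keys mapped onto the field names used in the Cosafe form.
FIELD_MAP = {
    "jwks_endpoint": "jwks_uri",
    "login_url": "authorization_endpoint",
    "audience": "userinfo_endpoint",  # the Audience field takes the userinfo endpoint
}


def cosafe_fields_from_discovery(discovery_json: str) -> dict:
    """Pull the three URLs the Cosafe OpenID form asks for out of a discovery document."""
    doc = json.loads(discovery_json)
    return {field: doc.get(key) for field, key in FIELD_MAP.items()}


def check_discovery(discovery_json: str) -> list:
    """Return a list of problems; an empty list means the document looks usable."""
    doc = json.loads(discovery_json)
    problems = []
    for field, key in FIELD_MAP.items():
        url = doc.get(key)
        if not url:
            problems.append(f"discovery document lacks {key} (needed for {field})")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # The ID token must be able to carry "email". Providers that publish
    # claims_supported let us check that up front instead of at first login.
    claims = doc.get("claims_supported")
    if claims is not None and "email" not in claims:
        problems.append('provider does not advertise the "email" claim')
    return problems


def email_domain_allowed(email: str, allowed_domains: list) -> bool:
    """Gate an SSO login on the configured domain list (exact, case-insensitive match)."""
    if email.count("@") != 1:
        return False  # malformed address, or an extra "@" meant to confuse the split
    local, domain = email.split("@")
    if not local or not domain:
        return False
    allowed = {d.strip().lower().rstrip(".") for d in allowed_domains}
    return domain.lower().rstrip(".") in allowed


if __name__ == "__main__":
    print(cosafe_fields_from_discovery(SAMPLE_DISCOVERY))
    print(check_discovery(SAMPLE_DISCOVERY))
    print(email_domain_allowed("alice@example.com", ["example.com", "eu.example.com"]))
```

The domain check matches the whole domain part, so "example.com.evil.net" is not accepted just because it starts with an allowed domain, and a subdomain is only accepted if it is itself on the list.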