Single Sign-on with OneLogin

Requirements
SSO URL (Get it here)
SLO URL (Get it here)

Introduction

This guide covers how to set up SSO in COGNIGY.AI with OneLogin as the Identity Provider. After completing this guide, your users can log in to COGNIGY.AI through OneLogin and will automatically get a user in COGNIGY.AI, complete with access control.

Creating an Application in OneLogin

The first step is to create a new company app within OneLogin. To do this, open the administration panel of OneLogin and navigate to Apps > Company Apps. On this page, click the ADD APP button to create a new app.

Creating a new App

This will open a page with a lot of different application types you can choose to create:

Finding the correct application type

Search for SAML and choose the SAML Test Connector (IdP) application. After choosing the correct application type, input the name you want for the SAML connector and click on SAVE.

Creating a custom SAML application

Configuring Single Sign-on for the Application in OneLogin

Configuration


We can now create the SAML configuration for the application. Open the Configuration tab and add the SSO URL you have from the previous guide into the ACS Consumer Validator and ACS Consumer URL fields.

Adding the SSO URL to the configuration

Afterwards, enter the SLO URL you have from the previous guide in the Single Logout URL field.

Adding SLO to the configuration

Parameters


In order to properly implement SSO with COGNIGY.AI, you need to configure the parameters assigned to the user during SSO. It is required that the following fields are set on the user:

  • NameID: Email
  • firstName: First Name
  • lastName: Last Name
  • role: User Roles

Creating the firstName user parameter

Include in SAML Assertion

It is VERY important that the Include in SAML assertion checkbox is checked when creating the parameters.

The role will be used to grant the user the proper access rights in COGNIGY.AI. In a later step, we will add the supported roles to the app.

Correct configuration for user parameters

Configure SSO in COGNIGY.AI

After configuring SSO in OneLogin, we are finally ready to create an SSO configuration for your organisation in COGNIGY.AI. You do this by sending a POST request to the URL https:///security/identityprovider (e.g. https://api-demo.cognigy.ai/security/identityprovider) with the following JSON payload:

{
  "idpIssuer": string,
  "idpLoginEndpoint": string,
  "idpCertificate": string,
  "idpLogoutEndpoint": string
}

API Authentication

Read our API reference guide for information about how to send authenticated API requests to COGNIGY.AI.

In order to do this, you need some information from OneLogin, which you will find on the SSO page in your application in OneLogin.

SSO configuration in OneLogin

idpIssuer
The idpIssuer is the Issuer URL in OneLogin.

idpLoginEndpoint
The idpLoginEndpoint is the SAML 2.0 Endpoint (HTTP) in OneLogin.

idpCertificate
This is the certificate that OneLogin uses to sign the SAML requests. Below the X.509 Certificate field in OneLogin there is a View Details button. Click this button and you will be redirected to a page where you can download the certificate.

Downloading the IDP certificate

After downloading the certificate, you need to base64 encode it without newlines. In Linux, you can do this by running the following command:

cat ./path-to-file | base64 -w0

The output of the command above should be used as the idpCertificate.

idpLogoutEndpoint
The idpLogoutEndpoint is the SLO Endpoint in OneLogin.


You can now send the POST request to COGNIGY.AI with the information you collected from OneLogin. An example payload is below:

{
    "idpLoginEndpoint": "https://cognigy.onelogin.com/trust/saml2/http-post/sso/******",
    "idpCertificate": "********************************************************************************",
    "idpIssuer": "https://app.onelogin.com/saml/metadata/31beeb04-********-b8aa-b637b4fbfc01",
    "idpLogoutEndpoint": "https://cognigy.onelogin.com/trust/saml2/http-redirect/slo/******"
}
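
The payload can also be assembled by script so that the certificate encoding and the endpoint values are checked before anything is sent. The following is an added example, not code from COGNIGY.AI or OneLogin: the function names, the https-only rule and the sample values are assumptions, and the certificate is a constructed placeholder. Sending the request is left out because it needs the API authentication described in the API reference.

```python
import base64
import json
import re
from urllib.parse import urlparse

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----"
)

def encode_certificate(pem_text):
    """Same result as `cat cert.pem | base64 -w0`, after checking the PEM armor."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("input is not a PEM certificate")
    # The PEM body must itself be valid base64 (the DER bytes of the certificate).
    base64.b64decode("".join(match.group(1).split()), validate=True)
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")

def require_https(name, value):
    # Assumption: all OneLogin values shown on this page are absolute https URLs.
    parsed = urlparse(value)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{name} must be an absolute https URL")
    return value

def build_idp_payload(issuer, login_endpoint, logout_endpoint, pem_text):
    return {
        "idpIssuer": require_https("idpIssuer", issuer),
        "idpLoginEndpoint": require_https("idpLoginEndpoint", login_endpoint),
        "idpCertificate": encode_certificate(pem_text),
        "idpLogoutEndpoint": require_https("idpLogoutEndpoint", logout_endpoint),
    }

# Constructed sample input: not a real certificate, tenant or app id.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed DER placeholder " * 4).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    payload = build_idp_payload(
        "https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID",
        "https://example.onelogin.com/trust/saml2/http-post/sso/EXAMPLE-APP-ID",
        "https://example.onelogin.com/trust/saml2/http-redirect/slo/EXAMPLE-APP-ID",
        SAMPLE_PEM,
    )
    print(json.dumps(payload, indent=2))
```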

Configuring User Roles

In order to configure user roles for the users in COGNIGY.AI, you either have to add the supported roles as User Roles in OneLogin, or assign the role to each user of your app manually. Alternatively, you can also assign one global role to your app by using a Macro so that all users have the same role within COGNIGY.AI.

The supported roles within COGNIGY.AI are as follows: admin, developer, advanced_editor, marketer and basic. You can read more about user roles here: Access Control

Editing User Roles in OneLogin


To edit the user roles within OneLogin, navigate to Users > Roles and click on New Role. In the text field that appears, input one of the supported COGNIGY.AI roles as listed above and assign your app to the role.

Creating a new role in OneLogin

Adding User Roles Manually


You can also add the roles manually to each user who uses the app. To do this, navigate to your app in OneLogin and click on the Users tab. Here you can click on each user assigned to your app and change their role manually. However, this will display warnings.

Manually editing roles for users in OneLogin

You're now done configuring Single Sign-on for OneLogin, and your users can now log in to COGNIGY.AI through OneLogin.

