Requirements
✔ SSO URL (Get it here)
✔ SLO URL (Get it here)
Introduction
This guide covers how to set up SSO in Cognigy.AI with OneLogin as the Identity Provider. After completing this guide, your users can log in to Cognigy.AI through OneLogin and will automatically get a user in Cognigy.AI complete with access control.
Creating an Application in OneLogin
The first step is to create a new app within OneLogin. To do this, open the Applications panel of OneLogin, which will display a list of your existing apps. On this page, you can click on the Add App button at the top right of the page to create a new app.
Creating a new App
This will open a page with a lot of different application types you can choose to create:
Finding the correct application type
Search for SAML and choose the SAML Test Connector (Advanced) application. After choosing the correct application type, input the name and icons (optional) you want to use to represent your Cognigy.AI SAML application within OneLogin and click on SAVE.
Creating a custom SAML application
Configuring Single Sign-on for the Application in OneLogin
Configuration
We can now create the SAML configuration for the application. Open the configuration tab and add the Cognigy.AI SSO URL (See Cognigy.AI SSO documentation) into both of the following fields:
- ACS (Consumer) URL Validator
- ACS (Consumer) URL
OneLogin also requires the Cognigy.AI SLO URL (See Cognigy.AI SSO documentation) to be entered as the:
- Single Logout URL
Adding the Cognigy SSO and SLO URLs to the configuration settings
*Please note the current <api-url> for the SSO URL in the Cognigy.AI trial environment is api-trial.cognigy.ai (it omits the /new/ path segment that other API requests use).
Parameters
In order to properly implement SSO with Cognigy.AI, you need to configure the parameters assigned to the user during SSO. Navigate to the Parameters tab within your new application and select the "+" in the top right of the page to add a new parameter. It is required that the following parameters are added:
- NameID value: Email
- firstName: First Name
- lastName: Last Name
- role: User Roles
Creating the firstName user parameter
Include in SAML Assertion
It is VERY important that the Include in SAML assertion checkbox is checked when creating the parameters.
The role will be used to grant the user the proper access rights in Cognigy.AI. In a later step, we will add the supported roles to the app.
Correct configuration for user parameters
Configure SSO in Cognigy.AI
After configuring SSO in OneLogin, we are finally ready to create an SSO configuration for your organisation in Cognigy.AI. You do this by sending a POST request to the URL:
https://<api-url>/v2.0/identityprovider/configure
(e.g. https://api-trial.cognigy.ai/new/v2.0/identityprovider/configure) and attach the following JSON payload to the request with your unique values (see below):
{
"idpIssuer": string,
"idpLoginEndpoint": string,
"idpCertificate": string,
"idpLogoutEndpoint": string
}
API Authentication
Read our API reference guide for information about how to send authenticated API requests to Cognigy.AI. You need to create an API key for the first user; this key is required to set up SSO for your organization.
In order to do this, you need some information from OneLogin, which you will find on the SSO page in your application in OneLogin.
SSO configuration in OneLogin
idpIssuer
The idpIssuer is the Issuer URL in OneLogin.
idpLoginEndpoint
The idpLoginEndpoint is the SAML 2.0 Endpoint (HTTP) in OneLogin.
idpCertificate
This is the certificate that OneLogin uses to sign the SAML requests. Below the X.509 Certificate field in OneLogin there is a View Details button. Click this button and you will be redirected to a page where you can download the certificate.
Click "View Details" to access the certificate
Downloading the IDP certificate
After downloading the certificate, you need to base64 encode it without newlines. In Linux, you can do this by running the following command:
cat ./path-to-file | base64 -w0
The output of the command above should be used as the idpCertificate.
idpLogoutEndpoint
The idpLogoutEndpoint is the SLO Endpoint in OneLogin.
You can now send the POST request to Cognigy.AI with the information you collected from OneLogin. An example payload is below:
{
"idpLoginEndpoint": "https://cognigy.onelogin.com/trust/saml2/http-post/sso/******",
"idpCertificate": "<base64-encoded certificate from the command above, single line>",
"idpIssuer": "https://app.onelogin.com/saml/metadata/31beeb04-********-b8aa-b637b4fbfc01",
"idpLogoutEndpoint": "https://cognigy.onelogin.com/trust/saml2/http-redirect/slo/******"
}
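The encoding and payload steps above, as an added shell example that is not part of the original guide: it turns a downloaded PEM certificate into the single-line idpCertificate value and assembles the JSON body. The function names, the https-only check and the refusal of files containing a private key are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not Cognigy's or OneLogin's code). Function names are hypothetical.

# Encode a PEM certificate as single-line base64 (portable form of `base64 -w0`).
encode_cert() {
  local pem="$1"
  # Refuse anything that is not a PEM certificate (for example a DER file).
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
    echo "not a PEM certificate: $pem" >&2; return 1
  fi
  # A key bundle must never be sent as the IdP certificate.
  if grep -q -- 'PRIVATE KEY-----' "$pem"; then
    echo "file contains a private key; refusing to encode it" >&2; return 1
  fi
  base64 < "$pem" | tr -d '\n'
}

# Accept only https URLs without characters that would break the JSON string.
check_url() {
  case "$1" in
    *\"*|*\\*|*' '*) echo "unsafe characters in URL: $1" >&2; return 1 ;;
    https://*) return 0 ;;
    *) echo "expected an https URL: $1" >&2; return 1 ;;
  esac
}

# build_payload <issuer-url> <login-endpoint> <logout-endpoint> <cert.pem>
# Prints the JSON body for POST https://<api-url>/v2.0/identityprovider/configure
build_payload() {
  local issuer="$1" login="$2" logout="$3" cert
  check_url "$issuer" && check_url "$login" && check_url "$logout" || return 1
  cert=$(encode_cert "$4") || return 1
  printf '{"idpIssuer":"%s","idpLoginEndpoint":"%s","idpCertificate":"%s","idpLogoutEndpoint":"%s"}\n' \
    "$issuer" "$login" "$cert" "$logout"
}

# Stand-alone use: ./payload.sh <issuer> <login> <logout> <cert.pem> > payload.json
if [ "$#" -eq 4 ]; then
  build_payload "$@"
fi
```

Send the resulting body with an authenticated request as described in the API reference guide.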
Configuring User Roles
In order to configure user roles for the users in Cognigy.AI, you either have to add the supported roles as User Roles in OneLogin, or assign the role to each user of your app manually. Alternatively, you can also assign one global role to your app by using a Macro so that all users have the same role within Cognigy.AI.
The supported roles within Cognigy.AI are as follows: admin, apiKeys, base_role, livechat, odata, projectManager and userManager. You can read more about user roles here: Access Control
Editing User Roles in OneLogin
To edit the user roles within OneLogin, navigate to Users > Roles and click on New Role. In the text field that appears, input one of the supported Cognigy.AI roles as listed above and assign your app to the role.
Creating a new role in OneLogin
Adding User Roles Manually
You can also add the roles manually to each user who uses the app. To do this, navigate to your app in OneLogin and click on the Users tab. Here you can click on each user assigned to your app and change their role manually. However, this will display warnings.
Manually editing roles for users in OneLogin
You're now done configuring Single Sign-on for OneLogin, and your users can now log in to Cognigy.AI through OneLogin.