Requirements
✔ SSO URL (Get it here)
✔ SLO URL (Get it here)

Introduction

This guide covers how to set up SSO in Cognigy.AI with OneLogin as the Identity Provider. After completing this guide, your users can log in to Cognigy.AI through OneLogin and will automatically get a user in Cognigy.AI, complete with access control.

Creating an Application in OneLogin

The first step is to create a new app within OneLogin. To do this, open the Applications panel of OneLogin which will display a list of your existing apps. On this page, you can click on the Add App button at the top right of the page to create a new app.

[Figure: Creating a new App]

This will open a page with a lot of different application types you can choose to create:

[Figure: Finding the correct application type]

Search for SAML and choose the SAML Test Connector (Advanced) application. After choosing the correct application type, input the name and icons (optional) you want to use to represent your Cognigy.AI SAML application within OneLogin and click on SAVE.

[Figure: Creating a custom SAML application]

Configuring Single Sign-on for the Application in OneLogin

Configuration

We can now create the SAML configuration for the application. Open the configuration tab and add the Cognigy.AI SSO URL (See Cognigy.AI SSO documentation) into both of the following fields:

  • ACS (Consumer) URL Validator 
  • ACS (Consumer) URL

OneLogin also requires the Cognigy.AI SLO URL (See Cognigy.AI SSO documentation) to be entered as the:

  • Single Logout URL


[Figure: Adding the Cognigy SSO and SLO URLs to the configuration settings]

*Please note that the current <api-url> for the SSO URL in the Cognigy.AI trial environment is api-trial.cognigy.ai (it omits the /new/ used in other API requests).

Parameters

In order to properly implement SSO with Cognigy.AI, you need to configure the parameters assigned to the user during SSO. Navigate to the Parameters tab within your new application and select the "+" in the top right of the page to add a new parameter. It is required that the following parameters are added:

  • NameID value: Email
  • firstName: First Name
  • lastName: Last Name
  • role: User Roles

[Figure: Creating the firstName user parameter]

Include in SAML Assertion

It is VERY important that the Include in SAML assertion checkbox is checked when creating the parameters.

The role will be used to grant the user the proper access rights in Cognigy.AI. In a later step, we will add the supported roles to the app.

[Figure: Correct configuration for user parameters]

Configure SSO in Cognigy.AI

After configuring SSO in OneLogin, we are finally ready to create an SSO configuration for your organisation in Cognigy.AI. You do this by sending a POST request to the URL:

https://<api-url>/v2.0/identityprovider/configure

(e.g. https://api-trial.cognigy.ai/new/v2.0/identityprovider/configure) and attach the following JSON payload to the request with your unique values (see below):

{
  "idpIssuer": string,
  "idpLoginEndpoint": string,
  "idpCertificate": string,
  "idpLogoutEndpoint": string
}

API Authentication

Read our API reference guide for information about how to send authenticated API requests to Cognigy.AI. You need to create an API key for the first user, which you need in order to set up SSO for your organization.

In order to do this, you need some information from OneLogin, which you will find on the SSO page in your application in OneLogin.

[Figure: SSO configuration in OneLogin]

idpIssuer
The idpIssuer is the Issuer URL in OneLogin.

idpLoginEndpoint
The idpLoginEndpoint is the SAML 2.0 Endpoint (HTTP) in OneLogin.

idpCertificate
This is the certificate that OneLogin uses to sign the SAML requests. Below the X.509 Certificate field in OneLogin there is a View Details button. Click this button and you will be redirected to a page where you can download the certificate.

[Figure: Click "View Details" to access the certificate]

[Figure: Downloading the IDP certificate]

After downloading the certificate, you need to base64 encode it without newlines. In Linux, you can do this by running the following command:

cat ./path-to-file | base64 -w0

The output of the command above should be used as the idpCertificate.

idpLogoutEndpoint
The idpLogoutEndpoint is the SLO Endpoint in OneLogin.


You can now send the POST request to Cognigy.AI with the information you collected from OneLogin. An example payload is below:

{
    "idpLoginEndpoint": "https://cognigy.onelogin.com/trust/saml2/http-post/sso/******",
    "idpCertificate": "<output of the base64 command above: the downloaded certificate file, base64 encoded on a single line>",
    "idpIssuer": "https://app.onelogin.com/saml/metadata/31beeb04-********-b8aa-b637b4fbfc01",
    "idpLogoutEndpoint": "https://cognigy.onelogin.com/trust/saml2/http-redirect/slo/******"
}
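
A pre-flight check for the payload described above, as an added example (not Cognigy's or OneLogin's code): it reproduces the `base64 -w0` encoding in Python and flags the usual mistakes before the request is sent. The function names, the https requirement on the two endpoints and the sample PEM are assumptions of this example; the sample is constructed and is not a real certificate.

```python
import base64
from urllib.parse import urlparse

REQUIRED = ("idpIssuer", "idpLoginEndpoint", "idpCertificate", "idpLogoutEndpoint")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample, NOT a real certificate: a few DER-like bytes in PEM framing.
SAMPLE_PEM = "\n".join(
    [PEM_BEGIN, base64.b64encode(b"\x30\x82\x00\x04test").decode(), PEM_END, ""]
)


def encode_certificate(pem_text):
    """Same result as `base64 -w0` over the downloaded PEM file: one line."""
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def check_payload(payload):
    """Return a list of problems; an empty list means the payload is well formed."""
    problems = [f"missing or empty field: {k}" for k in REQUIRED if not payload.get(k)]
    for key in ("idpLoginEndpoint", "idpLogoutEndpoint"):
        value = payload.get(key)
        if value:
            url = urlparse(value)
            if url.scheme != "https" or not url.netloc:
                problems.append(f"{key} is not an https URL")
    cert = payload.get("idpCertificate")
    if not cert:
        return problems
    if any(ch.isspace() for ch in cert):
        problems.append("idpCertificate contains newlines or other whitespace")
        return problems
    try:
        # The field holds base64 of the whole PEM text, so decoding must give ASCII.
        pem = base64.b64decode(cert, validate=True).decode("ascii").strip()
        lines = pem.splitlines()
        framed = lines[0] == PEM_BEGIN and lines[-1] == PEM_END
        der = base64.b64decode("".join(lines[1:-1]), validate=True) if framed else b""
    except (ValueError, IndexError):
        problems.append("idpCertificate is not base64 of a PEM certificate file")
        return problems
    if not framed:
        problems.append("decoded idpCertificate lacks the PEM BEGIN/END lines")
    elif not der.startswith(b"\x30"):
        # Every X.509 certificate is a DER SEQUENCE, which starts with byte 0x30.
        problems.append("PEM body does not decode to DER certificate data")
    return problems
```

Pasting the certificate text from the OneLogin X.509 field directly, or encoding with line wrapping, are the two cases the certificate checks catch.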

Configuring User Roles

In order to configure user roles for the users in Cognigy.AI, you either have to add the supported roles as User Roles in OneLogin, or assign the role to each user of your app manually. Alternatively, you can also assign one global role to your app by using a Macro so that all users have the same role within Cognigy.AI.

The supported roles within Cognigy.AI are as follows: admin, apiKeys, base_role, livechat, odata, projectManager and userManager. You can read more about user roles here: Access Control

Editing User Roles in OneLogin

To edit the user roles within OneLogin, navigate to Users > Roles and click on New Role. In the text field that appears, input one of the supported Cognigy.AI roles as listed above and assign your app to the role.

[Figure: Creating a new role in OneLogin]

Adding User Roles Manually

You can also manually add the roles to each user who uses the app. To do this, navigate to your app in OneLogin and click on the Users tab. Here you can click on each user assigned to your app and change their role manually. However, this will display warnings.

[Figure: Manually editing roles for users in OneLogin]

You're now done configuring Single Sign-on for OneLogin, and your users can now log in to Cognigy.AI through OneLogin.

