Single Sign-on with SAML 2.0
Cognigy.AI integrates with popular Single Sign-on (SSO) Identity Providers (IDPs), such as Azure Active Directory, OneLogin, and Okta. This integration allows users within your organization to log in to Cognigy.AI without separate credentials.
Using SSO grants access automatically, which streamlines the authentication process. Additionally, you can use the robust Access Control tool in Cognigy.AI to effectively manage the access rights of individual users and fulfill security standards. If you need SSO to comply with security standards across your organization, you can enforce login with SSO.
Get the SSO URL
To configure an SSO in your IDP, you will need the URL that is used during the SAML authentication process. The SAML requests are sent to the API service, so you should use the API domain that you have configured for your installation. The SSO URL will have the following format:
https://<api-url>/auth/saml/login/<organization-id>
For example, the api-url for the app environment is api-app.cognigy.ai. The organization-id is the id of your organization within Cognigy.AI. You can get your organizationId on the My Profile page by clicking > Copy Organization ID.
You will need the SSO URL when configuring your IDP using one of the setup guides provided.
To configure the SSO Provider with Cognigy.AI, refer to one of the specific guides for the supported IDPs. These guides provide examples of the required API requests. If your IDP is not listed, we recommend following the OneLogin guide as an example. The API request for configuring SSO with Cognigy.AI is the same, but the configuration values may vary depending on the provider.
Get the SLO URL
Warning
Single Logout is only supported with OneLogin and Microsoft Azure Active Directory:
- Service Provider initiated Single Logout is only supported with Microsoft Azure Active Directory.
- IDP initiated Single Logout is only supported with OneLogin.
To configure Single Logout for your IDP, you will need the URL that is used to process the logout request from the IDP. During the Single Logout process, the IDP will redirect to the frontend of Cognigy.AI. Therefore, you should use the frontend domain that you have configured for your installation. The SLO URL will have the following format:
https://<frontend-url>/slo/<organization-id>
For instance, the frontend URL could be app.cognigy.ai.
Learn more about connecting to your preferred SSO provider in Cognigy Help Center.
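The SSO URL uses the API domain and the SLO URL uses the frontend domain, which is easy to swap when entering them in the IDP. The check below is an added example, not Cognigy code; the function name, its parameters, and the placeholder organization ID are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Path shapes taken from the two URL formats documented above.
PREFIX = {"sso": "/auth/saml/login/", "slo": "/slo/"}

# Hosts are the page's examples; the organization ID is a constructed placeholder.
API_HOST = "api-app.cognigy.ai"
FRONTEND_HOST = "app.cognigy.ai"
ORG_ID = "000000000000000000000000"


def check_saml_url(url, kind, org_id=ORG_ID,
                   api_host=API_HOST, frontend_host=FRONTEND_HOST):
    """Return a list of problems found in a URL entered in the IDP.

    kind is "sso" or "slo"; an empty list means the URL matches the
    documented format for this installation and organization.
    """
    expected = api_host if kind == "sso" else frontend_host
    other = frontend_host if kind == "sso" else api_host
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = -1
    host = (parts.hostname or "").lower()

    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username or parts.password or port not in (None, 443):
        problems.append("unexpected userinfo or port")
    if host != expected.lower():
        if host == other.lower():
            problems.append(f"{kind} URL uses the wrong domain, expected {expected}")
        else:
            problems.append(f"unexpected host {host!r}")
    if parts.path != PREFIX[kind] + org_id:
        problems.append("path does not match the documented format for this organization")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    return problems
```

Run it against the values saved in the IDP before testing a login; a non-empty result names each mismatch.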
Change an SSO Configuration in Cognigy.AI
You can have only one SSO configuration for your organization. If you want to change the configuration, you first need to delete it and create a new one. To delete an SSO configuration, send a POST request to:
https://<api-url>/v2.0/identityprovider/reset
Read more about using the Cognigy.AI API on the API Reference Page.
Enforce Login with SSO
Enforcing login with SSO can be useful to standardize the authentication process and meet security standards within your Cognigy.AI installation. By default, you can log in to Cognigy.AI with your credentials or with SSO. However, you can enforce login with SSO for all users across either all organizations or specific ones within your installation. In this case, users can only log in with SSO.
To enforce login with SSO, proceed as follows:
- For shared SaaS installations, contact Cognigy technical support. If you use your credentials to log in, you receive an error message. To log in, enter your email address and click Sign in with SSO.
- For dedicated SaaS installations, contact Cognigy technical support. You can enforce login with SSO for:
  - The entire Cognigy.AI installation — the login with credentials is deactivated for all users. To log in, enter your email address on the login page and click Sign in with SSO.
  - Specific organizations — if you use your credentials to log in, you receive an error message. To log in, enter your email address on the login page and click Sign in with SSO.
- For on-premises installations, you can enforce login with SSO for:
  - The entire Cognigy.AI installation — set the DEACTIVATE_NON_SSO_LOGIN feature flag to true. The login with credentials is deactivated for all users. To log in, enter your email address on the login page and click Sign in with SSO.
  - Specific organizations — set the DEACTIVATE_NON_SSO_LOGIN feature flag to false and assign the organization-id to the DEACTIVATE_NON_SSO_LOGIN_ORG_WHITELIST environment variable in values.yml. If you use your credentials to log in to the organizations listed in DEACTIVATE_NON_SSO_LOGIN_ORG_WHITELIST, you receive an error message. To log in, enter your email address on the login page and click Sign in with SSO.
Log in with SSO
First time login
During the first login with SSO, you need to log in using your IDP credentials. Cognigy.AI redirects you to your configured IDP. You need to enter your IDP credentials to complete the login.
- Go to the login page and click Login with SSO.
- Enter your email in the E-Mail field.
- Click Login with SSO.
- Click Sign in with SSO.
- Go to the login page and click Login with SSO.
- Enter your email in the E-Mail field.
- Click Sign in with SSO.
More Information
- Help Center articles: