Using Single Sign-On
SSO gives users easy access to AI for Work through your existing identity provider. With SSO, your users log on once, for example to your company account, and AI for Work automatically reuses that login when they access it.
Administrators can configure Single Sign-On (SSO) authentication for AI for Work using one of the following sign-on protocols or methods:
- OpenID Connect
- Security Assertion Markup Language (SAML)
- WS-Federation
Depending on the security your company requires, you can enable or disable Single Sign-On (SSO) for users accessing AI for Work. Turn on the Enable SSO toggle to enable Single Sign-On.
Configure Sign-on Protocol
OpenID Connect
Follow the steps below to configure SSO using the OpenID Connect protocol.
- Go to Admin Console > Security > Single Sign-On and turn on the toggle Enable SSO.
- In the Select a suitable Sign-On Protocol section, select OpenID Connect.
- In the Configure section, select an identity provider, for example, Sign in with Google.
- Optionally, turn on the Configure service account for your G-Suite domain toggle and then define the settings:
  - Client Email
  - Admin Email
  - Private key
- Click Save.
- The Identity Provider information successfully updated message is displayed at the top of the page.
WS-Federation
Follow the steps below to configure SSO using the WS-Federation protocol.
- Go to Admin Console > Security > Single Sign-On and turn on the toggle Enable SSO.
- In the Select a suitable Sign-On Protocol section, select WS-Federation.
- In the Configure section, select an identity provider, and then define the settings for:
  - Windows Azure®
    - Azure AD sign-on endpoint URL – The URL that AI for Work must use for sign-on and sign-out requests using Azure.
    - Azure AD Federation metadata Document – The URL for the federation metadata document used for authentication with Azure Active Directory.
  - Other – Generic WS-Federation identity provider configuration, other than Azure.
    - AD Sign-On endpoint URL – The URL that AI for Work must use for sign-on and sign-out requests using your WS-Federation identity provider.
    - AD Federation metadata Document URL – The URL for the WS-Federation metadata document used for authentication with Active Directory.
- Click Save.
SAML
Security Assertion Markup Language (SAML) is a standard protocol for web browser Single Sign-On (SSO) using secure tokens. SAML eliminates passwords and uses standard cryptography and digital signatures to pass secure sign-in tokens from an identity provider to a SaaS application.
SAML provides a solution to allow your identity provider and service provider to exist separately. When a user logs into a SAML-enabled application, the service provider requests authorization from the appropriate identity provider. The identity provider authenticates the user's credentials and then returns the authorization for the user to the service provider, allowing the user to access the application.
Getting Started
Setting up SAML authentication is straightforward and takes just a few configuration steps. Follow this quick setup process to enable secure access for your organization.
- Navigate to Admin Console > Security > Single Sign-On.
- Turn on the toggle Enable SSO.
- In the Select a suitable Sign-On Protocol section, select SAML.
- In the Configure section, select your identity provider and configure the settings.
Identity Provider Configurations
Choose from the supported identity providers or use a custom SAML configuration. Each provider offers specific features and integration capabilities to match your security requirements.
Okta Configuration
Okta provides enterprise-grade identity management with robust security features and seamless user experience. This configuration enables both Service Provider and Identity Provider initiated authentication flows.

| Field | Description | Required |
|---|---|---|
| Okta Single Sign-On URL | The SSO URL for Okta to enable Service Provider-initiated SAML flow. | Yes |
| Identity Provider Issuer | The entity that provides user identities, including the ability to authenticate users. | Yes |
| Certificate | The public certificate from the identity provider, stored by the service provider, is used to validate the signature on sign-in tokens issued by the identity provider. You can add multiple certificates (max 2). The platform uses the latest certificate for authorization; if it is invalid, it falls back to the older certificate. | Yes |
| ACS URL for SP-Initiated SAML Flow | The redirect URL for Service Provider-initiated SAML flow (automatically generated). | Read only |
| ACS URL for IDP Initiated SAML Flow | The account-specific URL for Identity Provider-initiated SAML flow (automatically generated). | Read only |
Setting up Okta for AI for Work SSO
To set up the AI for Work application in your Okta environment, you need to create and configure the application, configure SAML settings, and transfer authentication details.
Prerequisites: You must have already selected Okta as a SAML provider in the AI for Work Admin Console.
Steps to configure Okta:
- Log in to Okta and navigate to the Admin dashboard.
- Add Application:
  - Go to Applications > Add Application > Create Application.
  - Provide an App name and click Next.
- Configure SAML Settings:
  - In Configure SAML, provide the Single Sign-On URL from AI for Work:
    - Log in to the AI for Work Admin Console.
    - Go to Security > Single Sign-On.
    - After enabling SAML and selecting Okta, copy the ACS URL for SP-Initiated SAML Flow.
  - For on-premise accounts:
    - Use https://idproxy-dev.kore.com/authorize/callback as the Single Sign-On URL.
    - Use https://idproxy-dev.kore.com as the Audience URL.
  - Configure Attribute statements (e.g., emailId, firstName) as required.
- Complete Configuration:
  - For the ACS URL for IDP Initiated SAML Flow, check "Use this Recipient URL and Destination URL".
  - Enter the Audience URI as the ACS URL for SP-Initiated SAML Flow.
  - Click Finish.
- Copy Configuration Details:
  - Go to the Sign On tab > Settings > View Setup Instructions.
  - Copy the following to AI for Work:
    - Identity Provider Single Sign-On URL → Okta Single Sign-On URL
    - Identity Provider Issuer → Identity Provider Issuer
    - X.509 Certificate → Certificate field
- Save the configuration in AI for Work.
OneLogin Configuration
OneLogin offers a comprehensive identity platform with advanced user provisioning and access management capabilities. Configure these essential fields to establish secure communication between OneLogin and AI for Work.

| Field | Description | Required |
|---|---|---|
| SAML 2.0 Endpoint | The HTTP SSO endpoint for OneLogin to enable Service Provider-initiated SAML flow (e.g., https://app.onelogin.com/trust/saml2/http-post/sso/358111). | Yes |
| Issuer URL | The URL for the OneLogin issuer (e.g., https://app.onelogin.com/saml/metadata/358111). | Yes |
| X.509 Certificate | The public certificate from OneLogin is used to validate user signatures. You can add multiple certificates (max 2). | Yes |
| ACS URL for SP-Initiated SAML Flow | The redirect URL for Service Provider-initiated SAML flow (automatically generated). | Read only |
| ACS URL for IDP Initiated SAML Flow | The account-specific URL for Identity Provider-initiated SAML flow (automatically generated). | Read only |
Setting up OneLogin for AI for Work SSO
OneLogin's app includes a pre-configured Kore.ai application that simplifies the integration process. Follow these steps to add the application and configure the necessary authentication parameters.
- Add Kore.ai App to OneLogin:
  - Log in to OneLogin.
  - Go to APPS > Add Apps.
  - Search for "Kore.ai" and select the app.
  - Optionally customize the display name and icons.
  - Click Save.
- Configure SSO Settings:
  - Go to the SSO tab.
  - Copy the following to AI for Work:
    - OneLogin SAML 2.0 Endpoint (HTTP) → SAML 2.0 Endpoint
    - OneLogin Issuer URL → Issuer URL
- Copy Certificate:
  - Click View Details for the X.509 Certificate.
  - Copy only the certificate data (exclude the BEGIN and END header and footer lines).
  - Paste it into the AI for Work X.509 Certificate field.
- Save the configuration in AI for Work.
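The two-certificate rule from the Okta and OneLogin field tables and the instruction to paste only the certificate body, shown as an added Python example that is not part of this page or of the AI for Work product: it normalizes a pasted certificate (with or without PEM headers), enforces the limit of two certificates (latest first), computes a fingerprint an administrator can compare against the identity provider's console, and shows the latest-then-older order in which a configured certificate is matched against the one presented in a SAML response. All function names are this example's own, and the sample DER values in the comments and tests are constructed placeholders, not real certificates.

```python
import base64
import binascii
import hashlib
import re
from typing import List, Optional

MAX_CERTIFICATES = 2  # the Certificate field accepts at most two certificates, latest first
_PEM_MARKERS = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")

def normalize_certificate(pasted: str) -> str:
    """Return the bare base64 body of a certificate: no PEM headers, footers or whitespace.
    Accepts a full PEM block or a bare body with line breaks, and checks that the body
    decodes to a DER SEQUENCE (tag 0x30), which every X.509 certificate starts with.
    """
    body = "".join(_PEM_MARKERS.sub("", pasted).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so not an X.509 certificate")
    return body

def certificate_fingerprint(body: str) -> str:
    """SHA-256 fingerprint of the DER certificate, to compare with the value the IdP shows."""
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def configured_certificates(*pasted: str) -> List[str]:
    """Normalize the certificates entered in the Certificate field (latest first),
    enforcing the limit of two and rejecting the same certificate entered twice."""
    if not 1 <= len(pasted) <= MAX_CERTIFICATES:
        raise ValueError(f"between 1 and {MAX_CERTIFICATES} certificates are allowed")
    ders = [base64.b64decode(normalize_certificate(p)) for p in pasted]
    if len(set(ders)) != len(ders):
        raise ValueError("the same certificate was entered twice")
    return [base64.b64encode(d).decode() for d in ders]

def select_trusted_certificate(presented: str, trusted: List[str]) -> Optional[int]:
    """Index of the configured certificate that matches the one presented in a SAML
    response: the latest is tried first, then the older one, as the page describes.
    None means neither matches and the response must not be accepted."""
    try:
        wanted = base64.b64decode(normalize_certificate(presented))
    except ValueError:
        return None
    for index, body in enumerate(trusted):
        if base64.b64decode(body) == wanted:  # compare DER bytes, not base64 text
            return index
    return None
```

A constructed placeholder such as the DER bytes 30 03 02 01 01 (base64 "MAMCAQE=") is enough to exercise the checks; a real deployment passes the certificate copied from the identity provider.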
Bitium Configuration
Bitium specializes in cloud-based identity and access management with a focus on simplicity and security. These configuration parameters establish the trust relationship between Bitium and AI for Work for seamless authentication.

| Field | Description | Required |
|---|---|---|
| Single Sign-On URL | The HTTP SSO endpoint for Bitium to enable Service Provider-initiated SAML flow (e.g., https://www.bitium.com/7655). | Yes |
| Issuer URL | The URL for the Bitium issuer (e.g., https://bitium.com/7655/saml/82456/metadata.xml). | Yes |
| Certificate | The public certificate from Bitium used to validate user signatures. You can add multiple certificates (max 2). | Yes |
| ACS URL for SP-Initiated SAML Flow | The redirect URL for Service Provider-initiated SAML flow (automatically generated). | Read only |
| ACS URL for IDP Initiated SAML Flow | The account-specific URL for Identity Provider-initiated SAML flow (automatically generated). | Read only |
Setting up Bitium for AI for Work SSO
Integrating with Bitium's app management interface is a quick and efficient process. This involves adding the Kore.ai app and configuring its SAML authentication parameters.
- Add Kore.ai App to Bitium:
  - Log in to Bitium.
  - Go to Manage <Company Name> > Manage Apps > Add an App.
  - Search for "Kore.ai" and install the app.
- Configure SAML Authentication:
  - Go to Manage Organization > Manage Apps > Kore.ai.
  - On the Single Sign-On tab, select SAML Authentication.
  - Copy the following to AI for Work:
    - Bitium Login URL → Single Sign-On URL
    - Bitium Logout URL → Issuer URL
    - X.509 Certificate → Certificate field
- Save the configuration in AI for Work.
Other (Generic SAML Provider)
Use this option for any SAML 2.0 compliant identity provider not specifically listed above. This flexible configuration supports custom enterprise identity solutions and third-party SAML providers.

| Field | Description | Required |
|---|---|---|
| Single Sign-On URL | The HTTP SSO endpoint of your identity provider that enables Service Provider-initiated SAML flow. | Yes |
| Issuer URL | The URL for the identity provider issuer. | Yes |
| Certificate | The public certificate from your identity provider is used to validate user signatures. You can add multiple certificates (max 2). | Yes |
| ACS URL for SP-Initiated SAML Flow | The redirect URL for Service Provider-initiated SAML flow (automatically generated). | Read only |
| ACS URL for IDP Initiated SAML Flow | The account-specific URL for Identity Provider-initiated SAML flow (automatically generated). | Read only |