Single Sign On is a means for users of Go1 to sign in to their account using existing account details from a compatible platform.
Setting up SSO
Before you begin, we suggest involving your IT department to support you in enabling SSO. If you have questions, read our Single Sign On FAQ page or check in with your Implementation Project Manager.
Prep Work
Your SSO team will need to set up part of the SSO connection on your SSO platform (Identity Provider) prior to completing the steps below in your Go1 platform.
Your connection will need a Login URL and Entity ID; these will be generated by Go1 after you have connected your SSO to your Go1 platform (see below).
If you want to support IDP-initiated flow, which is optional, you'll need to set the Default RelayState. Enter the following, replacing {customer-portal-id} with an ID the Go1 team will supply for you:
identity_provider=saml-{customer-portal-id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK
The following user attributes need to be configured in your Identity Provider. Please note that ALL of the attributes below need to be set up.
| Name | Name format | Value |
| | Unspecified | user.email |
| | Unspecified | user.firstName |
| | Unspecified | user.lastName |
Configure Go1 connection for your Identity Provider
Copy information from your IDP into the Go1 Single sign-on configuration screen
Okta
Create a SAML app in Okta
Open the Okta Developer Console (You need to have admin access).
In the navigation menu, expand Applications, and then choose Applications.
Choose Create App Integration.
In the Create a new app integration menu, choose SAML 2.0 as the Sign-in method.
Choose Next.
Configure SAML integration for your Okta app
On the Create SAML Integration page, under General Settings, enter a name for your app.
(Optional) Upload a logo and choose the visibility settings for your app.
Choose Next.
Under GENERAL, for Single sign on URL (labelled Reply URL (Assertion Consumer Service URL) in some IdPs other than Okta), enter:
https://auth-go1-sso-user-pool-prod-1.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
For Audience URI (SP Entity ID) (labelled Identifier (Entity ID) in some IdPs other than Okta), enter:
urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK
Default RelayState is optional; if you want to support the IDP-initiated flow, enter:
identity_provider=saml-{customer-portal-id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK
Alternatively, you can download the Metadata and copy the RelayState located at the bottom of the file (which includes portal_id).
Under ATTRIBUTE STATEMENTS, add a statement with the following information:
Login URL → Sign on URL in Okta
X.509 Certificate → Signing Certificate in Okta
Entity ID → Issuer in Okta
Logout URL → Sign out URL in Okta
Connect your SSO to Go1
Log in to an administrator account on your Go1 Platform.
Access the Integrations page by clicking your initials in the top-right navigation, followed by Integrations.
Select from the left-hand menu the tab: Single Sign-On.
From the Single sign-on settings, check the box: Enable Single sign-on
After checking the box, complete the fields with the information provided from your Identity Provider setup. Note that some are optional.
Login URL: Copy the URL from your Identity Provider
x.509 Certificate: Copy the public x.509 certificate (SAMLP server public key encoded in PEM or CER format) from your IdP's SSO setup. Note that the BEGIN header and END footer below must surround the x.509 certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Logout URL: Choose where to direct users when they log out of the Go1 platform. If setting it here, please leave it blank in Settings > Portal information.
Entity URL:
urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK
If you want to support the IDP-initiated flow, enter the Entity URL from your IdP and check the box below.
Accept Requests from IdP-initiated SSO Behaviour: Check this box if you want to have users access Go1 via your identity provider and use Go1's Entity URL above.
Field Mapping: Map your IdP's attributes to Go1 using key:value pairs. The keys must match the Go1 keys below, and the field/attribute name should be obtained from your IDP and match what was created during the Prep Work steps above. The email key is mandatory; family_name and given_name are optional.
{
"email":"{Your IDPs field/attribute name}",
"family_name":"{Your IDPs field/attribute name}",
"given_name":"{Your IDPs field/attribute name}"
}
Example, if set up per the Prep Work steps above:
{
"email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"family_name":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"given_name":"{Your IDPs field/attribute name}"
}
Select Submit to create a connection with Go1. After selecting submit, you will see the Post back URL and Entity ID fields appear. Go to the next section to complete the SSO setup.
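A pre-flight check for the three values pasted during this setup (Default RelayState, x.509 certificate and Field Mapping), added here as an example and not Go1's own code. The function names are hypothetical, and the code assumes that the Field Mapping field expects strict JSON and that a portal ID contains no whitespace or braces; the certificate check only verifies the PEM framing and computes a fingerprint, it does not parse the certificate.

```python
import base64, hashlib, json, re
from urllib.parse import parse_qs

# Documented values from this page; {portal_id} stands for the Go1-supplied ID.
RELAY_TEMPLATE = (
    "identity_provider=saml-{portal_id}&client_id=33hckk53i9d9hn55djs3j1hk5"
    "&scope=openid&response_type=code&redirect_uri="
    "https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK")
GO1_KEYS = {"email", "family_name", "given_name"}  # only "email" is mandatory
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def check_relay_state(value):
    """Problems in a Default RelayState string (empty list means it matches)."""
    got, want = parse_qs(value), parse_qs(RELAY_TEMPLATE.format(portal_id="x"))
    problems = []
    for key, expected in want.items():
        if key == "identity_provider":
            # Assumption: a portal ID has no whitespace or braces.
            if not re.fullmatch(r"saml-[^\s{}]+", got.get(key, [""])[0]):
                problems.append("identity_provider: placeholder not replaced")
        elif got.get(key) != expected:
            problems.append(f"{key}: differs from the documented value")
    return problems

def check_certificate(pem):
    """Return (problems, SHA-256 fingerprint of the DER bytes or None)."""
    match = PEM_RE.fullmatch(pem.strip())
    if not match:
        return ["BEGIN/END CERTIFICATE lines missing or misplaced"], None
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:
        return ["certificate body is not valid base64"], None
    return [], hashlib.sha256(der).hexdigest()

def check_field_mapping(text):
    """Problems in the Field Mapping value, parsed as strict JSON."""
    try:
        mapping = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(mapping, dict):
        return ["mapping must be a JSON object"]
    problems = [f"{k}: not a Go1 key" for k in sorted(mapping.keys() - GO1_KEYS)]
    if "email" not in mapping:
        problems.append("email: mandatory key missing")
    problems += [f"{k}: placeholder not replaced" for k, v in mapping.items()
                 if not isinstance(v, str) or not v or "{" in v]
    return problems
```

If your IdP displays a SHA-256 fingerprint for its signing certificate, compare it with the value returned by check_certificate before submitting.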
Customising your SSO sign-up button
Administrators can also customise the button text that displays on your Go1 Platform's sign-in page, which by default says "Login with Identity Provider". This will only be visible if you have multiple SSO connections or have the option to login with username/password on.
Type the text into the field provided to see a preview and then click Save to apply that change.
Please note, in some instances, custom configuration may be required on Go1’s authorisation platform Cognito. Please speak to your Implementation Project Manager or Go1 Support before making changes to an existing SSO setup.
Final configurations
Once your connection is successfully configured and tested, you may also choose to enable/disable two additional settings that can be found under the Go1 platform Settings page.
To find these go to your avatar in the top right-hand corner > choose Settings > choose Configuration from the left-hand menu > under Enabled Applications you will see the following:
Hide login with email option
This makes SSO the only option to access your Go1 platform and auto-redirects users to SSO login.
Disallow Register via SSO
Go1 enables just-in-time provisioning by default on all SSO connections; this can be disabled here.



