
Single Sign On with SAML

Set up an SSO connection to your Go1 Platform with your SAML Identity Provider.

Updated this week

Single Sign On is a means for users of Go1 to sign in to their account using existing account details from a compatible platform.

Setting up SSO

Before you begin, we suggest involving your IT department to support you in enabling SSO. If you have questions, read our Single Sign On FAQ page or check in with your Implementation Project Manager.

1. Configure Go1 connection for your Identity Provider

Your SSO team will need to set up part of the SSO connection on your SSO platform (Identity Provider) prior to completing the steps below in your Go1 platform.

Create a connection for Go1 with:

  • Assertion Consumer URL/Reply URL:
    https://auth-go1-sso-user-pool-prod-1.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse

  • SP Entity ID:
    urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK

  • Default RelayState: Optional. If you want to support the IdP-initiated flow, enter the following, replacing {customer-portal-id} with an ID the Go1 team will supply for you. You can also retrieve this by downloading the metadata on the Go1 Single Sign On setup page.
    identity_provider=saml-{customer-portal-id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK

  • Attributes: Please note ALL below attributes need to be set up.

After setup has been completed in your IdP, copy the Login URL, x.509 Certificate and Entity ID for the Go1 setup.
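
The Default RelayState is easy to mistype or to paste with the placeholder still in it. The following check is an added example, not Go1's own code: it compares a RelayState string against the values published on this page, and assumes only that the portal ID contains no braces or spaces (the sample portal ID 123456 is constructed).

```python
from urllib.parse import parse_qs

# Values copied from this page (Go1 production user pool).
SP_ENTITY_ID = "urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK"
POOL_ID = SP_ENTITY_ID.rsplit(":", 1)[1]
EXPECTED = {
    "client_id": "33hckk53i9d9hn55djs3j1hk5",
    "scope": "openid",
    "response_type": "code",
    "redirect_uri": "https://api.go1.co/sso/saml/cognito-callback/" + POOL_ID,
}


def check_relay_state(relay_state):
    """Return a list of problems in a Default RelayState value ([] if none)."""
    problems = []
    # parse_qs also decodes percent-encoding, for IdPs that store it encoded.
    params = parse_qs(relay_state.strip(), keep_blank_values=True)
    for name in ("identity_provider", *EXPECTED):
        values = params.get(name, [])
        if len(values) != 1:
            problems.append(f"{name}: expected exactly one value, found {len(values)}")
    if problems:
        return problems
    for name in sorted(set(params) - set(EXPECTED) - {"identity_provider"}):
        problems.append(f"{name}: unexpected parameter")
    # Fixed parameters must match the published values exactly; a near-miss
    # redirect_uri (different host, extra path) is a configuration error.
    for name, want in EXPECTED.items():
        if params[name][0] != want:
            problems.append(f"{name}: expected {want!r}, found {params[name][0]!r}")
    # identity_provider is "saml-" plus the portal ID supplied by Go1.
    idp = params["identity_provider"][0]
    portal_id = idp[len("saml-"):] if idp.startswith("saml-") else ""
    if not portal_id or any(c in portal_id for c in "{} \t"):
        problems.append("identity_provider: replace the placeholder with saml-<portal ID>")
    return problems


# Constructed sample: "123456" stands in for a real portal ID.
SAMPLE = ("identity_provider=saml-123456&client_id=33hckk53i9d9hn55djs3j1hk5"
          "&scope=openid&response_type=code&redirect_uri="
          "https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK")

if __name__ == "__main__":
    for issue in check_relay_state(SAMPLE) or ["RelayState matches the published values"]:
        print(issue)
```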

Okta

Create a SAML app in Okta

  1. Open the Okta Developer Console (You need to have admin access).

  2. In the navigation menu, expand Applications, and then choose Applications.

  3. Choose Create App Integration.

  4. In the Create a new app integration menu, choose SAML 2.0 as the Sign-in method.

  5. Choose Next.

Configure SAML integration for your Okta app

  1. On the Create SAML Integration page, under General Settings, enter a name for your app.

  2. (Optional) Upload a logo and choose the visibility settings for your app.

  3. Choose Next.

  4. Under GENERAL, for Single sign on URL (some IdPs other than Okta call this the Reply URL or Assertion Consumer Service URL), enter:

    https://auth-go1-sso-user-pool-prod-1.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse

  5. For Audience URI (SP Entity ID) (some IdPs other than Okta call this the Identifier or Entity ID), enter:

    urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK

  6. Default RelayState is optional. If you want to support the IdP-initiated flow, enter:

    identity_provider=saml-{customer-portal-id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK

    Alternatively, you can download the Metadata and copy the RelayState located at the bottom of the file (which includes portal_id).

  7. Under ATTRIBUTE STATEMENTS, add a statement with the attributes in the Attributes table above.

  8. For all other settings on the page, leave them as their default values or set them according to your preferences.

  9. Choose Next.

  10. Choose a feedback response for Okta Support.

  11. Choose Finish.

  12. Copy separately to use in the next steps on Go1:

  • Sign on URL → Login URL in Go1

  • Signing Certificate → X.509 Certificate in Go1

  • Issuer → Entity ID in Go1

  • Sign out URL → Logout URL in Go1

2. Connect your SSO to Go1

  1. Log in to an administrator account on your Go1 Platform.

  2. Access the Integrations page by clicking your initials in the top-right navigation, followed by Integrations.

  3. Select from the left-hand menu the tab: Single Sign-On.

  4. From the Single sign-on settings, check the box: Enable Single sign-on

After checking the box, complete the fields with the information from your Identity Provider setup. Note that some fields are optional.

  • Login URL: Copy the URL from your Identity Provider

  • x.509 Certificate: Copy the public x.509 certificate (SAMLP server public key encoded in PEM or CER format) from your IdP's SSO setup. Note that the certificate must be enclosed by the BEGIN header and END footer shown below:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

  • Logout URL: Choose where to direct users when they log out of the Go1 platform. If you set it here, please leave it blank in Settings > Portal information.

  • Entity URL: enter the Entity URL from your IdP

    • If you want to set up the IdP-initiated flow in your Identity Provider with your portal-specific Default RelayState, enter the Go1 Entity URL: urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK and check the box below.

  • Accept Requests from IdP-initiated SSO Behaviour: Check this box if you want to have users access Go1 via your identity provider and use Go1's Entity URL above.

  • Field Mapping: Map your IdP's attributes to Go1 using key:value pairs. The keys must match the Go1 keys below, and the field/attribute name should be obtained from your IdP and match what was created during step 1 above.

{
"email":"{Your IDPs field/attribute name}", // Mandatory
"family_name":"{Your IDPs field/attribute name}", // Optional
"given_name":"{Your IDPs field/attribute name}" // Optional
}

Example, if set up per the Prep Work steps above:

{
"email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"family_name":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"given_name":"{Your IDPs field/attribute name}"
}

Select Submit to create a connection with Go1. After selecting submit, you will see the Post back URL and Entity ID fields appear. Go to the next section to complete the SSO setup.
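
SAML metadata files carry the IdP certificate as bare base64, without the BEGIN and END lines. This added example (not Go1's code) normalises a pasted certificate to the form the x.509 Certificate field above expects and computes a SHA-256 fingerprint to compare with the fingerprint of the certificate in your IdP; it checks only the base64 encoding and the leading DER tag, and the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib
import re
import ssl

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def certificate_der(text):
    """Decode a certificate pasted as PEM or as bare base64 into DER bytes."""
    body = text.strip()
    if body.startswith(HEADER) != body.endswith(FOOTER):
        raise ValueError("BEGIN header and END footer must both be present")
    if body.startswith(HEADER):
        body = body[len(HEADER):-len(FOOTER)]
    # Drop line breaks and spaces introduced by copy/paste (including CRLF).
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def to_pem(text):
    """Return the certificate with header, footer and 64-character lines."""
    return ssl.DER_cert_to_PEM_cert(certificate_der(text))


def sha256_fingerprint(text):
    """SHA-256 over the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.sha256(certificate_der(text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed placeholder bytes (not a real certificate), as bare base64.
SAMPLE_BARE = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(256))).decode()

if __name__ == "__main__":
    print(to_pem(SAMPLE_BARE), end="")
    print("SHA-256:", sha256_fingerprint(SAMPLE_BARE))
```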

Customising your SSO sign-up button

Administrators can also customise the button text that displays on your Go1 Platform's sign-in page, which by default says "Login with Identity Provider". This will only be visible if you have multiple SSO connections or have the option to log in with username/password turned on.

Type the text into the field provided to see a preview and then click Save to apply that change.

Please note, in some instances, custom configuration may be required on Go1’s authorisation platform Cognito. Please speak to your Implementation Project Manager or Go1 Support before making changes to an existing SSO setup.

Final configurations

Once your connection is successfully configured and tested you may also choose to enable/disable two additional settings that can be found under the Go1 platform Settings page.

To find these go to your avatar in the top right-hand corner > choose Settings > choose Configuration from the left-hand menu > under Enabled Applications you will see the following:

  • Hide login with email option

    • This makes SSO the only option to access your Go1 platform and auto-redirects users to SSO login.

  • Disallow Register via SSO

    • Go1 enables just-in-time provisioning by default on all SSO connections; this can be disabled here.
