Single Sign On is a means for users of Go1 to sign in to their account using existing account details from a compatible platform.
Setting up SSO
Before you begin, we suggest involving your IT department to support you in enabling SSO. If you have questions, read our Single Sign On FAQ page or check in with your Implementation Project Manager.
1. Configure Go1 connection for your Identity Provider
Your SSO team will need to set up part of the SSO connection on your SSO platform (Identity Provider) prior to completing the steps below in your Go1 platform.
General SAML details for creating a SAML connection with Go1:
Assertion Consumer URL/Reply URL:
https://auth-go1-sso-user-pool-prod-1.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
SP Entity ID:
urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK
Default RelayState: optional. If you want to support the IdP-initiated flow, enter the following, replacing {customer-portal-id} with an ID the Go1 team will supply for you. You can also retrieve this by downloading the metadata on the Go1 Single Sign On setup page.
identity_provider=saml-{customer-portal-id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK
Attributes: Please note ALL below attributes need to be set up.
Note: If a value from your IdP is necessary in multiple Go1 fields, separate values will need to be mapped in order for Go1 SSO to ingest the field. Sending identical duplicate values will cause SSO to fail if configured.
Name | Name format | Value |
Unspecified | user.email | |
Unspecified | user.firstName | |
Unspecified | user.lastName |
After setup has been completed in your IdP, copy the Login URL, x.509 Certificate and Entity ID for the Go1 setup.
Microsoft Entra
Create a new Enterprise application in Entra
In Microsoft Entra admin center, select Applications → Enterprise applications from the left menu.
Select New application → Create your own application.
Fill in the name, select the option “Integrate any other application you don’t find in the gallery (Non-gallery)” and click Create.
Set up the connection
Navigate to Single sign-on → SAML of the created application.
Populate the Identifier (SP Entity ID), Reply URL (ACS URL) and, optionally, Relay State (Default RelayState) if using IdP-initiated login, with the above information.
Leave the Logout URL (optional) blank.
Click Save.
Edit Attributes & Claims
On the Required Claim - click to edit nameidentifier
If necessary, change the Name identifier format to: persistent
Change the Source attribute to: user.mail
Save
Add new claims with the attributes in the Attributes table above.
Retrieve the IdP Metadata
From the SAML Certificates section, copy the App Federation Metadata URL and paste into new browser page/tab.
Copy separately to use in the next steps on Go1:
SingleSignOnService → Login URL in Go1
X509Certificate → X.509 Certificate in Go1
entityID → Entity ID in Go1
SingleLogoutService (optional) → Logout URL in Go1
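The copy steps above can be scripted. The following is an added example, not Go1 or Microsoft code: it reads a saved IdP metadata file and returns the four values under the Go1 field names, with the certificate wrapped in the BEGIN/END lines the Go1 form expects. The sample metadata is constructed, and refusing a DOCTYPE and non-https URLs are this example's own checks.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: example.test URLs, placeholder bytes instead of a real certificate.
_FAKE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://idp.example.test/entity">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>{_FAKE_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Location="https://idp.example.test/slo"/>
  <SingleSignOnService Location="https://idp.example.test/sso"/>
 </IDPSSODescriptor></EntityDescriptor>"""

def go1_fields(metadata_xml):
    """Map IdP metadata to the values the Go1 SSO form asks for."""
    if "<!DOCTYPE" in metadata_xml:      # refuse DTDs so entity expansion cannot run
        raise ValueError("metadata must not contain a DOCTYPE")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def location(tag, required):
        el = idp.find(f"md:{tag}", NS)
        if el is None and not required:
            return None
        url = el.get("Location", "") if el is not None else ""
        if not url.startswith("https://"):
            raise ValueError(f"{tag}: missing or not an https URL ({url!r})")
        return url

    # Only a signing key (or one with no declared use) belongs in the Go1 form.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")]
    cert = signing[0].find(".//ds:X509Certificate", NS) if signing else None
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")
    body = "".join(cert.text.split())    # metadata may wrap the base64 across lines
    der = base64.b64decode(body, validate=True)
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(body, 64),
                     "-----END CERTIFICATE-----"])
    return {"Login URL": location("SingleSignOnService", True),
            "X.509 Certificate": pem,
            "Entity ID": root.get("entityID"),
            "Logout URL": location("SingleLogoutService", False),
            "SHA-256 fingerprint": hashlib.sha256(der).hexdigest()}
```

Compare the returned fingerprint with the certificate fingerprint your IdP console shows before pasting the certificate into Go1.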
Okta
Create a SAML app in Okta
Open the Okta Developer Console (You need to have admin access).
In the navigation menu, expand Applications, and then choose Applications.
Choose Create App Integration.
In the Create a new app integration menu, choose SAML 2.0 as the Sign-in method.
Choose Next.
Configure SAML integration for your Okta app
On the Create SAML Integration page, under General Settings, enter a name for your app.
(Optional) Upload a logo and choose the visibility settings for your app.
Choose Next.
Under GENERAL, for Single sign on URL (called Reply URL or Assertion Consumer Service URL by some IdPs other than Okta), enter:
https://auth-go1-sso-user-pool-prod-1.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
For Audience URI (SP Entity ID) (called Identifier or Entity ID by some IdPs other than Okta), enter:
urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK
For Default RelayState (optional): if you want to support the IdP-initiated flow, enter:
identity_provider=saml-{customer portal id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK
Alternatively, you can download the Metadata and copy the RelayState located at the bottom of the file (which includes portal_id).
Under ATTRIBUTE STATEMENTS, add a statement with the attributes in the Attributes table above.
For all other settings on the page, leave them as their default values or set them according to your preferences.
Choose Next.
Choose a feedback response for Okta Support.
Choose Finish.
Copy separately to use in the next steps on Go1:
Sign on URL → Login URL in Go1
Signing Certificate → X.509 Certificate in Go1
Issuer → Entity ID in Go1
Sign out URL → Logout URL in Go1
Google Suite
Create a SAML SSO app in Google Suite
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
In the Admin console, go to Menu
Click Add App > Add custom SAML app > Enter the app name and, optionally, upload an icon for your app. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.
Click Continue.
On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:
Download the IDP metadata.
Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).
Send these details to your Go1 IPM.
Click Continue.
In the Service Provider Details window, enter:
ACS URL—
https://auth-go1-sso-user-pool-prod-1.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
Entity ID—
urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK
Start URL— (Optional, but typically used for IdP-initiated flow; replace the {customer portal id} portion with the customer portal id)
identity_provider=saml-{customer portal id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK
Set Name ID format and Name ID value for your custom SAML app. The default Name ID is the primary email.
Click Continue.
Click Add mapping to map user attributes:
(Optional) To enter group names that are relevant for this app:
For Group membership (optional), click Search for a group, enter one or more letters of the group name, and select the group name.
Add additional groups as needed (maximum of 75 groups).
Regardless of how many group names you enter, the SAML response includes only groups that a user is a member of (directly or indirectly). For more information, go to About group membership mapping.
For App attribute, enter the groups attribute name of the corresponding service provider.
Click Finish.
Turn on your SAML app
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
In the Admin console, go to Menu > Apps > Web and mobile apps
Select your SAML app.
Click User access.
To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
(Optional) To turn a service on or off for an organizational unit:
At the left, select the organizational unit.
To change the Service status, select On or Off.
Choose one:
If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
Note: Learn more about organizational structure.
To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.
Changes can take up to 24 hours but typically happen more quickly.
Create a connection in Go1
Step for Go1
Go to the portal as an admin.
Add the following to the end of the portal URL:
/r/app/portal/integrations/sso-cognito?
Tick the Enable Single sign-on box, then add the customer's Sign On URL, x.509 certificate, logout URL (optional), entity ID and the mapping below, and tick “Allow IdP-initiated flow”.
Go to your portal login page, and you should see the new button called 'Identity Provider'.
5. Once tested successfully, if there are no users that need to use their email and password to log in, navigate to your initials in the right-hand corner, select Settings > Configuration, and tick “hide login with email address” under Enabled Applications.
Additional details
Troubleshooting docs: Troubleshooting Single Sign-On (SSO) Setup
If new users are created with hyphens instead of their names, try using user.Displayname instead of user.Firstname
Get a connection for portal curl request:
curl --location 'https://api.go1.co/sso/connections/36409887/aws-cognito' \
--header 'Authorization: Bearer {jwt}'
Disable the existing connection curl request (save the existing details before using this endpoint, as it removes some details):
curl --location --request PATCH 'https://api.go1.co/sso/v2/connections/{connection_id}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {jwt}' \
--data '{
"portal_id":{portal_id},
"enabled":false }'
4. Optional: To change the label of the SSO button, copy the curl below and replace the label name, portal name, and JWT.
In the below API call instead of the portal name the portal id can be used.
Step for Go1
curl --location 'https://api.go1.co/portal/{portal_name}' \
--header 'authorization: Bearer {JWT}' \
--header 'content-type: application/json;charset=UTF-8' \
--data '{"configuration.sso_button":{"go1_cognito":"{LABEL_NAME}"}}'
2. Connect your SSO to Go1
Log in to an administrator account on your Go1 Platform.
Access the Integrations page by clicking your initials in the top-right navigation, followed by Integrations.
Select from the left-hand menu the tab: Single Sign-On.
From the Single sign-on settings, check the box: Enable Single sign-on
After checking the box, complete the fields with the information provided from your Identity Provider setup. Note that some are optional.
Login URL: Copy the URL from your Identity Provider
x.509 Certificate: Copy the public x.509 certificate (SAMLP server public key encoded in PEM or CER format) from your IdP's SSO setup. Note that the BEGIN header and END footer below must surround the x.509 certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Logout URL: Choose where to direct users when they log out of the Go1 platform. If setting here, please leave blank in Settings > Portal information.
Entity URL: enter the Entity URL from your IdP
Accept Requests from IdP-initiated SSO Behaviour: Check this box if you want to have users access Go1 via your identity provider and use Go1's Entity URL above.
Field Mapping: Map your IdP's attributes to Go1 using key:value pairs. The keys must match the Go1 keys below, and the field/attribute name should be obtained from your IdP and match what was created during step 1 above.
{
"email":"{Your IDPs field/attribute name}", // Mandatory
"family_name":"{Your IDPs field/attribute name}", // Optional
"given_name":"{Your IDPs field/attribute name}" // Optional
}
Example if set up per the Prep Work steps above:
{
"email":"https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"family_name":"https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"given_name":"https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
}
Select Submit to create a connection with Go1. After selecting submit, you will see the Post back URL and Entity ID fields appear. Go to the next section to complete the SSO setup.
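A pre-submit check for the Field Mapping, as an added example that is not Go1 code: it compares the mapping with the attributes in a decoded assertion from a test login and lists what would not resolve. The sample assertion is constructed, the mapping is assumed to be plain JSON without the comments, and flagging one IdP attribute mapped to two Go1 keys is this example's reading of the note in step 1 about values needed in multiple Go1 fields.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GO1_KEYS = {"email": True, "family_name": False, "given_name": False}  # key: mandatory?
CLAIMS = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/"     # as in the example mapping

def _attr(name, value):
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            f'</saml:AttributeValue></saml:Attribute>')

# Constructed test-login assertion: the surname attribute is missing on purpose.
SAMPLE_ASSERTION = (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
                    + _attr(CLAIMS + "emailaddress", "ada@example.test")
                    + _attr(CLAIMS + "givenname", "Ada")
                    + '</saml:AttributeStatement></saml:Assertion>')

def check_mapping(mapping_json, assertion_xml):
    """Return a list of problems in a Go1 field mapping, judged against one assertion."""
    mapping = json.loads(mapping_json)
    sent = {}  # attribute Name -> list of values the IdP actually sent
    for a in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        sent[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    problems = []
    for key in sorted(mapping.keys() - GO1_KEYS.keys()):
        problems.append(f"unknown Go1 key: {key}")
    for key, mandatory in GO1_KEYS.items():
        name = mapping.get(key)
        if name is None:
            if mandatory:
                problems.append(f"{key}: mandatory key not mapped")
        elif not any(v.strip() for v in sent.get(name, [])):
            problems.append(f"{key}: IdP did not send a value for {name}")
    names = list(mapping.values())
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"{name}: mapped to more than one Go1 key")
    return problems
```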
Customising your SSO sign-up button
Administrators can also customise the button text that displays on your Go1 Platform's sign-in page, which by default says "Login with Identity Provider". This will only be visible if you have multiple SSO connections or have the option to login with username/password on.
Type the text into the field provided to see a preview and then click Save to apply that change.
Please note, in some instances, custom configuration may be required on Go1’s authorisation platform Cognito. Please speak to your Implementation Project Manager or Go1 Support before making changes to an existing SSO setup.
Final configurations
Once your connection is successfully configured and tested you may also choose to enable/disable two additional settings that can be found under the Go1 platform Settings page.
To find these go to your avatar in the top right-hand corner > choose Settings > choose Configuration from the left-hand menu > under Enabled Applications you will see the following:
Hide login with email option
This makes SSO the only option to access your Go1 platform and auto-redirects users to SSO login.
Disallow Register via SSO
Go1 enables just-in-time provisioning by default on all SSO connections; this can be disabled here.



