Configure SAML for Single Sign On to an Organisation

General Instructions:

Coggle Organisations support SAML to allow your Organisation Members to log in to your Organisation using their existing Single Sign On account.

To set up Single Sign On (SSO), your SSO provider must support SAML 2.0.

  1. First create your Organisation by logging in with a Google, Microsoft, or Apple account (if necessary this account can be removed later, leaving access only via Single Sign On).
  2. In your SSO provider, select the Coggle application. (If your SSO provider doesn't have a pre-built app for Coggle yet, see below for the settings required, or email orgs@coggle.it for assistance.)
  3. Open the Organisation's settings, and switch to the authentication tab.
  4. In the SAML section of the authentication tab, add the Certificate and the Entry point / SSO URL from your identity provider's Coggle application.
  5. Save the settings, and the login URL for your Single Sign On users will be displayed. This is the URL that you should share with your SSO users, and which they use to access your Organisation (they cannot log in from the normal Coggle homepage).

When users log in via your Organisation's login URL they will be taken to your SSO provider to authenticate, and then returned to Coggle once they are logged in.

Depending on your SSO provider you might need to assign or provision users to the Coggle app before they can log in. Anyone you allow to log in to the Coggle app via Single Sign On is automatically added to your Organisation's members list the first time they log in; they do not need to be invited separately.

Coggle's SAML settings for use where a pre-built application isn't available:

  • SP-initiated login flow is preferred; IdP-initiated login is also supported.
  • Coggle uses the HTTP-Redirect binding for requests to the identity provider.
  • Audience: https://coggle.it
  • Callback / SSO URL / Recipient / Destination URL and ACS URL: https://coggle.it/auth/saml/callback
  • SP Login URL: as displayed in your Organisation dashboard (see above)
  • Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • Assertion Signature: enabled
  • Response Signature: enabled (both the assertion and the response should be signed)
  • Assertion Encryption: disabled
  • Attribute statements:
    • email : user's email address
    • firstName : user's first name
    • lastName : user's last name
  • ACS URL Validator: ^https://coggle\.it/auth/saml/callback$
  • Entity ID: https://coggle.it
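As an added example (not Coggle's own code), the following Python pre-flight check parses a SAML Response captured from your identity provider and reports every setting that differs from the list above: Destination against the ACS URL validator, Audience, persistent NameID format, signatures present on both Response and Assertion, no encrypted assertion, and the three required attributes. It checks structure only; actual signature verification is left to a proper SAML library, and the sample response embedded below is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENTITY_ID = "https://coggle.it"
ACS_VALIDATOR = re.compile(r"^https://coggle\.it/auth/saml/callback$")
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = {"email", "firstName", "lastName"}

def check_response(xml_text):
    """List every mismatch against the settings above (empty list = conforming)."""
    problems = []
    resp = ET.fromstring(xml_text)
    if not ACS_VALIDATOR.match(resp.get("Destination", "")):
        problems.append("Destination does not match the ACS URL validator")
    if resp.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if resp.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("Assertion is encrypted; encryption must be disabled")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain Assertion element in Response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != ENTITY_ID:
        problems.append("Audience is not " + ENTITY_ID)
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != NAMEID_PERSISTENT:
        problems.append("NameID Format is not persistent")
    attrs = assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    missing = REQUIRED_ATTRS - {a.get("Name") for a in attrs}
    if missing:
        problems.append("missing attributes: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample of a conforming IdP response; signature bodies are omitted
# because only their presence (not their validity) is checked here.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://coggle.it/auth/saml/callback"><ds:Signature/><saml:Assertion>
<ds:Signature/><saml:Subject><saml:NameID
 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-123</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://coggle.it</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="email"/><saml:Attribute Name="firstName"/><saml:Attribute Name="lastName"/>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Run `check_response()` on a response your IdP's test or preview feature produces; a non-empty list names the setting to fix on the IdP side before users try the login URL.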