{"id":4751,"date":"2025-02-28T14:22:13","date_gmt":"2025-02-28T13:22:13","guid":{"rendered":"https:\/\/help.ino.cx\/?post_type=ht_kb&#038;p=4751"},"modified":"2026-02-12T14:58:17","modified_gmt":"2026-02-12T13:58:17","slug":"configuring-single-sign-on-sso","status":"publish","type":"ht_kb","link":"https:\/\/help.ino.cx\/index.php\/help-center\/configuring-single-sign-on-sso\/","title":{"rendered":"Configuring Single Sign-On (SSO)"},"content":{"rendered":"\n<figure class=\"wp-block-image alignright is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1080\" height=\"400\" src=\"https:\/\/help.ino.cx\/wp-content\/uploads\/2024\/09\/Smart-licence-needed-2.png\" alt=\"\" class=\"wp-image-3984\" style=\"width:250px\"\/><\/figure>\n\n\n\n<p>[<em>Reading time: 3 minutes<\/em>]<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"overview\">Overview<\/h2>\n\n\n\n<p><strong>Single Sign-On (SSO)<\/strong> is a mechanism that allows a user to log in once and access multiple applications without having to re-enter their credentials each time.<\/p>\n\n\n\n<p>Example: If you log in once with your Google account, you can access Gmail, YouTube, and Google Drive without logging in again.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1283\" height=\"1216\" src=\"https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/02\/undraw_connected_0xor.png\" alt=\"\" class=\"wp-image-4753\" style=\"width:250px\"\/><\/figure>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No need to remember multiple passwords<\/li>\n\n\n\n<li>Saves time<\/li>\n\n\n\n<li>Reduces the risk of password theft<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring SSO on INO cx<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisites<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>username<\/strong> must be in email format and match the one defined in your SSO Provider (Google, Azure, Okta, etc.).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Creating an SSO connector<\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>In the <strong>Maker<\/strong> module, click on SSO connectors module. <\/li>\n\n\n\n<li>Create an <strong>SSO plugin<\/strong> by filling in the following parameters:\n<ul class=\"wp-block-list\">\n<li style=\"font-size:16px\"><strong>Name<\/strong>: Give a name to your connector.<\/li>\n\n\n\n<li><strong>Reference<\/strong>: A unique identifier for the connector. Allowed special characters are _ . + &#8211; @ <\/li>\n\n\n\n<li><strong>Type<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>SAML v2<\/strong> is a standard authentication protocol that allows exchanging information between an identity provider (IdP) and an application.<\/li>\n\n\n\n<li><strong>OAUTH 2<\/strong> is an authorization framework that allows applications to obtain limited access to user accounts on an HTTP service, without sharing the user\u2019s credentials. Instead, the application receives an access token from the identity provider.<\/li>\n\n\n\n<li><em>Note: SAML v2 is an authentication protocol mainly used in enterprise environments. It allows your agents to log in to INO cx using their corporate identity (e.g. via Azure AD, Okta, Google Workspace) without creating a separate password. OAuth2 is an authorization framework. It is typically used when INO cx needs to connect to external applications (e.g. Salesforce, Hubspot, Zoho CRM) and access data on behalf of the user, using an access token instead of a password.<\/em><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span style=\"text-decoration: underline;\">FOR SAML v2:<\/span>\n<ul class=\"wp-block-list\">\n<li><strong>Issuer URL<\/strong>: The identity provider (IdP) URL, identifying the entity sending SSO requests.\n<ul class=\"wp-block-list\">\n<li>Example: <code>https:\/\/accounts.google.com\/o\/saml2?idpid=XXXXXXXXX<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Endpoint<\/strong>: The URL to which INO cx sends SSO requests to authenticate users.\n<ul class=\"wp-block-list\">\n<li>Example: <code>https:\/\/accounts.google.com\/o\/saml2\/idp?idpid=XXXXXXXXX<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>SAML Identifier Format<\/strong>: A unique identifier sent to the IdP to validate the user.\n<ul class=\"wp-block-list\">\n<li><strong>Certificate<\/strong>: A security certificate provided by the IdP to ensure secure communication.\n<ul class=\"wp-block-list\">\n<li>Expected format: A text starting with <code>-----BEGIN CERTIFICATE-----<\/code> and ending with <code>-----END CERTIFICATE-----<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Identity (EntityID)<\/strong>: <a href=\"https:\/\/{{domain}}.ino.cx\/api\/saml\/metadata\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/{{domain}}.ino.cx\/api\/saml\/metadata<\/a><\/li>\n\n\n\n<li><strong>Reply URL (ACS)<\/strong>: <a href=\"https:\/\/{{domain}}\/.ino.cx\/api\/sso\/login\/callback\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/{{domain}}\/.ino.cx\/api\/sso\/login\/callback<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span style=\"text-decoration: underline;\">FOR OAUTH 2<\/span>:\n<ul class=\"wp-block-list\">\n<li>An <strong>authentication method<\/strong> must be chosen (e.g. Hubspot, Salesforce, Zoho CRM, Zendesk Support, etc.).<\/li>\n\n\n\n<li>Each connector will redirect to the external tool for authentication.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p style=\"font-size:16px\">Mandatory fields are marked with an asterisk (*). All these parameters are provided by your <strong>Identity Provider (IdP)<\/strong>. If you don&#8217;t know where to find them, check your IdP&#8217;s documentation or ask your IT team.<\/p>\n<\/blockquote>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"479\" height=\"636\" src=\"https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/09\/Capture-decran-2025-09-09-a-11.00.16.png\" alt=\"\" class=\"wp-image-5380\" style=\"width:350px\" srcset=\"https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/09\/Capture-decran-2025-09-09-a-11.00.16.png 479w, https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/09\/Capture-decran-2025-09-09-a-11.00.16-226x300.png 226w, https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/09\/Capture-decran-2025-09-09-a-11.00.16-38x50.png 38w, https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/09\/Capture-decran-2025-09-09-a-11.00.16-45x60.png 45w, https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/09\/Capture-decran-2025-09-09-a-11.00.16-75x100.png 75w\" sizes=\"auto, (max-width: 479px) 100vw, 479px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Linking a user to an SSO connector<\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>In the Maker, go to the <strong>User<\/strong> module.<\/li>\n\n\n\n<li>Open the <strong>User card<\/strong>.<\/li>\n\n\n\n<li>In the <strong>SSO connectors<\/strong> tab, associate the user&#8217;s account with one or more SSO connectors.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2844\" height=\"1180\" src=\"https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/02\/SSO-connector.png\" alt=\"\" class=\"wp-image-4757\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Generating the login URL<\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Return to SSO connectors list.<\/li>\n\n\n\n<li>Click the cogged wheel next to the connector.<\/li>\n\n\n\n<li>Click <strong>&#8220;Copy the login address used on INO cx&#8221;<\/strong>.<\/li>\n\n\n\n<li>A new login URL is generated. Share this URL with users so they can log in via SSO.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"714\" height=\"454\" src=\"https:\/\/help.ino.cx\/wp-content\/uploads\/2025\/02\/Capture-de\u0301cran-2025-02-25-a\u0300-14.56.06.png\" alt=\"\" class=\"wp-image-4759\" style=\"width:250px\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Managing SSO connectors<\/h3>\n\n\n\n<p>From the <strong>SSO connectors<\/strong> module, you can view and manage all existing connectors.<\/p>\n\n\n\n<p>The list displays:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Name<\/li>\n\n\n\n<li>Reference<\/li>\n\n\n\n<li>Type (SAML V2 \/ OAUTH2)<\/li>\n\n\n\n<li>Authentication method (for OAUTH2)<\/li>\n\n\n\n<li>Issuer URL (for SAML V2)<\/li>\n\n\n\n<li>Endpoint (for SAML V2)<\/li>\n\n\n\n<li>SAML identifier format  (for SAML V2)<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Identifier and Reply URL<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identifier (or Entity ID): What is the application?<\/h3>\n\n\n\n<p>The <strong>Identifier<\/strong> is a unique identity used to identify your application to the IdP. It ensures that the IdP is exchanging information with the correct application.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Example<\/strong>: <code>https:\/\/yourclientdomain.com\/api\/saml\/metadata<\/code> (replace with your own domain).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reply URL (or ACS URL, Assertion Consumer Service): Where to redirect the user after login?<\/h3>\n\n\n\n<p>The <strong>Reply URL<\/strong> is the address where the IdP redirects the user after a successful authentication. This is where the application retrieves and validates authentication information.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Example<\/strong>: <code>https:\/\/yourclientdomain.com\/api\/sso\/login\/callback<\/code> (replace with your own domain).<\/li>\n<\/ul>\n\n\n\n<p>These two elements are essential for setting up a <strong>secure SSO<\/strong> with an Identity Provider! <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[Reading time: 3 minutes] Overview Single Sign-On (SSO) is a mechanism that allows a user to log in once and access multiple applications without having to re-enter their credentials each time. Example: If you log in once with your Google account, you can access Gmail, YouTube, and Google Drive without&#8230;<\/p>\n","protected":false},"author":5,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[107],"ht-kb-tag":[],"class_list":["post-4751","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-configuring"],"_links":{"self":[{"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/ht-kb\/4751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/comments?post=4751"}],"version-history":[{"count":14,"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/ht-kb\/4751\/revisions"}],"predecessor-version":[{"id":6050,"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/ht-kb\/4751\/revisions\/6050"}],"wp:attachment":[{"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/media?parent=4751"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/ht-kb-category?post=4751"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/help.ino.cx\/index.php\/wp-json\/wp\/v2\/ht-kb-tag?post=4751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}