Skip to main content

Single Sign-On (SSO)

Allow your staff and members to log into Cobot using various identity providers.

Amanda avatar
Written by Amanda
Updated over 2 weeks ago

Cobot supports single sign-on (SSO). This means members and admins can log in using various identity providers instead of having to set up a password for Cobot. This can be set up via identity providers that support either OpenID Connect or OAuth2.

OpenID Connect is supported by some big tech companies, so your members can log in with their existing accounts. In addition, dedicated identity providers let you set up your own user management.

  • Google

  • Microsoft Azure Active Directory

  • Sign in with Apple

  • Auth0 / Okta

  • Also support social logins (Google, Facebook, LinkedIn, GitHub, etc.)

OAuth2 requires more technical knowledge but is supported by more services and open-source projects.

  • WordPress OAuth / WP OAuth Server

  • Slack

  • Facebook

  • LinkedIn

To set up SSO, click Setup » Single Sign-on » Add Provider, and follow the guides. After adding a provider, you will be given a single sign-on link to place on your website.

Optionally, links can be added to the login and signup forms on Cobot. Members who visit this link will be able to sign up and log in to this space on Cobot using said provider. The provider must support the OAuth2 or OpenID Connect protocol, which will be used to authenticate members.

Here are the configuration steps for a few popular providers:

Slack

Unfortunately, Slack's OAuth2 implementation deviates from the standard, requiring a bit of extra setup.

To set up Cobot Single Sign-on (SSO) with Slack:

Create an app on Slack: go to https://api.slack.com/apps/new

This image displays a modal window titled "Create an app," presenting two options for configuring an app's settings and scopes. The first option, "From a manifest," allows users to upload a manifest file containing the app's basic details, scopes, settings, and features. The second option, "From scratch," lets users manually configure these details through a user interface. Below these options, a help section provides links to documentation and an example for further guidance. A close button is located in the top-right corner.

Click on From scratch.

This image shows a modal window titled "name app & choose workspace" for creating a new slack app. The user is prompted to enter an app name, with "slack sign-in" already filled in. Below, they must select a workspace to develop the app in, with "cobot" currently chosen. A note warns that the workspace cannot be changed later, and if the user leaves it, they will lose access to manage the app. There's an option to sign into a different workspace. At the bottom, a disclaimer states that by creating a web api application, the user agrees to the slack api terms of service. Two buttons, "cancel" and "create app," are at the bottom-right for user action. A close button is in the top-right corner.

Give it a name and select the Slack workspace to use.

This image displays a slack app credentials page under the basic information section. It includes fields for the app id, date of app creation, client id, client secret, signing secret, and verification token. The client secret and signing secret fields are hidden by default but can be revealed using the "show" button or regenerated with the "regenerate" button. A note advises users not to share or store credentials in insecure locations. The verification token is marked as deprecated, with a recommendation to use the signing secret instead.

Copy the Client ID and Client Secret for later.

Click on OAuth & Permissions in the left column. Scroll down to Scopes.

This image shows the scopes settings for a Slack app, which define its permissions and capabilities. The page is divided into two sections: bot token scopes and user token scopes. The bot token scopes section is empty, with an option to add an OAuth scope. The user token scopes section includes two existing OAuth scopes: "identity.basic," which allows the app to view a user's identity, and "identity.email," which grants access to a user's email address. Both scopes have a delete icon next to them. There is also an option to add more OAuth scopes. A footer note explains that scopes define what API methods an app can call and what information it can access.

Under User Token Scopes add identity.basic and identity.email.

Leave this page open and open your Cobot space in a new tab. Click on SetupSingle Sign-on Add ProviderAdd OAuth 2 Provider.

Fill out the form as below:

Name:
Slack (or anything else, this will be shown on the login button)

OAuth Client ID
the Client ID from Slack

OAuth Client Secret
the Client Secret from Slack

Show link
check

Debug mode
don't check.

Authentication URL
https://slack.com/oauth/v2/authorize?user_scope=identity.basic,identity.email

Access Token Endpoint URL
https://slack.com/api/oauth.v2.access

Access Token Scope
leave blank

User Endpoint URL
https://slack.com/api/users.identity

User Email JSON Pointer
/user/email

Access Token JSON Pointer
/authed_user/access_token

Click Save.

This image shows the single sign-on settings for an application. A Slack integration is listed as the current single sign-on provider. There are options to edit or remove this provider. A blue "Add Provider" button in the top right allows adding additional sign-on providers. The page has a clean interface with a light background and simple navigation options.

Click on the link with the name you entered in the form.

This image displays Slack integration settings for a platform, showing the login URL for members and the OAuth redirect URL. Both URLs are listed in a light gray box, providing the necessary links for authentication and access. The section is labeled "Slack," indicating that it is part of the single sign-on or authentication setup for users logging in through Slack.

Copy the OAuth Redirect URL. Go back to the tab with your Slack app that you left open.

On the OAuth & Permissions page, scroll down to Redirect URLs.

This image displays the redirect URL configuration settings for a Slack integration. The section titled "Redirect URLs" explains that these URLs are necessary for generating the "Add to Slack" button and ensuring OAuth requests match an authorized URL. A pre-configured redirect URL is shown, with options to edit or delete it. Below, there is a button labeled "Add New Redirect URL" for adding additional URLs, along with a "Save URLs" button to confirm changes.

Add the redirect URL from the previous step. Click Save URLs.

Now when people try to log in to your Cobot space, they see a button Log in with Slack.

This image shows a login screen with fields for entering an email and password. Below the password field, there is a "Forgot password?" link for account recovery. Users can log in by clicking the dark gray "Log in" button. Alternatively, there is an option to log in using Slack, displayed as a separate button labeled "Log in with Slack." The design includes a visual separator with the word "or" between the two login methods.

Google

Google uses OpenID Connect which makes the setup very easy.

  • Create an app on Google

  • Create a login provider configuration on Cobot under Setup -> Single Sign-on -> Add OpenID Connect Provider

  • and fill out the form as below (add the Client ID/secret from Google):

This image displays a configuration form for setting up Google as an authentication provider using OpenID Connect. The form includes fields for entering the provider name ("Google"), OAuth Client ID, OAuth Client Secret, and the hostname ("accounts.google.com"). There is also a checkbox labeled "Show link," which is checked, indicating that a single sign-on link will appear on signup and login forms.

More information about using Google for OpenID Connect can be found here.

Microsoft Azure Active Directory B2C

Microsoft uses OpenID but not all of it so the setup is not as easy as it should be. When setting up SSO, select OAuth 2 and not OpenID Connect.

Fill out the form as below, replacing <TENANT_ID> with your tenant id from Microsoft.

Authentication URL

https://<TENANT_ID>.b2clogin.com/<TENANT_ID>.onmicrosoft.com/B2C_1A_PortaleStdFtc_SI/oauth2/v2.0/authorize

Access Token Endpoint URL

https://<TENANT_ID>.b2clogin.com/<TENANT_ID>.onmicrosoft.com/B2C_1A_PortaleStdFtc_SI/oauth2/v2.0/token

Access Token Scope

openid

User Endpoint URL

https://www.<TENANT_ID>.it/infederazioneservices/api/v1/user/currentuser

User Email JSON Pointer

/email

Access Token JSON Pointer

/id_token

For more information, click here.

Radius WiFi Integration

Please note that Single Sign-On (SSO) is not compatible with the current Radius WiFi integration (via IronWiFi).

This means that members cannot use their SSO credentials to log in to the WiFi network. Instead, they will need to create a separate password specifically for WiFi access.

We recommend sharing this information with members during onboarding to avoid confusion.

Questions? Email us at support@cobot.me.

Related Articles
Using Our API
Connecting Cobot to ROOMZ
Connecting Cobot to Luckey by Sofia Locks
Member and Admin Login Page
Did this answer your question?