Authentication (SAML 2.0)

Allow your users to authenticate using your SAML 2.0 identity provider for simple SSO. You must support user email address as the ID type with your identity provider.

Configure SAML 2.0

In your account settings, go to /dashboard/settings/integrations and under SAML config enter your:

  • SAML certificate - including the "-----BEGIN CERTIFICATE/END CERTIFICATE-----" lines;

  • entry point URL as configured within your IdP (for a Service Provider-initiated request).

This will generate a login URL in the format https://<your hosted domain>/login/saml/<provider ID> where <your hosted domain> defaults to the domain that is hosting your cobrowse account, e.g. in most cases. This URL can be used as the login page for your agents.

Configure within your identity provider

You may be required to add configuration within your identity provider.


If your SAML identity provider requires registering as an approved application, then please use the following information:

  • service provider id: cobrowseio-saml

  • ACS / Callback / Recipient / Destination / SSO URL: https://<your hosted domain>/api/1/saml/auth/callback

Please replace <your hosted domain> with when using our hosted service.

Configuring Admin users

All users who log in via SAML will, by default, have the "Support Agent" role. If you'd like to manage your Admin users through SAML, you must:

  • create a group/role named "cobrowseio_administrator" within your identity provider

  • pass this value through as an attribute in your SAML profile as a value or an array, e.g.:

    • "groups" : "cobrowseio_administrator"

    • "groups" : ["cobrowseio_administrator", "abc", "def", ...]

Configuring display names

To import the real names of your users from your SAML provider, please configure a displayName SAML assertion within your IdP for your users.

IFrame integrations

If you are running Cobrowse in your own IFrame integration, then you may optionally choose to perform the SSO within the IFrame by loading it from:

https://<your hosted domain>/api/1/saml/auth?provider=<provider ID>&redirectTo=<your URI encoded Cobrowse route>

<your hosted domain> is when using our hosted service.

The parameter <your URI encoded Cobrowse route> is the endpoint specified by your choice of IFrame embed and must be correctly URI encoded, e.g. for /code use %2Fcode.
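The URL format and encoding rule above, as an added example that is not Cobrowse code: one helper builds the IFrame SSO URL and another reviews an existing IFrame src for a wrong path, a missing parameter or a double-encoded route. The host, provider ID and routes are constructed, and treating redirectTo as a same-site path only is an assumption of this example.

```javascript
// Added example, not Cobrowse code. Host, provider ID and routes used with it are constructed.
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Assumption: redirectTo is always a same-site route such as /code, so anything
// that could point away from the hosted domain is refused.
function routeProblem(route) {
  if (typeof route !== 'string' || !route.startsWith('/')) {
    return 'route must be an unencoded path starting with "/"';
  }
  if (route.startsWith('//') || /[\\\u0000-\u001f]/.test(route)) {
    return 'route must not be protocol-relative or contain backslashes/control characters';
  }
  return null;
}

// Build the IFrame SSO URL; the route is passed unencoded and encoded exactly once here.
function buildSamlIframeUrl(hostedDomain, providerId, route) {
  if (!HOSTNAME.test(hostedDomain)) throw new Error('hostedDomain must be a bare hostname');
  if (typeof providerId !== 'string' || providerId === '') throw new Error('providerId is required');
  const problem = routeProblem(route);
  if (problem) throw new Error(problem);
  return `https://${hostedDomain}/api/1/saml/auth` +
    `?provider=${encodeURIComponent(providerId)}` +
    `&redirectTo=${encodeURIComponent(route)}`;
}

// Review an existing IFrame src: returns a list of problems (empty when it looks right).
function checkSamlIframeUrl(src) {
  let url;
  try { url = new URL(src); } catch { return ['not an absolute URL']; }
  const problems = [];
  if (url.protocol !== 'https:') problems.push('must use https');
  if (url.pathname !== '/api/1/saml/auth') problems.push('unexpected path');
  if (!url.searchParams.get('provider')) problems.push('missing provider');
  const redirectTo = url.searchParams.get('redirectTo'); // decoded once by URLSearchParams
  const problem = redirectTo === null ? 'missing redirectTo' : routeProblem(redirectTo);
  if (problem) problems.push(problem);
  // A percent escape that survives one decode usually means the route was encoded twice (%252F).
  if (redirectTo && /%[0-9a-f]{2}/i.test(redirectTo)) problems.push('redirectTo looks double-encoded');
  return problems;
}
```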

Your IFrame settings and identity provider must allow sharing of cookies to your IFrame'd domain. This includes any additional steps with your provider, such as MFA.


Validating the SAML request (optional)

Our SAML requests are signed to verify their origin. You can optionally validate this signature within your identity provider. To do this, please use the certificate provided at this endpoint:
