All Studios and Cognitive Cities can be configured to authenticate users against an organization's own identity provider, as long as it supports the OpenID Connect standard (ODIC). There is streamlined support for integrating with Google and Azure Active Directory, as these are very common SSO options.


Follow the steps below to set up SSO. Please note that if you want your SSO provider to be the only way someone can access the City, you'll need to make sure you follow the last step and disable the default Exaptive authentication after the SSO is in place.


Step 1: You will need to know the OIDC redirect endpoint for your Cognitive City, which depends on your Cognitive City name (<name>) and which OIDC provider you are using. Refer to the table below to determine the appropriate redirect endpoint URL.

OIDC Provider

Redirect Endpoint Format

Google

https://<name>.cognitive.city/cnapi/login/redirect/google/<name>

Microsoft Active Directory

https://<name>.cognitive.city/cnapi/login/redirect/ad/<name>


Step 2: Generate a clientID and clientSecret within your OIDC provider. This involves the following:

  • Create a new application - either a Web Application for Google or a App for AD.
  • Configure the application to include Permission scopes: openid, email, and profile.
  • Register the redirect endpoint.
  • Get client credentials.


Step 3: Log in to your Cognitive City and request SSO integration by submitting a helpdesk ticket via the blue “Help” button in the lower right corner of any Cognitive City page. Include in the ticket which OIDC Provider you are using and the clientID. To ensure security do not include the clientSecret in the ticket request.


Step 4: Once we receive your SSO integration request, we will contact the requestor with instructions for transferring the clientSecret through a secure channel via Wickr Pro. You will need to download Wickr Pro to be able to transmit the clientSecret to us.


Step 5: Upon receiving the clientSecret we will configure the SSO integration within 1 business day. A SSO “Login with …” button will appear on the landing page of your Cognitive City.


Step 6: Once the SSO integration is in place, if you want this to be the only method of login available, you will need to disable the default Exaptive username/password authentication:

  •  Log in to your Cognitive City as any user that has City Admin privileges and navigate to the Admin -> Access page. At the bottom of the page you will see a list of the configured authentication providers. Uncheck the “Exaptive” authentication provider and click “Save Changes”:

  • Log out of the Cognitive City and you will be brought back to the landing page where you should see that the only way to now log in to your City is via your own SSO. 


If you run into any problems accessing your City as a result of SSO integration, you can click the blue “Help” icon in the lower right corner of the landing page to submit a ticket for assistance.