Configure Single Sign-On (SSO) so that users can access AI for Service using your existing identity provider. SSO is configured from Security & Control > Single Sign-On in the Admin Console. Supported protocols:
  • OpenID Connect (OIDC)
  • Security Assertion Markup Language (SAML)
  • WS-Federation

Enable or Disable SSO

To enable SSO: On the Single Sign On page, select Enable SSO.
To disable SSO: Select Disable SSO, then configure user password policies. When SSO is disabled or expires, users must log in with their Kore.ai credentials. If no account-specific password policies are defined, default AI for Service password policies apply automatically.
SSO and 2FA are mutually exclusive — enabling one disables the other.

OIDC

  1. On the Single Sign On page, select Enable SSO.
  2. Under Select suitable Sign-On Protocol, select OpenID Connect.
  3. Select an identity provider (for example, Sign in with Google).
  4. Select Create.

WS-Federation

  1. On the Single Sign On page, select Enable SSO.
  2. Under Select suitable Sign-On Protocol, select WS-Federation.
  3. Select an identity provider and enter the required settings:
     Windows Azure:
       Field | Description
       Azure AD Sign-On End Point URL | URL for sign-on and sign-off requests
       Azure AD Federation Metadata Document | URL for the federation metadata document
     Other (generic WS-Federation):
       Field | Description
       AD Sign-On End Point URL | URL for sign-on and sign-off requests
       AD Federation Metadata Document URL | URL for the WS-Federation metadata document
  4. In your SSO provider’s admin console, configure these exchange URLs:
     Protocol | LDAP Attribute | Claim Attribute
     SAML 2.0 | nameId | uri
     SAML 1.1 | nameId | emailAddress
     Assertion Consumer Service (ACS) URL / Callback URL: https://idp.kore.com/authorize/callback
  5. If using ADFS, pass the user’s email address as an LDAP attribute. See Attributes for ADFS.
  6. Select Create.

SAML

SAML is a standard protocol for SSO using secure tokens. It eliminates passwords and uses cryptographic signatures to pass a sign-in token from the identity provider to the application.

How SAML Works

  1. The user accesses a remote application.
  2. The application redirects the user to the identity provider (IdP) with an authentication request.
  3. The user authenticates with the IdP.
  4. The IdP returns a signed XML response with the user’s identity to the application.
  5. The application validates the response and grants access.

Use Cases in AI for Service

Use Case | Description
App Builder authentication | Enterprise SSO for developers and admins accessing Bot Builder
End-user authentication | Authenticate users accessing bots embedded in portals or mobile apps
For end-user authentication: retrieve the SSO token on the client side and pass it to the bot using the secureCustomPayload parameter in the Bot SDK API. Use service or webhook nodes in dialog tasks for custom API auth logic.

Configuring SSO Using SAML

Okta

  1. On the Single Sign On page, select Enable SSO > SAML > Okta.
  2. Configure:
     Field | Description
     Okta Single Sign-On URL | SP-initiated SAML flow SSO URL
     Identity Provider Issuer | Entity that authenticates users
     Certificate | Public certificate from Okta (max 2; platform uses latest valid)
     ACS URL for SP Initiated SAML Flow | Redirect URL for SP-initiated flow
     ACS URL for IDP Initiated SAML Flow | Account-specific URL for IdP-initiated flow
     Skip 2FA Authentication | Determines whether users must complete two-factor authentication (2FA) during their first login. Enforcement can be skipped at the Service Provider (SP), the Identity Provider (IdP), or both, depending on configuration:
       • Select IdP (Identity Provider) to skip 2FA during first-time authentication
       • Select SP to skip 2FA during first-time authentication
     SAML Attribute Mapping | Map SAML attributes to AI for Service groups or admin roles
     Restrict Auto - Onboarding | Enable this option to restrict automatic user onboarding during IdP-initiated login for users who don’t exist in the platform
     Exclude RequestedAuthnContext | Remove RequestedAuthnContext from SAML requests
SAML Attribute Mapping modes:
Mode | Behavior
Full Sync | Replaces all existing group/role assignments with those in the SAML response on every login
Inclusion Only | Adds new assignments from the SAML response while retaining existing ones
Each mapping pair includes: SAML Attribute Name, SAML Attribute Value, Attribute Type (Group Name or Role Name), and AI for Service Attribute.
To add the AI for Service app to Okta:
  1. Log on to Okta, go to Applications > Add Application > Create application.
  2. In General settings, enter an app name.
  3. In Configure SAML, enter the Single Sign-On URL — get this from Admin Console > Security & Control > Single Sign On > SAML > Okta > ACS URL for SP Initiated SAML Flow.
  4. Configure the ACS URL for IDP-initiated flow; set the Audience URI to the SP-initiated ACS URL.
  5. Select Finish.
  6. On the Sign On tab, select View Setup Instructions and copy:
    • Identity Provider Single Sign-On URL → paste into Okta Sign-On URL field in AI for Service
    • Identity Provider Issuer → paste into Identity provider issuer field
    • X.509 Certificate → copy data between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste into the Certificate field
  7. Select Create in AI for Service.
The ACS URL for IDP-initiated flow shown during initial setup is temporary. After adding the app to Okta, copy the final ACS URL and update the field.
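The Full Sync and Inclusion Only behaviours of SAML Attribute Mapping described above, applied to a user's existing assignments, as an added example (not Kore.ai code; the mapping-pair field names follow the page, while the data structures, mode strings and the sample group and role values are assumptions). Note that under Full Sync a role absent from the SAML response is revoked, not just left alone.

```python
# Added example (not Kore.ai code): apply SAML Attribute Mapping pairs to a user's
# existing group/role assignments under the two modes the Admin Console offers.
# Mapping-pair field names follow the page; the data structures are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingPair:
    saml_attribute_name: str    # attribute Name in the SAML response, e.g. "groups"
    saml_attribute_value: str   # value that must be present for this pair to match
    attribute_type: str         # "Group Name" or "Role Name"
    target_attribute: str       # AI for Service group or role that gets assigned


def matched_assignments(pairs, saml_attributes):
    """Return the set of (type, target) assignments the SAML response entitles the user to."""
    assigned = set()
    for pair in pairs:
        values = saml_attributes.get(pair.saml_attribute_name, [])
        if pair.saml_attribute_value in values:
            assigned.add((pair.attribute_type, pair.target_attribute))
    return assigned


def apply_mapping(mode, pairs, saml_attributes, existing):
    """Full Sync replaces existing assignments; Inclusion Only adds to them."""
    from_idp = matched_assignments(pairs, saml_attributes)
    if mode == "Full Sync":
        return from_idp                      # anything not asserted by the IdP is dropped
    if mode == "Inclusion Only":
        return set(existing) | from_idp      # existing assignments are never removed
    raise ValueError(f"unknown mapping mode: {mode}")


# Constructed sample data (hypothetical group and role names)
PAIRS = [
    MappingPair("groups", "svc-desk-agents", "Group Name", "Service Desk"),
    MappingPair("groups", "it-admins", "Role Name", "Admin"),
]
SAML_ATTRIBUTES = {"groups": ["svc-desk-agents"], "EmailAddress": ["john.doe@example.com"]}
EXISTING = {("Role Name", "Admin"), ("Group Name", "Legacy Group")}

if __name__ == "__main__":
    for mode in ("Full Sync", "Inclusion Only"):
        print(mode, sorted(apply_mapping(mode, PAIRS, SAML_ATTRIBUTES, EXISTING)))
```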

OneLogin

Required fields:
Field | Description
SAML 2.0 Endpoint | HTTP SSO endpoint for SP-initiated flow
Issuer URL | OneLogin issuer URL
X.509 Certificate | Public certificate (max 2)
ACS URL for SP Initiated SAML Flow | Redirect URL
ACS URL for IDP Initiated SAML Flow | Account-specific URL
Skip 2FA Authentication | Determines whether users must complete two-factor authentication (2FA) during their first login. Enforcement can be skipped at the Service Provider (SP), the Identity Provider (IdP), or both, depending on configuration:
  • Select IdP (Identity Provider) to skip 2FA during first-time authentication
  • Select SP to skip 2FA during first-time authentication
SAML Attribute Mapping | Map SAML attributes to groups or roles
Restrict Auto - Onboarding | Enable this option to restrict automatic user onboarding during IdP-initiated login for users who don’t exist in the platform
Exclude RequestedAuthnContext | Remove RequestedAuthnContext from SAML requests
To add the AI for Service app to OneLogin:
  1. Log on to OneLogin, go to APPS > Add Apps.
  2. Search for AI for Service and select the app.
  3. Optionally update the display name and select SAVE.
  4. On the SSO tab, copy:
    • OneLogin SAML 2.0 Endpoint (HTTP) → paste into SAML 2.0 Endpoint field
    • OneLogin Issuer URL → paste into Issuer URL field
    • X.509 Certificate (click View Details) → copy the certificate data and paste into the Certificate field
  5. Select Create in the AI for Service Admin Console.

Bitium

Required fields:
Field | Description
Single Sign-On URL | HTTP SSO endpoint for SP-initiated flow
Issuer URL | Bitium issuer URL
Certificate | Public certificate (max 2)
ACS URL for SP Initiated SAML Flow | Redirect URL
ACS URL for IDP Initiated SAML Flow | Account-specific URL
Skip 2FA Authentication | Determines whether users must complete two-factor authentication (2FA) during their first login. Enforcement can be skipped at the Service Provider (SP), the Identity Provider (IdP), or both, depending on configuration:
  • Select IdP (Identity Provider) to skip 2FA during first-time authentication
  • Select SP to skip 2FA during first-time authentication
SAML Attribute Mapping | Map SAML attributes to groups or roles
Restrict Auto - Onboarding | Enable this option to restrict automatic user onboarding during IdP-initiated login for users who don’t exist in the platform
Exclude RequestedAuthnContext | Remove RequestedAuthnContext from SAML requests
To add the AI for Service app to Bitium:
  1. Log on to Bitium, go to Manage > Manage Apps > Add an App.
  2. Search for AI for Service and install the app.
  3. On the Single Sign-On tab, select SAML Authentication.
  4. Copy from Bitium into AI for Service:
    • Bitium Login URL → Single Sign-On URL field
    • Bitium Logout URL → Issuer URL field
    • X.509 Certificate → Certificate field (content between BEGIN/END headers only)
  5. Select Save in AI for Service.

Other (Generic SAML)

Use this for any identity provider not covered by built-in configurations. Fields: Single Sign-On URL, Issuer URL, Certificate, ACS URLs, SAML Attribute Mapping (same structure as above). In your SSO provider’s admin console, configure:
  • ACS URL / Callback URL: https://idp.kore.com/authorize/callback
  • Identity URL / Sign On URL: https://idp.kore.com

Attributes for ADFS

When using SAML or WS-Federation with ADFS, pass additional user attributes through the ACS or Callback URL. Required attribute: EmailAddress.
Example attributes passed in the callback:
  <Attribute Name="FirstName" ...><AttributeValue>Michael</AttributeValue></Attribute>
  <Attribute Name="LastName" ...><AttributeValue>Doe</AttributeValue></Attribute>
  <Attribute Name="DisplayName" ...><AttributeValue>John Doe</AttributeValue></Attribute>
  <Attribute Name="EmailAddress" ...><AttributeValue>john.doe@example.com</AttributeValue></Attribute>
NameID format:
Protocol | Format
SAML 2.0 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri
SAML 1.1 | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
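An added check (not ADFS or Kore.ai code) that reads the AttributeStatement and NameID out of a SAML 2.0 assertion and confirms that the required EmailAddress attribute is present and that the NameID format matches the one expected for the protocol in use. The assertion is constructed for the example and is unsigned; the expected NameID format is passed in so the check can be pointed at whichever row of the table above applies.

```python
# Added example (not ADFS or Kore.ai code): extract the attributes ADFS passes in an
# assertion and verify the required EmailAddress attribute and the NameID format.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = {"EmailAddress"}            # the one attribute the page requires
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (unsigned, for parsing only). A real assertion must have
# its XML signature verified against the IdP certificate before any attribute is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="DisplayName"><saml:AttributeValue>John Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>john.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} collected from the assertion's AttributeStatements."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_assertion(assertion_xml, expected_nameid_format):
    """Return a list of problems; empty means required attributes and NameID format are as expected."""
    root = ET.fromstring(assertion_xml)
    problems = []
    attrs = parse_attributes(assertion_xml)
    for name in sorted(REQUIRED_ATTRIBUTES - set(attrs)):
        problems.append(f"missing required attribute: {name}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") != expected_nameid_format:
        problems.append(f"unexpected NameID format: {name_id.get('Format')}")
    return problems


if __name__ == "__main__":
    print(parse_attributes(SAMPLE_ASSERTION))
    print(check_assertion(SAMPLE_ASSERTION, EMAIL_NAMEID_FORMAT))  # []
```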

Mapping Attributes in ADFS

In ADFS Management, go to Relying Party Trusts > Edit Claim Rules > Add Rule > Send LDAP Attributes. Add the following mappings:
Protocol | LDAP Attribute | Claim Attribute
SAML 2.0 | nameId | uri
SAML 1.1 | nameId | emailAddress

Bypass SSO with Admin Password

If SSO fails or you forget SSO credentials, access the Admin Console directly at https://bots.kore.ai/admin and log in using your Admin password credentials. If you’ve forgotten your Admin password, enter your email and select Forgot your password? to receive reset instructions.
A custom admin can bypass SSO only if custom privileges are enabled for at least one module. To use the Directory Agent, the custom admin must have Enrollment – Directory Sync privileges.

Logging Off

Select your username in the Admin Console and select Logout. Sessions idle for more than 15 minutes are automatically terminated; the next action opens the AI for Service web client. Select the Admin Console icon and sign in again to start a new session.