Skip to main content
Configure authentication, encryption, service integrations, data retention, and domain access for your AI for Work account.

Single Sign-On (SSO)

SSO lets users authenticate through an external Identity Provider (IdP) instead of the default sign-in flow. Only account admins can enable or disable SSO.

Enable SSO

  1. Go to Admin Console > Security > Single Sign-On.
  2. Turn on the Enable SSO toggle.
  3. Select a sign-on protocol.
  4. Select your identity provider and enter the configuration details.
  5. Click Save.

SAML

SAML uses signed XML tokens to authenticate users. The IdP authenticates the user and sends a signed response; the platform validates it using the certificate and grants access.

Okta

Configuration fields: Configure Okta:
  1. Log in to the Okta Admin Dashboard.
  2. Go to Applications > Add Application > Create Application.
  3. Enter an App Name and click Next.
  4. Under Configure SAML, paste the ACS URL for SP-Initiated SAML Flow from the platform into the Okta Single Sign-On URL field.
    • For on-premise accounts, use https://idproxy-dev.<platform>.com/authorize/callback as the SSO URL and https://idproxy-dev.<platform>.com as the Audience URL.
  5. Click Finish.
  6. On the Sign On tab, click View Setup Instructions and copy:
    • Identity Provider Single Sign-On URLOkta Single Sign-On URL on the platform
    • Identity Provider IssuerIdentity Provider Issuer on the platform
    • X.509 CertificateCertificate on the platform
  7. Click Save.

OneLogin

Configuration fields: Configure OneLogin:
  1. In the OneLogin Portal, go to Applications > Add Apps, search for your app, and save it.
  2. On the SSO tab, copy:
    • OneLogin SAML 2.0 Endpoint (HTTP)SAML 2.0 Endpoint on the platform
    • OneLogin Issuer URLIssuer URL on the platform
  3. Click View Details on the X.509 Certificate field. Copy the certificate data (between the header and footer lines) and paste it into the X.509 Certificate field on the platform.
  4. Copy the ACS URL for SP-Initiated SAML Flow and ACS URL for IDP-Initiated SAML Flow from the platform and paste them into the corresponding fields in OneLogin.
  5. Click Save in both the platform and OneLogin.

Bitium

Configuration fields: Configure Bitium:
  1. In Bitium, go to Manage Organization > Manage Apps > App.
  2. On the Single Sign-On tab, select SAML Authentication.
  3. Copy:
    • Bitium Login URLSingle Sign-On URL on the platform
    • Bitium Logout URLIssuer URL on the platform
    • X.509 CertificateCertificate on the platform
  4. Click Save.

Other SAML Providers

Use this option for any SAML 2.0-compliant provider not listed above. Configuration fields: Fetch the SSO parameters from your IdP portal, paste them into the platform, then copy the ACS URLs from the platform back into your IdP app settings.
When multiple certificates are added, the platform uses the most recent valid certificate. If it’s invalid, it falls back to the other certificate.

WS-Federation

WS-Federation uses signed security tokens to authenticate users across security domains. Commonly used with Active Directory Federation Services (ADFS).

Windows Azure

Configuration fields: Configure Windows Azure:
  1. Log in to the Azure Portal and go to Microsoft Entra ID > Enterprise Applications > New Application > Create your own application.
  2. Enter the application name and click Create.
  3. Go to Single sign-on and select WS-Fed.
  4. Configure the Identifier (Entity ID) and Reply URL provided by the platform.
  5. Go to Users and Groups and assign users or groups.
  6. Go to App Registrations > Endpoints and copy:
    • WS-Federation Sign-On EndpointAzure AD Sign-On Endpoint URL on the platform
    • Federation Metadata Document URL → Azure AD Federation Metadata Document on the platform
  7. Click Save.

Other WS-Federation Providers (ADFS)

Configuration fields: Configure ADFS:
  1. Open ADFS Management on your ADFS server. Right-click Relying Party Trusts and select Add Relying Party Trust.
  2. Choose Enter data about the relying party manually and click Next.
  3. Select AD FS profile and skip certificate configuration.
  4. Enable WS-Federation Passive protocol and enter the Relying Party WS-Federation Passive protocol URL provided by the platform.
  5. Enter the relying party trust identifier provided by the platform.
  6. In Edit Claim Rules, click Add Rule, select Send LDAP Attributes as Claims, and map:
    • E-Mail-Addresses → E-Mail Address
    • Given-Name → Given Name
    • Surname → Surname
    • User-Principal-Name → UPN
  7. Add another rule: select Transform an Incoming Claim, set Incoming claim type to E-Mail Address, Outgoing claim type to Name ID, and Outgoing name ID format to Email.
  8. In Service > Endpoints, copy:
    • WS-Federation Passive Endpoint (/adfs/ls/) → AD Sign-On Endpoint URL on the platform
    • Federation Metadata URL → AD Federation Metadata Document URL on the platform
  9. Click Save.

OpenID Connect (OIDC)

OIDC is an authentication layer on top of OAuth 2.0 that supports identity verification and user profile access. Supported providers are Google and Microsoft Azure.

Google

Configuration fields: Configure Google:
  1. Log in to Google Cloud Console.
  2. Go to IAM & Admin > Service Accounts > Create Service Account. Enter a name, click Create and Continue, then Done.
  3. Click the service account → Keys > Add Key > Create New Key → select JSONCreate. Save the downloaded file securely.
  4. In the service account details, enable Google Workspace Domain-wide Delegation and note the Client ID.
  5. Log in to Google Admin Console.
  6. Go to Security > API Controls > Domain-wide Delegation > Add new.
  7. Enter the Client ID and add the following OAuth scopes as a comma-separated list:
    • https://www.googleapis.com/auth/admin.directory.user.readonly
    • https://www.googleapis.com/auth/admin.directory.group.readonly
    • https://www.googleapis.com/auth/admin.directory.orgunit.readonly
    • https://www.googleapis.com/auth/admin.directory.domain.readonly
  8. Click Authorize.
  9. In the platform, select Sign in with Google, enable Configure service account for your G-Suite domain, and enter the values from the JSON key file:
    • client_emailClient Email
    • private_keyPrivate Key
    • Admin email → Admin Email
  10. Click Save.

Microsoft Azure

Configuration fields: Configure Microsoft Azure:
  1. Log in to the Azure Portal and go to Microsoft Entra ID > App Registrations > New Registration.
  2. Enter an application name and add the Redirect URL from the platform as the redirect URI. Click Register.
  3. Under Authentication, enable ID Tokens under Implicit grant and hybrid flows.
  4. Under Certificates & Secrets, create a new client secret. Copy the Value immediately — it is shown only once.
  5. Under API Permissions, add Microsoft Graph delegated permissions: User.Read, email, openid, profile. Click Grant Admin Consent.
  6. From the app Overview page, copy the Application (client) ID and Directory (tenant) ID.
  7. In the platform, select Microsoft Azure, enter the credentials, and click Save.

Service Accounts

Service accounts connect the platform to external identity providers to access user directories, groups, and organizational data. You can configure multiple accounts and designate one as the default for system-wide operations. Go to Admin Console > Security > Connections > Service Account. Supported providers:

Add a Service Account

Click the provider type to open the configuration form.

Google

Before configuring, complete the Google Cloud setup (see Configure Google under OIDC for the required service account and domain delegation steps). Click Save.

Microsoft Azure

Before configuring, complete the Azure app registration (see Configure Microsoft Azure under OIDC, or follow the steps below). Click Save. Required Microsoft Graph permissions (Application permissions, not Delegated): After adding permissions, click Grant Admin Consent in the Azure Portal. Azure app registration steps:
  1. Log in to the Azure Portal and search for App Registrations.
  2. Click New Registration, enter an application name, select the tenant type (Single or Multi-tenant), and click Register.
  3. Go to API Permissions > Add a Permission > Microsoft Graph > Application Permissions and add the required permissions above.
  4. Click Grant Admin Consent for [Your Organization].
  5. Go to Certificates & Secrets > New Client Secret. Select an expiration period and click Add. Copy the Value immediately.
  6. From the app Overview, copy the Application (client) ID and Directory (tenant) ID.
Set calendar reminders to rotate client secrets before they expire — 30 days before to plan, 7 days before to create and test a new secret, and 2 days before to update production.

LDAP

Click Save.

Okta

All fields are required. The platform validates the Okta Domain format and tests the credentials through the Okta API before saving.
  • If the credentials are valid, the service account saves successfully.
  • If the credentials are invalid, the platform displays an error message and does not save the account.
Error messages display for invalid credentials, network or API failures, expired API tokens, and expired service accounts. Click Save.

Manage Service Accounts

Click the three-dot menu next to any service account to access these options:
You cannot delete a service account linked to active user enrollment. The platform displays a warning if you attempt this.

Enterprise Encryption

All account data is encrypted by default. You can use the platform-managed default key or bring your own encryption key (BYOK) for full organizational control. Go to Admin Console > Enterprise Encryption.

Default Key

The platform automatically manages encryption — no configuration required. You can:
  • Copy — Copy the current key to your clipboard.
  • Refresh — Generate a new default key.
Default key actions are disabled once BYOK is activated.

Bring Your Own Key (BYOK)

BYOK lets you use your own Customer Master Keys (CMKs) from AWS KMS or Azure Key Vault for all encryption operations. The platform communicates with your external KMS for cryptographic operations. Supported providers: AWS KMS, Azure Key Vault
BYOK is permanent. Once activated, you cannot revert to the default key, and the configuration cannot be modified. Contact Kore.ai support if changes are needed.

Configure BYOK

  1. Go to Admin Console > Enterprise Encryption.
  2. Under Bring Your Own Key, click Create Key.
  3. Select your cloud provider (AWS or Azure).
  4. Note the pre-populated values shown by the platform — these are required when configuring your cloud provider.
  5. Enter the required identifiers (see provider sections below).
  6. Click Test Connection to validate key access and permissions.
  7. Click Next, then Proceed to activate.

AWS KMS

For detailed guidance on AWS KMS, refer to the AWS KMS Developer Guide. Values the platform provides: When you initiate the BYOK setup, the platform displays these values for you to copy. You will need them when configuring your IAM role. Values you provide: AWS setup steps:
  1. Locate your Customer Managed Key (CMK) ARN. The platform uses this key for all encryption operations. In the AWS KMS console, open your CMK’s details page and copy the CMK ARN (e.g., arn:aws:kms:<region>:<account-id>:key/<key-id>).
  2. Create an IAM role for the platform. This role allows the platform to securely access your KMS key without sharing credentials. Go to IAM > Roles > Create Role, select Another AWS account, enter the Service Role ARN provided by the platform, and name the role (e.g., AIforWorkByokAccessRole). Note the Role ARN after creation.
  3. Configure the trust policy on the role. The trust policy restricts who can assume this role. By specifying the platform’s Service Role ARN and the External ID, you ensure that only the platform’s verified service can use it. Go to IAM > Roles > Your role > Trust Relationships > Edit Trust Policy and set the following (replace placeholders with actual values):
  4. Create and attach a permissions policy. This policy defines which KMS actions the role is allowed to perform on your key. Go to IAM > Policies > Create Policy > JSON and add the following:
    Name the policy (e.g., AIKMSPolicy), create it, then attach it to the role via IAM > Roles > Your role > Add Permissions > Attach Policies.
  5. Grant the IAM role access in the CMK key policy. This authorizes the role to perform cryptographic operations on the key from the KMS side. In the KMS console, select your CMK, go to the Key Policy tab, switch to edit mode, and add the following statement to the existing policy’s Statement array:
  6. Validate the configuration (optional). Run the following AWS CLI commands to verify that your IAM role and CMK key policy are set up correctly. This step does not validate the full BYOK integration.
  7. Share your details with Kore.ai. Contact Support and provide your CMK ARN (from step 1) and Role ARN (from step 2). The team will configure the service side to assume the role and securely access your KMS key. Once this is done, the BYOK configuration and test connection will complete successfully.

Azure Key Vault

For detailed guidance on Azure Key Vault, refer to the Azure Key Vault documentation. Values the platform provides: When you initiate the BYOK setup, the platform displays these values for you to copy. You will need them when granting access to the platform’s service principal. Values you provide: Azure setup steps:
  1. Authorize the platform in your Azure tenant. This step registers the platform as a service principal in your tenant, allowing it to interact with your Key Vault securely. Sign in to the Azure portal as a Global Administrator and grant admin consent for the platform’s application using one of:
    • Admin Consent URL: Navigate to https://login.microsoftonline.com/<your-tenant-id>/adminconsent?client_id=<platform-client-id> (replace <your-tenant-id> with your tenant ID, found in Microsoft Entra ID > Properties).
    • Azure CLI: Run az ad sp create --id '<platform-client-id>' (replace <platform-client-id> with the Client ID provided by the platform).
  2. Prepare your Key Vault and encryption key. Ensure you have a Key Vault and an RSA key in your Azure subscription. Note the following details, which you will share with the team:
    • Key Vault URI (e.g., https://<vault-name>.vault.azure.net/)
    • Key Name for the specific key the platform will use
  3. Grant the platform access to your Key Vault. This authorizes the platform’s service principal to perform the cryptographic operations required for BYOK. In your Key Vault, go to Access Control (IAM) > Add Role Assignment and assign the following roles to the platform’s service principal (search by the App Name or Client ID provided by the platform):
    • Key Vault Crypto User — allows cryptographic operations like wrapping and unwrapping keys, required for BYOK functionality
    • Key Vault Reader — allows reading metadata about the Key Vault and its resources
  4. Share your details with Kore.ai. Contact Support and provide: your Tenant ID (found in Microsoft Entra ID > Properties), the Key Vault URI, and the Key Name.
  5. Approve the private endpoint connection. After the team configures the connection on their end, a private endpoint request will appear in your Key Vault. Go to Key Vault > Networking > Private Endpoint Connections, find the pending request, and approve it. This establishes a secure private link between the platform and your Key Vault.

Data Settings

Control what conversation data is stored and how long it is retained. Go to Admin Console > Security > Data Settings.

Conversation Data Storage

When Do not store full conversation data is selected, apply the policy at one of three levels:

Data Retention Period


Domain Management

Add and verify company and partner domains to enable controlled account access via SSO. Go to Admin Console > Security > Domain Management.

Domain Types

Add a Domain

  1. Click Add New.
  2. Select the domain type (Company or Partner).
  3. Enter the domain details and submit for verification.
  4. Verified domains are added to the account. Rejected domains remain listed with a Rejected status.

Access Rules

Switching Accounts (Partner Users)

Partner domain users with access to multiple accounts can switch between them by clicking the profile icon in the top-right corner and selecting Switch Account. This option is available from both the Admin Console and the application UI.

Personal API Key

A personal API key identifies and authorizes users for API access, replacing username and password credentials in each request. To generate your key, go to My Profile — accessible via the profile icon in the lower-left of the Admin Console or the upper-right corner of the application homepage — then open the Personal API Key section and click to generate.

Manage Your Key

Authenticate API Requests

Include the key in the auth header of every API request: