Use this page when configuring Cotool as a first-class application in an identity provider (IdP), such as Okta, Microsoft Entra ID, Google Workspace, OneLogin, or Ping Identity. Cotool uses SAML 2.0 for single sign-on and SCIM 2.0 for user provisioning. A Cotool admin can find the organization-specific values and generate SCIM tokens from Authentication Settings.
All examples use Cotool Cloud at https://app.cotool.ai.

SAML SSO

Cotool is the SAML service provider (SP). Your IdP is the identity provider.
Field                         Value
SAML version                  2.0
ACS URL / Single sign-on URL  https://app.cotool.ai/api/auth/saml/{orgId}/callback
SP Entity ID / Audience URI   The Entity ID shown in Cotool. By default this is the ACS URL.
Recipient / Destination       Same as the ACS URL.
Default RelayState            Leave blank unless you are sending users to a specific Cotool path.
SSO initiation                SP-initiated SSO is supported. IdP-initiated SSO can post assertions to the ACS URL.
SAML response binding         HTTP POST to the ACS URL.
Single logout                 Not currently supported.
The Audience URI in the IdP must match the Cotool Entity ID character for character; a trailing-slash or scheme mismatch fails the assertion's audience check.

Login URLs

Use either of these SP-initiated login URLs:
Purpose                    URL
Email discovery login      https://app.cotool.ai/api/auth/saml/login?email=user@example.com
Organization-scoped login  https://app.cotool.ai/api/auth/saml/{orgId}/login
The email discovery URL resolves the Cotool organization from the configured SAML email domain, then starts the SAML flow. URL-encode the email query value (for example, + becomes %2B) when you build this link yourself.

Required SAML assertion fields

Cotool identifies users by email address. Configure the IdP to send the user’s work email as one of:
  • NameID
  • email
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Recommended IdP settings:
Setting               Recommended value
Name ID format        EmailAddress
Application username  Email address
Assertion signing     Enabled
Response signing      Enabled if required by your IdP policy
Encryption            Not required
Cotool validates SAML assertion signatures against the IdP signing certificate from the metadata XML configured in Cotool. When the IdP rotates its signing certificate, update the metadata in Cotool before the old certificate is retired, or logins fail with a rejected assertion.

Cotool admin setup

  1. Open Authentication Settings.
  2. Enable SAML Single Sign-On.
  3. Enter the email domain used for login discovery, such as example.com.
  4. Copy the Cotool ACS URL and Entity ID into your IdP application.
  5. Paste your IdP metadata XML into Cotool, or fetch it from your IdP metadata URL.
  6. Save the settings and test SP-initiated login.
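The following is an added example written for this page, not Cotool's own code: a pre-flight check for the IdP metadata XML pasted in step 5 (signing certificate present and decodable, an SSO URL with a supported binding, the emailAddress NameID format advertised), plus helpers that build the two SP-initiated login URLs above with proper query encoding. The function names, the list of checks, and the sample metadata (constructed, with a placeholder certificate rather than a real one) are this example's own assumptions, not taken from Cotool.

```python
"""Pre-flight checks for IdP metadata before pasting it into Cotool.
Added example for this page; not Cotool's implementation. Function names,
the check list and the sample metadata below are assumptions."""
import base64
from urllib.parse import urlencode
from xml.etree import ElementTree as ET  # prefer defusedxml for untrusted metadata

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def email_discovery_login_url(email):
    """SP-initiated login via email discovery; the address is query-encoded."""
    return "https://app.cotool.ai/api/auth/saml/login?" + urlencode({"email": email})


def org_login_url(org_id):
    """SP-initiated login scoped to one Cotool organization."""
    return f"https://app.cotool.ai/api/auth/saml/{org_id}/login"


def parse_idp_metadata(xml_text):
    """Extract the fields Cotool needs from a SAML EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor (is this SP metadata instead of IdP metadata?)")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute applies to signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))  # strip PEM line wrapping
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    formats = [f.text.strip() for f in idp.findall(f"{{{MD}}}NameIDFormat") if f.text]
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso": sso, "nameid_formats": formats}


def check_idp_metadata(meta):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: Cotool cannot validate assertions")
    for i, b64 in enumerate(meta["signing_certs"]):
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append(f"certificate {i} is not valid base64")
            continue
        if not der or der[0] != 0x30:  # a DER Certificate is an ASN.1 SEQUENCE
            problems.append(f"certificate {i} does not decode to a DER certificate")
    location = meta["sso"].get(REDIRECT) or meta["sso"].get(POST)
    if not location:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    elif not location.startswith("https://"):
        problems.append(f"SSO URL is not https: {location}")
    if meta["nameid_formats"] and EMAIL_NAMEID not in meta["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    return problems


# Constructed sample metadata, not real IdP output. The certificate is a
# placeholder DER SEQUENCE so the structural checks pass; it is not a real cert.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"][REDIRECT], check_idp_metadata(meta) or "OK")
```

Run it against the XML exported from your IdP before pasting it into Cotool; a metadata file with a KeyDescriptor marked use="encryption" only, or with an expired certificate still listed, is the usual cause of the "SAML assertion is rejected" symptom in the troubleshooting table. For metadata fetched from an untrusted URL, swap the stdlib parser for defusedxml.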

SCIM provisioning

Cotool implements SCIM 2.0 user provisioning with bearer-token authentication.
Field            Value
SCIM version     2.0
SCIM base URL    https://app.cotool.ai/api/scim/v2/{orgId}
Users endpoint   https://app.cotool.ai/api/scim/v2/{orgId}/Users
Authentication   Authorization: Bearer {scimToken}
Groups           Not currently supported
Password sync    Not supported
Bulk operations  Not supported
Generate or rotate the SCIM bearer token in Authentication Settings. Cotool shows the token only once, so copy it into the IdP when it is generated. Treat the token as a privileged credential: it can create, update, and deactivate every user in the organization, so store it only in the IdP's provisioning settings and rotate it if it is exposed.

Supported SCIM endpoints

Endpoints are relative to the SCIM base URL.
Method  Endpoint                Purpose
GET     /ServiceProviderConfig  Return SCIM capability metadata.
GET     /Users                  List users with pagination and optional filters.
POST    /Users                  Create a user, or update an existing user matched by email or externalId.
GET     /Users/{userId}         Fetch a user by Cotool user ID.
PUT     /Users/{userId}         Replace supported user fields.
PATCH   /Users/{userId}         Update supported user fields.
DELETE  /Users/{userId}         Deactivate the user by setting active to false.

Supported user attributes

Cotool accepts and returns these SCIM user fields:
Attribute        Notes
schemas          Optional on input. Responses include the SCIM core User schema.
id               Cotool user ID. Returned by Cotool.
externalId       Stored and used for matching provisioned users.
userName         Required unless emails[0].value is present. Must be a valid email address.
name.givenName   Optional.
name.familyName  Optional.
name.formatted   Optional.
emails[].value   Optional when userName is present. The primary or first email is used.
active           false deactivates the user.
New SCIM-created users receive the default role selected in Cotool’s SCIM settings.

Filtering and pagination

GET /Users supports:
Query parameter  Support
filter           userName eq "user@example.com", emails.value eq "user@example.com", or externalId eq "abc123"
startIndex       1-based index. Defaults to 1.
count            Defaults to 100. Maximum 200.
Sorting is not currently supported.

PATCH support

Cotool supports SCIM add and replace operations for these paths:
  • active
  • userName
  • externalId
  • name
  • emails
The remove operation is not currently supported.
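The following is an added example for this page, not Cotool's code, covering the SCIM sections above (endpoints, user attributes, filtering and pagination, PATCH support): helpers that build request bodies and query strings within the documented limits (userName must be an email, count is capped at 200, only add/replace on the supported PATCH paths), a bearer-token transport, a connector probe, and an Okta-style deactivation flow (look the user up by filter, then PATCH active to false). The helper names, the transport's error handling, and the fake in-memory transport used to demonstrate the flow are assumptions of this example.

```python
"""SCIM 2.0 request helpers for Cotool's /Users endpoint.
Added example for this page, not Cotool's implementation; helper names and
the injectable `send` transport are assumptions, not part of the docs."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode

BASE = "https://app.cotool.ai/api/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
PATCH_PATHS = {"active", "userName", "externalId", "name", "emails"}  # documented paths
FILTER_ATTRS = {"userName", "emails.value", "externalId"}  # documented filter attributes
MAX_COUNT = 200
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def user_payload(email, given=None, family=None, external_id=None, active=True):
    """Body for POST /Users. userName must be the user's work email address."""
    if not EMAIL_RE.match(email):
        raise ValueError(f"userName must be a valid email address: {email!r}")
    body = {"schemas": [USER_SCHEMA], "userName": email, "active": active,
            "emails": [{"value": email, "primary": True}]}
    if external_id:
        body["externalId"] = external_id
    name = {k: v for k, v in (("givenName", given), ("familyName", family)) if v}
    if name:
        body["name"] = name
    return body


def patch_payload(operations):
    """Body for PATCH /Users/{id}: (op, path, value) tuples, add/replace only."""
    ops = []
    for op, path, value in operations:
        if op not in ("add", "replace"):
            raise ValueError(f"{op!r} is not supported; use add or replace")
        if path not in PATCH_PATHS:
            raise ValueError(f"unsupported PATCH path: {path!r}")
        ops.append({"op": op, "path": path, "value": value})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def list_query(filter_attr=None, filter_value=None, start_index=1, count=100):
    """Query string for GET /Users: 1-based startIndex, count capped at 200."""
    if start_index < 1:
        raise ValueError("startIndex is 1-based")
    params = {"startIndex": start_index, "count": min(count, MAX_COUNT)}
    if filter_attr:
        if filter_attr not in FILTER_ATTRS:
            raise ValueError(f"unsupported filter attribute: {filter_attr!r}")
        escaped = filter_value.replace("\\", "\\\\").replace('"', '\\"')
        params["filter"] = f'{filter_attr} eq "{escaped}"'
    return urlencode(params)


def scim_sender(org_id, token):
    """Return send(method, path, body) -> (status, json) bound to one org and token."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{BASE}/{org_id}{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/scim+json",
                     "Accept": "application/scim+json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None  # 401: bad token, 403: SCIM disabled, 409: conflict
    return send


def probe(send):
    """Same idea as Okta's Test Connector Configuration: fetch ServiceProviderConfig."""
    status, config = send("GET", "/ServiceProviderConfig", None)
    return status == 200 and isinstance(config, dict)


def deactivate_by_email(send, email):
    """Look the user up by userName filter, then PATCH active to false."""
    status, page = send("GET", "/Users?" + list_query("userName", email), None)
    if status != 200 or not page or not page.get("Resources"):
        raise LookupError(f"no SCIM user for {email} (status {status})")
    user_id = page["Resources"][0]["id"]
    status, user = send("PATCH", f"/Users/{user_id}",
                        patch_payload([("replace", "active", False)]))
    if status != 200:
        raise RuntimeError(f"PATCH /Users/{user_id} failed with status {status}")
    return user
```

Against a live organization, build the transport with scim_sender("{orgId}", token) and call probe(send) first; a 401 or 403 there means the token or the SCIM toggle, not your payloads. The injectable send parameter exists so the flow can be exercised against a fake transport without network access.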

Okta configuration notes

SAML application

In Okta, create a SAML 2.0 application and use:
Okta field                    Cotool value
Single sign-on URL            Cotool ACS URL
Recipient URL                 Cotool ACS URL
Destination URL               Cotool ACS URL
Audience URI (SP Entity ID)   Cotool Entity ID
Name ID format                EmailAddress
Application username          Email
After creating the app, copy Okta’s IdP metadata XML or metadata URL into Cotool.

SCIM provisioning

Enable SCIM provisioning for the Okta application and use:
Okta field                          Cotool value
SCIM connector base URL             Cotool SCIM base URL
Unique identifier field for users   userName
Supported provisioning actions      Create users, update user attributes, deactivate users
Authentication mode                 HTTP Header / Bearer token
Bearer token                        Token generated in Cotool
Use Okta’s Test Connector Configuration action after saving the SCIM base URL and bearer token.

Troubleshooting

Symptom                                     Check
SAML login cannot find the organization     Confirm the user's email domain matches the domain configured in Cotool.
SAML assertion is rejected                  Confirm the IdP metadata XML in Cotool contains the active signing certificate and SSO URL, and that the Audience URI matches the Cotool Entity ID.
User signs in but lands on an error page    Confirm the assertion includes the user's email as NameID or a supported email attribute.
SCIM returns 401                            The bearer token is missing, wrong, or was rotated. Rotate the SCIM token in Cotool and update the IdP.
SCIM returns 403                            Confirm SCIM is enabled in Cotool for the organization.
SCIM returns 409                            Confirm the email address or externalId is not already assigned to another user.