/
How to login with SSO

How to login with SSO

Oct 06, 2025

1. Overview

CostOS supports Single Sign-On (SSO) via:

  • SAML v2.0

  • OpenID Connect v1.0

This allows users to authenticate with their corporate identity provider (e.g., Azure AD, Okta, Keycloak, ADFS, Ping Federate) instead of using local CostOS credentials.

⚠️ Only users with the User Administrator role can configure authentication settings in CostOS.

2. Prerequisites

Before configuring SSO:

  1. Log in to CostOS Web Interface or Workstation Client using an account with the User Administrator role.

  2. Obtain necessary details from your Identity Provider (IdP):

    • For SAML 2.0: metadata URL, Entity ID, redirect URL

    • For OpenID Connect: discovery endpoint, client ID, and client secret

  3. Ensure CostOS Server is reachable by the IdP via HTTPS.

  4. Back up your existing authentication configuration.

  5. Keep a local admin account enabled in case SSO misconfiguration prevents login.

3. Accessing Authentication Settings

  1. Log in to CostOS Web Interface as an administrator.

  2. Go to:
    Administration → Security → Authentication Settings

  3. Select the Authentication method:

    • SAML v2

    • OpenID Connect v1.0

4. SAML v2.0 Configuration

4.1 Field-by-Field Description

Field

Required

Description

Example

Field

Required

Description

Example

Display Name

The friendly name for your SSO configuration. Appears in the authentication menu.

Saml2

Redirect URI

The URL where the IdP will send authentication responses after login. It must match the redirect URL defined in the IdP.

https://yourserver:8080/ces/saml2-login

Service Provider Entity ID

The unique identifier (Entity ID) for CostOS. Used by the IdP to recognize CostOS as a service provider.

costos-saml

SAML Entity Descriptor

The metadata URL provided by your IdP. It describes endpoints, certificates, and SAML configuration details.

https://idp.company.com/realms/costos/protocol/saml/descriptor

Private Key

Optional

Used by CostOS to sign SAML authentication requests or decrypt encrypted assertions. Can be automatically generated.

Certificate

Optional

The public certificate that corresponds to the private key. Uploaded to IdP if signing/encryption is required.

💡 Note:
The Private Key and Certificate are not mandatory. CostOS automatically uses HTTPS to protect communication. Only configure them if your IdP requires message signing or encryption.

4.2 Certificate Management

  • Click Recreate to generate a new key/certificate pair (valid for 1 year).

  • You can export the certificate in several formats:

    • .cer – for metadata import to IdP

    • .jks – Java KeyStore (alias: default, password: changeit)

    • .pfx – PKCS#12 bundle (alias: default, password: changeit)

  • Exported certificates are stored in the CostOS installation directory.

4.3 IdP Configuration Steps

In your Identity Provider (e.g., Keycloak, ADFS, Azure AD, Okta):

  1. Create a new SAML application / service provider.

  2. Enter:

    • Entity ID → same as Service Provider Entity ID

    • Assertion Consumer Service (ACS) → same as Redirect URI

  3. Upload the CostOS certificate, if using message signing.

  4. Set the NameID format to match CostOS usernames (usually username or email).

  5. Assign users or groups who can access the application.

4.4 Save and Test

  1. Click Save in CostOS.

  2. Log out.

  3. On the login screen, select your configured SAML method.

  4. You should be redirected to your IdP login page.

  5. Authenticate and confirm successful redirection back to CostOS.

5. OpenID Connect (OIDC) Configuration

5.1 Field-by-Field Description

Field

Required

Description

Example

Field

Required

Description

Example

Display Name

Friendly name for your OpenID configuration.

OpenID

Redirect URI

The callback URL CostOS uses to receive the authentication token. Must match the Redirect URI in your IdP configuration.

https://yourserver:8080/ces/openid-login

Discovery Endpoint

The .well-known/openid-configuration URL from your IdP. This endpoint provides all necessary metadata (authorization, token, userinfo URLs).

https://idp.company.com/realms/costos/.well-known/openid-configuration

Client ID

The unique identifier of the CostOS application registered in the IdP.

costos-openid

Client Secret

The secret key associated with the Client ID, used for authentication between CostOS and the IdP.

xFCOxmNDGF2dmg...

Username Claim

The field in the IdP token that CostOS should use as the username. Common values: preferred_username, email, or upn.

preferred_username

💡 Note:
The “Username Claim” value must match the CostOS username field for the user to be identified correctly after authentication.

5.2 Identity Provider Configuration Steps

In your OpenID Connect provider (e.g., Keycloak, Azure AD, Okta):

  1. Create a new OpenID client / application named CostOS.

  2. Add a Redirect URI matching the one displayed in CostOS (/ces/openid-login).

  3. Enable standard flows (authorization_code, refresh_token).

  4. Copy the Client ID and Client Secret into CostOS.

  5. Optionally configure the Username Claim mapping (e.g., preferred_username).

  6. Assign the correct users or groups to the CostOS client.

5.3 Save and Test

  1. Click Save in CostOS.

  2. Log out and select the OpenID login option.

  3. You should be redirected to your IdP for authentication.

  4. After successful login, you will return to CostOS as an authenticated user.

6. Troubleshooting

Issue

Cause

Solution

Issue

Cause

Solution

Redirect loop during login

Redirect URI mismatch

Verify that the URI matches exactly (including port and protocol).

“Invalid Client ID/Secret”

Wrong credentials

Re-enter correct client ID and secret from IdP.

User not found in CostOS

Username claim mismatch

Confirm the claim maps to the CostOS username.

SAML response invalid

Certificate mismatch or expired

Recreate certificate and update IdP metadata.

Authentication timeout

HTTPS or firewall restriction

Verify HTTPS ports are open and valid certificate is installed.

7. Security Recommendations

  • Always use HTTPS for all URLs.

  • Restrict SSO configuration access to User Administrators.

  • Rotate certificates and client secrets regularly (e.g., annually).

  • Keep one local admin account enabled for emergency access.

  • Audit SSO logins periodically to detect inactive or unauthorized users.

8. Example Configurations

Identity Provider

Recommended Protocol

Discovery / Metadata URL Example

Identity Provider

Recommended Protocol

Discovery / Metadata URL Example

Azure AD

OpenID Connect

https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

Keycloak

SAML 2.0 or OpenID

https://idp.company.com/realms/costos/.well-known/openid-configuration

Okta

SAML 2.0

https://<org>.okta.com/app/<app-id>/sso/saml/metadata

Ping Federate / ADFS

SAML 2.0

https://adfs.company.com/FederationMetadata/2007-06/FederationMetadata.xml

9. Support

If you encounter configuration or login issues:

  • Check the CostOS server logs (ces.log, auth.log) for SSO-related messages.

  • Validate the IdP metadata or discovery URL in a browser.

  • Contact CostOS Support at 📧 support@costos.example.com (replace with your actual contact address).