SSO (Single Sign-On)
In the Teams section, it is now possible to configure an AI assistant with SSO (Single Sign-On).
This means that employees in a company can access the assistant simply by using their company credentials, without needing to log in again.
Once enabled, only authorized employees can use the assistant, and there is no need to sign in to multiple platforms.
1. SSO - Configuration
Prerequisites
Configure SSO
Navigate to Workspace > Teams.
Select the desired team from the list.
Click the Configure SSO button.

Then, click Fetch URI and copy the Redirect URI. You must paste this URI into your Identity Provider's (IdP) application configuration.

Complete the remaining fields:
a. Client ID and Client Secret are both mandatory.
b. You must provide either the Tenant ID (required for Microsoft Entra) or the Issuer URL (required for all other providers).
Once all details are entered, click Submit. SSO is now configured for this team.
After submission, a pop-up will display the Widget API Key. You will need this key later.

If you want to configure SSO for the iframe, do this:
Since the AI assistant widget is embedded within a third-party parent website using an iframe, additional configuration is required to ensure a smooth authentication experience.
Refer to Understand Tech’s sample repository. This demonstration shows how to integrate the parent website’s frontend and backend with our SSO authentication flow.
This allows your end-users to automatically secure their session with the iframe without having to log in again.
2. Delete SSO for a team
Navigate to Workspace > Teams and select your team.
Click the Delete SSO button.

3. Linking SSO to an AI assistant
In the Workspace tab, select the AI assistant for which you want to enable SSO. From the options, select Share your model with others.
In the pop-up, select Customize the look and feel of your assistant. Then, scroll down and select Enable SSO.


Click save!
SSO is now enabled on the AI assistant. To test, go back to the Share your model with others button and select the URL option.

You should be redirected to the Login screen:

Appendix: Provider-Specific Configuration
Microsoft Entra ID
Create an App Registration:
Navigate to Azure Portal → Azure Active Directory → App registrations
Click New registration
Enter a name for your application
Under Redirect URI, select Web and paste the Redirect URI copied from Understand Tech
Click Register
Retrieve Required Values:
Client ID: Found on the app's Overview page as "Application (client) ID"
Tenant ID: Found on the app's Overview page as "Directory (tenant) ID"
Client Secret: Navigate to Certificates & secrets → New client secret. Copy the secret value immediately (it's shown only once)
Enable ID Tokens:
Navigate to Authentication
Under Implicit grant and hybrid flows, check ID tokens
Click Save
In Understand Tech:
Provide the Client ID, Client Secret, and Tenant ID
Leave the Issuer URL field empty (not required for Entra)
Google
Create OAuth 2.0 Credentials:
Go to Google Cloud Console
Select your project or create a new one
Navigate to APIs & Services → Credentials
Click Create Credentials → OAuth client ID
Select Web application as the application type
Add the Redirect URI from Understand Tech to Authorized redirect URIs
Click Create
Retrieve Required Values:
Client ID: Displayed after creation (format: xxxxx.apps.googleusercontent.com)
Client Secret: Displayed alongside the Client ID
Issuer URL: https://accounts.google.com
Configure OAuth Consent Screen:
Navigate to OAuth consent screen
Configure the consent screen with your application information
Add the following scopes:
openid
email
profile
In Understand Tech:
Provide the Client ID, Client Secret, and Issuer URL (https://accounts.google.com)
Leave the Tenant ID field empty (not applicable for Google)
AWS Cognito
Create a User Pool (if you don't have one):
Navigate to AWS Cognito Console
Click Create user pool
Configure sign-in options and security requirements
Complete the setup wizard
Create an App Client:
In your User Pool, navigate to App integration → App clients
Click Create app client
Select Confidential client
Under Allowed callback URLs, add the Redirect URI from Understand Tech
Enable the following OAuth 2.0 flows:
Authorization code grant
Enable the following OAuth scopes:
openid
email
profile
Click Create
Configure Domain:
Navigate to App integration → Domain
Either create a Cognito domain or use a custom domain
Note the domain URL (e.g., https://yourdomain.auth.region.amazoncognito.com)
Retrieve Required Values:
Client ID: Found in the app client details
Client Secret: Found in the app client details (click Show client secret)
Issuer URL: The Cognito identity-provider endpoint for your region followed by your user pool ID (this is not the Cognito domain from the previous step)
Format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
Example: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123
You can find the user pool ID under User pool overview → User pool ID
In Understand Tech:
Provide the Client ID, Client Secret, and Issuer URL
Leave the Tenant ID field empty (not applicable for Cognito)
Okta
Create an Application:
Log in to your Okta Admin Console
Navigate to Applications → Applications
Click Create App Integration
Select OIDC - OpenID Connect
Select Web Application
Click Next
Configure Application Settings:
Enter an App integration name
Under Sign-in redirect URIs, add the Redirect URI from Understand Tech
Under Assignments, select who can access this application
Click Save
Retrieve Required Values:
Client ID: Displayed on the application's General tab
Client Secret: Displayed on the application's General tab (click the eye icon to reveal)
Issuer URL: Your Okta domain
Format: https://{yourOktaDomain}.okta.com or https://{yourOktaDomain}.oktapreview.com
Example: https://dev-12345.okta.com
Found in the top-right corner of the Admin Console or under Security → API → Authorization Servers (use the Issuer URI of the default server)
Assign Users/Groups:
Navigate to the Assignments tab of your application
Assign the users or groups who should have access
In Understand Tech:
Provide the Client ID, Client Secret, and Issuer URL
Leave the Tenant ID field empty (not applicable for Okta)
4. Common Troubleshooting
Redirect URI Mismatch: Ensure the Redirect URI in your IdP exactly matches what's shown in Understand Tech (including protocol, trailing slashes, etc.).
Client Secret Invalid: If you regenerate a client secret in your IdP, you must update it in Understand Tech immediately.
Permissions/Scopes: Ensure your IdP application has been granted the necessary permissions (openid, email, profile at minimum).
Issuer URL Format: Double-check that your Issuer URL doesn't include trailing slashes or unnecessary paths. It should be the base authentication URL only.
Cross-Origin Issues: For iframe integration, ensure your IdP supports third-party cookies or configure appropriate SameSite cookie settings. Refer to the iframe configuration notes in section 1 of this guide.
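The troubleshooting items above (exact Redirect URI match, no trailing slash or extra path in the Issuer URL, Tenant ID only for Entra, Issuer URL for everyone else) can be checked before you click Submit. The following preflight script is an added example, not Understand Tech's code; the function names, the provider labels and the Entra v2.0 issuer base are assumptions of this example, and it runs entirely offline.

```python
"""Offline preflight checks for the SSO fields in this guide (added example)."""
import re
from urllib.parse import urlparse

# Issuer URL shapes documented in the appendix, one regex per provider (assumed labels).
ISSUER_PATTERNS = {
    "google": re.compile(r"^https://accounts\.google\.com$"),
    "cognito": re.compile(
        r"^https://cognito-idp\.[a-z]{2}-[a-z]+-\d\.amazonaws\.com/[a-z]{2}-[a-z]+-\d_[A-Za-z0-9]+$"),
    "okta": re.compile(r"^https://[A-Za-z0-9.-]+\.(okta|oktapreview)\.com$"),
}

def check_sso_config(provider, client_id, client_secret, redirect_uri,
                     idp_redirect_uri, tenant_id=None, issuer_url=None):
    """Return a list of problems; an empty list means the fields look consistent."""
    problems = []
    if not client_id or not client_secret:
        problems.append("Client ID and Client Secret are both mandatory")
    # The IdP must hold the Redirect URI byte-for-byte: scheme, host, path, trailing slash.
    if redirect_uri != idp_redirect_uri:
        problems.append(f"Redirect URI mismatch: Understand Tech={redirect_uri!r} IdP={idp_redirect_uri!r}")
    if provider == "entra":
        if not tenant_id:
            problems.append("Tenant ID is required for Microsoft Entra")
        if issuer_url:
            problems.append("Leave Issuer URL empty for Microsoft Entra")
        return problems
    if tenant_id:
        problems.append(f"Tenant ID is not applicable for {provider}; leave it empty")
    if not issuer_url:
        problems.append(f"Issuer URL is required for {provider}")
        return problems
    if issuer_url.endswith("/"):
        problems.append("Issuer URL must not end with a trailing slash")
    if urlparse(issuer_url).scheme != "https":
        problems.append("Issuer URL must use https")
    pattern = ISSUER_PATTERNS.get(provider)
    if pattern and not pattern.match(issuer_url):
        problems.append(f"Issuer URL does not match the documented {provider} format (extra path?)")
    return problems

def discovery_url(provider, tenant_id=None, issuer_url=None):
    """OIDC metadata location you can fetch manually to confirm the issuer is reachable.

    The Entra base (login.microsoftonline.com/{tenant}/v2.0) is not stated on this page;
    it is the standard v2.0 endpoint and is an assumption of this example."""
    base = f"https://login.microsoftonline.com/{tenant_id}/v2.0" if provider == "entra" else issuer_url
    return base.rstrip("/") + "/.well-known/openid-configuration"
```

Run `check_sso_config(...)` with the values you are about to paste into the form; fetching `discovery_url(...)` with curl should return JSON whose `issuer` field equals your Issuer URL exactly.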