AppGate

The AppGate SDP integration adds biometric identity verification before zero-trust network access, replacing passwords with 1Kosmos mobile app authentication via SAML 2.0.

Integration type: Connector

Overview

1Kosmos integrates with AppGate SDP as a SAML 2.0 identity provider, replacing password-based authentication with biometric login via the 1Kosmos mobile app. Users authenticate biometrically before AppGate grants network access, binding zero-trust access decisions to verified identity rather than credentials that can be stolen or shared. Configuration is managed in AppGate Controller and 1Kosmos AdminX.

This integration addresses a specific gap in zero-trust architecture: AppGate controls what a user can access, but the strength of that access decision depends on how confidently the user's identity was verified at login. By placing 1Kosmos biometrics ahead of AppGate's policy evaluation, organizations bind network access to verified identity rather than to a credential that can be stolen or shared.

AppGate SDP supports SAML, LDAP, and RADIUS for identity provider connections. This integration uses the SAML 2.0 path. The configuration is performed in the AppGate Controller's Identity Providers section and the 1Kosmos AdminX portal.


Prerequisites

  • Active 1Kosmos tenant: Community administrator access to the AdminX portal. Contact 1kosmos.com/contact if your tenant is not yet provisioned.

  • AppGate SDP deployment: An active AppGate SDP environment with administrator access to the Controller Admin UI (typically at https://appliance.domainname.com:444/).

  • SAML IdP configuration completed in AdminX: The IdP configuration in AdminX must be completed before creating the AppGate application entry. Navigate to Settings → IdP Configuration to confirm your SSO URL, Logout URL, and signing certificate are active.

  • 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.


Configuration values

Values to collect from 1Kosmos AdminX before configuring AppGate:

| Field | Where to find it |
|---|---|
| IdP Name / Issuer | AdminX → Settings → IdP Configuration → Core Configuration |
| Single SignOn Service URL | AdminX → Settings → IdP Configuration → Service URL End Points |
| Single Logout Service URL | AdminX → Settings → IdP Configuration → Service URL End Points |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |

Values to collect from AppGate after creating the SAML IdP entry:

| Field | Description |
|---|---|
| SAML Consumer URL (ACS URL) | The AppGate endpoint that accepts SAML assertions; found in the SAML IdP configuration screen |
| Entity ID | The AppGate SP Entity ID; found in the SAML configuration settings |
| Redirect URL | The URL AppGate redirects to after authentication; used for the Application Access URL in AdminX |

Integration steps

Step 1: Collect IdP values from AdminX

  • Log in to the AdminX portal as a community administrator and navigate to Settings → IdP Configuration.

  • Note the IdP Name and copy the Single SignOn Service URL and Single Logout Service URL from the Service URL End Points section.

  • Click View Certificate and copy the Signing Certificate public key in PEM format.

Step 2: Add 1Kosmos as a SAML Identity Provider in AppGate

  • Log in to the AppGate Controller Admin UI and navigate to Configuration → Identity Providers.

  • Click New SAML (or Add Identity Provider, depending on your AppGate version) to create a new SAML entry.

  • Enter a name for the identity provider (e.g., "1Kosmos").

  • Paste the Single SignOn Service URL from AdminX into the IdP SSO Service URL field.

  • Paste the Signing Certificate public key from AdminX into the certificate field.

  • Set the User ID Mapping to use email as the primary identifier.

  • Save the configuration and copy the SAML Consumer URL (ACS URL) and Entity ID generated by AppGate.

Step 3: Add AppGate as a SAML application in AdminX

  • In the AdminX portal, navigate to Applications → Add Application.

  • Scroll to the Custom App section, select SAML 2.0 Generic, and click Add integration.

  • Enter "AppGate" as the Application Name, set Instance to Production, and enter the AppGate Redirect URL as the Application Access URL. Click Next.

  • Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and the NameID Value to email.

  • Add claims mappings for email (Username), firstname (first_name), and lastname (last_name). Click Next.

  • Enter the AppGate Entity ID as the SAML Entity ID in AdminX.

  • Enter the AppGate SAML Consumer URL as the ACS URL. Set Method to POST.

  • Enable Assertion signing. Click Save.

Step 4: Test the integration

  • Open the AppGate client or navigate to the AppGate login URL.

  • Select 1Kosmos as the identity provider when prompted.

  • You will be redirected to the 1Kosmos AdminX login screen.

  • Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.

  • Confirm you are returned to AppGate as an authenticated session with the correct access entitlements applied.

  • Test with a single user before enabling for the full organization. Keep a direct admin login path available during rollout as a fallback.


Attribute mappings

| Source (1Kosmos) | Target (AppGate) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary user identifier for AppGate policy matching |
| user.firstName | first_name | User first name |
| user.lastName | last_name | User last name |

Integration notes

AppGate SDP uses the authenticated identity from the SAML assertion to evaluate policies and assign entitlements. The NameID value must match exactly how users are referenced in AppGate's policy engine. If users are identified by email in AppGate policies, the NameID format must be emailAddress and the value must be the user's email.

AppGate also supports passing additional attributes in the SAML assertion for use in policy conditions, such as group membership or department. These can be added as additional claims in the AdminX application configuration if your AppGate environment uses attribute-based policy rules.
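The following is an added example, not 1Kosmos or AppGate code: it takes a SAML Response captured during the Step 4 test (for instance from the browser's developer tools, base64-decoded) and checks it against the values this integration requires: the Destination equals the AppGate ACS URL, the Audience contains the AppGate Entity ID, the NameID uses the emailAddress format with an email value, the assertion carries a Signature element, and the first_name and last_name attributes are present. The embedded response is constructed for illustration; all hostnames, entity IDs and the signature value are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response; hostnames, entity IDs and signature are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://appgate.example.test/saml/acs">
 <saml:Assertion>
  <saml:Issuer>urn:1kosmos:example-tenant</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://appgate.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected_acs, expected_entity_id):
    """Return a list of problems; empty means the assertion matches this page's configuration.
    Structural checks only: verifying the signature needs the IdP certificate and an XML-DSig library."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match the AppGate ACS URL")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned (enable Assertion signing in AdminX)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID Format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append("Audience does not include the AppGate Entity ID")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in ("first_name", "last_name"):
        if name not in present:
            problems.append(f"missing attribute {name}")
    return problems
```

Run it with the ACS URL and Entity ID copied from the AppGate SAML IdP screen; any non-empty result points at the AdminX setting to correct before rolling out beyond the single test user.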

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
