The ARCON integration configures 1Kosmos as the SAML 2.0 identity provider, requiring biometric authentication before granting access to vaulted credentials, sessions, and managed applications.
Integration type: SSO
Overview
The ARCON integration adds biometric identity verification to privileged access scenarios. ARCON PAM enforces least-privilege access and session recording, while 1Kosmos ensures the user initiating each session is verified rather than using stolen credentials. Configuration is performed in ARCON Partner Management and the 1Kosmos AdminX portal via SAML 2.0.
This integration is particularly relevant for privileged access scenarios where the identity behind the session must be known with high assurance. ARCON PAM enforces least-privilege access and session recording; 1Kosmos ensures that the user initiating each session is a verified individual rather than someone using a stolen or shared credential.
Configuration is performed in the ARCON Partner Management section, where 1Kosmos is added as a trusted identity provider using the 1Kosmos SAML metadata or certificate. The 1Kosmos AdminX portal is then configured with ARCON as a SAML service provider.
Prerequisites
Active 1Kosmos tenant: Community administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned. Request the SAML metadata XML file and signing certificate from your 1Kosmos representative.
ARCON administrator access: Administrative access to the ARCON PAM or ARCON SSO console, including rights to configure Partner Management and identity provider settings.
Verified user directory: Users must exist in both the 1Kosmos directory and the ARCON user store with matching email addresses before SSO can be tested.
Federated domain configured in ARCON: ARCON requires one or more federated domains to be defined in Partner Management so it knows which users to redirect to 1Kosmos for authentication.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for ARCON:
| Field | Where to find it |
|---|---|
| SAML Metadata XML file | AdminX → Settings → IdP Configuration → Metadata URL (download or request from 1Kosmos representative) |
| IdP Entity ID (Issuer) | AdminX → Settings → IdP Configuration → Core Configuration |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Values to collect from ARCON (SP) for AdminX:
| Field | Where to find it |
|---|---|
| SP Entity ID | ARCON console → Settings → Identity Provider configuration or SP metadata |
| ACS URL | ARCON console → Settings → Identity Provider configuration |
| ARCON Login URL | Your ARCON deployment URL, used as Application Access URL in AdminX |
Integration steps
Step 1: Collect 1Kosmos IdP values
Log in to the AdminX portal and navigate to Settings → IdP Configuration.
Copy the IdP Entity ID and SSO URL, and download or copy the signing certificate PEM.
Your 1Kosmos representative can also provide the SAML metadata XML file directly for use in ARCON's Partner Management configuration.
Step 2: Add 1Kosmos as a Partner Identity Provider in ARCON
Log in to the ARCON PAM or ARCON SSO console as an administrator.
Navigate to Settings → Users → Partner Management (or the equivalent identity provider configuration section in your ARCON version).
Click Add to create a new partner identity provider entry.
Enter "1Kosmos" as the Partner Name.
In the Federated Domains section, add the email domain(s) whose users will authenticate through 1Kosmos. Users with these domains will be redirected to 1Kosmos at login.
Upload the 1Kosmos SAML metadata XML file or manually enter the Entity ID, SSO URL, and signing certificate.
Save the configuration and copy the ARCON SP Entity ID and ACS URL for use in AdminX.
Step 3: Add ARCON as a SAML application in AdminX
In the AdminX portal, navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "ARCON" as the Application Name, set Instance to Production, and enter the ARCON login URL as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email.
Add claims mappings for email (Username), firstname (first_name), and lastname (last_name). Click Next.
Enter the ARCON SP Entity ID and ACS URL, set Method to POST, enable Assertion signing, and click Save.
Step 4: Test the integration
Navigate to the ARCON login URL and enter a test user's email address.
Confirm you are redirected to the 1Kosmos login screen.
Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm you are returned to ARCON as an authenticated session with the correct access entitlements.
Test with a single privileged user account before enabling for the full user base.
Attribute mappings
| Source (1Kosmos) | Target (ARCON) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary identifier; must match the ARCON user account |
| user.firstName | first_name | User first name |
| user.lastName | last_name | User last name |
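During the Step 4 test, the base64 SAMLResponse form field posted to the ARCON ACS URL can be checked against the Step 3 settings and the mappings above. This is an added example, not vendor code: it assumes the assertion carries attributes named first_name and last_name as in the table, uses a constructed sample with an empty Signature stand-in, and performs structural checks only, with no cryptographic signature verification.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("first_name", "last_name")  # assumed names, taken from the mapping table

def check_saml_response(b64_response, expected_email, sp_entity_id):
    """Structural checks only; does not verify the XML signature cryptographically."""
    xml_text = base64.b64decode(b64_response).decode("utf-8")
    if "<!DOCTYPE" in xml_text:  # a SAML response never needs a DTD
        raise ValueError("DOCTYPE not allowed in a SAML response")
    assertions = ET.fromstring(xml_text).findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one Assertion, found %d" % len(assertions)]
    a, problems = assertions[0], []
    if a.find("ds:Signature", NS) is None:  # direct child: the assertion itself is signed
        problems.append("assertion is not signed (enable Assertion signing in AdminX)")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif (name_id.text or "").strip().lower() != expected_email.lower():
        problems.append("NameID does not match the ARCON account email")
    audiences = [(e.text or "").strip() for e in a.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not contain the ARCON SP Entity ID")
    present = {e.get("Name") for e in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += ["missing attribute " + n for n in REQUIRED_ATTRS if n not in present]
    return problems

# Constructed, trimmed sample response; user, hosts and Signature are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    >alice@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://arcon.example.invalid/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"/><saml:Attribute Name="last_name"/>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```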
Integration notes
ARCON Partner Management requires federated domains to be defined before authentication redirects will work. If a user's email domain is not listed as a federated domain in ARCON, the user will not be redirected to 1Kosmos and will see the standard ARCON login screen.
For deployments using ARCON SSO to front multiple downstream applications, configuring 1Kosmos at the ARCON SSO layer means all applications behind ARCON will benefit from biometric authentication without requiring separate IdP configurations for each.
Confirm with your ARCON representative that your version supports external SAML IdP configuration, as the Partner Management menu path may differ across ARCON product versions.

