The Basecamp integration replaces password-based login with biometric authentication via SAML 2.0 using the 1Kosmos mobile app.
Integration type
Auth/IDP
Overview
1Kosmos integrates with Basecamp as a SAML 2.0 identity provider, enabling team members to access Basecamp using biometric passwordless authentication via the 1Kosmos mobile app. Supported biometric options include Touch ID, Face ID, and liveness-checked LiveID.
What we solve
Organizations using Basecamp need to protect access to projects and collaboration workspaces without relying on passwords that are vulnerable to phishing and reuse. This integration enables SAML 2.0 SSO from Basecamp to 1Kosmos so team members sign in with biometric, passwordless authentication via the 1Kosmos mobile app.
Basecamp's SSO configuration is accessed through the account admin settings. The integration requires adding 1Kosmos as the SAML identity provider by entering the 1Kosmos SSO URL, entity ID, and signing certificate. Basecamp supports both IdP-initiated and SP-initiated SSO flows.
When a user navigates to Basecamp and initiates login, they are redirected to 1Kosmos for biometric authentication before being returned to their Basecamp session.
SSO in Basecamp applies to the specific account it is configured on. Users must have existing Basecamp accounts with email addresses that match their records in the 1Kosmos directory before SSO can be enabled for them.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Basecamp administrator access: Owner or admin rights to the Basecamp account, including access to account settings and SSO configuration.
Basecamp plan with SSO support: Confirm your Basecamp plan includes SAML SSO. Contact Basecamp support if you are unsure whether SSO is available on your plan.
Matching user email addresses: Email addresses in 1Kosmos must match the email addresses on Basecamp user accounts before SSO is enabled.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Basecamp:
Field | Where to find it |
|---|---|
SSO Login URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
x.509 Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
SAML Metadata URL | AdminX → Settings → IdP Configuration → Metadata URL (optional, if Basecamp supports metadata import) |
Values to collect from Basecamp (SP) for AdminX:
Field | Description |
|---|---|
Basecamp Account URL | Your Basecamp account URL (e.g., https://3.basecamp.com/[account-id]), used as the Application Access URL in AdminX |
ACS URL | Provided in Basecamp SSO settings; the endpoint that receives the SAML assertion |
SP Entity ID | Provided in Basecamp SSO settings; the audience URI for the SAML assertion |
Integration steps
Step 1: Add Basecamp as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "Basecamp" as the Application Name, set Instance to Production, and enter your Basecamp account URL as the Application Access URL. Click Next.
Set the NameID Format to
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressand NameID Value toemail.Add claims mappings for
email(Username),firstname(first_name), andlastname(last_name). Click Next.Enter the Basecamp SP Entity ID and ACS URL (collected from Basecamp SSO settings in the next step). Set Method to POST and enable Assertion signing. Click Save.
Step 2: Access Basecamp SSO settings
Log in to Basecamp as an administrator and navigate to account settings.
Locate the Single Sign-On section. The exact path may vary by Basecamp plan and version. If you do not see SSO settings, contact Basecamp support to confirm SSO availability on your account.
Note the ACS URL and SP Entity ID values displayed in the SSO settings. Return to AdminX and update the SAML application with these values if you did not have them during Step 1.
Step 3: Enter 1Kosmos IdP details in Basecamp
In Basecamp SSO settings, enter the 1Kosmos SSO Login URL in the Identity Provider SSO URL field.
Enter the 1Kosmos IdP Entity ID in the Issuer or Entity ID field.
Paste the 1Kosmos x.509 signing certificate into the certificate field.
Save the configuration.
Step 4: Test the integration
Open an incognito browser window and navigate to your Basecamp URL.
Select the SSO login option. You will be redirected to the 1Kosmos login screen.
Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm you are returned to Basecamp as an authenticated user.
Test with a single user before enabling SSO for the full team.
Attribute mappings
Source (1Kosmos) | Target (Basecamp) | Description |
|---|---|---|
user.email | NameID (emailAddress) | Must match the user's Basecamp account email |
user.firstName | first_name | User first name |
user.lastName | last_name | User last name |
Integration notes
Basecamp's SSO feature and its specific configuration screens vary by account plan. If your plan does not include SSO or if the SSO settings are not accessible in your account, contact Basecamp support to enable and configure the feature.
For organizations migrating from password-based login to SSO, ensure all team members' Basecamp email addresses match their 1Kosmos directory records before enabling SSO enforcement to avoid access disruptions.
