To stay on top of their game, modern companies use a variety of software tools (like Kanbanize!) to help them work better and more efficiently. However, as the number of tools grows, so does the number of passwords every user has to remember, and so does the load on the system administrators and IT staff who have to support those tools. A remedy for this is Single Sign-On (SSO): a company maintains one centralized Identity Provider (IdP) that all other tools talk to in order to authenticate and authorize users. SAML (Security Assertion Markup Language) is the most widespread SSO standard in the enterprise world. This is why Kanbanize lets you integrate with your company's SAML 2.0 Identity Provider and eliminate the need to remember all of those passwords!
*The rest of this article assumes that you have Account Owner privileges in Kanbanize, that you have the permissions needed to modify settings in your Identity Provider, and that you are familiar with the SAML 2.0 protocol.
Here are the steps required to connect Kanbanize with your Identity Provider (IdP):
- In Kanbanize, open the Administration panel and go to Integrations.
- There, you will find a section called Single Sign-On.
- Tick the checkbox at the top to enable the configuration fields.
- In the first field, you need to enter the Entity Id of your Identity Provider. Consult the documentation and/or metadata of your IdP if you don’t know it.
- The second field is IdP Login Endpoint. Here, you should enter the URL to which Kanbanize should redirect login requests.
- Similarly, IdP Logout Endpoint is the URL to which Kanbanize should redirect logout requests. This field is optional: fill it in only if you also want to enable Single Log-Out (SLO). With SLO, when users log out from Kanbanize they are also logged out of your IdP (and of all other tools connected to it); conversely, when users log out from your IdP they are logged out of Kanbanize, too.
- In the last field, paste the X.509 certificate that your IdP uses to sign SAML messages, as the bare base64 body without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Kanbanize uses this certificate to verify the signature on the responses and assertions your IdP sends, so it must be the IdP's current signing certificate; when your IdP rotates its signing certificate, update this field as well.
- The first of the fields on the right is Attribute name for Email. Here, you need to enter the name of the attribute that carries the user's email address in the SAML assertion that the IdP sends to Kanbanize. If you don't know it, consult your IdP's documentation and/or settings, or inspect an assertion it issues.
- The next two fields are optional. They are the names of the attributes that carry the user's first and last name. This information is used when a user logs in to Kanbanize for the first time: an account is provisioned automatically for that user and, if those attributes are present, the user's name is filled in on the account.
You can use the field at the bottom of the panel to select among a variety of options that cover different login use cases. Choose carefully: if you disable Kanbanize login for all users, a misconfigured or unavailable IdP locks out everyone, including Account Owners, so keeping a Kanbanize login for Account Owners is the usual break-glass choice:
- Disable Kanbanize login, only SSO login is applied for all users
- Allow Kanbanize login for users with Account Owner privileges
- Allow Kanbanize login for users with Manage Integrations privileges
- Allow Kanbanize and SSO login for all users
- Click Save Settings, with which the configuration of SAML in Kanbanize is complete.
Now you need to set up the Identity Provider. The steps will differ for every particular IdP so, once more, you will need to consult its documentation. Here is the information that you will need:
- The Entity Id of Kanbanize is https://<subdomain>.kanbanize.com/ (replace <subdomain> with your company’s custom Kanbanize subdomain, e.g. https://yourcompany.kanbanize.com/ )
- The Assertion Consumer Service (ACS) endpoint (the URL to which the IdP sends the user after successfully authenticating and authorizing them) is https://<subdomain>.kanbanize.com/saml/acs
- Single Logout Service (SLS) endpoint is https://<subdomain>.kanbanize.com/saml/sls
- RelayState is /ctrl_login/finish_saml_login
Note: The setting "Automatically create a Kanbanize user for the unregistered emails upon login" at the bottom left corner controls who can get into Kanbanize through SSO. When it is checked, a Kanbanize user is created automatically for any email address that your IdP authenticates but that is not yet registered in Kanbanize. When it is unchecked, a user must first receive a Kanbanize email invitation before they can log in through the SSO flow, so access stays limited to the accounts you have explicitly invited.
If your IdP supports configuration with metadata you can find it at: https://<subdomain>.kanbanize.com/saml/metadata
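As an added example (not Kanbanize's own code), the Python script below pulls the values that the Single Sign-On form above asks for out of an IdP's SAML 2.0 metadata document and out of a sample assertion, and checks a copy of the Kanbanize SP metadata against the Entity Id, ACS and SLS values listed in this section. It uses only the standard library. The IdP hostname idp.example.com, the subdomain yourcompany, the attribute names, all three XML documents and the certificate body are constructed placeholders, not real data.

```python
"""Added example, not Kanbanize code: derive the Kanbanize SSO form values from an
IdP's SAML 2.0 metadata and a sample assertion, and check the SP metadata against
the Entity Id / ACS / SLS values above. Stdlib only; all XML is constructed."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata; idp.example.com is a placeholder and the certificate
# body is placeholder bytes (a DER SEQUENCE header plus zeros), not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate> MIIBAAAA AAAAAAAA </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment; the attribute Names are whatever your IdP emits.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>alice@yourcompany.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

# Constructed SP metadata in the shape the values above imply; use the real document from the URL.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://yourcompany.kanbanize.com/">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://yourcompany.kanbanize.com/saml/sls"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://yourcompany.kanbanize.com/saml/acs" index="0"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""


def strip_pem(cert: str) -> str:
    """Bare base64 body: BEGIN/END markers and whitespace removed; must decode to DER (0x30)."""
    kept = [ln for ln in cert.strip().splitlines() if not ln.strip().startswith("-----")]
    body = re.sub(r"\s+", "", "".join(kept))
    if not base64.b64decode(body, validate=True).startswith(b"\x30"):
        raise ValueError("certificate body is not DER-encoded")
    return body


def _redirect_endpoint(descriptor, tag):
    """Location of the HTTP-Redirect <md:tag> endpoint, or None if the IdP has none."""
    for e in descriptor.findall(f"md:{tag}", NS):
        if e.get("Binding") == REDIRECT:
            return e.get("Location")
    return None


def idp_form_values(metadata_xml: str) -> dict:
    """Values for the four left-hand fields of the Kanbanize Single Sign-On form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    # A KeyDescriptor without a 'use' attribute may be used for signing as well.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    return {
        "entity_id": root.get("entityID"),
        "login_endpoint": _redirect_endpoint(idp, "SingleSignOnService"),
        "logout_endpoint": _redirect_endpoint(idp, "SingleLogoutService"),  # None: leave the field empty
        "certificate": strip_pem(signing[0].find(".//ds:X509Certificate", NS).text),
    }


def attribute_values(assertion_xml: str) -> dict:
    """Attribute Name -> first value: shows which Name to enter for email, first and last name."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): a.find("saml:AttributeValue", NS).text
            for a in root.iterfind(".//saml:Attribute", NS)}


def sp_metadata_mismatches(metadata_xml: str, subdomain: str) -> list:
    """Names of SP metadata fields that differ from the values listed above for <subdomain>."""
    base = f"https://{subdomain}.kanbanize.com"
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    sls = sp.find("md:SingleLogoutService", NS)
    got = {"entity_id": root.get("entityID"),
           "acs": sp.find("md:AssertionConsumerService", NS).get("Location"),
           "sls": sls.get("Location") if sls is not None else None}
    want = {"entity_id": base + "/", "acs": base + "/saml/acs", "sls": base + "/saml/sls"}
    return [k for k in want if got[k] != want[k]]
```

Calling idp_form_values(IDP_METADATA) returns the Entity Id, the two endpoints and the certificate body ready to paste into the form; the X509Certificate element in IdP metadata already holds the bare base64 body without BEGIN/END markers, and strip_pem also accepts a PEM file exported from the IdP. attribute_values(ASSERTION) lists the attribute names the IdP actually sends, which is the quickest way to find the right value for Attribute name for Email. sp_metadata_mismatches(SP_METADATA, "yourcompany") returns an empty list when the metadata matches the values in this section.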
When the configuration has been completed, the users that you have provisioned to use Kanbanize will be redirected to your IdP’s login page when they try to log in. Upon successful authentication and authorization, they will be redirected back to Kanbanize and live happily with one less password in their lives!
If you have any trouble don’t hesitate to contact us at firstname.lastname@example.org.
These were the general steps for configuring SAML with any Identity Provider. In the related articles below, you can find the specific step-by-step tutorials for enabling SSO with Azure Active Directory, OneLogin, and Okta as your IdP and for managing user provisioning with SAML Integration: