Kanbanize Single Sign-On integration is a great way for companies to centralize user management, i.e., provisioning and deprovisioning.
However, this raises a reasonable question: what happens with user provisioning in Kanbanize once you integrate the platform with your Identity Provider (IdP)?
SAML 2.0 effectively outsources part of user provisioning to your IdP, and SCIM can take care of user deprovisioning. However, the SAML protocol does not cover user provisioning explicitly, so some user management still has to be done in Kanbanize itself. Here is what you need to know.
2. User Provisioning
- How to grant access to Kanbanize for new users when SSO integration is already in place:
You can grant your users access to Kanbanize by provisioning them to use the Kanbanize app in your IdP.
This SSO integration setting exists to keep the environment secure and access controlled. If the setting shown in the image below is enabled in your Kanbanize SSO settings, a Kanbanize user is created automatically for any unregistered email address upon login:
If that option is not enabled, you need to send the user a Kanbanize email invitation first, before they can log in to the system using the SSO flow.
Note: Once a user has been invited and has successfully logged in via SSO, they will not yet be assigned to any workspaces or boards. Users with the Account Owner or Workspace Manager role should assign newly registered users to the appropriate workspaces and boards.
- Enabling SSO integration and how this affects existing Kanbanize users:
If a user already had an account in Kanbanize before the SSO integration was configured and uses the same email in your IdP, their user profiles are mapped automatically. This means that the user will now log in through the IdP but will continue to use the same user profile in Kanbanize.
If, however, the user logs in to Kanbanize with one email but is registered with another email in the Identity Provider, attempting to log in to Kanbanize with the second email will create a new user account in Kanbanize (if the above-mentioned option is enabled).
- How to provide access to external users (who are not part of your IdP):
When you have third-party consultants or contractors who are not part of your IdP, one possible solution is to allow both login via SSO and login without SSO. This can be done by selecting the following option in the Kanbanize SSO settings:
In that way, external users will need to go through the central login page located at:
Internal users (members of the IdP) will be able to utilize the SSO flow by going through your account's dedicated login page, i.e.:
The Account Owners of the account will need to send invitations to the external users via the Administration Panel. The external users will receive an invite link to register and set up their Kanbanize credentials.
Note: If the option for login from both systems is not enabled, invited external users will be able to access the system only the first time they are invited; after logging out, they will be forced to use SSO only. This can be used as temporary, one-time access for consultants or third-party users who do not need to re-enter the system.
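The provisioning rules above (automatic user creation for unregistered emails, invitation-only access when that option is off, profile mapping by email, the separate profile a second IdP email produces, one-time access for invited external users, and workspace assignment by an Account Owner or Workspace Manager) are easier to reason about as a small state machine. The following is an added example written for this article, not Kanbanize's own code: the settings names, user records and role strings are assumptions chosen to mirror the options described in the text, and the sample account is constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the two SSO settings discussed above; the field names are
# illustrative and are not Kanbanize's real configuration keys.
@dataclass
class SsoSettings:
    auto_create_unregistered: bool   # create a Kanbanize user for an unregistered email on SSO login
    allow_login_without_sso: bool    # allow both SSO and non-SSO (central login page) access


@dataclass
class Account:
    # email -> user record; roles modelled: "Account Owner", "Workspace Manager", "Member"
    users: dict = field(default_factory=dict)
    pending_invites: set = field(default_factory=set)

    def invite(self, email):
        self.pending_invites.add(email.lower())

    def create_user(self, email):
        # A newly registered user starts with no workspace or board assignments.
        self.users[email] = {"role": "Member", "workspaces": set(),
                             "first_password_login_pending": True}
        return self.users[email]


def accept_invite(account, email):
    """An invited (e.g. external) user follows the invite link and sets credentials."""
    email = email.lower()
    if email not in account.pending_invites:
        return "rejected-no-invite"
    account.pending_invites.discard(email)
    account.create_user(email)
    return "created-from-invite"


def sso_login(account, settings, assertion_email):
    """Outcome of an SSO login for the email carried in the IdP's assertion."""
    email = assertion_email.lower()
    if email in account.users:
        # Same email on both sides: the existing profile is reused, not duplicated.
        return "mapped-existing"
    if email in account.pending_invites:
        return accept_invite(account, email)
    if settings.auto_create_unregistered:
        # An IdP email that differs from the one an existing user registered with
        # also lands here and produces a second, separate profile.
        account.create_user(email)
        return "created-automatically"
    return "rejected-no-invite"


def password_login(account, settings, email):
    """Outcome of a login on the central (non-SSO) login page."""
    user = account.users.get(email.lower())
    if user is None:
        return "rejected-unknown"
    if settings.allow_login_without_sso:
        return "ok"
    if user["first_password_login_pending"]:
        # Without the mixed-login option the invitation grants access once; after
        # logging out, SSO is required (assumed modelling of the note above).
        user["first_password_login_pending"] = False
        return "ok-one-time"
    return "sso-required"


def assign_workspace(account, actor_email, target_email, workspace):
    """Only an Account Owner or Workspace Manager may assign a user to a workspace."""
    actor = account.users[actor_email.lower()]
    if actor["role"] not in ("Account Owner", "Workspace Manager"):
        return False
    account.users[target_email.lower()]["workspaces"].add(workspace)
    return True


def run_provisioning_scenario():
    """Walk through the cases described in the article on a constructed account."""
    settings = SsoSettings(auto_create_unregistered=True, allow_login_without_sso=False)
    acct = Account()
    acct.users["owner@example.com"] = {"role": "Account Owner", "workspaces": {"Ops"},
                                       "first_password_login_pending": False}
    acct.users["alice@example.com"] = {"role": "Member", "workspaces": {"Ops"},
                                       "first_password_login_pending": False}
    r = {}
    r["alice_same_email"] = sso_login(acct, settings, "Alice@Example.com")
    r["alice_other_email"] = sso_login(acct, settings, "alice.smith@example.com")
    r["new_user_workspaces_at_creation"] = len(acct.users["alice.smith@example.com"]["workspaces"])
    acct.invite("consultant@partner.example")
    r["consultant_accept"] = accept_invite(acct, "consultant@partner.example")
    r["consultant_first"] = password_login(acct, settings, "consultant@partner.example")
    r["consultant_second"] = password_login(acct, settings, "consultant@partner.example")
    r["assign_by_member"] = assign_workspace(acct, "alice@example.com", "alice.smith@example.com", "Ops")
    r["assign_by_owner"] = assign_workspace(acct, "owner@example.com", "alice.smith@example.com", "Ops")
    strict = SsoSettings(auto_create_unregistered=False, allow_login_without_sso=False)
    r["stranger_strict"] = sso_login(acct, strict, "nobody@example.com")
    return r


if __name__ == "__main__":
    for key, value in run_provisioning_scenario().items():
        print(f"{key}: {value}")
```

The scenario makes the two points that matter for access control visible: with automatic creation enabled, an IdP email that does not match an existing profile silently produces a second profile (`alice_other_email`), and without the mixed-login option an invited external user's password login works exactly once before SSO is enforced.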
3. User Deprovisioning
Whenever automatic user deprovisioning is not enabled in the Kanbanize SSO settings, and a user's access to Kanbanize needs to be revoked, the Account Owner will need to manually disable or delete the user profile.
Disabling a user profile is reversible, and if the user is expected to require access to Kanbanize at a later stage, their profile can be re-enabled.
Deleting a user profile is permanent and irreversible: if that user requires access to Kanbanize in the future, they would need to be re-invited.
To set up automatic user deprovisioning, the Identity Provider you are using needs to support the SCIM (System for Cross-domain Identity Management) standard.
If it does, you can enable automatic deprovisioning of users via SCIM in the Kanbanize SSO settings, so that whenever a user is disabled or deactivated in the SAML identity provider, the corresponding user profile in Kanbanize is disabled as well.
Note: If this is configured after a user has already been disabled in the IdP while their Kanbanize user profile is still active, that profile will not be disabled automatically in Kanbanize until their IdP user profile is reactivated and deactivated again.
There should be a dedicated section in your IdP settings where you can specify the SCIM Base URL and provide the SCIM Bearer Token, which can be retrieved from the Kanbanize SSO settings, as shown in the image above.
Another prerequisite for successful automatic user (provisioning and) deprovisioning is that users have the same email address in both the Identity Provider and Kanbanize.
Note that when a user is disabled in Kanbanize, this should free up their license seat.
If this user is not expected to use Kanbanize in the future, the Account Owner can permanently delete the user profile from Kanbanize.
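To show what the SCIM deprovisioning flow above actually exchanges, and why the two caveats (a user already deactivated before SCIM was enabled, and an email mismatch between IdP and Kanbanize) behave the way the text describes, here is an added example simulating both sides. It is not Kanbanize's or any IdP's code: the `/scim/v2/Users` path, the bearer token value, the user directories and the decision to address users by email in the path (real SCIM uses the resource id the service provider assigned) are all constructed assumptions; the `PatchOp` schema URN and `active` attribute are standard SCIM 2.0.

```python
import hmac
import json

# Placeholder for the SCIM Bearer Token copied from the Kanbanize SSO settings
# (constructed value for this example, not a real token).
SCIM_BEARER_TOKEN = "EXAMPLE-SCIM-TOKEN-copy-from-sso-settings"


class ServiceProvider:
    """Application side (the Kanbanize role): a minimal SCIM 2.0-style /Users endpoint.
    Simplification: users are addressed by userName (email) in the path."""

    def __init__(self, emails):
        self.users = {e.lower(): {"active": True} for e in emails}

    def seats_in_use(self):
        # Disabling a user frees their license seat.
        return sum(1 for u in self.users.values() if u["active"])

    def handle(self, request):
        scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
        # The bearer token is the only thing authenticating the IdP: compare it in
        # constant time and treat it like any other secret.
        if scheme != "Bearer" or not hmac.compare_digest(token, SCIM_BEARER_TOKEN):
            return {"status": 401, "detail": "invalid bearer token"}
        if request["method"] != "PATCH":
            return {"status": 405, "detail": "only PATCH is modelled here"}
        user_name = request["path"].rsplit("/", 1)[-1].lower()
        user = self.users.get(user_name)
        if user is None:
            # The IdP email matches no Kanbanize profile: nothing is changed.
            return {"status": 404, "detail": "user not found"}
        body = json.loads(request["body"])
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and "active" in op.get("value", {}):
                user["active"] = bool(op["value"]["active"])
        return {"status": 200, "userName": user_name, "active": user["active"]}


class IdentityProvider:
    """IdP side: pushes a SCIM PATCH only when a user's active flag changes while the
    SCIM connector is enabled. A user deactivated before setup therefore triggers no
    call until they are reactivated and deactivated again (the note above)."""

    def __init__(self, emails, token, transport):
        self.active = {e.lower(): True for e in emails}
        self.token = token
        self.transport = transport      # callable delivering a request to the SP
        self.connector_enabled = False
        self.log = []                   # (email, requested_active, status) per call made

    def set_active(self, email, active):
        email = email.lower()
        changed = self.active.get(email) != active
        self.active[email] = active
        if changed and self.connector_enabled:
            response = self.transport(self._patch(email, active))
            self.log.append((email, active, response["status"]))

    def _patch(self, email, active):
        return {
            "method": "PATCH",
            "path": f"/scim/v2/Users/{email}",
            "headers": {"Authorization": f"Bearer {self.token}",
                        "Content-Type": "application/scim+json"},
            "body": json.dumps({
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                "Operations": [{"op": "replace", "value": {"active": active}}],
            }),
        }


def run_deprovisioning_scenario():
    """Constructed directories: dave uses a different email in the IdP than in Kanbanize."""
    sp = ServiceProvider(["alice@example.com", "bob@example.com",
                          "carol@example.com", "dave.old@example.com"])
    idp = IdentityProvider(["alice@example.com", "bob@example.com",
                            "carol@example.com", "dave@corp.example"],
                           SCIM_BEARER_TOKEN, sp.handle)
    idp.set_active("bob@example.com", False)    # deactivated BEFORE SCIM is enabled: no call
    idp.connector_enabled = True
    idp.set_active("alice@example.com", False)  # normal case: Kanbanize profile disabled
    idp.set_active("dave@corp.example", False)  # email mismatch: 404, profile stays active
    idp.set_active("bob@example.com", True)     # the fix for bob: reactivate ...
    idp.set_active("bob@example.com", False)    # ... and deactivate again
    bad = sp.handle({"method": "PATCH", "path": "/scim/v2/Users/carol@example.com",
                     "headers": {"Authorization": "Bearer wrong-token"}, "body": "{}"})
    return {
        "active": {e: u["active"] for e, u in sp.users.items()},
        "seats_in_use": sp.seats_in_use(),
        "calls": idp.log,
        "bad_token_status": bad["status"],
    }


if __name__ == "__main__":
    print(json.dumps(run_deprovisioning_scenario(), indent=2))
```

Running the scenario shows four calls (alice 200, dave 404, bob 200 twice) and leaves alice and bob disabled, carol and dave's mismatched profile still active, and two seats in use. The two practical consequences for an administrator are that an email mismatch is a silent failure (the IdP only sees a 404 in its provisioning log, and the Kanbanize profile keeps its seat), and that an already-deactivated IdP user needs a reactivate-then-deactivate cycle or a manual disable in Kanbanize.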
For detailed instructions on how to configure user provisioning, check out our dedicated articles on some of the most common Identity Providers: