Kanbanize SAML 2.0 Single Sign-On integration is a great way for companies to centralize user management. However, this raises a sensible question – what happens with user provisioning in Kanbanize when you integrate the platform with your Identity Provider (IdP)? SAML integration effectively outsources part of the user provisioning to your IdP. Unfortunately, the SAML protocol does not cover user provisioning explicitly, so you still need to do some user management in Kanbanize, too. Here is what you need to know:
How to add NEW users to Kanbanize:
- You give your users access to Kanbanize by provisioning them to use the app in your IdP.
- The SSO integration includes a setting that was added to ensure a more secure environment and controlled access. If the setting is checked, a Kanbanize user is automatically created for an unregistered email upon login. If the setting is unchecked, you first need to send the user a Kanbanize email invitation before they can log in to the system using the SSO flow.
Note: Initially, users will not be assigned to any boards. Kanbanize Account Owners or users with "Manage Integrations" privileges should assign them to the appropriate ones.
How SAML integration affects EXISTING Kanbanize users:
- If a user has had an account in Kanbanize before the SAML integration and uses the same email in your IdP, their accounts will be automatically mapped. This means that the user will now log in through the IdP but will continue to use the same account in Kanbanize.
How to DELETE users from Kanbanize:
- When a user should no longer have access to Kanbanize, the Account Owner removes them from the app access list in the IdP. The user can then no longer log in, but their account continues to exist in Kanbanize and takes up one user license. If the user is not expected to use Kanbanize in the future, the Account Owner can delete the account from Kanbanize and thus free the user license.
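Because removal from the IdP does not delete the Kanbanize account, a periodic comparison of the two user lists shows which accounts are left over. The following is an added example, not Kanbanize code: the input lists are constructed sample data standing in for your own exports, and the function names, the external-user allowlist and the case-insensitive email matching are assumptions of the example.

```python
# Added example: audit for accounts that outlive their IdP access.
# All addresses below are constructed sample data; in practice, load them
# from your IdP's app-assignment export and your Kanbanize user list.

def normalize(email):
    # Assumption: addresses are compared case-insensitively, ignoring
    # surrounding whitespace, since accounts are mapped by email.
    return email.strip().lower()


def reconcile(idp_assigned, kanbanize_accounts, external_allowlist):
    """Classify accounts by comparing IdP assignments with Kanbanize users."""
    idp = {normalize(e) for e in idp_assigned}
    kanbanize = {normalize(e) for e in kanbanize_accounts}
    external = {normalize(e) for e in external_allowlist}

    outside_idp = kanbanize - idp
    return {
        # Removed from the IdP (or never in it) and not an approved external
        # user: the account still exists and still takes up a license.
        "orphaned": sorted(outside_idp - external),
        # Approved to exist outside the IdP (e.g. invited 3rd-party users).
        "external": sorted(outside_idp & external),
        # Assigned in the IdP but no Kanbanize account exists yet.
        "pending": sorted(idp - kanbanize),
        # Allowlist entries with no matching account: prune the allowlist.
        "stale_allowlist": sorted(external - kanbanize),
    }


IDP_ASSIGNED = ["Alice@example.com", "bob@example.com", "dana@example.com"]
KANBANIZE_ACCOUNTS = ["alice@example.com", " bob@example.com",
                      "carol@example.com", "consultant@partner.example"]
EXTERNAL_ALLOWLIST = ["consultant@partner.example",
                      "old-vendor@partner.example"]

if __name__ == "__main__":
    report = reconcile(IDP_ASSIGNED, KANBANIZE_ACCOUNTS, EXTERNAL_ALLOWLIST)
    for category, emails in report.items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

Accounts reported as `orphaned` are the candidates for deletion by the Account Owner; `pending` users either get an account on first SSO login or need an invitation, depending on the auto-creation setting.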
How to Manage External Users:
- When you have 3rd party consultants, generic emails, or users that are not part of your IdP, one possible solution is to allow both access through your SSO and login with Kanbanize credentials. This way:
  - 3rd Party Users go through our main web page login panel: https://kanbanize.com/user-login
  - Internal IdP users go through your account subdomain login page: https://myaccount.kanbanize.com
- The Account Owners of the account only need to invite/register the 3rd party users from the Administration Panel. They will receive an invite link to register and set up their Kanbanize credentials.
Note: If the option for login from both systems is not enabled, the invited 3rd party users will be able to access the system only the first time they are invited, and after logging out they will be forced to use the SSO only. This could be used as temporary one-time access for consultants or 3rd party users that do not need to re-enter the system.
- To activate the login mode with both systems, go to your Administration Panel -> Integrations -> Single Sign-On - Configure.
Check out the dedicated article on setting up SAML Single Sign-On for your account.