The Kanbanize Single Sign-On integration is an excellent way for companies to centralize user management, that is, user provisioning.
SAML 2.0 effectively outsources part of user provisioning to your IdP, which handles initial identification and SSO, while SCIM takes care of the central management of your users. You can add new users, rename them or change their emails, and remove users centrally. You can scale this by using groups of users in your IdP or by applying the changes in batches. All IdP changes are automatically transferred to your Kanbanize account.
Unfortunately, SCIM implementations differ, and not all Identity Providers cover the standard in the same way, so you still need to adjust to the specifics of your IdP and do some extra user management in Kanbanize. The main configuration steps you need to know are described below.
2. User Provisioning
To set up automatic user provisioning, your Identity Provider must support the SCIM (System for Cross-domain Identity Management) standard.
If so, you can enable automatic provisioning of users via SCIM in the Kanbanize SSO settings.
Under the User Provisioning section of the SSO integration panel, once the slider is activated, two credential parameters are shown:
- Tenant or SCIM Base URL - This URL is called automatically by your IdP to notify Kanbanize whenever your users are modified.
- Secret or SCIM Bearer Token - Used to securely connect your IdP to your Kanbanize account.
Copy these credentials and place them in your IdP configuration panel. See the articles at the bottom for some of the most common IdPs that we support.
Adding new users to your organization:
When new people join your organization, they are usually registered in your IdP and assigned, individually or in most cases via a set of groups, to the associated provisioning applications such as Kanbanize. When this happens, the IdP sends a signal to our SSO / SCIM integration with meta information about the user, and Kanbanize automatically creates the user in your Kanbanize account. Just as if you had manually invited the user, the system sends an invitation email to the user's email address with a link for logging in to the Kanbanize account. The user is not active and does not consume a license seat until the first login.
Even if your IdP doesn't support SCIM, as long as users are allowed to access Kanbanize through your SAML 2.0 IdP settings, we provide the option to automatically create new Kanbanize users upon their first login.
If that option is not enabled and you don't have provisioning set up, you would first need to register the user by sending a Kanbanize email invitation from your Kanbanize account, so that the user will be able to log in to the system using the SSO flow.
Note: Once users are invited and have successfully logged in via SSO, they will not be assigned to any workspaces or boards. The Account Owner or Workspace Managers should assign the newly registered users to the appropriate workspaces and boards. As a best practice for the end-user experience in large organizations using the SSO integration, we recommend creating a Company Dashboard assigned to the Global Kanbanize Team, with a text widget listing your company's Workspace Managers or contacts within the organization. This way users can directly contact the responsible people and ask for access to their boards and workflows.
Enabling SCIM provisioning and how this affects existing Kanbanize users:
If a user has had an account in Kanbanize before the SSO integration is configured and uses the same email in your IdP, their user profiles will be automatically mapped. This means the user will now log in through the IdP but will continue using the same user profile in Kanbanize.
If, however, the user uses one email to log in to Kanbanize but is registered with another email in the Identity Provider, after turning on provisioning the integration will create a new user account in Kanbanize with the user's IdP email!
IMPORTANT: If you use User Groups to manage the people in your IdP that are assigned to the Provisioning Application, once you turn the integration on, the IdP will start synchronizing all users from your assigned groups into Kanbanize one by one. If those users are not registered in Kanbanize, you might end up sending many invitation emails to the users from those groups, as they are automatically registered and invited to join Kanbanize. If this is not the required behavior, there should be an option in the IdP provisioning configuration to switch off the create-user events and use only the update and remove user events.
Updating users in Kanbanize with provisioning:
With the provisioning enabled, if a user's email is centrally changed, the modification will be done in Kanbanize as well.
Note: Kanbanize uses the user email as the unique identifier for login and for mapping between the user in your IdP and the user in Kanbanize, so only email modifications are supported.
If your IdP requires users to log in with their usernames, company ID numbers, or any other special property, modifications of these properties have no impact on Kanbanize.
Removing users from Kanbanize with provisioning:
With provisioning enabled, if a user is centrally removed from the IdP (deleted, unassigned from the application or a group, disabled, blocked, etc.), a signal is sent to the SSO provisioning integration and the system disables the user in Kanbanize as well, revoking their access.
Disabling a user profile is reversible: if the user is expected to require access to Kanbanize at a later stage, their profile can be re-enabled centrally from your IdP.
Deleting a user profile in Kanbanize is permanent and irreversible, which is why, even if the user is permanently removed from your IdP, they are only disabled in your Kanbanize account. Disabled users free up license seats, and at any point in time the Account Owner can delete the user in Kanbanize permanently.
Note: Deleting a user in Kanbanize anonymizes all previously assigned cards and performed actions because of GDPR regulations. If an old/deleted user is re-invited, they are added to the system as a completely new user.
Note: If the Account Owner disables or deletes the user profile directly in Kanbanize but not in the IdP, on the next sync the user will be created / invited again inside Kanbanize!
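The following is an added example, not Kanbanize's own code, that models how a SCIM 2.0 receiver behaves under the rules described in the "Adding", "Updating" and "Removing" sections above and in the two notes: the IdP authenticates with the SCIM Bearer Token, a created user is invited but consumes no seat until the first login, only the email is updated on changes, deprovisioning disables rather than deletes the profile, and a user deleted only on the Kanbanize side is re-created at the next sync. The `/Users` paths and the `emails` / `active` attributes follow the SCIM standard (RFC 7644 / RFC 7643); the `AccountDirectory` class, the token value, the user names and the in-memory store are constructed for the illustration and say nothing about Kanbanize's internal implementation.

```python
import hmac
import secrets

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Constructed placeholder for the SCIM Bearer Token shown in the Kanbanize SSO
# settings; a real deployment uses the value generated there.
SCIM_BEARER_TOKEN = secrets.token_urlsafe(32)


class AccountDirectory:
    """In-memory stand-in for an account's user list (hypothetical model)."""

    def __init__(self):
        self.users = {}         # email -> user record
        self.invites_sent = []  # emails that received an invitation
        self.next_id = 1

    def seats_in_use(self):
        # Only enabled users who have logged in at least once consume a seat.
        return sum(1 for u in self.users.values() if u["active"] and u["logged_in"])

    def first_login(self, email):
        self.users[email]["logged_in"] = True

    def owner_delete(self, email):
        del self.users[email]  # permanent deletion; the IdP is not told


def _authorized(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(auth[len("Bearer "):], SCIM_BEARER_TOKEN)


def _primary_email(resource):
    for entry in resource.get("emails", []):
        if entry.get("primary"):
            return entry["value"].lower()
    return resource["userName"].lower()


def handle_scim(account, method, path, headers, body=None):
    """Process one request from the IdP; returns (HTTP status, response body)."""
    if not _authorized(headers):
        return 401, {"detail": "invalid bearer token"}
    if method == "POST" and path == "/Users":
        email = _primary_email(body)
        if email in account.users:
            return 409, {"detail": "user already exists"}  # existing profile is kept
        user = {"id": str(account.next_id), "email": email, "active": True, "logged_in": False}
        account.next_id += 1
        account.users[email] = user
        account.invites_sent.append(email)  # invitation email goes out here
        return 201, {"schemas": [SCIM_USER_SCHEMA], "id": user["id"], "userName": email}
    user = next((u for u in account.users.values() if path == f"/Users/{u['id']}"), None)
    if user is None:
        return 404, {"detail": "not found"}
    if method == "PATCH":
        for op in body.get("Operations", []):
            if op.get("path") == "emails[primary eq true].value":
                new_email = op["value"].lower()
                account.users[new_email] = account.users.pop(user["email"])
                user["email"] = new_email
            elif op.get("path") == "active":
                user["active"] = bool(op["value"])
            # Any other attribute (username, employee number, ...) is ignored.
        return 200, {"id": user["id"], "userName": user["email"], "active": user["active"]}
    if method == "DELETE":
        user["active"] = False  # irreversible deletion is never done from the IdP
        return 204, None
    return 405, {"detail": "method not supported"}


def run_lifecycle():
    """Walk one constructed user through create, rename, deprovision and resync."""
    account = AccountDirectory()
    hdr = {"Authorization": "Bearer " + SCIM_BEARER_TOKEN}
    log = []
    def scim_user(email):
        return {"schemas": [SCIM_USER_SCHEMA], "userName": email,
                "emails": [{"value": email, "primary": True}]}
    status, created = handle_scim(account, "POST", "/Users", hdr, scim_user("ada@example.com"))
    log.append({"step": "create", "status": status, "seats": account.seats_in_use()})
    account.first_login("ada@example.com")
    log.append({"step": "login", "seats": account.seats_in_use()})
    status, _ = handle_scim(account, "PATCH", f"/Users/{created['id']}", hdr, {"Operations": [
        {"op": "replace", "path": "emails[primary eq true].value", "value": "ada.lovelace@example.com"},
        {"op": "replace", "path": "employeeNumber", "value": "E-0001"}]})
    log.append({"step": "rename", "status": status, "emails": sorted(account.users)})
    status, _ = handle_scim(account, "DELETE", f"/Users/{created['id']}", hdr)
    log.append({"step": "deprovision", "status": status, "seats": account.seats_in_use(),
                "active": account.users["ada.lovelace@example.com"]["active"]})
    account.owner_delete("ada.lovelace@example.com")  # owner deletes in Kanbanize only
    status, _ = handle_scim(account, "POST", "/Users", hdr, scim_user("ada.lovelace@example.com"))
    log.append({"step": "resync", "status": status, "invites": list(account.invites_sent)})
    return log
```

Calling `run_lifecycle()` returns one log entry per stage: the create step shows zero seats in use until `first_login`, the rename step shows the directory keyed by the new email only (the `employeeNumber` change is dropped), the deprovision step shows the profile still present but disabled with its seat freed, and the resync step shows a second invitation going out because the Account Owner deleted the user without removing them from the IdP. The bearer check uses `hmac.compare_digest` rather than `==` so that a wrong token is rejected in constant time.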
3. IdP Configurations
Each IdP should have a provisioning configuration section for adding the two parameters required for the integration: SCIM Base URL and SCIM Bearer Token. These may be named differently depending on the IdP.
For detailed instructions on how to configure SSO and user provisioning, check out our dedicated articles on some of the most common Identity Providers: