Since this article was first published, Kanbanize has been added to the Azure Application Gallery. You can still add Kanbanize as a custom (non-gallery) application by following the steps below, but using the Gallery app, as described in this tutorial, is easier.
________________________________________________________________________
Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for passing authentication assertions from an Identity Provider (IdP) to a Service Provider (SP). Users sign in once at the IdP and are then logged in to their applications without a separate password for each of them. Kanbanize acts as the Service Provider, so to use single sign-on you need to configure a SAML 2.0 Identity Provider.
The "Configuring SAML Single Sign-On in Kanbanize" article describes the general steps needed to set up the SAML integration between Kanbanize and your Identity Provider. The next paragraphs walk you through enabling SSO with Azure Active Directory as your IdP:
Note that this guide uses the new Azure portal accessible from https://portal.azure.com.
1. From your Azure dashboard, go to Azure Active Directory.
2. Select 'Enterprise Application'.
3. Click Add in the upper left corner.
4. Choose 'Non-gallery application'.
5. Enter a name for the new application and click 'Add' at the bottom.
6. A new window for the application will open.
7. Select 'Single Sign-On' from the menu on the left.
8. From the dropdown, select 'SAML-based Sign-on'.
9. New fields that need to be filled in will appear on the screen.
10. Identifier (Entity ID in SAML terms) for your account should be https://<subdomain>.kanbanize.com/ (replace <subdomain> with your company's Kanbanize subdomain, e.g. https://yourcompany.kanbanize.com/). Enter it exactly as shown, including the trailing slash: SAML Entity IDs are compared as exact strings against the Audience of the assertion.
11. Reply URL (Assertion Consumer Service URL, or ACS, in SAML terms) should be https://<subdomain>.kanbanize.com/saml/acs
12. For 'User Identifier', select user.mail. This value is sent as the NameID of the assertion and is what Kanbanize uses to recognize the user by default.
Note: the email address is also available as a separate claim; its attribute name is a URI and looks like this: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
13. Tick the checkbox "View and edit all other user attributes" and leave them as they are.
14. Then click the 'Create New Certificate' link.
15. When done, download the new certificate (in base64 format).
16. Tick 'Make new certificate active'.
17. Click 'Save' at the top of the page.
18. If you would like to use automatic provisioning and de-provisioning of users from Azure to Kanbanize (via SCIM), follow these additional steps; otherwise skip ahead to the Kanbanize configuration.
19. From the application you created above, click on the 'Provisioning' tab.
20. Choose the settings as shown below:
Provisioning Mode: Automatic
Tenant URL: https://{subdomain}.kanbanize.com/scim
Secret token: the SCIM Bearer Token from your Kanbanize SSO settings, under the Automatic User De-Provisioning section (that setting needs to be enabled beforehand). This token authorizes Azure to create and disable users in your Kanbanize account, so treat it like a password and store it only in the Azure provisioning configuration.
21. On the next step, ensure that 'Provision Azure Active Directory Groups' is disabled and 'Provision Azure Active Directory Users' is enabled.
22. To automatically provision users in Kanbanize, click 'Start provisioning' (shown in the image below):
23. After a while (this may take between 20 and 40 minutes), the users in Azure are matched to the users in your Kanbanize instance by email address, so the addresses must be identical in both applications:
24. If a user gets deleted/deactivated in Azure, this should automatically disable the corresponding user in Kanbanize within 20-40 minutes.
That completes the provisioning setup in Azure. Next, configure Kanbanize.
25. Now let's configure Kanbanize! In Azure, click the 'Configure Kanbanize' button at the bottom of the Single Sign-On page; a new window opens with the values you will need in just a minute.
26. In Kanbanize, open the Administration panel and go to Integrations > Applications.
27. There, you will find a box for configuring Single Sign-On.
28. Tick the checkbox to enable it for your account.
29. Copy the values from the 'Configure sign-on' window in Azure as follows:
- SAML Entity ID goes to IdP Entity Id
- SAML Single Sign-On Service URL goes to IdP Login Endpoint
- Sign-Out URL goes to IdP Logout Endpoint
30. Paste the certificate you downloaded from Azure into the last field, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Kanbanize uses this certificate to verify the signature on the assertions Azure sends, so if you later rotate the certificate in Azure, SSO logins will fail until you update it here as well.
31. (optional) If, for some reason, the NameID you send is not the user's email address, Kanbanize needs another attribute to read the email from. Enter that attribute's name in 'Attribute name for Email', e.g. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" (you can find the value in the SAML Token Attributes section in Azure).
32. (optional) The other two fields can be left empty. If you fill them in, users are registered with their real names when they log in for the first time: enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" for Attribute name for First Name and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" for Attribute name for Last Name.
33. Choose how users are allowed to log in once SSO is enabled. The options are:
- Disable Kanbanize login; only SSO login applies to all users
- Allow Kanbanize login for users with Account Owner privileges
- Allow Kanbanize login for users with Manage Integrations privileges
- Allow Kanbanize and SSO login for all users
Keeping password login for Account Owners (or Manage Integrations users) is a practical break-glass option: if the IdP configuration breaks, someone can still get in to fix it. Whichever option you pick, the accounts that keep password login are the ones whose passwords you should protect most carefully.
34. The checkbox "Automatically create a Kanbanize user for the unregistered emails upon login" controls who gets an account. When it is checked, any user Azure authenticates is given a Kanbanize user on first login. When it is unchecked, a user must first receive a Kanbanize email invitation before the SSO flow will let them in, which gives you tighter control over access.
35. Another checkbox, "Sign outgoing messages", makes Kanbanize sign its authentication requests, logout requests, logout responses and metadata. The public certificate used for this is published in the metadata at https://<subdomain>.kanbanize.com/saml/metadata
36. In Azure, close the Configure sign-on window to go back to the previous one.
37. Click Save in Azure and Save Settings in Kanbanize, and you are almost ready!
38. The only thing left to do is to navigate to 'Users and groups' in Azure and assign the users that need access to the Kanbanize application. Afterwards, they should be able to log in via SSO.
39. Now you are ready to give the Kanbanize – Azure SSO a test drive!
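Two places in this procedure are easy to get subtly wrong: the Identifier and Reply URL entered in Azure (steps 10 and 11) must match what Azure then puts in the Audience, Destination and Recipient fields of the assertion, and the certificate pasted into Kanbanize must be the bare base64 body. The following Python script is an added example for this article, not Kanbanize's or Microsoft's code. It checks a SAMLResponse captured from the browser (for instance with a SAML tracer extension) against the URLs derived from a given subdomain, extracts the NameID and the three claim URIs named above, and normalizes a downloaded certificate. The sample response, its all-zero tenant ID, the user "jane.doe@yourcompany.example" and the certificate body are constructed placeholders. The script does not verify the XML signature, so it is a configuration debugging aid, not a trust check.

```python
"""Offline pre-flight checks for the Kanbanize <-> Azure AD SAML setup above.
Added example, not Kanbanize's or Microsoft's code; assumes only the URLs and
claim URIs the article states."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def kanbanize_sp_urls(subdomain):
    """Identifier (Entity ID) and Reply URL (ACS) Kanbanize expects."""
    base = f"https://{subdomain}.kanbanize.com/"
    return {"entity_id": base, "acs": base + "saml/acs"}


def prepare_certificate(pem_text):
    """Strip PEM markers and line wraps to the bare base64 Kanbanize wants, check
    that it decodes to a DER SEQUENCE whose declared length matches the data
    (catches a truncated paste), and return the SHA-1 thumbprint to compare
    with the Azure portal. Structural check only; the cert is not validated."""
    body = "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text).split())
    der = base64.b64decode(body, validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; is this a certificate?")
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long-form length: 0x8n + n length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch: truncated paste or extra data")
    return {"base64": body, "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper()}


def check_saml_response(saml_response_b64, subdomain):
    """Compare a captured SAMLResponse with the URLs configured for `subdomain`
    and extract the fields Kanbanize reads (NameID and the claim attributes).
    The XML signature is NOT verified: this debugs mismatches, nothing more."""
    expected = kanbanize_sp_urls(subdomain)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"findings": ["no plaintext saml:Assertion (encrypted, or not a Response)"]}
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    checks = [
        ("Destination (Reply URL)", root.get("Destination"), expected["acs"]),
        ("Recipient (Reply URL)", None if scd is None else scd.get("Recipient"), expected["acs"]),
        ("Audience (Identifier)", assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS), expected["entity_id"]),
    ]
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "findings": [f"{label}: got {got!r}, expected {want!r}" for label, got, want in checks if got != want],
        "name_id": name_id,
        # Kanbanize reads the email from NameID unless 'Attribute name for Email' is set.
        "email": (attrs.get(CLAIM_EMAIL) or [name_id])[0],
        "first_name": (attrs.get(CLAIM_GIVEN_NAME) or [None])[0],
        "last_name": (attrs.get(CLAIM_SURNAME) or [None])[0],
        "signed": root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None,
    }


# Constructed sample, not a real Azure AD response: the shape Azure AD emits for the
# article's example subdomain "yourcompany" (all-zero tenant ID, no signature).
SAMPLE_RESPONSE_B64 = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
 Destination="https://yourcompany.kanbanize.com/saml/acs">
 <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@yourcompany.example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="https://yourcompany.kanbanize.com/saml/acs" NotOnOrAfter="2020-01-01T00:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://yourcompany.kanbanize.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@yourcompany.example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""").decode()

# Constructed certificate body: a minimal DER SEQUENCE (30 03 02 01 01), not a real X.509 certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(prepare_certificate(SAMPLE_PEM))
    print(check_saml_response(SAMPLE_RESPONSE_B64, "yourcompany"))
    print(check_saml_response(SAMPLE_RESPONSE_B64, "othercompany")["findings"])
```

Run it against a real capture by replacing SAMPLE_RESPONSE_B64 with the SAMLResponse form value from the browser and the subdomain with your own: an empty findings list means the Identifier and Reply URL in Azure match what Kanbanize will check, and a "signed" value of False on a real response means the assertion reached the browser unsigned, which Kanbanize should reject regardless of the URLs. Real Azure AD certificates decode to a few hundred bytes with a long-form DER length, which the same length check covers.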
Be sure to try the integration, and don’t hesitate to contact our support if you have any trouble.