Since this article was first published, Kanbanize has been added to the Azure Application Gallery. You can still add Kanbanize as a custom app by following the steps outlined below, but it is easier to use the Gallery app by following this tutorial.
________________________________________________________________________
Security Assertion Markup Language (SAML) is a technology that lets you leave the problems of remembering passwords in the past and log in to all of your digital tools with a single sign-on. To use it, you need to configure a SAML 2.0 Identity Provider (IdP).
In the "Configuring SAML Single Sign-On in Kanbanize" article, the general steps needed to set up SAML integration between Kanbanize and your Identity Provider are described. The next paragraphs will walk you through the process of enabling SSO with Azure Active Directory as your IdP:
*Please note that this guide uses the new Azure portal accessible from https://portal.azure.com.
1. From your Azure dashboard, go to Azure Active Directory.
2. Select Enterprise Application.
3. Click Add in the upper left corner.
4. Choose Non-gallery application.
5. Enter a name for the new application and click Add at the bottom.
6. A new window for the application will open.
7. Select Single sign-on from the menu on the left.
8. From the dropdown, select SAML-based Sign-on.
9. New fields that need to be filled in will show up on the screen.
10. Identifier (or Entity ID in SAML terms) for your account is https://<subdomain>.kanbanize.com/ (replace <subdomain> with your company’s custom Kanbanize subdomain, e.g. https://yourcompany.kanbanize.com/ ).
11. Reply URL (Assertion Consumer Service or ACS in SAML language) is https://<subdomain>.kanbanize.com/saml/acs
12. For User Identifier, select user.mail.
Note: The URI value identifier for the user email could look something like this as well: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
13. Tick the checkbox View and edit all other user attributes and leave them as they are.
14. Then click the Create New Certificate link.
15. When done, download the new certificate (in base64 format).
16. Tick Make new certificate active.
17. Click Save at the top of the page.
18. You are done configuring Azure!
19. Now let’s configure Kanbanize! Click the button that says Configure Kanbanize at the bottom and a new window will open. It contains information that you will need in just a minute.
20. In Kanbanize, open the Administration panel and go to Integrations > Applications.
21. There, you will find a box for configuring Single Sign-On.
22. Tick the checkbox to enable it for your account.
23. Use the information from the Configure sign-on window in Azure as follows:
- SAML Entity ID goes to IdP Entity Id
- SAML Single Sign-On Service URL goes to IdP Login Endpoint
- Sign-Out URL goes to IdP Logout Endpoint
24. Copy (without the start and end markers) and paste your certificate in the last field.
25. (optional) If for some reason you need to send something other than the user's email in NameID, Kanbanize needs another attribute to read the email from. In Attribute name for Email, enter that attribute's name, e.g. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" (you can get the value from the section SAML Token Attributes).
26. (optional) You don’t have to fill in the other two fields either. If you do, your users will be registered with their real names when they log in for the first time. You can enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" for Attribute name for First Name and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" for Attribute name for Last Name.
Disable Kanbanize login, only SSO login is applied for all users
Allow Kanbanize login for users with Account Owner privileges
Allow Kanbanize login for users with Manage Integrations privileges
Allow Kanbanize and SSO login for all users
28. The checkbox on the left, "Automatically create a Kanbanize user for the unregistered emails upon login", controls who can get an account through SSO. When it is checked, Kanbanize automatically creates a user for any unregistered email upon login. When it is unchecked, you first need to send the user a Kanbanize email invitation before they can log in to the system using the SSO flow.
29. There is another checkbox, "Sign outgoing messages". Turning it on makes Kanbanize sign authentication and logout requests, logout responses, and the metadata. You will find the public certificate in the metadata, which is located at https://<subdomain>.kanbanize.com/saml/metadata
30. In Azure, close the Configure sign-on window to go back to the previous one.
31. Click Save in Azure and Save Settings in Kanbanize and you are almost ready!
32. The only thing left to do is to navigate to 'Users and groups' in Azure and assign the desired users that would require access to the Kanbanize application. Afterward, they should be able to log in via SSO.
33. Now you are ready to give the Kanbanize – Azure SSO a test drive!
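For step 24, the following added example (not Kanbanize or Microsoft code) turns a downloaded base64 certificate file into the marker-free text to paste, refuses anything that is not a single certificate, and prints a SHA-256 fingerprint you can record with the change. The function names and the placeholder certificate built by constructed_pem are assumptions made for this illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def certificate_field_value(pem_text):
    """Return (body, sha256_fingerprint) for a single PEM certificate.

    body is the base64 text without BEGIN/END markers or line breaks,
    which is the form step 24 asks you to paste.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, payload = blocks[0]
    if label != "CERTIFICATE":
        # Catches the mistake of pasting a key file into the form.
        raise ValueError(f"not a certificate: PEM label is {label!r}")
    body = "".join(payload.split())
    der = base64.b64decode(body, validate=True)  # raises on stray characters
    # A certificate is a DER SEQUENCE: tag 0x30, then (for 256..65535 bytes,
    # which covers typical certificates) 0x82 and a 2-byte length that must
    # account for every remaining byte. A mismatch means a truncated copy.
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        raise ValueError("payload is not a DER SEQUENCE with a 2-byte length")
    if int.from_bytes(der[2:4], "big") != len(der) - 4:
        raise ValueError("DER length does not match payload size (truncated?)")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return body, fingerprint


def constructed_pem(label="CERTIFICATE", size=300):
    """Build a placeholder PEM (constructed, not a real certificate)."""
    der = (b"\x30\x82" + size.to_bytes(2, "big") + bytes(range(256)) * 2)[:4 + size]
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


if __name__ == "__main__":
    body, fp = certificate_field_value(constructed_pem())
    print("paste into the certificate field:", body[:32] + "...")
    print("SHA-256 fingerprint:", fp)
```

To use it on the real file, pass the contents of the certificate downloaded in step 15 to certificate_field_value instead of the constructed sample.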
Be sure to try the integration and don’t hesitate to contact our support if you have any trouble.
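As a cross-check of steps 10, 11 and 29, this added example (not Kanbanize's own code) compares the service provider metadata published at /saml/metadata with the Identifier and Reply URL entered in Azure and confirms that a signing certificate is present. The metadata below is a constructed sample in the standard SAML 2.0 metadata schema with the placeholder subdomain "yourcompany"; the layout of the real document is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not real Kanbanize output; "yourcompany" is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://yourcompany.kanbanize.com/">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourcompany.kanbanize.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, subdomain, expect_signing=True):
    """Return a list of mismatches between SP metadata and the Azure values."""
    base = f"https://{subdomain}.kanbanize.com/"
    expected_acs = base + "saml/acs"
    # For metadata fetched over the network, prefer a hardened parser
    # such as defusedxml over the standard library one used here.
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != base:
        problems.append(f"Identifier should be {base}, metadata has {root.get('entityID')}")
    acs = [e.get("Location") for e in
           root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)]
    if expected_acs not in acs:
        problems.append(f"Reply URL {expected_acs} not among ACS endpoints {acs}")
    # An ACS endpoint other than the documented one should be explained
    # before it is trusted.
    problems += [f"unexpected ACS endpoint {u}" for u in acs if u != expected_acs]
    certs = root.findall("md:SPSSODescriptor/md:KeyDescriptor[@use='signing']"
                         "//ds:X509Certificate", NS)
    if expect_signing and not any((c.text or "").strip() for c in certs):
        problems.append("'Sign outgoing messages' is on but no signing certificate found")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA, "yourcompany") or "metadata matches")
```

An empty list means the published metadata agrees with what was typed into Azure; set expect_signing=False if "Sign outgoing messages" is left off.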