Contents:
1. Introduction to SAML
2. Setting Up SAML Single Sign-On with Microsoft Entra ID
3. Automatic Provisioning Settings
4. Kanbanize SSO Setup
Since this article was initially published, Kanbanize has been added to the Azure Application Gallery. While you can still add Kanbanize as a custom app by following the steps outlined below, it will be easier if you use the Gallery app by following this tutorial.
________________________________________________________________________
Introduction to SAML
Security Assertion Markup Language (SAML) is a technology that can help you leave all problems connected to remembering passwords in the past and log in to all of your digital tools with a single sign-on. In order to do so, you need to configure the SAML 2.0 Identity Provider.
In the "Configuring SAML Single Sign-On in Kanbanize" article, the general steps needed to set up SAML integration between Kanbanize and your Identity Provider are described. The next paragraphs will walk you through the process of enabling SSO with Microsoft Entra ID as your IdP.
Note that this guide uses the new Azure portal accessible from https://portal.azure.com.
Setting Up SAML Single Sign-On with Microsoft Entra ID
1. From the Azure home page, go to Microsoft Entra ID. You will find it under Azure services or from the dropdown navigation menu on the left sidebar.
2. Select “Enterprise applications.”
3. Click on “New application” in the upper left corner.
4. Click on “Create your own application” in the upper left corner of the page.
5. Enter the name of your application in the new window that opens. When ready, click on “Create.”
6. A new window for the application will open. Select “Single Sign-On” from the menu on the left.
7. Select SAML from the available SSO methods.
8. Fill out the necessary fields in the window that opens. When ready, press “Test.”
- (1) The Identifier (or Entity ID in SAML terms) for your account should be https://{subdomain}.kanbanize.com/. Replace {subdomain} with your company’s custom Kanbanize subdomain, e.g. https://yourcompany.kanbanize.com/.
- (2) The Reply URL (Assertion Consumer Service or ACS in SAML language) should be https://{subdomain}.kanbanize.com/saml/acs.
- (3) For “Unique User Identifier,” select “user.mail” from the dropdown.
Note: The claim URI for the user email may also look like this: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
9. When done, download the SAML Certificate (in base64 format).
Automatic Provisioning Settings
If you would like to utilize automatic provisioning of users from Azure to Kanbanize, follow these additional steps.
1. From the application you created above, navigate to the Provisioning tab from the left sidebar.
Important: To have the provisioning enabled, you need to create/register a 'Non-gallery' application! The listed Kanbanize application in the Azure Gallery does not yet support provisioning services!
2. Choose the settings as shown below:
- Provisioning Mode: Automatic
- Tenant URL: https://{subdomain}.kanbanize.com/scim
- Secret token: Use the SCIM Bearer Token that can be retrieved in your Kanbanize SSO settings under the Automatic User Provisioning section (that setting needs to be enabled beforehand).
3. To automatically provision users in Kanbanize, click on “Start provisioning.”
Note: Keep in mind that there is a fixed provisioning interval set by the system of up to 40 minutes.
4. After that interval, the users in Azure are matched to the users in your Kanbanize instance, as long as their email addresses are identical in both applications.
5. If a user gets added, updated, or deleted/deactivated in Azure, this should automatically modify the corresponding user in Kanbanize within 40 minutes by default.
You are done configuring Azure!
Kanbanize SSO Setup
Now let’s configure Kanbanize!
In Kanbanize, open the Administration panel and go to Integrations → Applications.
There, you will find a box for configuring Single Sign-On. You should have already enabled it for your account.
Use the information from the “Configure sign-on” window in Azure as follows:
- SAML Entity ID goes to IdP Entity Id
- SAML Single Sign-On Service URL goes to IdP Login Endpoint
- Sign-Out URL goes to IdP Logout Endpoint
Copy (without the start and end markers) and paste your certificate in the last field.
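Filling in these four fields by hand is where copy-and-paste mistakes usually happen (a wrong endpoint, or certificate markers and line breaks left in). The script below is an added example, not Kanbanize's or Microsoft's code: it assumes you have the IdP metadata XML that Entra ID publishes for the application, parses it, and returns the exact values for the three endpoint fields and the bare certificate body. The metadata sample is constructed, with a placeholder tenant id and certificate.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like Entra ID federation metadata; the tenant id and
# certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>
     MIIC0DCCAbigAwIBAgIQEXAMPLE=
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_certificate_markers(cert_text: str) -> str:
    # Kanbanize wants the bare base64 body: drop the PEM markers and all whitespace,
    # then confirm that what is left really is base64 before pasting it in.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    body = "".join(body.split())
    if not body:
        raise ValueError("certificate is empty")
    base64.b64decode(body, validate=True)  # raises binascii.Error (a ValueError) if not base64
    return body


def kanbanize_fields_from_metadata(xml_text: str) -> dict:
    # Map the IdP metadata onto the three Kanbanize endpoint fields plus the certificate.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks a sign-on endpoint or signing certificate")
    return {
        "IdP Entity Id": root.get("entityID"),
        "IdP Login Endpoint": sso.get("Location"),
        "IdP Logout Endpoint": slo.get("Location") if slo is not None else "",
        "Certificate": strip_certificate_markers(cert.text or ""),
    }
```

The same strip_certificate_markers helper also accepts the downloaded base64 .cer file with its BEGIN/END lines, so you can check that file before pasting it into the last field.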
Optional:
- If, for some reason, the NameID you send is something other than the user's email, Kanbanize needs another attribute to read the email from. Enter that attribute's name in the “Attribute name for Email” box, e.g. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" (you can find the value in the SAML Token Attributes section).
- The other two fields, “Attribute name for First Name” and “Attribute name for Last Name,” are also optional. If you do fill them in, users are registered with their real names when they log in for the first time. For example, enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" for “Attribute name for First Name” and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname” for “Attribute name for Last Name.”
Below the fields, you will find a dropdown from which you can select among a variety of options that cover different log-in use cases:
- Disable Kanbanize login, only SSO login is applied for all users
- Allow Kanbanize login for users with Account Owner privileges
- Allow Kanbanize login for users with Manage Integrations privileges
- Allow Kanbanize and SSO login for all users
Notes:
- There is a checkbox on the left, "Automatically create a Kanbanize user for the unregistered emails upon login", that controls who can get in through SSO. If it is checked, a Kanbanize user is created automatically for any unregistered email that logs in. If it is unchecked, a user must first receive a Kanbanize email invitation before they can log in to the system through the SSO flow.
- There is another checkbox, “Sign outgoing messages.” Turning it on will result in Kanbanize signing authentication and log-out requests, logout responses, and the metadata. You will find the public certificate in the metadata, which is located at: https://{subdomain}.kanbanize.com/saml/metadata
Once everything is configured and saved, navigate to the “Users and groups” tab in Azure to assign the desired users who would need access to the Kanbanize application. After that, they should be able to log in via SSO.
You are now ready to give the Kanbanize – Azure SSO a test drive!
Be sure to try the integration, and don’t hesitate to contact our support if you have any trouble.