Remembering passwords can prove to be a difficult task when you are using a large number of tools that require you to sign-in every time. Thankfully, with the help of the SAML technology, you can minimize the time you spend on trying to recover your password in Kanbanize.
In this article, you will find a step-by-step tutorial for OneLogin - a popular IDaaS (Identity As A Service) provider. Here is what you need to do to set up the integration:
1. From your OneLogin dashboard go to Apps > Company Apps.
2. Click the ‘Add App’ button in the upper right corner.
3. Type ‘SAML’ in the search field and choose SAML Test Connector:
Important: If you would like to utilize automatic provisioning of users using SCIM, you would need to look for the "SCIM Provisioner with SAML (SCIM v2 Core)" application. Instructions on how to set up this can be found after at the bottom on this page / section provisioning.
4. Give the app a proper name and click ‘Save’:
5. From the detailed app page, select the ‘Configuration’ tab:
6. There you need to fill in the following data:
RelayState: /ctrl_login/finish_saml_login
Audience: https://{subdomain}.kanbanize.com/
(beware the / at the end)
Recipient: https://{subdomain}.kanbanize.com/saml/acs
ACS (Consumer) URL Validator: ^https:\/\/{subdomain}\.kanbanize\.com\/saml\/acs\/$
ACS (Consumer) URL: https://{subdomain}.kanbanize.com/saml/acs
Single Logout URL: https://{subdomain}.kanbanize.com/saml/sls
Everywhere replace {subdomain} with your Kanbanize account’ subdomain. For example, if you access Kanbanize at https://acme.kanbanize.com your subdomain is acme.
In the end, the form should look like this:
7. Click ‘Save’ then go to the ‘Parameters’ tab.
8. Make sure that the value of NameID is Email.
9. Click ‘Save’ in the upper right corner to save all the changes you have made to the app so far.
10. (optional) Add two more parameters that hold the user’s first and last names.
With this the setup in OneLogin is complete! It’s time to move on to Kanbanize. But before you do that, switch to the ‘SSO’ tab – it contains information that you will need:
11. Now head over to your Kanbanize account, open the administration panel, and select Integrations > Applications > Single Sign-On:
12. Enable the toggle next to "Single Sign-On" and fill the fields on the right with the info from OneLogin like this:
Issuer URL goes to IdP Entity Id
SAML 2.0 Endpoint (HTTP) goes to IdP Login Endpoint
SLO Endpoint (HTTP) goes to IdP Logout Endpoint (fill this only if you want to enable Single Logout, too)
13. You don't need to fill Attribute name for Email. If you completed step 10, you can enter the names of the extra parameters in Attribute name for First Name and Attribute name for Last Name respectively. These will be used when a user logs in for the first time and an account is created for them (if you enable that from the checkbox below).
14. Back in OneLogin click ‘View Details’ under the certificate. A detailed page will open:
15. Copy the full certificate and paste it into the respective field in Kanbanize.
Disable Kanbanize login, only SSO login is applied for all users
Allow Kanbanize login for users with Account Owner privileges
Allow Kanbanize login for users with Manage Integrations privileges
Allow Kanbanize and SSO login for all users
17. There is a checkbox on the left "Automatically create a Kanbanize user for the unregistered emails upon login" that secures controlled access. If the setting is checked, it automatically creates a Kanbanize user for the unregistered emails upon login. When the setting is unchecked, you need to first send a Kanbanize email invitation to the user in order to be able to log in to the system using the SSO flow.
18. There is another checkbox "Sign outgoing messages". Turning it on will result in it Kanbanize signing authentication and log out requests, logout responses, and the metadata. You will find the public certificate in the metadata, which is located at https://<subdomain>.kanbanize.com/saml/metadata
19. Click ‘Save Settings’ and you are almost done!
20. The only thing left is to give users of your IdP access to Kanbanize. Start by going back to OneLogin and selecting ‘Users’ > ‘All Users’.
21. Select a user and switch to the ‘Applications’ tab:
22. Click the plus button in the upper right corner. A popup will appear – select the Kanbanize app and click ‘Continue’. You don’t need to change anything in the next popup so you can close it.
23 That’s it! Your user should now be able to log in to Kanbanize through your OneLogin account!
Provisioning:
As mentioned in step 3 above, in order to utilize automatic provisioning, you would need to create a new application and follow the below instructions, as your existing application (created using the above instructions) might not support SCIM.
In the Kanbanize SSO settings panel, there is a switch button called 'Enable User Provisioning' - this enables/disables the automatic provisioning of users using the SCIM. When enabled, the system will populate the SCIM Base URL (should be something like https://subdomain.kanbanize.com/scim), and there should be a unique SCIM bearer token that can be re-generated when needed and is used when configuring SSO.
If the token is regenerated, the old one becomes invalid, so this needs to be updated in all systems where this token is used.
To setup SAML SSO & SCIM provisioning, follow the below instructions:
- In OneLogin, navigate to Applications and search for "SCIM Provisioner with SAML (SCIM v2 Core)".
- Create a new application.
- In the configuration, use the following settings:
SAML Audience URL: https://{subdomain}.kanbanize.com/
SAML Consumer URL: https://{subdomain}.kanbanize.com/saml/acs
SCIM Base URL: https://{subdomain}.kanbanize.com/scim
SCIM Bearer Token: can be retrieved from your Kanbanize SSO settings
In the Parameters step, use the following parameters:
scimusername - Email
In the Provisioning step, checkmark the 'enable provisioning' option and configure the settings accordingly:
When users are added, updated or deleted/removed in OneLogin the corresponding action is done in your Kanbanize account. Make sure you have the desired synchronization checkboxes marked.
Create User, Delete User and/or Update User.
Note: When deleted, in Kanbanize this will basically disable (not delete) the associated Kanbanize user.
When user accounts are suspended in OneLogin, perform the following action:
Set this to Suspend.
The SCIM configuration is now completed.
From the Users tab, you can assign users to the newly created application in OneLogin:
At the next step, simply click on 'Save':
From the Users-> Provisioning, we can see that there is a new pending task for the creation of a new user for the SCIM application:
Once the task is approved, and if the user's email address is the same in both OneLogin and Kanbanize, the two users should be mapped accordingly.
If the user is a new one and missing in Kanbanize it will be invited and registered.
Note: If you want keep only de-provisioning, but have the users invited by the Kanbanize Admins, un-check the "Create User" mark from the configuration.
If that user is disabled or deleted from OneLogin, there will be a new pending task in the Users-> Provisioning menu, and after approving either of those tasks (for deleting/disabling the user), the same user will also be disabled in Kanbanize:
Note: If the user is disabled in Kanbanize and you enable or re-assign it in OneLogin, the "Update user" event will enable it back into Kanbanize as well. Switch this checkmark off if you want to keep only the deletion of users.
Be sure to try the integration and don’t hesitate to contact our support if you have any trouble.