This article will demonstrate how to set up an integration between Kanbanize and Okta:
Authenticated Login via SSO (using SAML 2.0)
1. Switch your Okta dashboard to ‘admin mode’ by clicking the button in the upper right corner:
2. Then select ‘Applications’ and click ‘Create App Integration’:
3. Select ‘SAML 2.0’ and click Next:
4. A new screen will appear. Give the new app a name and press ‘Next’:
5. Now you are taken to the SAML configuration screen. Here is how you fill the first (‘General’) section:
Single sign-on URL: https://{subdomain}.kanbanize.com/saml/acs
Audience URI (SP Entity ID): https://{subdomain}.kanbanize.com/
(beware the / at the end)
Default RelayState: /ctrl_login/finish_saml_login
Name ID format: EmailAddress
Everywhere replace {subdomain} with your Kanbanize account’ subdomain. E.g. if you access Kanbanize at https://acme.kanbanize.com your subdomain is acme.
In the end, it should look something like this:
6. (optional) In the ‘Attribute Statements’ section add two attributes named 'firstName' and 'lastName' and choose ‘user.firstName’ and 'user.lastName' from the ‘Value’ dropdown:
7. With this the setup of the app is complete. Click ‘Next’ and ‘Finish’ and you will be taken to a page with details about your new app:
8. Click ‘View Setup Instructions’ to open a page with the info you will need when configuring Kanbanize:
9. With this, our work at Okta is done. Now head over to your Kanbanize account, open the administration panel, and select Integrations > Applications > Single Sign-On:
10. Turn on the toggle next to 'Single Sign-On' and fill the fields below with the info from Okta like this:
Identity Provider Issuer goes to IdP Entity Id
Identity Provider Single Sign-On URL goes to IdP Login Endpoint
X.509 Certificate goes to IdP X.509 Certificate
11. Leave Attribute name for Email empty. If completed step 6, enter 'firstName' and 'lastName' in Attribute name for First Name and Attribute name for Last Name respectively. This information is utilized when a user logs in for the first time in Kanbanize. An account is automatically provisioned for that user (if you have turned on the respective setting) and, if the above-mentioned attributes are present, the user’s name will be filled in the account.
12. Click ‘Save Settings’ and you are almost done!
13. The only thing left is to give users of your IdP access to Kanbanize. Go back to the app’s page in Okta and select the ‘Assignments’ tab:
16. From here, you can add the people and groups you wish to give access to Kanbanize.
17. That’s it! Your users should now be able to log in to Kanbanize through your Okta account!
Provisioning (using SCIM)
If you would like to also utilize automatic provisioning of users via SCIM, follow the instructions below:
1. In your Kanbanize SSO settings, ensure that the Enable User provisioning option is enabled.
2. Open your existing app in Okta, and from the 'general' tab, click on 'Edit'.
3. On the provisioning section, select SCIM.
4. A new 'Provisioning' tab should now be available in your application.
You would need to use the following parameters there:
SCIM connector base URL: https://subdomain.kanbanize.com/scim
Unique identified field for users: email
Supported provisioning actions: Push Profile Updates and Push New Users.
Notes:
- If Push New Users, is selected, the moment you add a new user in Okta, the integration will also invoke registration and email invitation for the user in Kanbanize.
- If you want to have the behavior to only "de-provision" users from Kanbanize, but get them invited explicitly from the Kanbanize Admins and not from your IdP, then use only "Push Profile Updates"
Authentication mode: HTTP Header
HTTP Authorization header: can be retrieved from the Kanbanize SSO settings (bearer token).
5. After saving the settings, a new page should open:
6. Make sure the 'deactivate users' option is enabled on it, if you would like to de-provision users.
7. If there are any existing users that were granted access to the application before the provisioning settings were configured, they will need to be removed and re-added to the application for the de-provisioning to work. The users would also need to have the same emails in both Okta and Kanbanize.
8. Once a user gets deactivated in the application in Okta, this should also disable the user in Kanbanize.
Be sure to try the integration, and don’t hesitate to contact our support if you have any trouble.