Technology and Security

SSO Configuration (SAML & OIDC)

What is SSO?

Single Sign-On (SSO) is an authentication process that enables users to access multiple applications or systems with a single set of login credentials, simplifying the sign-in process and enhancing user experience.

In the context of "Joiners, Movers, Leavers" (JML), SSO plays a crucial role in managing user permissions efficiently, ensuring that new employees gain timely access, current employees have their permissions adjusted as they move roles, and departing employees have their access promptly revoked, thereby maintaining security and compliance throughout the user lifecycle.

How does SSO work?

The standard configuration for Single Sign-On (SSO) uses Just-In-Time (JIT) account provisioning over an identity protocol, either SAML or OIDC, with fine-grained permissions managed within Kiplot rather than in the identity provider.

In simple terms, your Identity and Access Management (IAM) solution (e.g., Azure AD, now Microsoft Entra ID) maintains a group such as "Kiplot Access", and only its members are permitted to sign in to the Kiplot application. When a user attempts to sign in, Kiplot redirects them to the identity provider, which authenticates the user, checks that they are authorized for Kiplot, and returns a signed SAML assertion or OIDC token. Kiplot verifies that assertion or token and, if the user has never signed in before, creates their account from its claims (JIT provisioning). Returning users are signed in to their existing account with whatever permissions have already been assigned to it. Note that JIT provisioning works in one direction only: removing a user from the group stops them from signing in, but it does not delete or disable the account that already exists in Kiplot, so leavers should also be deprovisioned within Kiplot.
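To make the lifecycle behaviour concrete, here is an added example (not Kiplot's code) that models both sides of the flow in Python: the identity provider only issues claims for members of the "Kiplot Access" group, and the service provider creates an account on first sign-in and reuses it afterwards. The function names, the in-memory account store and the user data are assumptions for illustration.

```python
"""Behaviour of SSO with JIT provisioning across the joiner/mover/leaver lifecycle.

Added example, not Kiplot code: the group name is the one used in the text;
the function names, the in-memory account store and the user data are
assumptions for illustration.
"""
from dataclasses import dataclass, field

REQUIRED_GROUP = "Kiplot Access"   # group in the identity provider that gates sign-in


@dataclass
class Account:
    email: str
    display_name: str
    permissions: set = field(default_factory=set)   # assigned inside Kiplot, not by the IdP


def idp_sign_in(upn, display_name, groups):
    """Identity-provider side: issue claims only for members of the access group."""
    if upn not in groups.get(REQUIRED_GROUP, set()):
        return None   # not assigned: the IdP refuses the sign-in and nothing reaches Kiplot
    return {"sub": upn, "email": upn, "name": display_name}


def kiplot_sign_in(claims, store):
    """Service-provider side: JIT-create on first sign-in, otherwise reuse the account."""
    if claims is None:
        return "denied_by_idp", None
    account = store.get(claims["sub"])
    if account is None:
        account = Account(email=claims["email"], display_name=claims["name"])
        store[claims["sub"]] = account
        return "created", account
    account.display_name = claims["name"]   # profile attributes refresh; permissions are untouched
    return "signed_in", account


def lifecycle():
    """Joiner, permission change, leaver: returns the outcome of each sign-in and the store."""
    groups = {REQUIRED_GROUP: {"alice@example.com"}}   # constructed sample directory state
    store = {}
    outcomes = []
    # Joiner: the first sign-in creates the account.
    outcome, account = kiplot_sign_in(idp_sign_in("alice@example.com", "Alice", groups), store)
    outcomes.append(outcome)
    # Mover: permissions are changed inside Kiplot; the next sign-in keeps them.
    account.permissions.add("project:edit")
    outcome, account = kiplot_sign_in(idp_sign_in("alice@example.com", "Alice Liddell", groups), store)
    outcomes.append(outcome)
    # Leaver: removal from the group blocks the next sign-in ...
    groups[REQUIRED_GROUP].discard("alice@example.com")
    outcome, _ = kiplot_sign_in(idp_sign_in("alice@example.com", "Alice Liddell", groups), store)
    outcomes.append(outcome)
    # ... but JIT never deletes: the account is still in the store until it is deprovisioned.
    return outcomes, store
```

The last step is the one to note: once Alice is removed from the group the identity provider refuses the sign-in, but her account and its permissions are still in the store. Leaver handling therefore needs a deprovisioning step inside Kiplot in addition to the group change.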

Configuring SSO

Below are step-by-step instructions to set up Single Sign-On (SSO) for Kiplot. SAML and OIDC are the most commonly used SSO methods, and Kiplot supports both configurations. If you require a different setup, please contact us for assistance.

OIDC Configuration

1. Request your Redirect URI from Kiplot

It will look similar to the following, where {tenant_name} and {idp_alias} are specific to your tenant:

https://{tenant_name}.kiplot.com/auth/realms/{tenant_name}/broker/{idp_alias}/endpoint

2. Set Up Identity Provider (IDP) in Azure

  1. Create a New App Registration

  2. Navigate to “Authentication” on the side panel

  3. Click “Add a platform”

  4. Choose “Web”

  5. Enter the Redirect URI provided by Kiplot exactly as given; the identity provider only redirects to URIs that match the registration character for character

3. Copy the OpenID Connect metadata document

  1. Go to “Overview” → “Endpoints”

  2. Copy the “OpenID Connect metadata document” URL (it ends in /v2.0/.well-known/openid-configuration) and share it with Kiplot

4. Create New Client Secret

  1. Go to “Overview” and click on the link in front of “Client credentials” (it should say 0 certificate, 0 secret)

  2. Click “New client secret”

  3. Set “Description” to “Kiplot OIDC”

  4. Set the expiration date appropriately; the secret must be rotated and the new value shared with Kiplot before this date, or sign-in will stop working

  5. Click “Add”

  6. Copy the “Value” (client secret) and provide it to Kiplot through a secure channel, not in plain email; the value is displayed only once, immediately after creation

  7. Copy the “Expires” date and provide it to Kiplot

5. Share Application ID

  1. Return to the “Overview” page

  2. Copy “Application (client) ID” and provide it to Kiplot

  3. We will confirm once SSO has been configured

  4. Please identify a user to act as tester
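The values exchanged in steps 1 to 5 all have to agree with each other at sign-in time: the metadata document tells the broker who the issuer is and where its signing keys (jwks_uri) are, and every ID token the broker accepts must carry that issuer, the Application (client) ID as its audience, the nonce of the current login and an unexpired lifetime. The Python below is an added example, not Kiplot's broker code; the tenant ID, client ID, metadata document and token are constructed sample data, and signature verification against jwks_uri is assumed to have happened before the claim checks run.

```python
"""Checks on the values exchanged in the OIDC setup.

Added example, not Kiplot's broker code. The metadata document, tenant ID,
client ID and ID token are constructed sample data; the function names are
illustrative.
"""
import base64
import json
import time
from datetime import date

TENANT = "11111111-2222-3333-4444-555555555555"      # sample directory (tenant) ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # sample "Application (client) ID"

# Constructed sample in the shape served at the "OpenID Connect metadata document" URL
METADATA_JSON = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def load_metadata(raw):
    """Parse the discovery document and require the fields the broker depends on."""
    md = json.loads(raw)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not md.get(key, "").startswith("https://"):
            raise ValueError(f"metadata field {key} missing or not https")
    if "RS256" not in md.get("id_token_signing_alg_values_supported", []):
        raise ValueError("issuer does not advertise RS256 for ID tokens")
    return md


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(payload):
    """Build a compact JWT from a claims dict; the signature is a placeholder (sample data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def validate_id_token_claims(token, metadata, client_id, expected_nonce, now=None):
    """Claim checks a broker performs after verifying the token signature against jwks_uri.

    Returns (problems, claims); an empty problems list means the token matches the registration.
    """
    if now is None:
        now = int(time.time())
    _, body, _ = token.split(".")
    claims = json.loads(_b64url_decode(body))
    problems = []
    if claims.get("iss") != metadata["issuer"]:
        problems.append("iss does not match the metadata issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud is not our Application (client) ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        problems.append("no subject")
    return problems, claims


def client_secret_days_left(expires_on, today):
    """Days until the client secret from step 4 stops working (ISO dates); rotate well before zero."""
    return (date.fromisoformat(expires_on) - date.fromisoformat(today)).days
```

Keep the "Expires" date from step 4 somewhere that is monitored: client_secret_days_left is the kind of check to put on a calendar or dashboard, because an expired secret fails every OIDC sign-in at once.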

SAML Configuration

1. Request the service provider metadata file from Kiplot

This will include:

  • Identifier (Entity ID)

  • Reply URL (Assertion Consumer Service URL)

  • Sign on URL

  • SAML Request Signature Verification certificate (also provided as a separate file for easier setup)

2. Login to the Azure Portal

  • Navigate to the Azure Portal and sign in with an account that has been assigned at least the User administrator role in the Azure AD organization

3. Choose Azure Active Directory

  • In the left-hand navigation pane, click on the "Azure Active Directory" service (now labelled "Microsoft Entra ID" in the portal)

4. Enterprise Applications

  • In the Azure AD (Microsoft Entra ID) blade, click on "Enterprise applications" from the menu

5. New Application

  1. Click on "+ New application" at the top

  2. Click on "+ Create your own application" at the top

  3. Name the application, "Kiplot"

  4. Keep the default "Integrate any other application you don't find in the gallery (Non-gallery)" option checked

  5. Click on "Create" at the bottom

6. Configure Single Sign-On

  1. Once the application is created, click on "Single sign-on" from the application's left-hand navigation menu.

  2. Choose the "SAML" option.

7. SAML-based Sign-on Settings

You'll have to set up a few things here:

Basic SAML Configuration:

Use the metadata XML file provided by Kiplot to help fill out this section by using the “Upload metadata file” button.

Manually fill the “Sign on URL (Optional)” property with the tenant URL:

https://[yourtenantname].kiplot.com

Attributes & Claims

Required Claim

This should be correct by default, but please ensure that under "Attributes and Claims" and within "Required Claim," the following setup is in place. Note that in this example, user.userprincipalname represents the user's email (as is typically the case). If it is different for your organization, select the attribute that holds the email address instead. Whatever you choose, the Name ID must be unique to each user and must not change over time, because Kiplot uses it to recognise returning users; if it changes, the next sign-in creates a second account.

Claim name                          Type   Value
Unique User Identifier (Name ID)    SAML   user.userprincipalname [nameid-format:emailAddress]

Additional Claims

Claim name                                                           Type   Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   SAML   user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname      SAML   user.givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name           SAML   user.userprincipalname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname        SAML   user.surname

SAML Certificates

Token signing certificate

Share the "App Federation Metadata Url" value with Kiplot.

Verification certificates (optional)

Verification certificates let Microsoft Entra ID check the signature on the authentication requests Kiplot sends to it, so that unsigned or tampered requests are rejected. The certificate is the "SAML Request Signature Verification certificate" from the metadata Kiplot provided in step 1.

  1. Click on "Edit"

  2. Check the "Require verification certificates" check box

  3. Click on "Upload certificate"

  4. Choose the certificate file provided by Kiplot

  5. Click on "Ok"

  6. Click on "Save" at the bottom

8. Update the application logo

Visit the “Properties” section in the left-hand navigation bar and update the logo for the Kiplot Application. You can download the Kiplot Logo from this link:

https://www.kiplot.com/kiplot-azure-ad-logo/

9. Download the XML Metadata file

  1. In the same "Single sign-on" SAML configuration page, scroll down to the "SAML Certificates" section

  2. Click on "Federation Metadata XML" - "Download" to get the XML file. This is the file you'll need to share back with Kiplot

  3. Copy the "App Federation Metadata Url" value and share it with Kiplot

10. Share the XML file back with Kiplot

  • We will confirm once SSO has been configured

  • Please identify a user to act as tester
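A useful check before handing over to the tester is to inspect the SAML Response that Kiplot will receive (for example from a browser SAML trace during the first test sign-in) and confirm that it carries the claims from the table above and is addressed to the right service provider. The Python below is an added example, not Kiplot's code: the response XML, Entity ID, Reply URL and IdP issuer are constructed sample values, and signature verification against the certificate from the Federation Metadata XML is assumed to have passed before these checks run.

```python
"""Inspect a SAML Response the way the service provider does, to check the
claim configuration before going live.

Added example, not Kiplot code. The response XML, Entity ID, Reply URL and IdP
issuer are constructed sample values; signature verification is assumed to
have happened already.
"""
import xml.etree.ElementTree as ET   # for untrusted input use defusedxml's drop-in replacement
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("emailaddress", "givenname", "name", "surname")   # the additional claims table

ENTITY_ID = "https://acme.kiplot.com/auth/realms/acme"              # sample SP Identifier (Entity ID)
ACS_URL = ENTITY_ID + "/broker/entra-saml/endpoint"                 # sample Reply URL (ACS)
IDP_ISSUER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"   # sample IdP entity ID
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)

# Constructed sample response (no Signature element; verification is assumed done)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def inspect_response(xml_text, entity_id, acs_url, idp_issuer, now):
    """Return the NameID, the claims and the list of problems an SP would reject on."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain assertion (encrypted assertions must be decrypted first)")
        return {"name_id": None, "attributes": {}, "problems": problems}
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        problems.append("assertion Issuer is not the IdP from the federation metadata")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the Reply URL (ACS)")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation has expired")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not match the Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (not_before and now < _ts(not_before)) or (not_after and now >= _ts(not_after)):
            problems.append("assertion is outside its validity window")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIMS):
            attrs[name[len(CLAIMS):]] = attr.findtext("saml:AttributeValue", namespaces=NS)
    for required in REQUIRED_ATTRS:
        if not attrs.get(required):
            problems.append(f"missing claim {required}")
    if name_id is not None and attrs.get("emailaddress") and name_id.text != attrs["emailaddress"]:
        problems.append("NameID (user.userprincipalname) differs from emailaddress claim (user.mail)")
    return {"name_id": name_id.text if name_id is not None else None, "attributes": attrs, "problems": problems}


def demo(hours_late=0):
    """Run the checks on the sample response at SAMPLE_NOW, optionally some hours later."""
    return inspect_response(SAMPLE_RESPONSE, ENTITY_ID, ACS_URL, IDP_ISSUER,
                            SAMPLE_NOW + timedelta(hours=hours_late))
```

The last check is the one that catches the "user.userprincipalname represents the user's email" assumption from the claims section: if UPN and mail differ for some of your users, the Name ID and the emailaddress claim disagree, and the account Kiplot keys on may not be the one you expect.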

FAQs

  • Yes. Note that this is optional.

  • No - Kiplot must be created as a custom application, however configuration is extremely straightforward.

  • Yes - though this must be configured by Kiplot support. Please make sure you let your Activation Lead know that you want this set up.

  • Yes. If you wish, part of your user population may authenticate via SSO and part may authenticate directly with Kiplot. However, for security reasons we advise requiring all users to log in via SSO.