SSO Configuration (SAML & OIDC)
What is SSO?
Single Sign-On (SSO) is an authentication process that enables users to access multiple applications or systems with a single set of login credentials, simplifying the sign-in process and enhancing user experience.
In the context of "Joiners, Movers, Leavers" (JML), SSO plays a crucial role in managing user access efficiently. New employees gain timely access, current employees have their permissions adjusted as they move roles, and departing employees have their access promptly revoked at the identity provider, which maintains security and compliance throughout the user lifecycle.
How does SSO work?
The common configuration for Single Sign-On (SSO) uses Just-In-Time (JIT) access provisioning, typically facilitated by an identity protocol such as SAML or OIDC, with detailed permissions managed within Kiplot.
In simple terms, your Identity and Access Management (IAM) solution (e.g., Azure AD) maintains a group named "Kiplot Access", and the Kiplot application is assigned to that group. When a user attempts to sign in to Kiplot, Kiplot redirects them to your IAM solution using the configured identity protocol (SAML or OIDC). Your IAM solution authenticates the user and only issues a signed assertion (SAML) or ID token (OIDC) for Kiplot if the user is a member of that group; Kiplot verifies the signature and reads the user's identity from it. If the user is authorised and is accessing Kiplot for the first time, an account is created for them using JIT provisioning. Users who have previously accessed Kiplot are signed in to their existing account, with whatever permissions have already been assigned to it in Kiplot.
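The create-or-sign-in decision described above, as an added illustration (not Kiplot's code): a small in-memory user store, the claim names used by the Azure mapping later on this page (nameid, givenname, surname), and the one check worth getting right at this step, normalising the identifier so that a NameID arriving in different letter case does not create a second, empty account. The store, the claims and the role are all constructed for the example.

```python
"""Illustration of the JIT decision at the service provider (added example, not Kiplot code).

By the time claims reach the application the IdP has authenticated the user and,
through the group assignment on the enterprise application, decided whether they
may use the app at all. The application only has to decide 'create' vs 'sign in',
and must key that decision on a normalised identifier so that a user whose NameID
arrives as Jane.Doe@example.com one day and jane.doe@example.com the next does
not end up with a second, empty account.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str                                 # normalised NameID from the IdP
    given_name: str
    surname: str
    roles: set = field(default_factory=set)    # permissions live in the app, not in the IdP


class Directory:
    """In-memory stand-in for the application's user store (constructed for the example)."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def normalise(name_id: str) -> str:
        # Email addresses are compared case-insensitively in practice; trimming and
        # lower-casing avoids two accounts for the same person.
        return name_id.strip().lower()

    def get(self, name_id: str):
        return self._accounts.get(self.normalise(name_id))

    def add(self, account: Account) -> None:
        self._accounts[account.email] = account

    def __len__(self) -> int:
        return len(self._accounts)


def jit_login(directory: Directory, claims: dict):
    """Return (account, created) for claims from an assertion or ID token whose
    signature has ALREADY been verified by the SAML/OIDC library; they are trusted here."""
    name_id = claims.get("nameid", "")
    if "@" not in name_id:
        # A missing or non-email NameID means the IdP claim mapping is wrong;
        # refuse rather than provision an account under a bogus key.
        raise ValueError("NameID claim missing or not an email address")
    existing = directory.get(name_id)
    if existing is not None:
        return existing, False                     # sign in to the existing account
    account = Account(                             # first visit: create with no roles;
        email=Directory.normalise(name_id),        # a joiner is granted permissions
        given_name=claims.get("givenname", ""),    # inside the application afterwards
        surname=claims.get("surname", ""),
    )
    directory.add(account)
    return account, True


# Constructed claims in the shape produced by the Azure AD mapping on this page.
FIRST_LOGIN = {"nameid": "Jane.Doe@example.com", "givenname": "Jane", "surname": "Doe"}
LATER_LOGIN = {"nameid": "jane.doe@example.com", "givenname": "Jane", "surname": "Doe"}


def demo():
    store = Directory()
    acct, created = jit_login(store, FIRST_LOGIN)          # first visit: account created
    acct.roles.add("viewer")                               # an admin grants a role in the app
    again, created_again = jit_login(store, LATER_LOGIN)   # different casing, same person
    return created, created_again, again.roles, len(store)


if __name__ == "__main__":
    print(demo())
```

If the IdP can hand out the same email to a different person later (for example when mailboxes are recycled), matching on email alone is not enough; in that case the NameID should be an immutable identifier and the email carried as a separate claim.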
Configuring SSO
Below are step-by-step instructions to set up Single Sign-On (SSO) for Kiplot. SAML and OIDC are the most commonly used SSO methods, and Kiplot supports both configurations. If you require a different setup, please contact us for assistance.
SAML Configuration
A) Request your service provider metadata file from Kiplot. This will include:
Identifier (Entity ID)
Reply URL (Assertion Consumer Service URL)
Sign on URL
B) Login to the Azure Portal:
Navigate to the Azure Portal and sign in with an account that can manage enterprise applications, i.e. one assigned at least the Cloud Application Administrator role (the User Administrator role is not sufficient to add an enterprise application).
C) Choose Azure Active Directory:
In the left-hand navigation pane, click on the "Azure Active Directory" service (shown as "Microsoft Entra ID" in newer portals).
D) Enterprise Applications:
In the Azure AD blade, click on "Enterprise applications" from the menu.
E) New Application:
Click on "+ New application" at the top.
In the "Add from the gallery" section, choose "Non-gallery application".
Name the application, “Kiplot”.
F) Configure Single Sign-On:
Once the application is created, click on the "Single sign-on" from the application's left-hand navigation menu.
Choose the "SAML" option.
G) SAML-based Sign-on Settings:
Basic SAML Configuration:
Use the information below to complete this section; the same three values are in the service provider metadata file you requested from Kiplot in step A. Note that you must replace [yourdomain] with the name of the subdomain that has been assigned to your organisation’s Kiplot instance.
Setting | Value
Identifier (Entity ID) |
Reply URL (Assertion Consumer Service URL) |
Sign on URL (Optional) |
User Attributes & Claims:
Required Claim
This should be correct by default, but please make sure that within “Attributes & Claims”, under “Required claim”, the Unique User Identifier is mapped as below. Note that in this example user.userprincipalname is the user's email address, which is typically the case. If UPNs are not email addresses in your organisation, select the attribute that holds the email instead, because Kiplot uses this value to match or create the user's account.
Unique User Identifier (Name ID) → user.userprincipalname
Additional Claims (Optional)
givenname → user.givenname
surname → user.surname
emailaddress → user.mail
name → user.userprincipalname
Visit the “Properties” section in the left hand nav bar and update the logo for the Kiplot application. You can download the Kiplot logo from this link: https://www.kiplot.com/kiplot-azure-ad-logo/ . While in “Properties”, set “Assignment required?” to Yes, then under “Users and groups” assign the access group (for example the “Kiplot Access” group described above) so that only its members can obtain a SAML assertion for Kiplot; this assignment is what makes the joiner, mover and leaver controls effective.
H) Download the XML Metadata file:
In the same "Single sign-on" SAML configuration page, scroll down to the "SAML Signing Certificate" section.
Next to “Federation Metadata XML”, click “Download” to get the XML file. This is the file you'll need to share back with Kiplot; it contains your tenant's SAML endpoints and signing certificate, which Kiplot uses to verify assertions.
I) Share XML file back with Kiplot
We will confirm once SSO has been configured.
Please identify a user to act as tester. Ideally test with one user who is a member of the access group and one who is not, to confirm that non-members are refused.
OIDC Configuration
A) Request your Redirect URI from Kiplot. This will look something like this:
https://{tenant_name}.kiplot.com/auth/realms/{tenant_name}/broker/{keycloak_idp_alias}/endpoint
B) Register Kiplot as an application in Azure (Azure AD is the identity provider; the app registration represents Kiplot as the OIDC client)
Create a new App registration
Navigate to “Authentication” on the side panel
Click “Add a platform”
Choose “Web”
Populate the Redirect URI provided by Kiplot, exactly as given; Azure matches it literally, so any difference in host or path will cause the login to fail. Leave the implicit grant checkboxes unchecked: a confidential client with a client secret uses the authorization code flow.
C) Copy the OpenID Connect metadata document
Go to “Overview” → “Endpoints”
Copy the “OpenID Connect metadata document” URL and share it with Kiplot. Make sure it is the tenant-specific URL shown on that page (it contains your tenant ID) rather than the generic “common” endpoint, so that only accounts from your tenant are accepted.
D) Create New Client Secret
Go to “Overview” and click the link next to “Client credentials” (it should read “0 certificate, 0 secret”)
Click “New client secret”
Set “Description” to “Kiplot OIDC”
Set the expiration date appropriately. When the secret expires, SSO logins stop working until a new secret is created and shared with Kiplot, so record the date in your rotation calendar
Click “Add”
Copy the “Value” (the client secret) and provide it to Kiplot. It is displayed only once, immediately after creation, and it is a credential: send it over a secure channel rather than by plain email or chat
Copy the “Expires” date and provide it to Kiplot
E) Share Application ID
Return to the “Overview” page
Copy “Application (client) ID” and provide it to Kiplot
We will confirm once SSO has been configured
Please identify a user to act as tester
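The values handed to Kiplot in steps A to E are easy to get subtly wrong. As an added example (not Kiplot's own tooling), the script below checks a discovery document, a Redirect URI and a secret expiry date offline, using only the standard library. The discovery document, the tenant name “acme” and the broker alias “azure-oidc” are constructed; the Redirect URI pattern is an assumption derived from the template in step A, so adjust it if Kiplot gives you a different shape.

```python
"""Pre-flight check of the OIDC hand-off values before sending them to Kiplot (added example).

Checks the discovery document (step C), the Redirect URI (step A) and the client
secret expiry (step D) for the mistakes that most often break or weaken the setup:
a multi-tenant ('common') endpoint instead of your tenant's, non-https endpoints,
a redirect URI that does not match the Kiplot pattern, and a secret about to expire.
"""
import re
from datetime import date
from urllib.parse import urlparse

FAKE_TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID

# Constructed discovery document in the shape of Azure AD's v2.0 endpoint for one tenant.
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{FAKE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{FAKE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{FAKE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{FAKE_TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
# Redirect URI following the template in step A; 'acme' and 'azure-oidc' are assumed names.
SAMPLE_REDIRECT_URI = "https://acme.kiplot.com/auth/realms/acme/broker/azure-oidc/endpoint"

# Assumed shape: the same tenant name must appear as the subdomain and as the realm.
REDIRECT_PATTERN = re.compile(
    r"^https://(?P<tenant>[a-z0-9-]+)\.kiplot\.com/auth/realms/(?P=tenant)/broker/[A-Za-z0-9._-]+/endpoint$"
)
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}


def check_discovery(doc: dict) -> list:
    """Problems with the OpenID Connect metadata document; empty list means it looks right."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url!r}")
        if parsed.hostname == "login.microsoftonline.com" and MULTI_TENANT_SEGMENTS & set(parsed.path.split("/")):
            problems.append(f"{key} uses a multi-tenant endpoint, not your tenant's")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID-token signing not offered")
    if "email" not in doc.get("scopes_supported", []):
        problems.append("email scope not offered; user matching by email will not work")
    return problems


def check_redirect_uri(uri: str) -> list:
    if REDIRECT_PATTERN.match(uri):
        return []
    return [f"redirect URI does not match the Kiplot broker pattern: {uri!r}"]


def check_secret_expiry(expires_iso: str, today_iso: str, min_days: int = 30) -> list:
    """Warn when the client secret is expired or will expire within min_days."""
    days_left = (date.fromisoformat(expires_iso) - date.fromisoformat(today_iso)).days
    if days_left <= 0:
        return ["client secret has already expired"]
    if days_left < min_days:
        return [f"client secret expires in {days_left} days; rotate before then"]
    return []


def check_oidc_handoff(doc: dict, redirect_uri: str, expires_iso: str, today_iso: str) -> list:
    return check_discovery(doc) + check_redirect_uri(redirect_uri) + check_secret_expiry(expires_iso, today_iso)


if __name__ == "__main__":
    # Constructed dates: secret created in January, expiring at the end of June.
    print(check_oidc_handoff(SAMPLE_DISCOVERY, SAMPLE_REDIRECT_URI, "2025-06-30", "2025-01-15") or "hand-off looks good")
```

To use it for real, paste the JSON fetched from the metadata document URL into SAMPLE_DISCOVERY (or load it with json.load) and pass the Redirect URI and the “Expires” date from the portal. The secret value itself never goes into a script like this.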
FAQs
Yes. Note that this is optional.
No - Kiplot must be created as a custom application, however configuration is extremely straightforward.
Yes - though this must be configured by Kiplot support. Please make sure you let your Activation Lead know that you want this set up.
Yes. If you wish, part of your user population may authenticate via SSO while the rest authenticate directly with Kiplot. However, for security reasons we advise requiring all users to log in via SSO: a leaver who is disabled in your identity provider then loses Kiplot access immediately, whereas a separately managed Kiplot password has to be revoked by hand.