Overview
With SAML Single Sign-on (SSO) authentication, Kantata customers can manage the access of their users to different systems and accounts from a central system. Identity management systems, also called Identity Providers, enable users to authenticate automatically and securely and eliminate the need for your account members to remember a password for Kantata OX.
What is SAML?
Security Assertion Markup Language (SAML) is an open standard for authentication between an Identity Provider and a Service Provider. OKTA, OneLogin, and Active Directory Federation Services are all examples of Identity Providers, and Kantata OX is a Service Provider. Using SAML, organizations can configure browser-based SSO authentication.
SAML Support in Kantata OX
Kantata OX currently supports the ability to authenticate SSO users through a SAML Identity Provider, including:
- Authenticating into Kantata OX through the SAML Identity Provider's dashboard
- Responding to logout signals to terminate the Kantata OX session
- Restricting authentication to SAML users only (Strict SSO) at the account level
Availability and Access
SSO using SAML is available for Enterprise plans that meet the minimum user license requirement. You must have custom branding enabled to utilize SSO. Specifically, a custom domain (such as yourdomain.mavenlink.com) is required for an SSO URL.
Please reach out to Customer Success or the Support team for more information.
How to Enable SAML in Kantata OX
- In the left navigation, hover over Settings, then select Security.
- From your Identity Provider, such as Okta, OneLogin, or Active Directory Federation Services, you’ll need to gather the following information and add it to these fields:
- Identity Provider SSO URL—The Identity Provider's login URL that Kantata OX redirects your account members to. This varies with each Identity Provider.
  - In Okta, this is called the Identity Provider SSO URL, or the Postback URL.
  - In OneLogin, this is called the SAML 2.0 Endpoint, or sometimes the SAML SSO URL.
  - In Active Directory Federation Services, the Relying party identifier.
- Issuer—This is a unique identifier for your Identity Provider. In some cases, this is called the entity ID. This will typically be a URL.
- X.509 Certificate—This is the Identity Provider's public certificate for your SAML configuration (Kantata OX uses it to verify the signature on SAML responses). It should start with -----BEGIN CERTIFICATE-----
- If desired, fill out the following fields that are optional, but recommended, for your Single Sign-On experience:
- Email Domain—This will be used to identify individuals who are not yet on your Kantata OX account. When such individuals are identified, we will instruct them to contact their Account Administrator to invite them to your Kantata OX account.
- Identity Provider Name—This is used on our login page to prompt users to login through their Identity Provider.
- Logout URL—If specified, this will redirect the user to a URL of your choice after they log out of Kantata OX. This is often used to redirect to a central SAML logout to sign the user out of all SAML-connected applications. Alternatively, this could be used to take the user back to the SSO homepage.
- Restrict login access to your Identity Provider only—You can also choose whether to restrict login access to Kantata OX to only your Identity Provider. Selecting this option enforces that all members on your account must authenticate through your SAML 2.0 Identity Provider.
- In order for Kantata OX to communicate back to your Identity Provider, you’ll need to enter your Relying Party SAML 2.0 SSO Service URL (the Assertion Consumer Service URL), such as https://yourdomain.mavenlink.com/saml/consume, into all of the following fields:
- Okta: Single Sign On URL, Recipient URL, Destination URL, Audience Restriction Audience URI (SP Entity ID)
- OneLogin: SAML Consumer URL, SAML Audience, SAML Recipient
- For a successful SAML SSO configuration, make sure to verify the following:
- Account emails in Kantata OX match the email set per each user in the Identity Provider.
- Your Name ID format within the Identity Provider is set to email address.
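The steps above amount to a small set of values that must agree on both sides: the Identity Provider's SSO URL, Issuer and X.509 certificate on the Kantata OX side, and the Relying Party SSO Service URL, an email-address Name ID and matching account emails on the Identity Provider side. The following added example (not Kantata's code) checks those values against a SAML Response before the signature is verified, so that a Destination, Recipient, Audience, Issuer or Name ID mismatch can be spotted as a configuration error rather than a generic failed login. The SP settings, the IdP URLs, the certificate placeholder and both sample responses are constructed assumptions; the Email Domain check reflects how the optional field is described above and is included for troubleshooting, not as a hard requirement.

```python
"""Added example (not Kantata's code): consistency checks for a SAML SP
configuration and an incoming SAML Response. Every URL, issuer, certificate
placeholder and sample response here is a constructed assumption."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Hypothetical Service Provider settings mirroring the fields in the steps above.
SP_CONFIG = {
    "idp_sso_url": "https://idp.example.com/sso/saml",
    "issuer": "https://idp.example.com/metadata",
    "x509_certificate": "-----BEGIN CERTIFICATE-----\n(base64 body omitted)\n-----END CERTIFICATE-----",
    "acs_url": "https://yourdomain.mavenlink.com/saml/consume",
    "email_domain": "example.com",
}

# Constructed SAML Response in which every field agrees with SP_CONFIG.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://yourdomain.mavenlink.com/saml/consume">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://yourdomain.mavenlink.com/saml/consume"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://yourdomain.mavenlink.com/saml/consume</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response with a persistent NameID instead of an email address: the kind of
# Identity Provider setting mismatch that leaves the Service Provider unable to map the user.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com',
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3')


def check_sp_config(cfg):
    """Return a list of problems with the values entered in the Security settings."""
    problems = []
    for key in ("idp_sso_url", "acs_url"):
        parsed = urlparse(cfg.get(key, ""))
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{key} must be an absolute https URL")
    if not cfg.get("issuer"):
        problems.append("issuer is empty")
    cert = cfg.get("x509_certificate", "").strip()
    if not (cert.startswith("-----BEGIN CERTIFICATE-----")
            and cert.endswith("-----END CERTIFICATE-----")):
        problems.append("x509_certificate is not a PEM-encoded certificate")
    return problems


def check_response(xml_text, cfg):
    """Return mismatches between a SAML Response and the SP configuration.
    These checks complement XML signature verification against the configured
    certificate; they never replace it."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["issuer"]:
        problems.append("Issuer does not match the configured Issuer")
    if (root.find("ds:Signature", NS) is None
            and root.find("saml:Assertion/ds:Signature", NS) is None):
        problems.append("no Signature element to verify")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID format is not emailAddress")
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not EMAIL_RE.fullmatch(value):
        problems.append("NameID is not an email address")
    elif value.rsplit("@", 1)[1].lower() != cfg["email_domain"].lower():
        # Optional: a user outside the configured Email Domain is not necessarily an error.
        problems.append("NameID domain differs from the configured Email Domain")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        problems.append("Recipient does not match the ACS URL")
    if assertion.findtext(".//saml:Audience", namespaces=NS) != cfg["acs_url"]:
        problems.append("Audience does not match the ACS URL")
    return problems


if __name__ == "__main__":
    print("config:", check_sp_config(SP_CONFIG) or "ok")
    print("good response:", check_response(GOOD_RESPONSE, SP_CONFIG) or "ok")
    print("bad response:", check_response(BAD_RESPONSE, SP_CONFIG))
```

Run as a script it reports an empty problem list for the consistent configuration and response, and flags the second response for its non-email Name ID. The Okta and OneLogin field lists above map directly onto the Destination, Recipient and Audience values the checker compares against the ACS URL, which is why all of them must carry the same Relying Party URL.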
Troubleshooting
This section outlines some of the most common issues encountered by users with SAML SSO.
- Unknown User
- SAML is not supported at this account level
- No error message. Users are just redirected to the login page and cannot log in
- Failed SAML login
- Invalid signature on SAML response
- You have been logged out
Common Exceptions
If you need further assistance with setting up SAML SSO or have any questions, please contact Support.