Learn how to configure and manage Single Sign-On
Kandji Standard Authentication
Standard Authentication consists of the ability to sign in with Google Login, Azure AD (multi-tenant application), and Email/Password. All instances by default have Kandji Standard Authentication enabled. Kandji standard authentication can be disabled once an Enterprise SSO Connection has been created.
Single Sign-On Feature Overview
Single Sign-On options are available to customers in 500+ device pricing plans. Customers below the 500 device tier can purchase SSO as an add-on for $150/month through their Customer Success Manager (billed annually). By default, all instances have Kandji Standard Authentication enabled. Below is an overview of what can be accomplished with different licensing types.
| Feature | Single Sign-On not enabled | Single Sign-on enabled (500+ Device Tier) |
| Google Login | ✅ | ✅ |
| Azure AD Login | ✅ | ✅ |
| Multiple SSO connections | ❌ | ✅ |
|
SAML SSO |
❌ | ✅ |
| Custom Google Workspace App | ❌ | ✅ |
|
Custom Azure AD (Native) |
❌ | ✅ |
|
Ability to disable Standard Authentication options |
❌ | ✅ |
Adding a Single Sign-On Connection
Kandji currently supports the following Single Sign-On connection types. Click on one of the following connection types to learn how it can be configured.
- Native Azure AD Application (Microsoft Identity Services APIv2)
- Native Google Workspace Application
- SAML based Single Sign-On (with support for SLO)
Enable and manage a connection
Once you have configured an SSO connection in both Kandji and your identity provider (IDP), you can now enable the connection. This can be done using the following steps:
- Click the ellipsis (three dots) next to the connection name.
- Click Enable from the menu.
Connections can additionally be re-configured, deleted, and disabled from this menu
Disabling or deleting the Single Sign-On connection
If you decide to no longer use Single Sign-On you can delete or disable a connection as shown above. When you delete or disable your last Single Sign-On connection, Kandji Standard Authentication will automatically be re-enabled to prevent account lockout.
Enforcing Single Sign-On
Once you have configured at least one Single Sign-On connection, you can disable the Kandji Standard Authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authenticate via Email/Password, Google Sign in, or Office 365 Sign in.
Warning: Do not disable Kandji Standard Authentication until you have confirmed your SSO connection works. We recommend verification via a private browser window.
- Navigate to the Settings page.
- Click the Access tab.
- Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
- Click the ellipsis next to Standard Authentication.
- Click the Disable option.
- A confirmation modal will open. Click Disable.
