Learn how to configure and manage Single Sign-on
Kandji Standard Authentication
Standard Authentication consists of the ability to sign in with Google Login, Azure AD (multi-tenant application), and Email/Password. All instances by default have Kandji Standard Authentication enabled. Kandji Standard Authentication can be disabled once an Enterprise SSO Connection has been created.
Single Sign-On Feature Overview
Single Sign-on options are available to all customers.
Adding a Single Sign-On Connection
Kandji currently supports the following Single Sign-on connection types. Click on one of the following connection types to learn how it can be configured.
- Native Azure AD Application (Microsoft Identity Services APIv2)
- Native Google Workspace Application
- SAML based Single Sign-on (with support for SLO)
- Single Sign-on with OneLogin
Enable and Manage a Connection
Once you have configured an SSO connection in both Kandji and your identity provider (IdP), you can now enable the connection.
- Click the ellipsis (three dots) next to the connection name.
- Click Enable from the menu.
Connections can additionally be re-configured, deleted, and disabled from this menu
An SSO connection does not need to be Active in Settings > Access in order to be used for Require Authentication within Automated Device Enrollment. A connection should only be Active in Settings if you want to authenticate Kandji administrators to the web app with that connection.
Disabling or Deleting the Single Sign-On Connection
If you decide to no longer use Single Sign-on, you can delete or disable a connection as shown above. When you delete or disable your last Single Sign-on connection, Kandji Standard Authentication will automatically be re-enabled to prevent account lockout.
Enforcing Single Sign-On
Once you have configured at least one Single Sign-on connection, you can disable the Kandji Standard Authentication connection. Disabling Kandji Standard Authentication will disable the ability for Kandji administrators in your instance to authenticate via Email/Password, Google Sign in, or Office 365 Sign in.
Warning: Do not disable Kandji Standard Authentication until you have confirmed your SSO connection works. We recommend verification via a private browser window.
- Navigate to the Settings page.
- Click the Access tab.
- Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
- Click the ellipsis next to Standard Authentication.
- Click the Disable option.
- A confirmation modal will open. Click Disable.