Learn how to configure and manage Single Sign-On
Kandji Standard Authentication
Standard Authentication consists of the ability to sign in with Google Login, Azure AD (multi-tenant application), and Email/Password. All instances by default have Kandji Standard Authentication enabled. Kandji standard authentication can be disabled once an Enterprise SSO Connection has been created.
Single Sign-On Feature Overview
Single Sign-On options are available to customers in 500+ device pricing plans. Customers below the 500 device tier can purchase SSO as an add-on for $150/month through their Customer Success Manager (billed annually). By default, all instances have Kandji Standard Authentication enabled. Below is an overview of what can be accomplished with different licensing types.
Feature | Single Sign-On not enabled | Single Sign-on enabled (500+ Device Tier) |
Google Login | ✅ | ✅ |
Azure AD Login | ✅ | ✅ |
Multiple SSO connections | ❌ | ✅ |
SAML SSO |
❌ | ✅ |
Custom Google Workspace App | ❌ | ✅ |
Custom Azure AD (Native) |
❌ | ✅ |
Ability to disable Standard Authentication options |
❌ | ✅ |
Adding a Single Sign-On Connection
Kandji currently supports the following Single Sign-On connection types. Click on one of the following connection types to learn how it can be configured.
- Native Azure AD Application (Microsoft Identity Services APIv2)
- Native Google Workspace Application
- SAML based Single Sign-On (with support for SLO)
Enable and manage a connection
Once you have configured an SSO connection in both Kandji and your identity provider (IDP), you can now enable the connection. This can be done using the following steps:
- Click the ellipsis (three dots) next to the connection name.
- Click Enable from the menu.
Connections can additionally be re-configured, deleted, and disabled from this menu
Disabling or deleting the Single Sign-On connection
If you decide to no longer use Single Sign-On you can delete or disable a connection as shown above. When you delete or disable your last Single Sign-On connection, Kandji Standard Authentication will automatically be re-enabled to prevent account lockout.
Enforcing Single Sign-On
Once you have configured at least one Single Sign-On connection, you can disable the Kandji Standard Authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authenticate via Email/Password, Google Sign in, or Office 365 Sign in.
Warning: Do not disable Kandji Standard Authentication until you have confirmed your SSO connection works. We recommend verification via a private browser window.
- Navigate to the Settings page.
- Click the Access tab.
- Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
- Click the ellipsis next to Standard Authentication.
- Click the Disable option.
- A confirmation modal will open. Click Disable.