Azure AD - Single Sign-On (Native)

Learn how to configure Native Azure AD SSO connections

Note: Because client secrets have a maximum life of 24 months, we recommend that you configure SAML based Single Sign-On instead of using the method described in this document.

Create an Azure Active Directory Application  

  1. Login to the Azure Active Directory admin console.
  2. Click App Registrations on the left-hand navigation bar.
  3. Click New Registration to register a new application.
    Kandji-Support-KB-azure-sso-config1@2x
  4. Specify a name for the application (such as "Kandji").
  5. Select Accounts in this organization directory only as the supported account types.
  6. Specify the following URI for the redirect URI.
    https://auth.kandji.io/login/callback
  7. Click Register.Kandji-Support-KB-azure-ad-sso@2x
  8. On the new page, copy the Client ID, save this for later.
  9. Click Certificates and Secrets.
    Kandji-Support-KB-azure-ad-sso 3@2x
  10. Click New Client Secret.
  11. Give the client secret a name such as "Kandji SSO".
  12. Set the expiration to 24 months.
  13. Click Add.
    Azure-AD-SSO-Secret@2x
  14. Copy the value of the client secret (save this for later).
    Kandji-Support-KB@2x

Create an Azure Active Directory Connection 

  1. Navigate to the Settings page.
  2. Click the Access tab.
  3. Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
  4. Click the Add button on the bottom left of the authentication table.

    Kandji-Support-KB-sso-step1-2@2x-2
  5. In the new blade, click on the Azure Active Directory connection option.Kandji-Support-KB-azure-sso-Kandji@2x-2
  6. Customize or use the default Name for the azure connection (this will be shown on the login page).
  7. Enter the Azure Active Directory Domain that the application was registered within.
  8. Enter the Client ID you previously copied from Azure AD.
  9. Enter the Client Secret you previously copied from Azure AD.
  10. Click Save.
    Kandji-Support-KB-azure-ad-sso-blade2 2@2x
  11. After saving, a new dialougue box will appear with a link to authorize your connection. An Azure AD administrator for your domain will need to click the link and complete this process to authorize the application. This box will not go away after authorization is completed.
    Kandji-Support-KB-azure-ad-sso-auth@2x
  12. In the new window that launches, sign in, and click accept
    Kandji-Support-KB-azure-sso-accept@2x
  13. After clicking Accept you will be brought to an authorization success page. 
  14. Your connection has now been successfully configured and may be enabled and tested. 

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to our Single Sign-On support article for step-by-step instructions. 

Enforcing Single Sign-On

Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authentication via Email/Password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.