Single Sign-on with Azure AD (SAML)

Learn how to configure Azure AD as a SAML-based identity provider.

Create a SAML Connection 

  1. In the Kandji web app, navigate to the Settings page.

  2. Click the Access tab.

  3. In the Authentication section, click the Add button on the bottom left. (If that section does not currently exist, SSO is not enabled for your instance.)

  4. In the new pane that appears, click Custom SAML.

  5. Click Next.

  6. Click Show Advanced Details.

  7. Copy the Assertion Consumer Services URL and paste it into a text document for later use.

  8. Copy the Entity ID and paste it into a text document for later use.

  9. Leaving this browser tab open, continue to the Azure AD instructions below.

Add the Kandji Application to Azure AD

  1. In a new browser tab, open

  2. Select the menu in the top-left corner, then click Azure Active Directory.

  3. Select Enterprise applications.

  4. Select New application.

  5. Select Create Your Own Application.

  6. Enter a name for the custom app.

  7. Select the option to Integrate any other application you don't find in the gallery (Non-gallery).

  8. Click Create.

  9. Click Single Sign-on.

  10. Click SAML.

  11. Click Edit for Basic SAML Configuration.  

  12. Paste the Entity ID that you copied earlier into the Identifier (Entity ID) field. (If there is an entry present already, it can be removed by clicking the trash can symbol.)

  13. Paste the Assertion Consumer Services URL that you copied earlier into the Reply URL (Assertion Consumer Service URL) field.

  14. Click Save, then click the X in the top right of the pane to close it.

  15. Leave the settings in the Attributes & Claims section set to their defaults.

  16. In the SAML Signing Certificate section, click Download next to Certificate (Base64). This certificate will be used in the Custom SAML configuration in Kandji.

  17. In the Set Up [App Name] section, copy the Login URL and Logout URL and paste them into a text document for later use.

  18. In the Users and Groups section, make sure to assign either a test user or a group.

Configure the SAML Connection in Kandji

  1. Go back to the Custom SAML integration in Kandji.

  2. Give the connection a Name.

  3. Paste in the Sign In URL you copied from Azure AD.

  4. Paste in the Sign Out URL you copied from Azure AD.

  5. Upload the certificate you downloaded from Azure AD.

  6. Ensure that the User ID Attribute is set to the default value of

  7. Ensure that Sign Request is set to Yes.

  8. Ensure that the Request Algorithm is set to RSA-SHA256.

  9. Ensure that Sign Request Algorithm Digest is set to SHA 256.

  10. Set the Protocol Binding to HTTP-POST.

  11. Save the connection, then click Cancel to close the configuration pane.
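
To confirm these settings during a test sign-in, you can capture the SAMLRequest form field that the browser posts to the Azure AD Login URL and compare it with what you configured. The script below is an added example, not Kandji or Microsoft code; the function names, the sample request and the example.com values are constructed, and it only inspects the declared algorithms and identifiers without verifying the signature itself.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def check_authn_request(saml_request_b64, entity_id, acs_url):
    """Return a list of mismatches between a captured SAMLRequest and the configured values."""
    # HTTP-POST binding carries the XML as plain base64 (no DEFLATE step).
    xml = base64.b64decode(saml_request_b64)
    if b"<!DOCTYPE" in xml:  # refuse DTDs before handing the bytes to the parser
        return ["request contains a DOCTYPE declaration"]
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["not a SAML 2.0 AuthnRequest"]
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != entity_id:
        problems.append("Issuer %r does not match the Entity ID" % issuer)
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != acs_url:
        problems.append("ACS URL %r does not match the Reply URL" % acs)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return problems + ["request is unsigned although Sign Request is Yes"]
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA-SHA256")
    digests = [d.get("Algorithm")
               for d in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)]
    if not digests or any(d != SHA256 for d in digests):
        problems.append("digest algorithm is not SHA-256")
    return problems

def build_sample(sig_alg=RSA_SHA256, digest_alg=SHA256):
    """Constructed AuthnRequest for the demo; it carries no real signature value."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
           'Version="2.0" AssertionConsumerServiceURL="https://sp.example.com/acs">'
           '<saml:Issuer>urn:example:sp</saml:Issuer>'
           '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/>'
           '<ds:Reference URI="#_constructed1"><ds:DigestMethod Algorithm="%s"/>'
           '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:AuthnRequest>'
           ) % (NS["samlp"], NS["saml"], NS["ds"], sig_alg, digest_alg)
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_authn_request(build_sample(), "urn:example:sp", "https://sp.example.com/acs"))
```

Pass in the Entity ID and Assertion Consumer Services URL you saved earlier; an empty list means the request matches the configuration.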

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can enable the connection. Please refer to the Enable and Manage a Connection section in our Single Sign-On support article for step-by-step instructions.

Enforcing Single Sign-On

Once you have configured at least one single sign-on connection, you can disable the standard authentication connection. Doing so will remove the ability for Kandji administrators in your instance to authenticate via email/password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.

Add a Test User to Kandji

  1. Add a test user to the Admin Team in Kandji by clicking New User.

  2. Fill in all of the corresponding user information. This user must exist in Azure AD and must be assigned to the Azure SSO app in your Azure tenant.

  3. Close out of the user window once the invitation is submitted.

  4. Refresh the Access page in Kandji. You should see the user that was just added.

  5. Go to the user’s email to accept the invite and log in with the new SAML SSO connection.