Single Sign-On with Okta (SAML)

Learn how to configure Okta as a SAML-based identity provider.

Create a SAML Connection 

1. In Kandji, navigate to the Settings page

2. Click the Access tab

3. Find the Authentication section and click the Add button on the bottom left of the authentication section (If that section does not appear, SSO is not enabled for your instance)

4. In the Add SSO Connection pane, select the Custom SAML option

5. Click Next

   

6. Select Show Advanced Details

7. Copy the Assertion Consumer Service URL and save it in a text document for later use

8. Copy the Entity ID and save it too

    

9. Leave this browser tab open as you proceed with the instructions below

Configure the Kandji App in Okta

1. In a new browser tab, log in to your Okta tenant
2. On the left-hand side, click the reveal triangle next to Applications
3. Click Applications
   
   
4. Click Create App Integration
   
   
5. Select SAML 2.0 as the app integration type and click Next
   
   
6. Enter an App name
7. Upload an optional App logo
8. Click Next
   
   
9. In the Single sign on URL field, paste the Kandji Assertion Consumer Service URL that was copied earlier
10. In the Audience URI (SP Entity ID) field, paste the Kandji Entity ID that was copied earlier
11. Ensure that the Name ID format is set to Unspecified
12. Ensure that the Application username is set to Okta username
13. Ensure that the Update application username on is set to Create and update
14. Select Next
    
    
15. Select I'm an Okta customer adding an internal app
16. Select This is an internal app that we have created
17. Click Finish. 
    
    
18. Back at the Sign On tab find the link to View SAML setup instructions and open it in a new browser tab
    
    
19. Copy the Single Sign-On URL and save it in a text document for later use in Kandji
20. Download the certificate file and save it for use in Kandji
    
    

Add a test user to the Okta app

1. Go back to the Okta app and click the Assignments tab
2. Click the Assign dropdown menu and click Assign to People
   
   
3. Search for a test user to Assign
4. Once the user is assigned click Done
   
   
5. You should see the user that you have selected in the list
   
   

Configure the SAML connection in Kandji

1. Go back to the Custom SAML integration in Kandji

2. Give the connection a Name

3. Paste the Single Sign-On URL you copied from Okta into the Sign In URL text field

4. Upload the Okta certificate you downloaded earlier

5. Ensure that the User ID Attribute is set to the default value of

   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

6. Ensure Sign Request is set to Yes

7. Ensure Request Algorithm is set to RSA-SHA256

8. Ensure Sign Request Algorithm Digest is set to SHA 256

9. Set the Protocol Binding to HTTP-Redirect

10. Save the connection and click Cancel to close the configuration pane

    

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to the Enable and Manage a Connection section in our Single Sign-on support article for step-by-step instructions. 

1. Add a test user to the Admin Team in Kandji by clicking New User

2. Fill in all of the corresponding user information. This user must exist in Okta and must be assigned to the Okta SSO app in your Okta tenant

3. Click Submit

   
   

   

4. Once the invite is submitted, close the Invite User window

5. Refresh the Access page in Kandji. You should see the user who was just added

6. Go to the user’s email to accept the invite and log in with the new SAML SSO connection