Single Sign-On with OneLogin (SAML)

Learn how to configure OneLogin as a SAML-based identity provider.

Create a SAML Connection 

    1. Navigate to the Settings page.
    2. Click the Access tab.
    3. Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
    4. Click the Add button on the bottom left of the authentication table.

    5. In the new blade, click on the SAML connection option.Kandji-Support-KB-samlstep5 2@2x-2
        1. Click Advanced Details.
        2. Copy the contents of the Entity ID after the authurn:auth0:kandji-prod: portion of the string.
        3. Leave this tab open, and continue to the OneLogin instructions below. 

      Add the Kandji application to OneLogin

          1. Navigate to the following OneLogin configuration page, or find the Kandji app in the catalog.
          2. Click the Save button in the upper right hand corner.
          3. Click on the Configuration tab.
          4. Paste in the ending of the Entity ID you previously copied.
          5. Click Save.
          6. Click on the SSO tab.
            Kandji-Support-KB-onelogin-screen2 3@2x
          7. Copy the Sign In URL.
          8. Copy the Sign Out URL.
          9. Change the signature algorithm to SHA-256.
          10. Click Save in the upper right-hand corner.
          11. Click View Details under the certificate section.
          12. Copy the certificate contents, you may now assign users to this OneLogin application and close the tab. 

        Configure the SAML connection in Kandji

          1. Set the Connection Name to OneLogin.
          2. Paste in the Sign In URL you copied from OneLogin.
          3. Paste in the Sign Out URL you copied from OneLogin.
          4. Paste in the Certificate you copied from OneLogin.
          5. Save the connection (do not modify any other settings).

        Enable the SAML Connection

        Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to our Single Sign-On support article for step-by-step instructions. 


        Enforcing Single Sign-On

        Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authentication via Email/Password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.