Single Sign-On with OneLogin (SAML)

Learn how to configure OneLogin as a SAML-based identity provider.

Create a SAML Connection 

    1. Navigate to the Settings page.
    2. Click the Access tab.
    3. Find the Authentication section. If that section does not currently exist, SSO is not enabled for your instance.
    4. Click the Add button on the bottom left of the authentication table.

    5. In the new blade, click on the SAML connection option.
        1. Click Advanced Details.
        2. Copy the contents of the Assertion Consumer Service URL.
        3. Copy the contents of the Entity ID after the urn:auth0:kandji-prod: portion of the string.
        4. Leave this tab open, and continue to the OneLogin instructions below. 

      Add the Kandji application to OneLogin

          1. Navigate to the following OneLogin configuration page, or find the Kandji app in the catalog.
            http://{YourSubdomain}.onelogin.com/apps/new/146199
          2. Click the Save button in the upper right hand corner.
          3. Click on the Configuration tab.
          4. Paste in the Assertion Consumer Service URL you previously copied in the Consumer (ACS) URL field.
          5. Paste in the ending of the Entity ID you previously copied in the Kandji Connection Name field.
          6. For EU instances only: Copy the contents of the encryption certificate below and paste it into the Public Key box in the SAML Encryption section.

            If you have a US instance, you can skip this step and continue to step 7.

          7. Click Save.
          8. Click on the SSO tab.
          9. Change the signature algorithm to SHA-256.
          10. Copy the Sign In URL, under SAML 2.0 Endpoint (HTTP).
          11. Copy the Sign Out URL, under SLO Endpoint (HTTP).
          12. Click Save in the upper right-hand corner.
          13. Click View Details under the certificate section.
          14. Download the certificate in X.509 PEM format.
          15. You may now assign users to this OneLogin application and close the tab. 

        Configure the SAML connection in Kandji

          1. Set the Connection Name to OneLogin.
          2. Paste in the Sign In URL you copied from OneLogin.
          3. Paste in the Sign Out URL you copied from OneLogin.
          4. Upload the Certificate you downloaded from OneLogin.
          5. Save the connection (do not modify any other settings).
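
A pre-flight check for the values copied between the two consoles, as an added example that is not part of the Kandji article or either vendor's tooling. The function names are hypothetical, the `{subdomain}.onelogin.com` host rule is an assumption drawn from the OneLogin URL in the steps above, and all sample values are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

ENTITY_PREFIX = "urn:auth0:kandji-prod:"  # prefix quoted in the Kandji steps

def connection_name(entity_id: str) -> str:
    """Part of the Entity ID that goes in the Kandji Connection Name field."""
    entity_id = entity_id.strip()
    name = entity_id[len(ENTITY_PREFIX):]
    if not entity_id.startswith(ENTITY_PREFIX) or not name:
        raise ValueError("Entity ID lacks the expected prefix or a name after it")
    return name

def check_idp_url(url: str, subdomain: str) -> str:
    """Accept only an HTTPS URL on {subdomain}.onelogin.com (assumed host)."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"not an HTTPS URL: {url!r}")
    if parts.hostname != f"{subdomain.lower()}.onelogin.com":
        raise ValueError(f"unexpected host in {url!r}")
    return parts.geturl()

def pem_sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the single certificate in a PEM text."""
    bodies = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if len(bodies) != 1:
        raise ValueError("expected exactly one certificate")
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    print(connection_name("urn:auth0:kandji-prod:example-connection"))
    print(check_idp_url("https://example.onelogin.com/constructed/sso/0000", "example"))
    sample = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed bytes, not a real cert").decode()
              + "\n-----END CERTIFICATE-----\n")
    print(pem_sha256_fingerprint(sample))
```

Compare the printed fingerprint with the one OneLogin shows for the certificate before uploading the file to Kandji.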

        Enable the SAML Connection

        Once you have configured the SAML connection in both Kandji and your identity provider, you can enable the connection. Please refer to our Single Sign-On support article for step-by-step instructions.

        Enforcing Single Sign-On

        Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication removes the ability for Kandji administrators in your instance to authenticate via Email/Password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.

         

        Add a Test User to Kandji

        1. Add a test user to the Admin Team in Kandji by clicking New User.

        2. Fill in all of the corresponding user information. This user must exist in OneLogin and must be assigned to the Kandji SSO app in your OneLogin tenant.

        3. Click Submit.



        4. Once the invite is submitted, close the Invite User window.

        5. Refresh the Access page in Kandji. You should see the user you just added.

        6. Go to the user’s email to accept the invite and log in with the new SAML SSO connection.