Learn how to configure Microsoft Entra ID as a SAML-based identity provider
Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)
Create a SAML Connection
In the Kandji web app, navigate to the Settings page
Click the Access tab
In the Authentication section, click the Add button on the bottom left (If that section does not currently exist, SSO is not enabled for your instance)
In the new pane that appears, click Custom SAML
Click Next
Click Show Advanced Details
Copy the Assertion Consumer Services URL and paste it into a text document for later use
Copy the Entity ID and paste it into a text document for later use
Leaving this browser tab open, continue to the Microsoft Entra ID instructions below
Add the Kandji Application to Microsoft Entra ID
In a new browser tab, open portal.azure.com
Select the menu in the top-left corner, then click Azure Active Directory
Select Enterprise applications
Select New application
Select Create Your Own Application
Enter a name for the custom app
Select the option to Integrate any other application you don't find in the gallery (Non-gallery)
Click Create
Click Single Sign-on
Click SAML
Click Edit for Basic SAML Configuration
Paste the Entity ID that you copied earlier into the Identifier (Entity ID) field (If there is an entry present already, it can be removed by clicking the trash can symbol)
Paste the Assertion Consumer Services URL that you copied earlier into the Reply URL (Assertion Consumer Service URL) field
Click Save, then click the X in the top right of the pane to close it
Leave the settings in the Attributes & Claims section set to their default.
In the SAML Signing Certificate section, click Download to download the Certificate (Base64) certificate. This certificate will be used in the Custom SAML configuration in Kandji.
In the Set Up [App Name] section, copy the Login URL and Logout URL and paste them into a text document for later use.
In the Users and Groups section, make sure to assign either a test user or a group.
Configure the SAML Connection in Kandji
Go back to the Custom SAML integration in Kandji
Give the connection a Name
Paste in the Sign In URL you copied from AzureAD
Paste in the Sign Out URL you copied from AzureAD
Upload the certificate you downloaded from AzureAD
Ensure that the User ID Attribute is set to the default value of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Ensure that Sign Request is set to Yes
Ensure that the Request Algorithm is set to RSA-SHA256
Ensure that Sign Request Algorithm Digest is set to SHA 256
Set the Protocol Binding to HTTP-POST
Save the connection, then click Cancel to close the configuration pane
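The values copied between the two consoles (Entity ID, Assertion Consumer Services URL, Login URL) and the signing settings chosen above (Sign Request = Yes, RSA-SHA256, SHA-256 digest, HTTP-POST) all surface in the SAML AuthnRequest that Kandji sends to Entra ID, and a mismatch in any of them is the usual reason a new connection fails at sign-in. The script below is an added example, not Kandji's or Microsoft's code: it parses a constructed AuthnRequest (the XML, IDs and URLs are placeholders, not captured from either product) and reports every field that does not match the expected configuration.

```python
"""Sanity-check a SAML AuthnRequest against the values gathered while
setting up Kandji + Microsoft Entra ID.

The request XML and all URLs/IDs below are constructed placeholders,
not captures from Kandji or Entra ID."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Algorithm/binding identifiers corresponding to the settings chosen in Kandji.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values copied out of the two consoles during setup (placeholders here).
EXPECTED = {
    "entity_id": "https://example-kandji-tenant.invalid/saml/metadata",  # Kandji Entity ID
    "acs_url": "https://example-kandji-tenant.invalid/saml/acs",          # Kandji ACS URL
    "login_url": "https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/saml2",  # Entra Login URL
}

# Constructed sample of what a correctly configured, signed request looks like.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/saml2"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://example-kandji-tenant.invalid/saml/acs">
  <saml:Issuer>https://example-kandji-tenant.invalid/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-id-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""


def check_authn_request(xml_text, expected=EXPECTED):
    """Return a list of findings; an empty list means every setting matches."""
    root = ET.fromstring(xml_text)
    findings = []

    # Issuer must be the Entity ID pasted into Entra's "Identifier (Entity ID)".
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["entity_id"]:
        findings.append(f"Issuer {issuer!r} != Entity ID")
    # Destination must be the Login URL copied from the Entra app.
    if root.get("Destination") != expected["login_url"]:
        findings.append("Destination != Entra Login URL")
    # ACS URL must equal the Reply URL configured in Entra.
    if root.get("AssertionConsumerServiceURL") != expected["acs_url"]:
        findings.append("AssertionConsumerServiceURL != Kandji ACS URL")
    if root.get("ProtocolBinding") != HTTP_POST:
        findings.append("ProtocolBinding is not HTTP-POST")

    # Signing settings: Sign Request = Yes, RSA-SHA256, SHA-256 digest.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("request is unsigned (Sign Request should be Yes)")
        return findings
    sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None or sig_method.get("Algorithm") != RSA_SHA256:
        findings.append("SignatureMethod is not RSA-SHA256")
    digest = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if digest is None or digest.get("Algorithm") != SHA256:
        findings.append("DigestMethod is not SHA-256")
    return findings


if __name__ == "__main__":
    for line in check_authn_request(SAMPLE_REQUEST) or ["all checks passed"]:
        print(line)
```

To use it against a real connection, replace the placeholders in EXPECTED with the values from your own Kandji and Entra consoles and feed in the decoded AuthnRequest from a browser SAML tracer; the script only checks structure and identifiers, it does not verify the signature value itself.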
Enable the SAML Connection
Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to the Enable and Manage a Connection section in our Single Sign-On support article for step-by-step instructions.
Enforcing Single Sign-On
Once you have configured at least one single sign-on connection, you can disable the standard authentication connection. Doing so removes the ability for Kandji administrators in your instance to authenticate via email/password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.
Add a Test User to Kandji
Add a test user to the Admin Team in Kandji by clicking New User
Fill in all of the corresponding user information. This user must exist in Azure AD and must be assigned to the Enterprise App in your Azure AD tenant.
Click Submit
Once the invite is submitted, close the Invite User window
Refresh the Access page in Kandji. You should see the user who was just added
Go to the user’s email to accept the invite and log in with the new SAML SSO connection