Single Sign-on with Microsoft Entra ID (formerly Azure AD) (SAML)

By Gwynn Clark

Learn how to configure Microsoft Entra ID as a SAML-based identity provider

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)

Create a SAML Connection 

  1. In the Kandji web app, navigate to the Settings page

  2. Click the Access tab

  3. In the Authentication section, click the Add button on the bottom left (If that section does not currently exist, SSO is not enabled for your instance)

  4. In the new pane that appears, click Custom SAML

  5. Click Next


  6. Click Show Advanced Details

  7. Copy the Assertion Consumer Services URLand paste it into a text document for later use

  8. Copy the Entity ID and paste it into a text document for later use




  9. Leaving this browser tab open, continue to the AzureAD instructions below

Add the Kandji Application to Microsoft Entra ID

  1. In a new browser tab, open portal.azure.com

  2. Select the menu in the top-left corner, then click Azure Active Directory



  3. Select Enterprise applications






  4.  Select New application




  5. Select Create Your Own Application

  6. Enter a name for the custom app

  7. Select the option to Integrate any other application you don't find in the gallery (Non-gallery)

  8. Click Create



  9. Click Single Sign-on

  10. Click SAML




  11. Click Edit for Basic SAML Configuration





  12. Paste the Entity ID that you copied earlier into the Identifier (Entity ID) field (If there is an entry present already, it can be removed by clicking the trash can symbol)

  13. Paste the Assertion Consumer Services URL that you copied earlier into the Reply URL (Assertion Consumer Service URL) field

  14. Click Save, then click the X in the top right of the pane to close it

     


  15. Leave the settings in the Attributes & Claims section set to their default.

  16. In the SAML Certificate section, click Download to download the Certificate (Base64) certificate. This certificate will be used in the Custom SAML configuration in Kandji.

  17. In the Set Up [App Name] section, copy the Login URL and Logout URL and paste them into a text document for later use.




  18. In the Users and Groups section, make sure to assign either a test user or a group.





Configure the SAML Connection in Kandji

  1. Go back to the Custom SAML integration in Kandji

  2. Give the connection a Name

  3. Paste in the Sign In URL you copied from AzureAD

  4. Paste in the Sign Out URL you copied from AzureAD

  5. Upload the certificate you downloaded from AzureAD

  6. Ensure that the User ID Attribute is set to the default value of

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  7. Ensure that Sign Request is set to Yes

  8. Ensure that the Request Algorithm is set to RSA-SHA256

  9. Ensure that Sign Request Algorithm Digest is set to SHA 256

  10. Set the Protocol Binding to HTTP-POST

  11. Save the connection, then click Cancel to close the configuration pane

     


Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to the Enable and Manage a Connection section in our Single Sign-On support article for step-by-step instructions.

Enforcing Single Sign-On
Once you have configured at least one single sign-on connection, you can disable the standard authentication connection. Doing so will remove the ability for Kandji administrators in your instance to authenticate via email/password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions

Add a Test User to Kandji

  1. Add a test user to the Admin Team in Kandji by clicking New User

  2. Fill in all of the corresponding user information. This user must exist in Azure AD and must be assigned to the Enterprise App in your Azure AD tenant.

  3. Click Submit



  4. Once the invite is submitted, close the Invite User window

  5. Refresh the Access page in Kandji. You should see the user who was just added

  6. Go to the user’s email to accept the invite and log in with the new SAML SSO connection