Single Sign-On with OneLogin (SAML)

By Gwynn Clark

Learn how to configure OneLogin as a SAML-based identity provider

Create a SAML Connection 

    1. Navigate to the Settings page.
    2. Click the Access tab.
    3. Find the Authentication section. If that section does not currently exist, SSO is not enabled for your tenant.
    4. Click the Add button on the bottom left of the authentication table.
    5. In the new blade, select the Custom SAML connection option.
    6. Click Next.
    7. Click Show Advanced Details.
    8. Copy the contents of the Assertion Consumer Service URL.
    9. Copy the contents of the Entity ID after the urn:auth0:kandji-prod: portion of the string.
    10. Leave this tab open, and continue to the OneLogin instructions below.

Add the Kandji application to OneLogin

    1. Navigate to the following OneLogin configuration page, or find the Kandji app in the catalog. http://{YourSubdomain}
    2. Click the Save button in the upper right hand corner.
    3. Click on the Configuration tab.
    4. Paste in the Assertion Consumer Service URL you previously copied in the Consumer (ACS) URL field.
    5. Paste the ending of the Entity ID you previously copied into the Kandji Connection Name field. Enter only the part after "urn:auth0:kandji-prod:".
    6. For EU tenants only: Copy the contents of the encryption certificate below and paste it into the Public Key box in the SAML Encryption section.

      If you have a US tenant, you can skip this step and continue to step 7.

    7. Click Save.
    8. Click on the SSO tab.
    9. Change the signature algorithm to SHA-256.
    10. Copy the Sign In URL, under SAML 2.0 Endpoint (HTTP).
    11. Copy the Sign Out URL, under SLO Endpoint (HTTP).
    12. Click Save in the upper right-hand corner.
    13. Click View Details under the certificate section in the SSO tab.
    14. Download the certificate in X.509 PEM format.
    15. You may now assign users to this OneLogin application and close the tab.

Configure the SAML connection in Kandji

    1. Set the Connection Name to OneLogin.
    2. Paste in the Sign In URL you copied from OneLogin.
    3. Paste in the Sign Out URL you copied from OneLogin.
    4. Upload the Certificate you downloaded from OneLogin.
    5. Save the connection (do not modify any other settings).
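
The values carried between the two consoles can be checked before they are pasted and uploaded. The sketch below is an added example, not Kandji or OneLogin code: it extracts the connection name from the Entity ID, requires https on the copied URLs, and computes the SHA-256 fingerprint of the downloaded PEM file for comparison with the certificate details in OneLogin (assuming a fingerprint is displayed there). All function names and sample values are constructed for illustration.

```python
import hashlib
import ssl
from urllib.parse import urlsplit

ENTITY_ID_PREFIX = "urn:auth0:kandji-prod:"  # prefix quoted in the steps above

def connection_name(entity_id):
    """Part of the Entity ID that goes into the Kandji Connection Name field."""
    entity_id = entity_id.strip()
    if not entity_id.startswith(ENTITY_ID_PREFIX):
        raise ValueError("Entity ID does not start with " + ENTITY_ID_PREFIX)
    name = entity_id[len(ENTITY_ID_PREFIX):]
    if not name or any(c.isspace() for c in name):
        raise ValueError("unexpected connection name: %r" % name)
    return name

def https_host(label, url):
    """Reject a copied endpoint that is not an absolute https:// URL."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(label + " must be an absolute https:// URL")
    return parts.hostname

def cert_sha256(pem):
    """SHA-256 fingerprint of the single certificate in a PEM file."""
    if "PRIVATE KEY" in pem or pem.count("-----BEGIN CERTIFICATE-----") != 1:
        raise ValueError("file must hold exactly one certificate and no private key")
    der = ssl.PEM_cert_to_DER_cert(pem.strip())  # ValueError on a bad header/footer
    if der[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("PEM body is not DER")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def preflight(entity_id, endpoints, idp_cert_pem):
    """Validate every copied value; raises ValueError on the first bad one."""
    return {
        "connection_name": connection_name(entity_id),
        "hosts": {label: https_host(label, url) for label, url in endpoints.items()},
        "idp_cert_sha256": cert_sha256(idp_cert_pem),
    }

# Constructed sample values, not from a real tenant. The "certificate" is
# placeholder DER (a SEQUENCE holding INTEGER 1) standing in for the download.
SAMPLE_ENTITY_ID = ENTITY_ID_PREFIX + "constructed-connection"
SAMPLE_ENDPOINTS = {
    "ACS URL": "https://sp.example.test/login/callback",
    "Sign In URL": "https://idp.example.test/saml/sign-in",
    "Sign Out URL": "https://idp.example.test/saml/sign-out",
}
SAMPLE_CERT_PEM = ssl.DER_cert_to_PEM_cert(bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
```

Call `preflight()` with the real Entity ID, the three copied URLs and the text of the downloaded PEM file; a `ValueError` names the value to re-copy.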

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to our Single Sign-On support article for step-by-step instructions.

Enforcing Single Sign-On

Once you have configured at least one Single Sign-On connection, you can disable the Standard Authentication connection. Disabling Kandji standard authentication removes the ability for Kandji administrators in your tenant to authenticate via Email/Password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-On support article for step-by-step instructions.

Add a Test User to Kandji

  1. Add a test user to the Admin Team in Kandji by clicking New User.

  2. Fill in all of the corresponding user information. This user must exist in OneLogin and must be assigned to the Kandji SSO app in your OneLogin tenant.

  3. Click Submit.

  4. Once the invite is submitted, close the Invite User window.

  5. Refresh the Access page in Kandji. You should see the user you just added.

  6. Go to the user’s email to accept the invite and log in with the new SAML SSO connection.