Single Sign-On with Okta (SAML)

By Nick Bickhart

Learn how to configure Okta as a SAML-based identity provider

Create a SAML Connection 

  1. In Kandji, navigate to the Settings page

  2. Click the Access tab

  3. Find the Authentication section and click the Add button on the bottom left of the authentication section (If that section does not appear, SSO is not enabled for your instance)

  4. In the Add SSO Connection pane, select the Custom SAML option

  5. Click Next

  6. Select Show Advanced Details

  7. Copy the Assertion Consumer Service URL and save it in a text document for later use

  8. Copy the Entity ID and save it too


  9. Leave this browser tab open as you proceed with the instructions below

Configure the Kandji App in Okta

  1. In a new browser tab, log in to your Okta tenant
  2. On the left-hand side, click the reveal triangle next to Applications
  3. Click Applications

  4. Click Create App Integration

  5. Select SAML 2.0 as the app integration type and click Next
  6. Enter an App name
  7. Upload an optional App logo
  8. Click Next
  9. In the Single sign-on URL field, paste the Kandji Assertion Consumer Service URL that was copied earlier
  10. In the Audience URI (SP Entity ID) field, paste the Kandji Entity ID that was copied earlier
  11. Ensure that the Name ID format is set to Unspecified
  12. Ensure that the Application username is set to Okta username
  13. Ensure that the Update application username on is set to Create and update
  14. Select Next
  15. Select I'm an Okta customer adding an internal app
  16. Select This is an internal app that we have created
  17. Click Finish. 

  18. Back at the Sign On tab, find the link to View SAML setup instructions and open it in a new browser tab

  19. Copy the Single Sign-On URL and save it in a text document for later use in Kandji
  20. Download the certificate file and save it for use in Kandji

Add a test user to the Okta app

  1. Go back to the Okta app and click the Assignments tab
  2. Click the Assign dropdown menu and click Assign to People
  3. Search for a test user to Assign
  4. Once the user is assigned, click Done


  5. You should see the user that you have selected in the list

Configure the SAML connection in Kandji

  1. Go back to the Custom SAML integration in Kandji

  2. Give the connection a Name

  3. Paste the Single Sign-On URL you copied from Okta into the Sign In URL text field

  4. Upload the Okta certificate you downloaded earlier

  5. Ensure that the User ID Attribute is set to the default value of

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  6. Ensure Sign Request is set to Yes
  7. Ensure Request Algorithm is set to RSA-SHA256

  8. Ensure Sign Request Algorithm Digest is set to SHA 256

  9. Set the Protocol Binding to HTTP-Redirect

  10. Save the connection and click Cancel to close the configuration pane

Enable the SAML Connection

Once you have configured the SAML connection in both Kandji and your identity provider, you can now enable the connection. Please refer to the Enable and Manage a Connection section in our Single Sign-on support article for step-by-step instructions. 

Enforcing Single Sign-on

Once you have configured at least one Single Sign-on connection, you can disable the standard authentication connection. Disabling Kandji standard authentication will disable the ability for Kandji administrators in your instance to authenticate via email/password, Google Sign in, or Office 365 Sign in. Please refer to our Single Sign-on support article for step-by-step instructions.

Add a Test User to Kandji

  1. Add a test user to the Admin Team in Kandji by clicking New User

  2. Fill in all of the corresponding user information. This user must exist in Okta and must be assigned to the Okta SSO app in your Okta tenant

  3. Click Submit

  4. Once the invite is submitted, close the Invite User window

  5. Refresh the Access page in Kandji. You should see the user who was just added

  6. Go to the user’s email to accept the invite and log in with the new SAML SSO connection