Third-party IdP SSO integration

To configure SSO in KaseyaOne for third-party IdP integrations (such as Okta or Passly) so that users will be able to authenticate using the third-party IdP:

1. Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.

2. In the Single Sign-On section, enter the following information:

   • Identity Provider Single Sign-On URL. Enter the third-party IdP SSO URL in this field and then click the check mark icon.

   • Identify Provider Issuer. Enter the third-party IdP issuer in this field and then click the check mark icon.

     

3. Click Upload to upload the third-party IdP certificate.

4. Turn on the Enable Single Sign-On via SAML toggle to enable SSO via SAML for the IdP.

5. Configure one or more of the following advanced SSO features as required:

   • Require Log In with Single Sign-On to force users to log in with their SSO application.

   • Automatic User Creation to allow just-in-time user provisioning for the SSO application.

   • Role-based access control to control SSO user access.

Currently, only one third-party IdP integration can be active in KaseyaOne.

You can configure Require Log In with Single Sign-On as shown in the following procedure to force users to log in to KaseyaOne with their SSO application.

1. Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.

2. Turn on the Require Log In with Single Sign-On toggle to enable the feature.

   • If enabled, users are forced to log in to KaseyaOne with their SSO application (and prompted to do so). Users with exceptions will still be able to log in using their local authentication.

   • If disabled, users are allowed to log in to KaseyaOne using either their SSO application or local authentication.

     

3. In the User Exceptions field, click the drop-down arrow and select one or more users who will be exempt from the Require Log In with KaseyaOne condition if enabled.

You can configure Automatic User Creation as shown in the following procedure to enable just-in-time provisioning (JIT) for the SSO application. SAML SSO users will then be provisioned on a just-in-time basis with a specified default role when they authenticate for the first time.

JIT provisioning increases efficiency and productivity, saves time and resources, and reduces administrative costs. It allows new users to access a web application in real-time, eliminating the need for manual account setup.

The prerequisites to using JIT provisioning for third-party IdP SSO are:

• You must have SSO to enable this function. Configure the SSO connection and settings for the IdP and enable single sign-on via SAML in KaseyaOne — refer to Set up third-party IdP integrations using SAML 2.0 for KaseyaOne.

• Pre-configure the user role and groups before switching on this feature.

To configure Automatic User Creation for third-party IdP SSO in KaseyaOne:

1. Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.

2. Turn on the Enable Automatic User Creation toggle to enable the feature.

   • If enabled, user accounts are automatically created with the specified default role when users authenticate for the first time

   • If disabled, then users must ask their administrator to create a user account for them with the required role after they authenticate.

     

   • Default Role is pre-populated with the value User. You can change this as required, but you must select one default role to assign to users.

   • Default Groups is pre-populated with the value All Module Access. You can change value as required but you must select at least one default group to assign to users.

3. In the Default Role field, click the drop-down arrow and select one role to assign to new imported and/or auto-provisioned users.

4. In the Default Groups field, click the drop-down arrow and select the group(s) where new imported and/or auto-provisioned users will be assigned.

   Changes are automatically saved.

You can configure role-based access control (RBAC) for third-party IdP SSO users. This involves enabling the RBAC feature for third-party IdP SSO and then defining mapping rules to control user access for SSO users, as shown in the following procedure. The purpose of defining mapping rules is to mimic or maintain the same levels of user access defined in the third-party IdP and port them over to KaseyaOne.

IMPORTANT  Currently, RBAC works only if Automatic User Provisioning is enabled. Refer to Automatic User Provisioning.

RBAC improves security by restricting access to your network based on defined roles within your organization. By preventing unauthorized access, it reduces the risk of data breaches and other security incidents. RBAC also allows administrators to easily view and manage user access across your organization.

To configure RBAC for third-party IdP SSO in KaseyaOne:

1. Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.

2. Turn on the Enable Mapping Rules toggle to enable the RBAC feature for SSO users.

   • If enabled, then you can define mapping rules to control user access to KaseyaOne for SSO users.

   • If disabled, then the default role specified if you enabled Automatic User Creation for third-party IdP SSO in KaseyaOne will apply for SSO users.

3. Create your mapping rules to control user access.

   Map an IdP group (Group Identifier) to the same or similar KaseyaOne role/group (KaseyaOne Role/KaseyaOne Group). The IdP Group Description is optional. You can map an IdP group to more than one KaseyaOne role/group.

   IMPORTANT  After RBAC is enabled, if a user that is not part of the IdP group that is mapped in the RBAC mapping table attempts to log in to KaseyaOne, that user will be deactivated.

   

   To create a mapping rule:

   1. Click Add to define a new IdP Group Identifier-to-KaseyaOne Role/Group mapping rule.

   2. Type in the exact name of the third-party IdP user group in the Group Identifier field. IdP group names are case-sensitive.

      NOTE  If you are using Microsoft Entra ID, you must enter the Entra ID Group identifier (for example, a2e68765-f908-453c-a31b-************).

   3. (Optional) Type in a description of the mapping rule in the Group Description field.

   4. Select one KaseyaOne Role from the drop-down field.

   5. Select one or more KaseyaOne Groups from the drop-down field.

   6. Click Save.

   NOTE  Any mapping rule(s) that you define here will override the default role specified if you enabled Automatic User Creation (JIT provisioning) for third-party IdP SSO in KaseyaOne.