Third-party IdP SSO integration

NAVIGATION  Header > Admin Settings > Single Sign-On

NAVIGATION  Home > Admin Settings > Single Sign-On

SECURITY  Master role

To configure SSO in KaseyaOne for third-party IdP integrations (such as Okta or Passly) so that users will be able to authenticate using the third-party IdP:

1. Navigate to the Single Sign-On page. Refer to Security and navigation.
2. In the Single Sign-On with Identity Providers section, click Add configuration.
   
3.  Enter the following information:
   • Identity Provider Single Sign-On URL: Enter the third-party IdP SSO URL in this field.
   • Identify Provider Issuer: Enter the third-party IdP issuer in this field.
4. Click Upload Certificate to upload the third-party IdP certificate. Enter the Certificate Information.
5. Click Save.
   
6. In the Single Sign-On with Identify Providers section, turn on the Enable Single Sign-On via SAML toggle to enable SSO via SAML for the IdP.
7. Click Save. You will see a check mark and the word Configured after successfully configuring SSO.
   

   NOTE  Secure Assertion Markup Language (SAML) provides a way to authenticate users once and then communicate that authentication to multiple other applications.

8. Configure one or more of the following Advanced Single Sign-On Settings as required:
   • Enforce Log In with SSO to force users to log in with their SSO application. Refer to Configure Enforce Log In with SSO in KaseyaOne.
   • Enable Automatic User Creation to allow just-in-time (JIT) user provisioning for the SSO application. Refer to Configure Enable Automatic User Creation for a third-party IdP SSO in KaseyaOne.
   • IdP Groups Access Control to control access to KaseyaOne using your IdP group user assignments. Refer to Configure third-party IdP Groups Access Control in KaseyaOne.

IMPORTANT  Advanced Single Sign-On Settings cannot be enabled until Enable Single Sign-On via SAML is configured and enabled.

NOTE  Currently, only one third-party IdP integration can be active in KaseyaOne.

You can configure Enforce Log In with SSO functionality as shown in the following procedure to require users to log in to KaseyaOne with their SSO application.

NOTE  This functionality cannot be enabled until Enable Single Sign-On via SAML is configured and enabled.

1. In the Advanced Single Sign-On Settings section, turn on the Enforce Log In with SSO toggle to enable the feature.
   • If enabled, users are forced to log in to KaseyaOne with their SSO application (and prompted to do so).
   • If disabled, users are allowed to log in to KaseyaOne using either their SSO application or local authentication.
2. From the User Exceptions drop-down menu, select one or more users who will be exempt from the Enforce Log In with SSO condition, if enabled.
   

   NOTE  To prevent locking yourself out of your account, make sure the SSO configuration is functioning correctly before enabling Enforce Log In with SSO. Additionally, ensure that you have added at least yourself to the User Exceptions list.
   

   NOTE  Users enabling Enforce Log In with SSO in KaseyaOne, if not a Master Root user, are notified that they have been added to the User Exceptions list, with the option to remove themselves.
   

You can configure Enable Automatic User Creation as shown in the following procedure to enable just-in-time provisioning (JIT) for the SSO application. SAML SSO users will then be provisioned on a just-in-time basis with a specified default role when they authenticate for the first time.

JIT provisioning increases efficiency and productivity, saves time and resources, and reduces administrative costs. It allows new users to access a web application in real-time, eliminating the need for manual account setup.

The prerequisites to using JIT provisioning for third-party IdP SSO are:

• You must have SSO to enable this function. Configure the SSO connection and settings for the IdP and toggle on Enable Single Sign-On via SAML in KaseyaOne. Refer to Setting up a third-party IdP SSO integration for KaseyaOne.
• Preconfigure the user role and groups before turning on this feature.

To configure Enable Automatic User Creation for third-party IdP SSO in KaseyaOne:

1. In the Advanced Single Sign-On Settings section, turn on the Enable Automatic User Creation toggle to enable the feature.

   • If enabled, user accounts are automatically created with the specified default role when users authenticate for the first time
   • If disabled, users must ask their administrator to create a user account for them with the required role after they authenticate.
     
   • Default Role Select one default role to assign to users. You can select Master, Billing, User, or Co-Managed User.
   • Default Groups is pre-populated with the value All Module Access. You can change value as required but you must select at least one default group to assign to users.
2. In the Default Role field, click the drop-down arrow and select one role to assign to auto-provisioned users.
3. In the Default Groups field, click the drop-down arrow and select the group(s) where auto-provisioned users will be assigned.
4. Changes are automatically saved.

You can configure role-based access control (RBAC) for third-party IdP SSO users in KaseyaOne. This involves enabling the IdP Groups Access Control feature for third-party IdP SSO and then defining mapping rules to control user access for SSO users as shown in the following procedure. The purpose of defining mapping rules is to mimic or maintain the same levels of user access defined in the third-party IdP and port them over to KaseyaOne.

IdP Groups Access Control provides automatic correct user permission assignments based on IdP groups. This streamlines user management and reduces the time spent on it. IdP Groups Access Control ensures that the correct permissions are automatically assigned to the users that are coming from IdP based on their IdP group memberships.

IMPORTANT  Currently, IdP Groups Access Control only works if Automatic User Provisioning is enabled.

NOTE  IdP Group Access Control cannot be enabled until at least one Mapping Rule is enabled and Enable Single SIgn-On via SAML is enabled.

Prerequisite

• Ensure that the group names specified in the mapping rules are an exact match with your IdP Group Names.

To configure IdP Groups Access Control for third-party IdP SSO in KaseyaOne:

1. In the Mapping Rules section, select either Stop at first match or Process all rules.
   
2. Click Add Rule.
   
3. Enter the exact name of the third-party IdP user Group Identifier in the IdP Group Name field. IdP group names are case-sensitive.

   NOTE  If you are configuring Microsoft Entra ID, please use Group Identifier instead of Group Name. For example, a2e68765-f908-453c-a31b-************).
   

4. Select one KaseyaOne Role from the drop-down list. You can map an IdP group to more than one KaseyaOne Role.
   
5. Select a KaseyaOne Group from the dropdown list. You can select more than one KaseyaOne Group.
6. (Optional) Type in a description of the mapping rule in the Mapping Description field.
7. Hover over the mapping rule and drag to reorder.
8. Turn on the IdP Groups Access Control toggle to enable the RBAC feature for SSO users.
9. Click the Save check mark.

IMPORTANT  If a user does not belong to the IdP group or the IdP group is not defined in the Mapping Rules, the user's KaseyaOne account will be deactivated and revoked access to KaseyaOne.

NOTE  Any mapping rule(s) that you define here will override the default role specified in Configure Enable Automatic User Creation for a third-party IdP SSO in KaseyaOne.