Third-party IdP SSO integration
SECURITY Master role
KaseyaOne supports third-party identity provider (IdP) single sign-on (SSO) integrations. Using a third-party IdP that supports SAML 2.0 (such as Okta or Microsoft Entra ID), you can centrally manage your users and allow them to access KaseyaOne via SSO. You can also connect your own custom server if it supports SAML 2.0.
The integration between KaseyaOne and a third-party IdP allows users to log in to KaseyaOne from both the IdP interface and the KaseyaOne login page using their IdP credentials. This reduces the number of user credentials in use and streamlines the login process. The integration also allows automatic user provisioning to the KaseyaOne account from the IdP, which reduces the time spent on user administration. You can add an extra layer of security by forcing users to log in to KaseyaOne from the IdP only.
You manage your third-party identity provider SSO integration and the following SSO-related features in the Admin Settings > Third-party IdP view:
- Require Log In with Single Sign-On. This forces users to log in with their SSO application.
- Automatic User Creation. This allows just-in-time provisioning for the third-party IdP SSO application so that user accounts are automatically created with a specified default role when new users authenticate for the first time.
- Role-based access control. This allows you to control user access for third-party IdP SSO users.
How to...
To configure SSO in KaseyaOne for third-party IdP integrations (such as Okta or Passly) so that users can authenticate using the third-party IdP:
- Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.
- In the Single Sign-On section, enter the following information:
  - Click Upload to upload the third-party IdP certificate.
- Turn on the Enable Single Sign-On via SAML toggle to enable SSO via SAML for the IdP.
- Configure one or more of the following advanced SSO features as required:
  - Require Log In with Single Sign-On to force users to log in with their SSO application.
  - Automatic User Creation to allow just-in-time user provisioning for the SSO application.
  - Role-based access control to control SSO user access.
Currently, only one third-party IdP integration can be active in KaseyaOne.
You can configure Require Log In with Single Sign-On as shown in the following procedure to force users to log in to KaseyaOne with their SSO application.
- Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.
- Turn on the Require Log In with Single Sign-On toggle to enable the feature.
  - If enabled, users are forced to log in to KaseyaOne with their SSO application (and are prompted to do so). Users listed as exceptions can still log in using their local authentication.
  - If disabled, users can log in to KaseyaOne using either their SSO application or local authentication.
- In the User Exceptions field, click the drop-down arrow and select one or more users who will be exempt from the Require Log In with Single Sign-On condition when it is enabled.
You can configure Automatic User Creation as shown in the following procedure to enable just-in-time (JIT) provisioning for the SSO application. SAML SSO users are then provisioned on a just-in-time basis with a specified default role when they authenticate for the first time.
JIT provisioning increases efficiency and productivity, saves time and resources, and reduces administrative costs. It allows new users to access a web application in real time, eliminating the need for manual account setup.
The prerequisites to using JIT provisioning for third-party IdP SSO are:
- SSO must already be working. Configure the SSO connection and settings for the IdP and enable single sign-on via SAML in KaseyaOne (refer to Set up third-party IdP integrations using SAML 2.0 for KaseyaOne).
- Pre-configure the user role and groups before switching on this feature.
To configure Automatic User Creation for third-party IdP SSO in KaseyaOne:
- Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.
- Turn on the Enable Automatic User Creation toggle to enable the feature.
  - If enabled, user accounts are automatically created with the specified default role when users authenticate for the first time.
  - If disabled, users must ask their administrator to create a user account for them with the required role after they authenticate.
  - Default Role is pre-populated with the value User. You can change this as required, but you must select one default role to assign to users.
  - Default Groups is pre-populated with the value All Module Access. You can change this value as required, but you must select at least one default group to assign to users.
- In the Default Role field, click the drop-down arrow and select one role to assign to new imported and/or auto-provisioned users.
- In the Default Groups field, click the drop-down arrow and select the group(s) to which new imported and/or auto-provisioned users will be assigned.
Changes are automatically saved.
You can configure role-based access control (RBAC) for third-party IdP SSO users. This involves enabling the RBAC feature for third-party IdP SSO and then defining mapping rules to control user access for SSO users, as shown in the following procedure. The purpose of the mapping rules is to mirror the levels of user access already defined in the third-party IdP and carry them over to KaseyaOne.
IMPORTANT Currently, RBAC works only if Automatic User Provisioning is enabled. Refer to Automatic User Provisioning.
RBAC improves security by restricting access to your network based on defined roles within your organization. By preventing unauthorized access, it reduces the risk of data breaches and other security incidents. RBAC also allows administrators to easily view and manage user access across your organization.
To configure RBAC for third-party IdP SSO in KaseyaOne:
- Navigate to the Admin Settings > Third-Party IdP view in KaseyaOne.
- Turn on the Enable Mapping Rules toggle to enable the RBAC feature for SSO users.
  - If enabled, you can define mapping rules to control user access to KaseyaOne for SSO users.
  - If disabled, the default role specified when you enabled Automatic User Creation for third-party IdP SSO in KaseyaOne applies to SSO users.
- Create your mapping rules to control user access.
Map an IdP group (Group Identifier) to the same or a similar KaseyaOne role/group (KaseyaOne Role/KaseyaOne Group). The IdP Group Description is optional. You can map an IdP group to more than one KaseyaOne role/group.
IMPORTANT After RBAC is enabled, if a user who is not a member of any IdP group mapped in the RBAC mapping table attempts to log in to KaseyaOne, that user will be deactivated.
To create a mapping rule:
- Click Add to define a new IdP Group Identifier-to-KaseyaOne Role/Group mapping rule.
- Type in the exact name of the third-party IdP user group in the Group Identifier field. IdP group names are case-sensitive.
  NOTE If you are using Microsoft Entra ID, you must enter the Entra ID Group identifier (for example, a2e68765-f908-453c-a31b-************).
- (Optional) Type in a description of the mapping rule in the Group Description field.
- Select one KaseyaOne Role from the drop-down field.
- Select one or more KaseyaOne Groups from the drop-down field.
- Click Save.
NOTE Any mapping rule(s) that you define here override the default role specified if you enabled Automatic User Creation (JIT provisioning) for third-party IdP SSO in KaseyaOne.
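The three features above (Require Log In with Single Sign-On with its user exceptions, Automatic User Creation with a default role and groups, and RBAC mapping rules that override the default and deactivate unmapped users) combine into one login decision. The following is an added illustration written for this page, not KaseyaOne's own code: it models those documented rules as a small Python policy evaluator and extracts the group values from a constructed SAML assertion so the mapping can be exercised offline. The attribute name `groups`, the role `Support` group, the rule rows, and the function names are assumptions; `Master`, `User` and `All Module Access` are the names this page uses. Signature verification of the SAML Response is assumed to have happened before the assertion reaches this code.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass(frozen=True)
class MappingRule:
    """One row of the RBAC mapping table: IdP group -> one KaseyaOne role + one or more groups."""
    group_identifier: str   # exact IdP group name (case-sensitive) or Entra ID group object ID
    role: str
    groups: frozenset


@dataclass(frozen=True)
class SsoSettings:
    """The toggles from the Admin Settings > Third-Party IdP view, as modelled in this example."""
    require_sso: bool = False
    user_exceptions: frozenset = frozenset()
    auto_create: bool = False
    default_role: str = "User"                               # page default
    default_groups: frozenset = frozenset({"All Module Access"})  # page default
    mapping_rules_enabled: bool = False
    mapping_rules: tuple = ()


def local_login_allowed(settings: SsoSettings, email: str) -> bool:
    """Require Log In with Single Sign-On blocks local credentials unless the user is an exception."""
    return (not settings.require_sso) or email in settings.user_exceptions


def parse_assertion(xml_text: str):
    """Return (subject email, list of 'groups' attribute values) from a SAML assertion.
    Assumption: the IdP sends group membership in an attribute named 'groups'."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    values = root.findall(".//saml:Attribute[@Name='groups']/saml:AttributeValue", NS)
    return name_id.text.strip(), [v.text.strip() for v in values if v.text]


def provision(settings: SsoSettings, idp_groups, account_exists: bool) -> dict:
    """Apply the page's rules to an SSO login and say what happens to the account."""
    if not account_exists and not settings.auto_create:
        # No JIT provisioning: an administrator has to create the account.
        return {"action": "no_account"}
    action = "login" if account_exists else "create"
    if not settings.mapping_rules_enabled:
        # Default role/groups from Automatic User Creation apply.
        return {"action": action, "roles": {settings.default_role},
                "groups": set(settings.default_groups)}
    # Mapping rules override the default. Comparison is exact and case-sensitive,
    # so 'KaseyaOne-Admins' in the IdP does not match a rule for 'kaseyaone-admins'.
    matched = [r for r in settings.mapping_rules if r.group_identifier in idp_groups]
    if not matched:
        # User is in none of the mapped IdP groups: the page says the user is deactivated.
        return {"action": "deactivate"}
    return {"action": action,
            "roles": {r.role for r in matched},
            "groups": set().union(*(r.groups for r in matched))}


# Constructed sample assertion (not captured from any real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>KaseyaOne-Admins</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping table: two IdP groups, each mapped to one role and one group.
SAMPLE_RULES = (
    MappingRule("KaseyaOne-Admins", "Master", frozenset({"All Module Access"})),
    MappingRule("Helpdesk", "User", frozenset({"Support"})),
)

if __name__ == "__main__":
    settings = SsoSettings(auto_create=True, mapping_rules_enabled=True, mapping_rules=SAMPLE_RULES)
    email, groups = parse_assertion(SAMPLE_ASSERTION)
    print(email, provision(settings, groups, account_exists=False))
    # A case mismatch in the IdP group name falls through to deactivation.
    print(provision(settings, ["kaseyaone-admins"], account_exists=False))
```

Because several rules can match one user, the evaluator returns the union of roles and groups; how KaseyaOne resolves a user that maps to more than one role is not stated on this page, so treat that part as the example's own choice. The case-sensitivity check is the part most worth reproducing in a pre-deployment test, since an IdP group renamed in a different case silently turns into a deactivation.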
Set up a third-party IdP SSO integration for KaseyaOne
The overall process to set up a third-party IdP integration using SAML 2.0 for KaseyaOne is similar across all IdPs and involves the following tasks:
- Create and configure the KaseyaOne SSO application in the third-party IdP. For this task, you will need to copy the Single Sign-On URL and Company Identifier for your KaseyaOne instance from the Admin Settings > Third-Party IdP view in KaseyaOne.
- Configure the SSO settings in KaseyaOne for the third-party IdP integration. For this task, you will need the third-party IdP's Single Sign-On URL and SSO certificate.
- Assign users to the KaseyaOne application in your third-party IdP so that they can use it.
- Test the third-party IdP SSO integration for KaseyaOne.
Example instructions follow in Third-party IdP SSO integrations using SAML 2.0 with KaseyaOne. The prerequisites to set up a third-party IdP integration with KaseyaOne are:
- A Master user account in KaseyaOne and an Administrator account in the third-party IdP.
- Users must have the same email address in KaseyaOne and the third-party IdP.
- Users and user groups must be set up in the third-party IdP.
After you set up the third-party IdP integration, the next time you log in to KaseyaOne you will be prompted to select your preferred login method: sign in with Single Sign-On or with your KaseyaOne credentials, unless Require Log In with Single Sign-On is enabled. We recommend referring to your IdP's documentation when configuring this feature, as it will be the most up-to-date source for their platform.
Third-party IdP SSO integrations using SAML 2.0 with KaseyaOne
Set up third-party IdP SSO integrations with KaseyaOne:
Third-party IdPs that support SAML 2.0
A non-exhaustive list of third-party IdPs that support SAML 2.0 follows.