Setting Up Single Sign-On with SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication data between different security domains.
With SAML authentication enabled, users can single sign-on (SSO) into Kintone by using user accounts registered with your corporate identity provider (IdP).
Kintone supports SAML 2.0 and acts as a service provider (SP).

This section describes the flow of SSO with SAML authentication and how to configure Kintone.

Flow of SSO with SAML Authentication

With SAML authentication enabled, Kintone uses SP-initiated SSO. The following bindings are used for the SAML request and SAML response:

  • SAML request: HTTP Redirect Binding
  • SAML response: HTTP POST Binding

The following steps illustrate how Kintone authenticates a user:

[Figure: flow of SSO using SAML authentication]
  1. The user accesses Kintone.
  2. Kintone generates a SAML request.
  3. The user receives the SAML request from the SP.
  4. The IdP authenticates the user.
  5. The IdP generates a SAML response.
  6. The user receives the SAML response from the IdP.
  7. Kintone receives and verifies the SAML response.
  8. If the SAML response is OK, the user has completed the login to Kintone.

Connecting Kintone with the Identity Provider through SAML Authentication

To connect Kintone with the IdP through SAML authentication, you must configure both the IdP and Kintone appropriately.

Registering Kintone with the IdP

Register the following information with the IdP so that Kintone can act as an SP:

  • Endpoint URL of Kintone
    https://(subdomain_name).kintone.com/saml/acs

  • Entity ID
    https://(subdomain_name).kintone.com
    Do not add a slash mark (/) at the end of the URL.

  • Element to identify a user
    NameID

Getting Metadata Files

To register Kintone as an SP, you can also use a metadata file.

  1. Click the gear-shaped administration menu icon in the header.

  2. Click "Kintone Users & System Administration".

  3. Click Login.

  4. Select "Enable SAML authentication".

  5. Click Download Service Provider Metadata.

  6. Save the resulting XML file to a target folder.

Configuring SAML Authentication for Kintone

On Kintone, enable SAML authentication and set the information of the IdP.

  1. Click the gear-shaped administration menu icon in the header.

  2. Click "Kintone Users & System Administration".

  3. Click Login.

  4. Select "Enable SAML authentication".

  5. Fill in the fields as needed.

    • SSO endpoint URL of the Identity Provider (HTTP-Redirect)
      Specify the destination of SAML requests.

    • URL redirected to, after logout from Kintone
      Specify the URL of a page from the IdP that appears after users log out from Kintone.

    • Public key certificate used by the Identity Provider when signing
      Attach a public key certificate generated with either the RSA or DSA algorithm.
      For RSA, you can use the following hash algorithms:
      • SHA-1
      • SHA-256

  6. Click Save.

  7. Confirm the login names of users who will log in through SAML authentication.
    Ensure that the login names of Kintone users correspond to values associated with NameID.

  8. Confirm that, as a user, you can single sign-on into Kintone through SAML authentication.
    Your configuration is complete if you can perform the following actions successfully:

    • When you access Kintone, you are authenticated by the IdP successfully and directed to a page that appears for logged-in users.
    • After you have logged in, you can log out successfully by clicking the user name at the upper right and then "Logout".
      If you are on a Kintone page, click the icon and then click "Logout".
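As an added example (not Kintone's or any IdP's code), the following Python walks through the two halves of the flow described above using the values this page specifies: encoding a SAML request for the HTTP-Redirect binding, and the SP-side checks on the POSTed response that follow from the registration and configuration steps (entity ID with no trailing slash, the /saml/acs endpoint, and NameID matching a Kintone login name). The subdomain, the IdP endpoint and the unsigned sample messages are constructed; signature verification with the IdP certificate is not shown.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values: the page writes the subdomain as (subdomain_name),
# and the IdP SSO endpoint is whatever your IdP publishes.
SP_ENTITY_ID = "https://example.kintone.com"  # entity ID: no trailing slash
ACS_URL = SP_ENTITY_ID + "/saml/acs"          # Kintone endpoint URL (ACS)
IDP_SSO_URL = "https://idp.example.org/sso"   # assumed HTTP-Redirect endpoint
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed, unsigned, minimal messages for illustration only.
AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_req1" '
                 f'AssertionConsumerServiceURL="{ACS_URL}">'
                 f'<saml:Issuer xmlns:saml="{NS["saml"]}">{SP_ENTITY_ID}</saml:Issuer>'
                 '</samlp:AuthnRequest>')
SAML_RESPONSE = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                 f'Destination="{ACS_URL}"><saml:Assertion><saml:Subject>'
                 '<saml:NameID>alice</saml:NameID></saml:Subject><saml:Conditions>'
                 f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
                 '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def redirect_binding_url(request_xml: str) -> str:
    """HTTP-Redirect binding (steps 2-3): raw DEFLATE, base64, URL-encode as SAMLRequest."""
    z = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = z.compress(request_xml.encode()) + z.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def decode_redirect_binding(url: str) -> str:
    """What the IdP does with the SAMLRequest query parameter it receives."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def check_response(response_xml: str, kintone_logins: set) -> str:
    """SP-side checks for step 7, applied after the signature has been verified
    with the IdP certificate (omitted here). Returns the login name to sign in."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not the Kintone ACS URL")
    audience = root.find(".//saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:  # exact match, no trailing slash
        raise ValueError("Audience does not match the SP entity ID")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in kintone_logins:  # NameID must equal an existing login name
        raise ValueError(f"NameID {name_id!r} is not a Kintone login name")
    return name_id
```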

What Will Happen to the Logged-in Users if SAML Authentication Is Enabled?

Enabling SAML authentication does not require currently logged-in users of Kintone to log in again, as long as their login sessions are active.
SAML authentication will be required in one of the following situations:

  • When a user's login session has expired
  • When a user logs in again after logging out