Setting Up Single Sign-On (SSO) with SAML

Security Assertion Markup Language (SAML) is an XML-based open standard data format that links authentication information across several security domains. If SAML Authentication is used, you can single sign-on into kintone using the user account that is registered in your company’s Identity Provider (IdP).

This article explains the flow of the SSO using SAML Authentication, and how to set it up on kintone. Please note the following:
 
  • This article covers how to link kintone with an IdP using SAML Authentication. For directions on how to set your IdP, or on how to set up your device so that it can log into kintone using SAML Authentication, please contact your vendor.
  • To use kintone as the Service Provider (SP) to link with SAML Authentication, an IdP that supports SAML 2.0 is needed.
  • SAML Authentication will be ignored, and the user will log into their service with their original log-in information if:
    • they are using the Client Certificate Authentication option.
    • they are using the iPhone or Android kintone application.
  • The SessionNotOnOrAfter attribute provided by IdP will be ignored in kintone.

The Flow for SSO Using SAML Authentication

When the SAML Authentication setting is enabled, kintone executes an SP-initiated SSO. The following bindings are used for the SAML request and the SAML response:

  • SAML request : HTTP Redirect Binding
  • SAML response : HTTP POST Binding

The steps below detail the authentication flow for users on kintone:
 
  1. The user accesses kintone.
  2. kintone generates a SAML request.
  3. The user receives a SAML request from the SP.
  4. The IdP authenticates the user.
  5. The IdP generates a SAML response.
  6. The user receives the SAML response from the IdP.
  7. kintone receives the SAML response and verifies it.
  8. If there are no problems with the SAML response, the user will be logged into kintone.
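The flow above in code, as an added example that is not kintone's own implementation: the SP side builds the AuthnRequest for the HTTP Redirect binding (step 2), and, on receiving the HTTP POST response (step 7), checks Destination, InResponseTo, Status, Issuer, Audience, the Conditions validity window and the NameID before the user is logged in. It also illustrates why the entity ID registered at the IdP must match exactly (an Audience with a trailing slash fails) and why SessionNotOnOrAfter can be ignored. The domain, IdP URLs, entity IDs and the sample response are constructed for the example; XML signature verification is deliberately left to a dedicated library and must run before these checks.

```python
"""Added example (not kintone's code): SP side of SP-initiated SAML SSO.
All URLs, entity IDs and the sample IdP response below are constructed."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://example.kintone.com"      # constructed; note: no trailing slash
SP_ACS_URL = "https://example.kintone.com/saml/acs"
IDP_LOGIN_URL = "https://idp.example.org/sso"     # assumed IdP login URL
IDP_ENTITY_ID = "https://idp.example.org"         # assumed IdP entity ID
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}


def parse_ts(s):
    """SAML timestamps are UTC with a trailing Z."""
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_authn_request(request_id, issue_instant):
    """Step 2: the SP's AuthnRequest, asking the IdP to answer via HTTP POST."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_LOGIN_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")


def redirect_binding_url(authn_request_xml, relay_state="/"):
    """HTTP Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return f"{IDP_LOGIN_URL}?{urlencode(query)}"


def decode_redirect_request(url):
    """What the IdP does on receipt: reverse the Redirect binding."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def validate_response(post_body_b64, now_iso, expected_request_id):
    """Step 7 checks. Run only AFTER the XML signature has been verified against
    the IdP certificate (XML-DSig via e.g. xmlsec; not implemented here).
    Returns the NameID, or raises ValueError naming the failed check."""
    now = parse_ts(now_iso)
    root = ET.fromstring(base64.b64decode(post_body_b64))
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("missing assertion or unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:            # exact match: a trailing slash fails here
        raise ValueError("Audience does not equal the SP entity ID")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    # SessionNotOnOrAfter on the AuthnStatement is deliberately not consulted.
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID to match against the login name")
    return name_id


def validation_error(post_body_b64, now_iso, expected_request_id):
    """The failed check's message, or None if the response passes."""
    try:
        validate_response(post_body_b64, now_iso, expected_request_id)
        return None
    except ValueError as e:
        return str(e)


def sample_response(in_response_to, not_before, not_on_or_after,
                    audience=SP_ENTITY_ID, name_id="alice@example.com"):
    """Constructed, unsigned IdP response (steps 5-6) used to exercise the checks."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
           f'Version="2.0" IssueInstant="{not_before}" Destination="{SP_ACS_URL}" '
           f'InResponseTo="{in_response_to}">'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
           f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
           f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
           f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
           f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
           "</saml:AudienceRestriction></saml:Conditions>"
           f'<saml:AuthnStatement AuthnInstant="{not_before}" SessionNotOnOrAfter="{not_on_or_after}"/>'
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    url = redirect_binding_url(build_authn_request("_req1", "2024-01-01T12:00:00Z"))
    print(decode_redirect_request(url))
    ok = sample_response("_req1", "2024-01-01T11:58:00Z", "2024-01-01T12:05:00Z")
    print(validate_response(ok, "2024-01-01T12:00:00Z", "_req1"))
    bad = sample_response("_req1", "2024-01-01T11:58:00Z", "2024-01-01T12:05:00Z",
                          audience=SP_ENTITY_ID + "/")
    print(validation_error(bad, "2024-01-01T12:00:00Z", "_req1"))
```

The returned NameID is the value that must already be registered as the user's login name on kintone (step 5 of the configuration section); the example does not implement that lookup.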

Linking the IdP and kintone with SAML Authentication
 
To link the IdP and kintone, settings have to be configured on both the IdP and kintone.

Registering kintone to the IdP

To set kintone as the SP, register the following information to the IdP:

  • The endpoint URL for kintone: https://(your domain name).kintone.com/saml/acs
  • The entity ID: https://(your domain name).kintone.com
    Do not place a slash "/" at the end of the URL.
  • An element to identify the user: NameID
  • You can use metadata files when registering kintone as the SP.
    To retrieve the metadata file, go to "kintone Administration", and click "Login" under the "Security" section of "System Administration". Select the "Enable SAML authentication" check box, and click "Download Service Provider Metadata".

Configuring SAML Authentication with kintone
 
On the kintone side, enable SAML authentication and register the IdP information. To set up SAML authentication on kintone:
 
  1. Go to Users & System Administration, and click Login tab under the Security section of System Administration.
  2. Select the Enable SAML authentication check box.
  3. Set the following fields:
    • Login URL: Set the destination for the SAML request.
    • Logout URL: Set the URL of the IdP that will be displayed after the user logs out of kintone.
    • Certificate: Attach the public key certificate generated with either the RSA or DSA algorithm.
      Only X.509 certificates are accepted.
  4. Click Save.
  5. Check the login name of the user who will log in using SAML Authentication. Check that a value related to the NameID is registered to the login name.
  6. Check that you can SSO into kintone using SAML. If you can do the following, the configuration was successful:
    • When you access kintone, the authentication for the IdP succeeds, and the login screen is displayed.
    • After logging in, you can log out successfully through the logout option.
    • If you are inside the Users & System Administration page, you can log out by clicking your user name, and then Logout.
    • If you are inside the portal, click the icon, and click Logout.
