Overview
With SAML Single Sign-on (SSO) authentication, Kantata customers can manage the access of their users to different systems and accounts from a central system. Identity management systems, also called Identity Providers, enable users to authenticate automatically and securely and eliminate the need for your account members to remember a password for Kantata OX.
What is SAML?
Security Assertion Markup Language (SAML) is an open standard for authentication between an Identity Provider and a Service Provider. OKTA, OneLogin, and Active Directory Federation Services are all examples of Identity Providers, and Kantata OX is a Service Provider. Using SAML, organizations can configure browser-based SSO authentication.
SAML Support in Kantata OX
Kantata OX currently supports the ability to authenticate SSO users through a SAML Identity Provider, including:
- Authenticating into Kantata OX through the SAML Identity Provider's dashboard
- Responding to logout signals to terminate the Kantata OX session
- Restricting authentication to SAML users only (Strict SSO) at the account level
Availability and Access
SSO using SAML is available for Enterprise plans that meet the minimum user license requirement. You must have custom branding enabled to utilize SSO. Specifically, a custom domain (such as yourdomain.mavenlink.com) is required for an SSO URL.
Please reach out to Customer Success or the Support team for more information.
How to Enable SAML in Kantata OX
- In the left navigation, hover over Settings, then select Security.
- From your Identity Provider, such as Okta, OneLogin, or Active Directory Federation Services, you’ll need to gather the following information and add it to these fields:
  - Identity Provider SSO URL—The Identity Provider's login URL that Kantata OX redirects your account members to. This varies with each Identity Provider.
    - In Okta, this is called the Identity Provider SSO URL, or the Postback URL.
    - In OneLogin, this is called the SAML 2.0 Endpoint, or sometimes the SAML SSO URL.
    - In Active Directory Federation Services, this is called the Relying party identifier.
  - Issuer—This is a unique identifier for your Identity Provider. In some cases, this is called the entity ID. This will typically be a URL.
  - X.509 Certificate—This is the public key for your SAML configuration and should start with -----BEGIN CERTIFICATE-----.
- If desired, fill out the following fields that are optional, but recommended, for your Single Sign-On experience:
  - Email Domain—This will be used to identify individuals who are not yet on your Kantata OX account. When such individuals are identified, we will instruct them to contact their Account Administrator to invite them to your Kantata OX account.
  - Identity Provider Name—This is used on our login page to prompt users to log in through their Identity Provider.
  - Logout URL—If specified, this will redirect the user to a URL of your choice after they log out of Kantata OX. This is often used to redirect to a central SAML logout to sign the user out of all SAML-connected applications. Alternatively, this could be used to take the user back to the SSO homepage.
  - You can also choose whether to restrict login access to Kantata OX to only your Identity Provider (Strict SSO). Selecting this option enforces that all members on your account must authenticate through your SAML 2.0 Identity Provider.
- In order for Kantata OX to communicate back to your Identity Provider, you’ll need to enter your Relying Party SAML 2.0 SSO Service URL, such as https://yourdomain.mavenlink.com/saml/consume, into all of the following fields:
  - Okta: Single Sign On URL, Recipient URL, Destination URL, Audience Restriction Audience URI (SP Entity ID)
  - OneLogin: SAML Consumer URL, SAML Audience, SAML Recipient
- For a successful SAML SSO configuration, make sure to verify the following:
  - Account emails in Kantata OX match the email set for each user in the Identity Provider.
  - Your Name ID format within the Identity Provider is set to email address.
Troubleshooting
This section outlines some of the most common issues encountered by users with SAML SSO.
- Unknown User
- SAML is not supported at this account level
- No error message. Users are just redirected to the login page and cannot log in
- Failed SAML login
- Invalid signature on SAML response
- You have been logged out
Common Exceptions
Unknown User
Potential Cause | Recommended Resolution
---|---
The NameID in the SAML response is incorrect. | Check the NameID provided in the SAML response and compare it with the expected user email address in Kantata OX. If it is incorrect, correct the email address in Kantata OX, or in the request.
There is no Kantata OX user account with the provided NameID. | If the NameID email is correct, but there is no Kantata OX user with that email address, then the user needs to be provisioned in Kantata OX before they can log in.
SAML is not supported at this account level
Potential Cause | Recommended Resolution
---|---
SAML is only supported for Enterprise accounts. The user may not be in the correct account. They may be in a personal free account, or a trial/test account. | Ensure that the user is in the correct Kantata OX account.
No error message; user is just redirected to the login page, but cannot log in.
Potential Cause | Recommended Resolution
---|---
Mismatched X.509 certificate data in Kantata OX settings | Re-upload the X.509 Certificate data to Kantata OX Security settings.
No NameID provided | Fix the assertion claim in the Identity Provider’s setup to send the email address as the NameID assertion.
User not authorized to use SSO trust with Kantata OX | Update the Issuer under Settings > Security > Single Sign On to match the <issuer> from the SAML response.
The SAML response token is encrypted | Disable token encryption on the Identity Provider setup for the Kantata OX SSO trust/app.
Failed SAML login: Invalid SAML response. Details: Doesn't match the issuer, expected: <issuer URL in Kantata OX>, but was: <issuer URL from Identity Provider>
Potential Cause | Recommended Resolution
---|---
Incorrect <ISSUER> in SAML response. | Update the Identity Provider Entity ID / Issuer URL in Kantata OX.
Invalid signature on SAML response
Potential Cause | Recommended Resolution
---|---
The public X.509 Certificate in your SAML settings does not match the X.509 Certificate in the assertion that your server is sending to Kantata OX. | An Account Administrator in Kantata OX needs to re-upload the X.509 Certificate data to the Kantata OX Security settings.
You have been logged out
Potential Cause | Recommended Resolution
---|---
Something is not correct in the Identity Provider setup, most likely the ACS address. ACS refers to Assertion Consumer Service. This URL is an endpoint on the Service Provider (Kantata OX) where the Identity Provider redirects to with its authentication response. This is also known as the Service Provider Single Sign-On URL. The ACS URL is case sensitive and must be typed exactly as it appears in Kantata OX under Settings > Security > Single Sign On, e.g. https://subdomain.mavenlink.com/saml/consume | Update the ACS URL on the Identity Provider setup.
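As an added example (not Kantata's code), the following Python pre-flight check applies the verification list from the setup steps and the checks in the troubleshooting tables above to a decoded SAML Response: Issuer match, case-sensitive ACS URL, no encrypted assertion, and an email-format NameID. The Issuer, ACS URL and the sample response are constructed values, not real configuration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values as they would be entered in Kantata OX under Settings > Security (assumed, not real).
EXPECTED = {"issuer": "https://idp.example.com/metadata",
            "acs_url": "https://yourdomain.mavenlink.com/saml/consume"}

# Constructed, unsigned sample response with two deliberate faults: a trailing
# slash on the Issuer and an ACS URL whose case differs from the one in Kantata OX.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://yourdomain.mavenlink.com/SAML/consume">
  <saml:Issuer>https://idp.example.com/metadata/</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected):
    """Return the mismatches an administrator would check first; [] means clean.
    Signature verification is not done here: that needs the uploaded X.509 certificate."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected["issuer"]:
        findings.append(f"Doesn't match the issuer, expected: {expected['issuer']}, "
                        f"but was: {issuer}")
    # The ACS URL is case sensitive, so Destination must match it exactly.
    dest = root.get("Destination", "")
    if dest != expected["acs_url"]:
        findings.append(f"ACS URL mismatch, expected: {expected['acs_url']}, but was: {dest}")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("Assertion is encrypted; disable token encryption for the Kantata OX app")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("No NameID provided; send the user's email address as the NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        findings.append(f"NameID format is {name_id.get('Format')}, not emailAddress")
    return findings
```

Run it against the base64-decoded SAMLResponse captured from the browser's POST to the /saml/consume URL; an empty list means the fields compared here agree with the Kantata OX settings.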
If you need further assistance with setting up SAML SSO or have any questions, please contact Support.