SSO Login (SAML)

🚧

PREMIUM INTEGRATION

You must be subscribed to the premium or enterprise plan to access this integration.

SAML / SSO integration makes it easy for your company to centrally manage user access to Kintaba.

Browse to the integrations panel

Kintaba integrations manage programmatic access to your incidents. To create a new integration, you'll first need to access the Integrations section of the Admin panel.


Add the SAML Integration

Click the "Add Integration" button on the SAML item in the integrations library.


You can then fill out the Login URL, the Logout URL, your certificate, and whether or not you want to force non-admin users to log in using SAML.


Click "ADD" to enable this integration.

SSO Sign-In Experience

You can sign in using SSO through two methods:

  1. Sign in through your SSO identity provider's portal.
  2. Sign in as you regularly would on Kintaba; we'll forward you to sign in using SSO if it's enabled for you.

❗️

Is SSO Misconfigured?

If you set up SSO incorrectly, you may not be able to sign in anymore. Administrators can access https://app.kintaba.com/signin?sso=recovery to sign in using passwords.

Bypassing SSO as an Admin in cases of SSO provider failure

In case of a misconfiguration or third-party downtime, admins may bypass the SSO login process and use a backup password by accessing: https://app.kintaba.com/signin?sso=recovery

ADFS Configuration

Extracting your certificate for uploading to Kintaba

  1. In the AD FS management tool, select the Certificates folder in the left pane.
  2. Right click the Token-signing certificate and select View Certificate... from the context menu.
  3. In the certificate window, select the Details tab and then click Copy to File... to export your certificate.
  4. The export wizard will appear. Select Base-64 encoded X.509 (.CER) as the export format.
  5. Upload this certificate to Kintaba when prompted in the Create SSO Integration modal, then add your ADFS Login URL and click ADD.
  6. Keep this window open; you will need the SP URLs for the next steps.

Configuring AD FS for SSO

  1. In the AD FS management tool, right click "Relying Party Trust" and select "Add Relying Party Trust".
  2. On the Welcome screen, select Claims aware and click Next.
  3. On the Select Data Source screen, select Enter data about the relying party manually and click Next.
  4. On the Specify Display Name screen, set an appropriate display name, such as "Kintaba".
  5. Click Next until you reach the "Configure URL" step, check Enable support for the SAML 2.0 WebSSO protocol, and enter your SP Single Sign On URI from Kintaba in the input box. Then click Next.
  6. On the Configure Identifiers step, enter your SP Audience URI from Kintaba and click Next.
  7. Continue clicking Next until you reach the finish and make sure Configure claims issuance policy for this application is selected. Then click Close.
  8. The Edit Claim Issuance Policy for Kintaba window will appear. Click the Add Rule... button.
  9. In the Choose Rule Type step, select Send LDAP Attributes as Claims and click Next.
  10. Name the rule something like KintabaLDAP and enter E-Mail-Addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim Type. Then click Finish to save the rule.
  11. Once again, click the Add Rule... button.
  12. This time, select the Transform an Incoming Claim option from the dropdown in the Choose Rule Type step.
  13. Give your rule a name like "KintabaEmailIDRule" and set the Incoming claim type to be "E-Mail Address", set the Outgoing claim type to be "Name ID", and set the Outgoing name ID format to be "Email". Leave all other settings as-is and click Finish.
  14. You should now have two Issuance Transform Rules. Click the OK button to close this window.
  15. Now returning to the ADFS management tool, right click the newly created Kintaba Relying Party Trust and select Properties.
  16. In the Advanced tab, select the "SHA-256" Secure hash algorithm.
  17. In the Signature tab, add the Kintaba signature found within the Kintaba SAML Metadata.
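The relying party trust steps above can also be scripted with the AD FS PowerShell module on Windows Server 2016 or later, which makes the resulting configuration easy to review and re-check. This is an added example, not taken from Kintaba's documentation; the two SP URIs and the certificate path are placeholders for the values shown in the Kintaba integration window, and "Permit everyone" is assumed as the access control policy.

```powershell
# Added example. Placeholders: replace with the values from the Kintaba window.
$SpSsoUri      = 'https://REPLACE-WITH-SP-SINGLE-SIGN-ON-URI'
$SpAudienceUri = 'https://REPLACE-WITH-SP-AUDIENCE-URI'
$KintabaCert   = 'C:\REPLACE\kintaba-signing.cer'   # assumed: saved from the Kintaba SAML Metadata

# Rule 1 (KintabaLDAP): send the AD mail attribute as an E-Mail Address claim.
# Rule 2 (KintabaEmailIDRule): transform E-Mail Address into Name ID, format Email.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "KintabaLDAP"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "KintabaEmailIDRule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# SAML 2.0 WebSSO endpoint (assertion consumer, POST binding) for the SP Single Sign On URI.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SpSsoUri

Add-AdfsRelyingPartyTrust -Name 'Kintaba' `
    -Identifier $SpAudienceUri `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone' `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Signature tab: add the Kintaba signing certificate.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($KintabaCert)
Set-AdfsRelyingPartyTrust -TargetName 'Kintaba' -RequestSigningCertificate $cert

# Check the stored trust against what the wizard steps call for.
$rp = Get-AdfsRelyingPartyTrust -Name 'Kintaba'
if ($rp.SignatureAlgorithm -notlike '*rsa-sha256') { Write-Warning 'Secure hash algorithm is not SHA-256' }
if ($rp.Identifier -notcontains $SpAudienceUri) { Write-Warning 'Identifier does not match the SP Audience URI' }
if ($rp.IssuanceTransformRules -notmatch 'nameid-format:emailAddress') { Write-Warning 'Name ID rule (Email format) is missing' }
$rp | Format-List Name, Identifier, SignatureAlgorithm, RequestSigningCertificate
```

The final checks can be re-run on their own after any later change to the trust to confirm that SHA-256 signing and the Name ID rule are still in place.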

Just in Time (JIT) SAML Provisioning

If you'd like any user who authenticates through SSO to have access to Kintaba without manually adding them or using a SCIM integration, you can enable Just in Time (JIT) provisioning for your SAML integration by following these steps:

  1. When creating the SAML integration, check the "Provision Kintaba accounts for valid users when signing in (SAML just-in-time provisioning)?" checkbox.
  2. In your identity provider's SAML configuration, add a mapping for the first_name and last_name app attributes (the following example shows the mapping in Google Workspace).