SSO Login (SAML)



You must be subscribed to the premium or enterprise plan to access this integration

SAML / SSO integration makes it easy for your company to centrally manage user access to Kintaba.

Browse to the integrations panel

Kintaba integrations manage programmatic access to your incidents. To create a new integration, you'll first need to access the Integrations section of the Admin panel.


Add the SAML Integration

Click the "Add Integration" button on the SAML item in the integrations library.


You can then fill out the Login URL, Logout URL, whether or not you want to force non-admin users to log in using SAML, and your certificate


Click "ADD" to enable this integration.

SSO Sign-In Experience

You can sign-in using SSO through two methods:

  1. Sign-in through your SSO identity provider's portal.
  2. Sign in as you regularly would on Kintaba, we'll forward you to sign-in using SSO if it's enabled for you.


Is SSO Misconfigured?

If you set up SSO incorrectly, you may not be able to sign in anymore. Administrators can access: to sign-in using passwords.

Bypassing SSO as an Admin in cases of SSO provider failure

In case of a misconfiguration or 3rd party downtime, admins may bypass the SSO login process and use a backup password by accessing:

ADFS Configuration

Extracting your certificate for uploading to Kintaba

  1. In the AD FS management tool, select the Certificates folder in the left pane.

  2. Right click the Token-signing certificate and select View Certificate... from the context menu

  1. In the certificate window, select the Details tab and then click Copy to File... to export your certificate.
  1. The export wizard will appear. Select Base-64 encoded X.509 (.CER) as the export format.
  1. Upload this certificate to Kintaba when prompted in the Create SSO Integration modal, then add your ADFS Login URL and click ADD
  1. Keep this window open, you will need the SP URLs for the next steps.

Configuring AD FS for SSO

  1. In the AD FS management tool, right click "Relying Party Trust" and select "Add Relying Party Trust"
  1. On the Welcome screen, select Claims aware and click Next
  1. On the Select Data Source screen, select Enter data about the relying party manually and click Next
  1. On the Specify Display Name screen, set an appropriate display name, such as "Kintaba"
  1. Click Next until you reach the "Configure URL" step and check the Enable support for the SAML 2.0 WebSSO protocol and enter your SP Single Sign On URI from Kintaba in the input box. Then click Next.
  1. On the Configure Identifiers* step, enter your SP Audience URI from Kintaba and click Next**
  1. Continue clicking Next until you reach the finish and make sure Configure claims issuance policy for this application is selected. Then click *Clos
  1. The Edit Claim Issuance Policy for Kintaba window will appear. Click the Add Rule... button.
  1. In the Choose Rule Type step, select Send LDAP Attributes as Claims and click Next
  1. Name the rule something like KintabaLDAP and enter E-Mail-Addresses as the LDAP Attribute and E-Mail-Address as the Outgoing Claim Type. Then click Finish to save the rule.
  1. Once again, click the Add Rule... button
  1. This time, select the Transform an Incoming Claim option from the dropdown in the Choose Rule Type step.
  1. Give your rule a name like "KintabaEmailIDRule" and set the Incoming claim type to be "E-Mail Address", set the Outgoing claim type to be "Name ID", and set the Outgoing name ID format to be "Email".

Leave all other settings as-is and click Finish

  1. You should now have two Issuance Transform Rules. Click theOK button to close this window.
  1. Now returning to the ADFS management tool, right click the newly created Kintaba Relying Party Trust and select Properties
  1. In the Advanced tab, select the "SHA-256" Secure hash algorithm.
  1. In the Signature tab, add the Kintaba signature found within the Kintaba SAML Metadata.

Just in Time (JIT) SAML Provisioning

If you'd like any user who authenticates through SSO to have access to Kintaba without manually adding them or using a SCIM integration, you can enable Just in Time (JIT) provisioning for your SAML integration by following these steps:

  1. When creating the SAML integration, check the "Provision Kintaba accounts for valid users when signing in (SAML just-in-time provisioning)?" checkbox.
  1. In your identity provider's SAML configuration, add a mapping for the first_name and last_name app attributes (the following example shows the mapping in Google Workspace).