...

At this point, you should have received an email with an activation code as well as the Domain ID and Login URL. Enter the activation code and click the Activate SSO button.



Info
  • If you want to prevent existing Kiuwan users from logging in with their former credentials (username and password), check Disable login with password for all my users. When this option is checked, all users are forced to log in through SSO (using the provided URL).
  • If you don’t check that option, existing users can still log in with username/password, but only through the new URL. The older Kiuwan URL will no longer work because all users have been migrated to SSO.

IMPORTANT: If your users are using Kiuwan Local Analyzer (KLA), DO NOT CHECK THIS OPTION, because all users will be forced to use SSO. Because KLA still does not fully support SSO, if it is checked you will need to manually activate user/password authentication for all KLA users!

Admin users can ALWAYS log in both ways. Other users can be managed individually to use either Kiuwan authentication or SSO (see Users Administration page).




Example email with activation code:

 

Info

After SSO activation, you will get the URL you need to configure Kiuwan as an SP in your IdP (see section Kiuwan’s metadata configuration in ADFS here).

 





Close the page and... voilà! Your Kiuwan SSO configuration is done!


If you later need to update the existing metadata with new IdP metadata, just go to the SSO initial configuration page and Upload a new IdP Metadata.

Click on Save to complete the update.



After metadata configuration, you will see the following data in your Kiuwan account.

At Account Management >> Profile you will see:

The Domain ID field only appears once your Kiuwan account is configured to use SSO.

  • This ID is needed to log in to your Kiuwan account. It is shared by all users of a Kiuwan account, but unique for every Kiuwan account.

The Username field contains your Kiuwan username and matches the Claim mapping (Name ID) defined in your IdP when you defined Kiuwan as Service Provider (see image above for ADFS).

...

IdP configuration : How to configure Kiuwan as Service Provider


Info

You must configure your IdP (Identity Provider) so it can recognize Kiuwan as an SP (Service Provider).

Each SAML-compliant IdP (Active Directory FS, Azure AD, CA Single Sign-On, etc.) follows its own configuration method, although the steps are similar.

We provide a detailed example of how to configure Active Directory Federation Services (ADFS). For other IdPs, please refer to your sysadmins or the product documentation.

...

You can use ADFS’s Add Relying Party Trust wizard.

Select the Claims aware option and click Start.


Then, ADFS will ask you about Kiuwan’s identity metadata.




Ideally, if your ADFS can reach Kiuwan servers, you will select the first option (Import data .. online).

Then you must provide the address that can be found on the Kiuwan website at the Account Management >> Organization page (see image below).

In case your ADFS cannot reach the Kiuwan server, you can upload the XML metadata document by selecting Import data .. from a file.

In this case, you must first download the XML document from the Kiuwan URL above. Just paste the URL into a browser that can access the Kiuwan server.

...
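When the metadata is carried to ADFS as a file, ADFS will send assertions to whatever AssertionConsumerService URL that file names, so it is worth inspecting before import. The check below is an added example, not part of the original page or Kiuwan's tooling; the sample XML is constructed and `expected_host` is an assumption standing for the host you expect the Kiuwan endpoints to use.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample, NOT Kiuwan's real metadata: the entityID and endpoint
# below are placeholders for the file downloaded from the Organization page.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp_metadata(xml_text, expected_host):
    """Summarise what ADFS would trust and list anything needing a second look."""
    report = {"entity_id": None, "acs": [], "findings": []}
    # SAML metadata never needs a DTD, so refuse to parse a file that has one.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        report["findings"].append("DTD or entity declaration present, not parsed")
        return report
    root = ET.fromstring(xml_text)
    sp = root.find("{%s}SPSSODescriptor" % MD)
    if root.tag != "{%s}EntityDescriptor" % MD or sp is None:
        report["findings"].append("not a single-entity Service Provider document")
        return report
    report["entity_id"] = root.get("entityID")
    for ep in sp.findall("{%s}AssertionConsumerService" % MD):
        location = ep.get("Location", "")
        report["acs"].append(location)
        url = urlsplit(location)
        if url.scheme != "https":
            report["findings"].append("ACS endpoint is not HTTPS: " + location)
        elif url.hostname != expected_host.lower():
            report["findings"].append("ACS endpoint on unexpected host: " + location)
    if not report["acs"]:
        report["findings"].append("no AssertionConsumerService endpoint")
    return report
```

An empty `findings` list means the file names only HTTPS endpoints on the expected host; compare `entity_id` with what ADFS shows on the wizard's review step.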

The next step is to provide a Display name for Kiuwan.

You can choose any name; it doesn’t have to be a domain hostname.

...

The next step is to choose the Access Control Policy that will govern the access rules of your organization’s users to Kiuwan.

After choosing a policy, just confirm (or change) and click Next.

Review the information from the SP (relying party) and click Next to finish the SP configuration in ADFS.






Notice that “Configure claims issuance policy ..” is checked.

When checked, you will define how to map/transform your organization’s users to Kiuwan users.

The Edit Claim Issuance Policy dialog will pop up:


Clicking on Add Rule will open the Add Transform Claim Rule Wizard.

First, you must select the rule template best suited to your organization.

In this example, we choose to map an LDAP attribute.



 

 

Info

You can select any LDAP attribute that is unique to every user. In this example we are using the user’s email address.

Map that attribute to the Name ID claim type.

Do not select any other claim type; Kiuwan will only use Name ID.

This way, Kiuwan will store the selected attribute value as the username.

After finishing, apply the changes.

SSO login vs username-password login

 

Info

When a Kiuwan account is converted to SSO-enabled, username-password access to Kiuwan is disabled for all existing users. From now on, all users will have to log in through SSO.

Nevertheless, the Kiuwan admin can always access using both mechanisms, i.e. through SSO and username-password.

The Kiuwan admin can also enable username-password access for any user through the User Administration page, allowing selected users to log in using either method.

 

How to login at Kiuwan in a Web SSO scenario

 

Info

The first time you log in to Kiuwan in SSO mode, you need to specify the full URL, such as:

https://www.kiuwan.com/saas/web/login.html?sso=on&domain=2601c4a3965935dd5b6dcb3aae45cc5f7421736bc355f114a4eb6ced00c6875a2b123b5a902aa8872921431f9a9a6a68e1886e99cde1214b78609077b79e1fdf

 

Most commonly, in an SSO environment you will access Kiuwan from an existing link on a corporate intranet page, so that link should be changed to this URL and you will not need to type it manually.

Anyway, once you have successfully accessed Kiuwan for the first time, your browser will store the Domain ID, so you can just type https://www.kiuwan.com and everything will work.

...

Then, the Kiuwan SSO Login page will be displayed.

Just click the Log In button and the SSO-SAML protocol will be activated.

  • If you were already successfully authenticated, you will log in to Kiuwan.
  • If not, you will be redirected to your organizational authentication page.
  • Once authenticated, you will be redirected to the Kiuwan dashboard.


An alternative way to log in to Kiuwan is from your IdP.

If you are using ADFS, you will find a URL like this:

https://<your_idp_hostname>/adfs/ls/idpInitiatedsignon.htm

Just select the site (the Display Name defined at your IdP); you will be asked for your credentials and then redirected to the Kiuwan dashboard!

...

How to configure Kiuwan clients to work with SSO - SAML

 

Info

After configuring SSO, your web users can immediately log in to the Kiuwan website using the new login URL.

However, Kiuwan “clients” (i.e. Kiuwan Local Analyzer, Kiuwan 4 Developers, and any custom program using the Kiuwan REST-API) need to be configured to use SSO.

 

Kiuwan Local Analyzer (KLA) : SSO configuration


Info

Once SSO is configured, it's mandatory to configure KLA with the SSO Domain ID.

Otherwise KLA will stop working!


 

Nevertheless, KLA will still use user/password configuration (a new KLA with SSO authentication will be released shortly).

 

In summary, after SSO activation:

  1. Configure KLA with SSO Domain ID

  2. Be sure KLA users are allowed to use username/password authentication


KLA’s SSO Domain ID configuration can be done in three different ways:


First, by using the KLA GUI as the image shows:

Also, by modifying the agent.properties file:

...

Additionally, if you are using the KLA CLI you can also specify the domain.id property as a command line parameter.

...

Kiuwan for Developers (K4D) : SSO configuration

 

Info

Similarly to the KLA SSO configuration, K4D also needs to be configured with the Domain ID.

Go to your IDE’s Kiuwan configuration, select the Connection Properties >> Single Sign-On section/tab and enter your Domain ID.



REST-API : SSO configuration

For custom programs using Kiuwan REST-API calls, you have to add a new header (X-KW-CORPORATE-DOMAIN-ID) that indicates the Domain ID in order to pass BASIC authentication.

...
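A client that sends the X-KW-CORPORATE-DOMAIN-ID header alongside BASIC credentials, as an added example that is not Kiuwan's own code. The API URL is a placeholder and the environment variable names are assumptions; the page gives only the header name.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit

DOMAIN_HEADER = "X-KW-CORPORATE-DOMAIN-ID"  # header name given in this section


def sso_headers(username, password, domain_id):
    """Build the BASIC Authorization header plus the SSO Domain ID header."""
    domain_id = domain_id.strip()
    if ":" in username:
        raise ValueError("BASIC auth user names cannot contain ':'")
    for value in (username, password, domain_id):
        # Reject empty values and CR/LF or other control characters so a
        # badly sourced setting cannot add extra header lines to the request.
        if not value or any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
            raise ValueError("empty value or control character in credentials")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii"),
            DOMAIN_HEADER: domain_id}


def build_request(url, username, password, domain_id):
    """Return a urllib Request; BASIC credentials are only allowed over HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send BASIC credentials without TLS")
    return urllib.request.Request(
        url, headers=sso_headers(username, password, domain_id))


def request_from_env(url):
    """Read the secrets from the environment rather than hard-coding them.

    KIUWAN_USER, KIUWAN_PASSWORD and KIUWAN_DOMAIN_ID are assumed names.
    """
    return build_request(url, os.environ["KIUWAN_USER"],
                         os.environ["KIUWAN_PASSWORD"],
                         os.environ["KIUWAN_DOMAIN_ID"])
```

Pass the returned request to `urllib.request.urlopen`; the user must be one that is still allowed username/password authentication after SSO activation.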