...
After finishing, apply changes
How to login at Kiuwan in a Web SSO scenario
Info |
---|
The first time you log in to Kiuwan in SSO mode, you need to specify the full URL, such as: |
Most commonly, in an SSO environment you will access Kiuwan from an existing link on a corporate intranet page, so that link should be changed to the full URL and you will not need to type it manually.
In any case, once you have successfully accessed Kiuwan for the first time, your browser will store the domain ID, so you can just type https://www.kiuwan.com and everything will work.
The Kiuwan SSO Login page will then be displayed.
Just click the Log In button and the SSO-SAML protocol will be activated.
- If you were already successfully authenticated, you will be logged in to Kiuwan.
- If not, you will be redirected to your organization's authentication page. Once authenticated, you will be redirected to the Kiuwan dashboard.
An alternative way to log in to Kiuwan is from your IdP.
If you are using ADFS, you will find a URL like this:
https://<your_idp_hostname>/adfs/ls/idpInitiatedsignon.htm
Just select the site (the Display Name defined at your IdP); you will be asked for your credentials and then redirected to the Kiuwan dashboard.
How to configure Kiuwan clients to work with SSO - SAML
Info |
---|
After configuring SSO, your web users can immediately log in to the Kiuwan website using the new login URL. However, Kiuwan “clients” (i.e. Kiuwan Local Analyzer, Kiuwan 4 Developers, and any custom program using the Kiuwan REST-API) need to be configured to use SSO. |
Kiuwan Local Analyzer (KLA) : SSO configuration
Once SSO is configured, it is mandatory to configure KLA with the SSO Domain ID.
Otherwise KLA will stop working!
Nevertheless, KLA will still use user/password configuration (a new KLA with SSO authentication will be released shortly).
In summary, after SSO activation:
- Configure KLA with the SSO Domain ID
- Be sure KLA users are allowed to use username/password authentication
KLA’s SSO Domain ID configuration can be done in three different ways:
- First, by using the KLA GUI, as the image shows.
- Also, by modifying the agent.properties file: set the domain.id property to your Domain ID.
- Additionally, if you are using the KLA CLI, you can also specify the domain.id property as a command-line parameter.
Kiuwan for Developers (K4D) : SSO configuration
Info |
---|
Similarly to the KLA SSO configuration, K4D also needs to be configured with the Domain ID. Go to your IDE’s Kiuwan configuration, select Connection Properties >> Single Sign-On section/tab and enter your Domain ID. |
REST-API : SSO configuration
For custom programs that make Kiuwan REST-API calls, you have to add a new header (X-KW-CORPORATE-DOMAIN-ID) indicating the Domain ID in order to pass the BASIC authentication.
For example:
curl -H "X-KW-CORPORATE-DOMAIN-ID: {domain.id}" -u {username}:{password} https://api.kiuwan.com/info
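The same call can be made without putting the password on curl's command line, where other local users can read it from the process list. The script below is an added example, not Kiuwan's own code: it reads domain.id from agent.properties and writes a curl config that carries the X-KW-CORPORATE-DOMAIN-ID header and the BASIC credentials. The function names, the KIUWAN_USER / KIUWAN_PASSWORD variables and the key=value layout of agent.properties are assumptions.

```shell
#!/bin/sh
# Added example. The function names, the KIUWAN_USER / KIUWAN_PASSWORD variables
# and the key=value layout of agent.properties are assumptions.

# Print the domain.id value from a Java-style properties file.
# Accepts "domain.id=V", "domain.id = V" and "domain.id: V"; the last entry wins.
kw_domain_id() (
  value=$(sed -n 's/^[[:space:]]*domain\.id[[:space:]]*[=:][[:space:]]*//p' "$1" |
    tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
  [ -n "$value" ] || { echo "domain.id is not set in $1" >&2; exit 1; }
  printf '%s\n' "$value"
)

# Escape a value for a double-quoted curl config string.
# Control characters (CR, LF, ...) are refused so that a value cannot add
# extra header lines or extra config directives.
kw_quote() (
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || exit 1
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
)

# Emit a curl config for one REST call.
# Arguments: domain id, username, password, optional URL.
kw_curl_config() (
  case $2 in *:*) echo "username must not contain ':'" >&2; exit 1 ;; esac
  url=$(kw_quote "${4:-https://api.kiuwan.com/info}") &&
    domain=$(kw_quote "$1") && user=$(kw_quote "$2") && pass=$(kw_quote "$3") ||
    { echo "control character in URL, domain id or credentials" >&2; exit 1; }
  printf 'url = "%s"\n' "$url"
  printf 'header = "X-KW-CORPORATE-DOMAIN-ID: %s"\n' "$domain"
  printf 'user = "%s:%s"\n' "$user" "$pass"
  printf 'fail\nsilent\nshow-error\n'
)

# Usage (the credentials travel over a pipe, not on curl's command line):
#   kw_curl_config "$(kw_domain_id agent.properties)" \
#     "$KIUWAN_USER" "$KIUWAN_PASSWORD" | curl --config -
```

The account used here still needs "Login with password enabled", since the REST-API authenticates with username and password rather than through the IdP.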
SSO login vs username-password login
When a Kiuwan account is converted to SSO-enabled, by default, the following applies to all existing users:
- They must use the new login URL (see How to login at Kiuwan in a Web SSO scenario)
- The previous login URL (https://www.kiuwan.com/saas/web/login.html) will not work any more
- Usernames and permissions are entirely preserved
- Only the authentication mechanism has changed. Usernames, assigned roles, permissions, user groups, etc. are maintained.
- By default, existing users (not admins) are not allowed to log in to Kiuwan using their former Kiuwan password
- They will be authenticated by the configured Identity Provider (IdP), not by Kiuwan.
Nevertheless, you might want certain users to also be authenticated by Kiuwan, i.e. some users might choose to authenticate either by SSO or by Kiuwan.
The Kiuwan admin can enable username-password access through the User Administration page, by enabling "Login with password enabled" for selected users.
Info |
---|
Users with the privilege "Login with password enabled" can then log in to Kiuwan in two ways:
|
Adding a new user in a SSO-enabled account
In an SSO-enabled account, when you create a new user you can decide whether that user can access Kiuwan with a password (besides SSO).
Just check the Enable login with password option on the New User page and, of course, click Generate password so that the user can be given it.
Obviously, do not click Generate password without also checking Enable login with password; that password would be useless (...)