
SSO login vs username-password login

 

 

 

When a Kiuwan account is converted to SSO-enabled, the following applies by default to all existing users:

  1. They must use the new login URL (see How to login at Kiuwan in a Web SSO scenario)
    1. The previous login URL (https://www.kiuwan.com/saas/web/login.html) will not work any more
  2. Usernames and permissions are entirely preserved
    1. Only the authentication mechanism has changed. Usernames, assigned roles, permissions, usergroups, etc. are maintained.
  3. By default, existing users (not admins) are not allowed to log in to Kiuwan using their former Kiuwan password
    1. They will be authenticated by the configured Identity Provider (IdP), not by Kiuwan.
 


 

Nevertheless, you might want certain users to also be authenticated by Kiuwan, i.e. some users might choose to authenticate either by SSO or by Kiuwan.

 

The Kiuwan admin can enable username-password access for selected users on the User Administration page by enabling the Login with password enabled option.

 

 

 

 
Info

Users with the privilege "Login with password enabled" can then log in to Kiuwan in two ways:

  1. Authenticated by SSO 
    1. https://www.kiuwan.com/saas/web/login.html?sso=on&domain=<my_domain_id>
  2. Authenticated by Kiuwan (by password)
    1. https://www.kiuwan.com/saas/web/login.html?sso=off&domain=<my_domain_id>
 

 

 

Adding a new user in a SSO-enabled account

 

In an SSO-enabled account, when you create a new user you can decide whether that user can access Kiuwan with a password (besides SSO).

 

Check the Enable login with password option on the New User page and, of course, click Generate password so that you can let the user know it.

 

 

 

 

Obviously, do not click Generate password without also checking Enable login with password; that password would be useless (...)

 
 

Appendix - Azure Active Directory configuration: How to configure Kiuwan as Service Provider


You must configure your IdP (Azure AD) so that it recognizes Kiuwan as an SP (Service Provider).


In Azure AD, you should create an Enterprise Application (Kiuwan SSO, in this example).

To do so, select Azure Active Directory >> Enterprise applications and click on New application.





Select Non-gallery application, fill in the app name (Kiuwan SSO in our example) and click the Add button.




Once the application has been created, you will see its page.

 




Next, you need to add the users that will be allowed to log in to the Kiuwan SSO application.

 



Select the users from your Azure Active Directory that will be allowed to log in to the Kiuwan SSO application.





Now that some users have been added, you need to configure Single sign-on.




First, you need to export the Azure Active Directory metadata and import it to Kiuwan.


To export AAD metadata, click the Download link next to Federation Metadata XML.



 

 

Info

The downloaded XML file needs to be imported into your Kiuwan account, as shown before.

After importing AAD metadata into Kiuwan, your Kiuwan account will be ready to generate its own metadata that you will import into AAD.

 

 

To export Kiuwan metadata, go to Account Management >> Organization and you will see the URL to download Kiuwan metadata.



 

Just type the URL in a browser and save the content as an XML file.




 

Info

Now, you can import (upload) the Kiuwan metadata XML file into AAD.





 

Info

IMPORTANT: you must fill in the Sign on URL field with the Kiuwan login URL.





Once done, you need to set your Claims policy. To do so, click on User Attributes & Claims.




Select Name identifier value and set up the policy that maps your AAD usernames to Kiuwan usernames.


In this example, we take the first part of email.

For example, an AAD user with email john.doe@domain.com will be mapped to john.doe when sent to Kiuwan.
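
With this mapping, two AAD addresses that share the same first part map to the same Kiuwan username, so it is worth auditing the assigned users before enabling SSO. The Python check below is an added example, not Kiuwan or Microsoft code; the function names, the case-insensitive comparison and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict


def kiuwan_username(email: str) -> str:
    """Apply the mapping described above: keep the part before '@'."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return local


def audit_mapping(aad_emails, kiuwan_users):
    """Return (collisions, unmatched) for a list of AAD emails.

    collisions: mapped username -> the AAD emails that share it (2 or more)
    unmatched:  AAD emails whose mapped username is not an existing Kiuwan user
    Names are compared case-insensitively (assumption; verify for your account).
    """
    by_name = defaultdict(list)
    for email in aad_emails:
        by_name[kiuwan_username(email).lower()].append(email)
    known = {u.lower() for u in kiuwan_users}
    collisions = {n: e for n, e in by_name.items() if len(e) > 1}
    unmatched = sorted(e for n, es in by_name.items() if n not in known for e in es)
    return collisions, unmatched


# Constructed sample data (not real accounts)
AAD_EMAILS = [
    "john.doe@domain.com",
    "John.Doe@subsidiary.example",
    "jane.roe@domain.com",
    "sam.poe@domain.com",
]
KIUWAN_USERS = ["john.doe", "jane.roe"]

if __name__ == "__main__":
    collisions, unmatched = audit_mapping(AAD_EMAILS, KIUWAN_USERS)
    for name, emails in collisions.items():
        print(f"COLLISION {name}: {', '.join(emails)}")
    for email in unmatched:
        print(f"NO KIUWAN USER for {email}")
```
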





Now you can test Single Sign-On with the Kiuwan SSO app.

Just click the Test button.





Select the user (the current one or someone else).

 




And a new browser window will present the Kiuwan SSO Login page.






Obviously, you don’t need to type your username; just click the Log in button and you will be redirected to the Azure AD login page.

 



You need to type your credentials; Azure AD will authenticate you and (if successful) you will be forwarded directly to the Kiuwan app.

