
...

You can find the SSO configuration page at Account Management >> Organization by clicking on the Configure SSO button.





Please read the notes carefully:

...

In a typical ADFS installation you can commonly get it at: https://<your_idp_domainname>/FederationMetadata/2007-06/FederationMetadata.xml





Info

If your IdP is Azure AD, please be sure to check My IdP is Azure AD.





Once it’s loaded, click on the Continue button.

 




At this point, you should have received an email with an activation code as well as the Domain Id and Login URL. Enter the activation code and click the Activate SSO button.

...

Info

After SSO activation, you will get the URL you need to configure Kiuwan as an SP in your IdP (see section Kiuwan’s metadata configuration in ADFS here).






Close the page and... voilà! Your Kiuwan SSO configuration is done!!

...

If you later need to update the existing metadata with new IdP metadata, just go to the SSO initial configuration page and upload the new IdP metadata.




Click on Save to complete the update.






After metadata configuration, you will see the following data in your Kiuwan account.

At Account Management >> Profile you will see:




The Domain ID field only appears when your Kiuwan account is configured to use SSO.

...

Then you must provide the address that can be found on the Kiuwan website at the Account Management >> Organization page (see image below).




In case your ADFS cannot reach the Kiuwan server, you can upload the XML metadata document by selecting Import data .. from a file.

...

Then, the Kiuwan SSO Login page will be displayed.



Just click on the Log In button and the SSO-SAML protocol will be activated.

...

https://<your_idp_hostname>/adfs/ls/idpInitiatedsignon.htm





Just select the site (the Display Name defined at your IdP), and you will be asked for your credentials and redirected to the Kiuwan dashboard!!

...

Info

Once SSO is configured, it's mandatory to configure KLA with the SSO Domain ID.

Otherwise KLA will stop working!!

 

Nevertheless, KLA will still use user/password configuration (a new KLA with SSO authentication will be released shortly).

...

Info

As with the KLA SSO configuration, K4D also needs to be configured with the Domain ID.

Go to your IDE’s Kiuwan configuration, select the Connection Properties >> Single Sign-On section/tab and enter your Domain ID.






REST-API: SSO configuration

...

curl -H "X-KW-CORPORATE-DOMAIN-ID: {domain.id}" -u {username}:{password} https://api.kiuwan.com/info


 

SSO login vs username-password login

  

 

When a Kiuwan account is converted to SSO-enabled, by default, the following applies to all existing users:

  1. They must use the new login URL (see How to login at Kiuwan in a Web SSO scenario)
    1. The previous login URL (https://www.kiuwan.com/saas/web/login.html) will not work any more
  2. Usernames and permissions are entirely preserved
    1. Only the authentication mechanism has changed. Usernames, assigned roles, permissions, user groups, etc. are maintained.
  3. By default, existing users (not admins) are not allowed to log in to Kiuwan using their former Kiuwan password
    1. They will be authenticated by the configured Identity Provider (IdP), not by Kiuwan.
 


 

Nevertheless, you might want certain users to also be authenticated by Kiuwan, i.e., some users might choose to authenticate either by SSO or by Kiuwan.

The Kiuwan admin can enable username-password access through the User Administration page, by enabling Login with password enabled for selected users.

 

 

 

 
Info

Users with privilege "Login with password enabled" can then login to Kiuwan in two ways:

  1. Authenticated by SSO 
    1. https://www.kiuwan.com/saas/web/login.html?sso=on&domain=<my_domain_id>
  2. Authenticated by Kiuwan (by password)
    1. https://www.kiuwan.com/saas/web/login.html?sso=off&domain=<my_domain_id>
 

 

 

Adding a new user in an SSO-enabled account

In an SSO-enabled account, when you create a new user you can decide whether that user can access Kiuwan with a password (besides SSO).

Just check the Enable login with password option on the New User page and, of course, click on Generate password to let him/her know.

 

 

Obviously, do not click on Generate password without checking Enable login with password; that password would be useless (...)

 
 

Appendix - Azure Active Directory configuration: How to configure Kiuwan as Service Provider


You must configure your IdP (Azure AD) so it recognizes Kiuwan as an SP (Service Provider).


In Azure AD, you should create an Enterprise Application (Kiuwan SSO, in this example).

To do it, select Azure Active Directory >> Enterprise applications 


 


and click on New application 




Select Non-gallery application, fill in the app name (Kiuwan SSO in our example) and click the Add button.



Once it is created, you will see a page like this.

 



Next, you will need to add the users that will be allowed to log in to the Kiuwan SSO application.

 


Select the users from your Azure Active Directory that will be allowed to log in to the Kiuwan SSO application.






Now that some users have been added, you need to configure Single sign-on.



First, you need to export the Azure Active Directory metadata and import it to Kiuwan.


To export the AAD metadata, click on the Download link at Federation Metadata XML.


 

 

Info

The downloaded XML file needs to be imported into your Kiuwan account, as shown before.

After importing AAD metadata into Kiuwan, your Kiuwan account will be ready to generate its own metadata that you will import into AAD.

 

 

To export Kiuwan metadata, go to Account Management >> Organization and you will see the URL to download Kiuwan metadata.


 

Just type the URL in a browser and save the content as an XML file.



 

Info

Now, you can import (upload) the Kiuwan metadata XML file into AAD.




 

Info

IMPORTANT: you must fill in the Sign on URL field with the Kiuwan login URL.




Once done, you need to set your Claims policy. To do it, click on User Attributes & Claims.



Select Name identifier value



and set up the policy for mapping your AAD usernames to Kiuwan usernames.


In this example, we take the first part of email.

For example, an AAD user with email john.doe@domain.com will be mapped to john.doe when sent to Kiuwan.
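
Because the mapped name is what Kiuwan receives as the username, the policy should yield exactly one existing Kiuwan user per directory user. A pre-rollout check of that, as an added example (not Kiuwan's code): the function names and sample lists are constructed, and case-insensitive username matching is an assumption you can switch off.

```python
from collections import defaultdict

def mapped_name_id(email):
    """Apply the page's example policy: the part of the email before '@'."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {email!r}")
    return local

def check_mapping(directory_emails, kiuwan_usernames, case_sensitive=False):
    """Report mapped names shared by several users and names without a counterpart."""
    fold = (lambda s: s) if case_sensitive else str.lower
    by_name = defaultdict(set)
    for email in directory_emails:
        by_name[fold(mapped_name_id(email))].add(email.strip().lower())
    existing = {fold(u) for u in kiuwan_usernames}
    return {
        # several directory users would arrive at Kiuwan under one username
        "collisions": {n: sorted(e) for n, e in by_name.items() if len(e) > 1},
        # mapped name has no Kiuwan account to land on
        "no_kiuwan_user": sorted(n for n in by_name if n not in existing),
        # Kiuwan account that no directory user maps to
        "no_directory_user": sorted(existing - set(by_name)),
    }

# Constructed sample data (not from the page).
DIRECTORY = ["john.doe@domain.com", "John.Doe@partner.example",
             "ana.ruiz@domain.com", "svc-scan@domain.com"]
KIUWAN_USERS = ["john.doe", "ana.ruiz", "legacy.admin"]

if __name__ == "__main__":
    for key, value in check_mapping(DIRECTORY, KIUWAN_USERS).items():
        print(key, value)
```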




Now, you can test Single Sign-On with the Kiuwan SSO app.

Just click on the Test button.




Select the user (the current one or someone else).

 



And a new browser window will present the Kiuwan SSO Login page.





Obviously, you don’t need to type your username; just click on the Log in button and you will be redirected to the Azure AD login page.




You need to type your credentials; Azure AD will authenticate you and (if successful) you will be forwarded directly to the Kiuwan app.






 

 

 

...