What Is SSO and SAML, and Why Would You Need It?
SSO, or Single Sign-On, is an authentication process that allows a user to log in to multiple independent software systems using a single ID and password. You may want to use SSO if you are interested in increasing security by reducing attack surfaces and security risks, or if you would like to simplify your user management by only requiring a single credential set from your users to access a suite of software with which your employees interact. There are multiple SSO options for IT organizations to choose from; one of these, which Kobiton now supports, is SAML.
What’s the Difference?
SAML (Security Assertion Markup Language) is an open standard for data exchange that enables SSO for a user base. SAML verifies and authenticates a user by transferring the user’s identity from the identity provider (also known as an IdP) to the service provider via digitally signed XML documents; the user only needs to enter one set of credentials, specifically for the identity provider, and the IdP takes care of the rest. SAML therefore provides an SSO-like experience from an end-user view, with less effort and possibility of security threats on the user’s part.
Kobiton currently supports only SAML 2.0 protocol. Kobiton uses these three identity providers as our standard: Onelogin, Okta, and Azure AD. Please be aware that the use of other IdPs may result in unexpected issues.
How to Configure SAML
Below are instructions to help guide you through setting up SAML with Kobiton. In general, the configuration of SAML is two-fold: configure the SAML web application on your chosen IdP using information provided via your Kobiton portal, then provide information supplied by the IdP back to Kobiton (again via the Kobiton portal) to complete the SSO loop.
You will need to have both the IdP’s configuration page and your Kobiton portal page open to complete the configuration. The same procedure with the Kobiton portal configuration applies regardless of which IdP you choose, as described below.
Kobiton Portal and the SSO settings page
1. Navigate to your Kobiton portal and log in. In the upper-right corner beside the user module icon, click the dropdown arrow to expand the account dropdown menu. Click “Settings”.
2. Click on the “SSO Settings” tab in the banner across the top of the screen. Your screen will now display the first section of the SSO settings configuration screen. (See image below step 3.)
3. In the “Step 1: Basic configuration” box, Kobiton has already provided the Audience URL and Reply URL; you will need to copy these links and paste them in the appropriate fields in your preferred IdP’s configuration process. Input your desired name in the “Domain name” field and click “Generate”; Kobiton will generate a Default Relay State value for you, which you will also need for your IdP’s configuration.
4. In the “Step 2: User attributes (or parameters)” box, you can fill in attributes for mapping that you can then copy and paste into the corresponding fields with your IdP.
5. In the “Step 3: Set up at Kobiton side” box, you will need to copy the corresponding information from your IdP’s configuration page to these fields. You can find specific details in the guides below.
6. In the “Step 4: Verify Configuration” box, you can click the “Verify” button to have Kobiton test your SSO configuration. There is also an optional toggle that will allow you to enforce an SSO login to Kobiton for all your users, should you wish to make SSO mandatory across your organization.
7. If you do choose to utilize the login toggle in the previous step, a fifth box will appear on your SSO settings page, labeled “Step 5: Specify Organization Access Restrictions”. In this box you can define the assertion specifying an admin role; you can then test to make sure this admin role can successfully log in using your SSO/SAML configuration. There is also an optional toggle that allows you to pass your role/team assignments between your IdP and Kobiton to sync them. There is no continual or scheduled synchronization of data, but if this toggle is enabled, synchronization will occur at the time of user login.
8. Once all your configuration changes are made, be sure to click the “Save” button at the bottom of the page to confirm and apply your changes.
IMPORTANT NOTE: If you choose to enforce SSO and you wish to reverse that setting for some or all of your users, please have the affected users go to the Kobiton log in page and click “Forgot Password” to have a new password set for their account.
Below are step-by-step guides for some of the more common IdPs you may use with Kobiton.
Custom SAML 2.0 - Onelogin
1. Navigate to the Onelogin Applications page (click “Applications” in the tab banner across the top of the page). Click “Add App” in the upper-right corner.
2. In the “Find Applications” section, search for ‘SAML Test Connector’. From the results list, select “SAML Test Connector (Advanced)”.
3. Edit the Display Name and logo for the portal and click “Save”.
4. The page will update to display the “Info” tab. Navigate to the “Configuration” tab. Enter your Kobiton service provider details here, copied from the information contained in Box 1 of the Kobiton portal SSO settings page. Click “Save” in the upper-right corner of the screen.
Below is an example of the mapped fields for configuration between Kobiton and Onelogin to assist with the previous step:
5. Navigate to the “Parameters” tab. Add a new field by clicking the blue plus sign icon in the upper-right corner of the SAML Test Connector Field box.
6. In the "New Field" pop-out box, edit the “Field name” to contain the desired field attribute and click “Save”.
7. Repeat steps 5 and 6 until your parameters are complete, as seen in the image in Step 5 above. Examples of the fields you should now have are listed below.
8. Navigate to the SSO tab in Onelogin (left sidebar) and copy the "Issuer URL", "SAML 2.0 Endpoint" (HTTP), “SLO Endpoint (HTTP)” and “X.509 Certificate” data from this page. The Issuer URL and Endpoints have direct copy function buttons beside them that you can use to accurately obtain this information; the certificate will need to be downloaded by clicking the “View Details” option beneath the Certificate information box, as shown below. You will be redirected to the Standard Strength Certificate page; ensure that you have the X.509 PEM certificate selected and click "Download". Paste this information into the corresponding fields in Box 3 of the Kobiton portal SSO settings page.
9. Please remember to save any changes or additions made to your Onelogin configuration before exiting the page. Please also complete the steps in the above section "Kobiton Portal and the SSO Settings page" to verify that your configuration is functional.
Custom SAML 2.0 - OKTA
1. Navigate to OKTA and sign in with an admin account. On the OKTA admin home page, click the Applications tab in the banner at the top of the screen.
2. On the Applications page, click “Add Application”.
3. Click “Create New App”. In the Create a New Application Integration pop-up box, select “Web” in the Platform dropdown box, then select SAML 2.0 for the Sign on method. Click “Create”.
4. In the General Settings box, fill in the name and logo for your application.
5. In the SAML Settings box, fill in the information with the matching values from Box 1 of the Kobiton portal SSO settings page. The Name ID format and Application username fields are optional and can be set according to your own preferences.
When this information is completed, click the Download Okta Certificate button in the sidebar on the right side of the page (as shown in the above image). This certificate needs to be uploaded to your Kobiton portal SSO settings page in Box 3 “Set up at Kobiton side”; you can do this by clicking the Upload button beneath the Identity Provider Certificate* header. In your Okta configuration page, you can also fill out Group Attribute Statements here, as in the example provided below:
6. Click “Next”, then click “Finish”.
7. Within your SAML application’s configuration, navigate to the “Sign On” tab within the Application view. Click “View Setup Instructions” and supply the information from this page to the appropriate fields in Box 3 of your Kobiton portal SSO settings page.
8. On your Kobiton portal SSO settings page, confirm that all data looks correct and follow the steps outlined in the "Kobiton Portal and the SSO Settings page" section of this document to verify your configuration is functional.
Custom SAML 2.0 - Azure AD
1. Sign in to Azure management portal using an Azure Active Directory administrator account.
2. Navigate to Azure Active Directory > [Directory].
3. Under Sign Ins/Create, select “Enterprise Application”. Select "New Application".
4. Select “Non-gallery application”.
5. In the “Add from the gallery” section, type the name of the application and click “Add”.
6. Assign a test user to the application. (Please note that this step is required.)
7. Set up single sign-on. Select “SAML”.
8. Edit the configuration with the appropriate information. For Azure AD's Box 1 "Basic SAML Configuration", use the information from Box 1 “Basic Configuration” of your Kobiton portal SSO settings page. For Azure AD's Box 2 "User Attributes & Claims", you can copy the values from Box 2: "User attributes (or parameters)" of your Kobiton portal SSO settings page to complete the fields. The Unique User Identifier is an optional value; all other values are required.
When this information is complete, please make sure to download the "Certificate (Base64)" from the link located in Box 3 “SAML Signing Certificate” of the Azure AD setup page and click “Save”.
Please note: on the User Attributes & Claims > Manage Claim page, the namespace field needs to be removed as reflected in the image below for each mapping.
The attribute mapping for users should look like the image below when done:
9. After the above steps are completed, please fill in your IdP’s information to the appropriate fields in Box 3 of your Kobiton portal SSO settings page. This is also where you will upload the certificate downloaded in the previous step. Complete the verification steps as outlined in the "Kobiton Portal and the SSO Settings page" section of this document. You are also welcome to use Azure AD's configuration test, but please note that the configuration on Kobiton's portal page must be complete for the SSO settings to be verifiable.
Custom SAML 2.0 - GSuite
1. From the Google Admin console, select the “Apps” tile.
2. On the Apps page, select the ”SAML apps” tile.
3. You are now on the Apps > Web and mobile apps page. From here, click the “Add App” tab to toggle a dropdown menu, then select “Add custom SAML app”. GSuite offers you a step-by-step checklist for this next part of the process; we also include those steps below as part of this guide.
4. Step 1: App details. Fill in the name for the app.
5. Step 2: Google Identity Provider Details. Copy and save all of the information contained in this step, including downloading the certificate (all boxes have a copy function button, and the Certificate box has a download function button.) Paste this information and upload the certificate to the corresponding fields in Box 3 of the Kobiton portal SSO settings page.
6. Step 3: Service Provider Details. Fill in the appropriate fields with the matching information from Box 1 of the Kobiton portal SSO settings page.
7. Step 4: Attribute Mapping. Fill out the attribute sections as indicated in the image below:
If you have any questions or issues with configuring your SSO/SAML setup with Kobiton, please submit a support ticket at support.kobiton.com.