Single Sign On, or SSO, makes it so that when you log into your company's network, you can log into all of your apps at once, including Kapost. Please note, SSO is only available for Enterprise customers and Kapost only supports SAML-based identity providers.
Using SSO is more secure because each time a user logs in to an external application, the login process occurs from the SSO provider, with the application using an encrypted key. It's also easier for users because they only need to log in to one application to access all other applications.
Logging in to Kapost using SSO can happen in two ways. The first is by going to the Kapost application and clicking Sign in with SSO:
This will redirect to the SSO provider that was configured. The user will need to enter their credentials, or if they have already logged in with the SSO provider, they will not need to sign in again. Once the user has been authenticated with the SSO provider, the appropriate key will get sent to Kapost automatically and the user will have access to Kapost.
Please note, once you log in through SSO, your computer will always log you in via SSO and you will not have the option to log in via username and password unless you clear your cache.
The other way to sign into Kapost using SSO is to go directly to the SSO provider's application, find the Kapost icon, and click on it. This will send the key to Kapost, authenticate, and then redirect the user to the Kapost application.
Setting Up SSO
To configure Single Sign On, go to Settings -> Single Sign On. You will be taken to the Single Sign On Setup page. Below is an explanation of each of the fields on that page, and an overview of what is needed for each field.
The Different Fields In the Single Sign On Page In Kapost
Enable Single Sign On: If this is checked, single sign on will be enabled for this instance of Kapost.
Autocreate Users: If this is checked, anytime a user tries to sign in from the SSO provider it will create them as a user in Kapost using the email address from the SSO provider.
Role for auto-created users: This field lets you choose the role, and with it the permission setting, given to auto-created users. A Kapost Admin can give these users a different permission setting later.
Audience Validation (optional): Check to enable strict verification of the "Audience" attribute of the SAML assertion.
Destination Validation: Check to enable strict verification of the "Destination" attribute of the SAML assertion.
Issuer Serial: Check to enable verification of the Issuer certificate. We recommend keeping this checked at all times and disabling it only for testing or troubleshooting purposes.
Subject Confirmation: Check to enable strict verification of the Subject ID attribute. We recommend keeping this checked at all times and disabling it only for testing or troubleshooting purposes.
Remember Sessions: This will remember users’ sessions for a period of time (they will have to re-sign in once in a while for security reasons).
Issuer URL: Your SSO Admin will be able to provide this. This is the website that the service you use to handle your SSO (your identity provider) uses to log you into your company network. Kapost will redirect to this URL when a user clicks the Sign in with SSO button in the screenshot above.
Issuer Public Cert/Issuer Cert Fingerprint: This is the public certificate that signs the SSO assertion. The SSO admin will provide this. The public certificate is required to verify the authenticity of the login request.
Full name attribute or First/Last name attribute: You need to specify the label/attribute you use to identify the username - first, specify whether you use a full name username or a first name-last name username. Again, your SSO admin can provide this.
Logout URL (optional): The last thing you need to do is specify where you would like to be redirected after logging out. To do this, enter the URL you would like to be redirected to in the field labeled "Logout URL."
Audience URL (optional): This is used in two ways: 1) when the "Audience Validation" checkbox is enabled, or 2) when using SP initiated login. On SP initiated login, the Audience URL will be sent to the SP as the issuer of the SAML request from Kapost, and it provides the return path for the signed login assertion from your SSO system. If using SP initiated login, set the Audience URL to https://myinstance.kapost.com/users/saml/auth
SAML Consumer URL and SAML Metadata URL: Your IT contact will configure your Kapost SSO with whatever service your company uses to handle this feature, and when doing so he or she will need to know which URLs to connect to in order to enable Kapost SSO. These are the SAML Consumer URL and the SAML Metadata URL, and you can find them on your Single Sign On page. The SAML Consumer URL is also known as the ACS URL.
The rest of the fields are for different security configurations, and will be set up by the SSO admin and Kapost Support.
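What the Audience Validation and Destination Validation checkboxes verify, shown as an added example that is not Kapost's own code. It assumes the response signature has already been verified against the Issuer Public Cert; the consumer URL and the sample responses are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Audience URL as given on this page; the consumer (ACS) URL is a
# hypothetical placeholder for the value shown on your Single Sign On page.
EXPECTED_AUDIENCE = "https://myinstance.kapost.com/users/saml/auth"
EXPECTED_DESTINATION = "https://myinstance.example/saml/acs"

def build_response(destination, audience):
    """Return a constructed, unsigned SAML response (demonstration input only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        ID="_r1" Version="2.0" Destination="{destination}">
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Conditions>
          <saml:AudienceRestriction>
            <saml:Audience>{audience}</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </samlp:Response>"""

def validate(xml_text, check_audience=True, check_destination=True):
    """Return the list of failed checks; an empty list means accepted.

    Signature verification is assumed to have happened before this call.
    """
    root = ET.fromstring(xml_text)
    failures = []
    if check_destination:
        # Strict: a missing or different Destination is a failure.
        if root.get("Destination") != EXPECTED_DESTINATION:
            failures.append("destination")
    if check_audience:
        path = "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
        audiences = [a.text.strip() for a in root.findall(path, NS) if a.text]
        # Strict: an Audience naming this service provider must be present.
        if EXPECTED_AUDIENCE not in audiences:
            failures.append("audience")
    return failures

if __name__ == "__main__":
    other = build_response(EXPECTED_DESTINATION, "https://other-app.example/saml")
    print(validate(other))                        # issued for another application
    print(validate(other, check_audience=False))  # same response, check disabled
```

With the audience check disabled, a validly signed assertion that the identity provider issued for a different application passes, which is why these checks are best left enabled outside of troubleshooting.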
Note: When utilizing SSO, Kapost receives user information from your SSO provider and has no ability to modify it, including display name.
To learn about how to set up SSO across multiple instances in an organization, read this article.