Single Sign On (SSO) makes it so that when you log into your company's network, you can log into all of your apps at once, including Kapost.
Using SSO is more secure because each time a user logs in to an external application, the login is performed by the SSO provider, which communicates with the application using an encrypted key. It's also easier for users because they only need to log into one application to access all other applications.
- SSO is only available for enterprise customers, and Kapost only supports SAML based identity providers.
Logging in to Kapost using SSO can happen two ways. The first is by going to your Kapost instance URL and clicking Sign in with SSO:
This will redirect to the SSO provider that was configured. The user will need to enter in their credentials, or if they have already logged in with the SSO provider they will not need to sign in again. Once the user has been authenticated with the SSO provider, an encrypted response is sent to Kapost that validates the user's identity and provides the necessary information to map the SSO user to a Kapost user.
Once you log in through SSO, your computer will always log you in via SSO and you will not have the option to log in via username and password unless you clear your cache.
The other way to sign into Kapost using SSO is to go directly to the SSO provider's application, find the Kapost icon, and click on it. This will send an encrypted response to Kapost that describes the validated user's identity and the information necessary to log them into Kapost.
For information on whitelisting users for non-SSO login, please visit this help article. This is often used for partner users who will not be able to log in through your company's SSO portal.
Setting Up SSO
To configure Single Sign On, go to Settings - Single Sign On. You will be taken to the Single Sign On Setup page. Below is an explanation of each of the fields on that page, and an overview of what is needed for each field.
The Different Fields In the Single Sign On Page In Kapost
Enable Single Sign On: If this is checked, single sign on will be enabled for this instance of Kapost.
Autocreate Users: If this is checked, anytime a user succeeds in signing in through SSO from the SSO provider, Kapost will create them as a user in Kapost using the email address from the SSO provider.
Default Role for auto-created users: This field allows you to choose the default role for autocreated users. This role only affects the membership the user has within the Kapost instance that SSO is granting them access to. Kapost Admins can change this role later as well.
This default will be used for users that do not have a group attribute that assigns them a different role in Kapost. For more information on user roles within Kapost, see this article.
- Each Kapost user must have a unique email address. There is only one user per email address. However, each user can have multiple instance memberships. Presently, if a Kapost user already exists but does not have access to an instance, and they can authenticate through SSO to that instance, they will be given membership access that matches the role defined in the Auto-Created User Default Role option.
Audience Validation (optional): Check to enable strict verification of the "Audience" attribute of the SAML assertion
Destination Validation: Check to enable strict verification of the "Destination" attribute of the SAML assertion
Issuer Serial: We recommend leaving this checked, and disabling it only for testing or troubleshooting. Check to enable verification of the Issuer certificate.
Subject Confirmation: We recommend leaving this checked, and disabling it only for testing or troubleshooting. Check to enable strict verification of the Subject ID attribute.
Remember Sessions: This will remember users’ sessions for a period of time (they will have to re-sign in once in a while for security reasons).
SAML 2.0 Endpoint (HTTP): Your SSO Admin will be able to provide this. This is the URL that the service you use to handle your SSO (your identity provider) uses to log you into your company network. Kapost will redirect to this URL when a user clicks the Sign in with SSO button in the screenshot above.
Issuer Public Cert/Issuer Cert Fingerprint: This is the public certificate that signs the SSO assertion. The SSO admin will provide this. The public certificate is required to verify the authenticity of the login request.
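The four validation settings above (Audience Validation, Destination Validation, Issuer check, Subject Confirmation) each reject a specific class of bad assertion. The following is an added illustration, not Kapost's code: it parses a constructed, unsigned SAML response and applies those checks with a hypothetical settings dict whose keys mirror the page's fields. It deliberately does not verify the XML signature against the Issuer Public Cert; a real service provider does that first, because none of the values checked below can be trusted until the signature is good. The hostnames are placeholders.

```python
"""Checks mirroring the Audience Validation, Destination Validation, Issuer and
Subject Confirmation settings on the Kapost SSO page (added example, not Kapost
code). The sample response is constructed and UNSIGNED; signature verification
against the Issuer Public Cert is out of scope here and must happen first."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample; hostnames are placeholders, not real Kapost or IdP URLs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://example-instance.kapost.test/saml/consume">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://example-instance.kapost.test/saml/consume"
          NotOnOrAfter="2030-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example-instance.kapost.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical settings dict; keys mirror the fields on the Single Sign On page.
STRICT_SETTINGS = {
    "acs_url": "https://example-instance.kapost.test/saml/consume",  # SAML Consumer URL
    "audience": "https://example-instance.kapost.test",              # Audience URL
    "issuer": "https://idp.example.test/metadata",                   # IdP entity ID
    "audience_validation": True,
    "destination_validation": True,
    "issuer_check": True,
    "subject_confirmation": True,
}


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2030-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, settings, now=None):
    """Return the list of failed checks; an empty list means the response passed.
    `now` may be a datetime or a SAML timestamp string (convenient for tests)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    failures = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]
    # Destination Validation: the response must be addressed to our ACS URL.
    if settings["destination_validation"] and root.get("Destination") != settings["acs_url"]:
        failures.append("destination mismatch: %r" % root.get("Destination"))
    # Issuer check: the assertion must come from the configured identity provider.
    if settings["issuer_check"]:
        issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != settings["issuer"]:
            failures.append("unexpected issuer: %r" % issuer)
    # Audience Validation: the assertion must be meant for this service provider;
    # without it, an assertion minted for some other application would be accepted.
    if settings["audience_validation"]:
        audiences = [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if settings["audience"] not in audiences:
            failures.append("audience mismatch: %r" % audiences)
    # Subject Confirmation: bearer data must name our ACS URL and be unexpired,
    # which is what stops a captured assertion being replayed elsewhere or later.
    if settings["subject_confirmation"]:
        scd = assertion.find(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None:
            failures.append("missing SubjectConfirmationData")
        else:
            if scd.get("Recipient") != settings["acs_url"]:
                failures.append("subject confirmation recipient mismatch")
            expiry = scd.get("NotOnOrAfter")
            if expiry and now >= _parse_ts(expiry):
                failures.append("subject confirmation expired")
    return failures


def subject_email(xml_text):
    """The NameID is the value Kapost maps to a user's email address."""
    return ET.fromstring(xml_text).findtext(
        "saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
```

Running `validate_response(SAMPLE_RESPONSE, STRICT_SETTINGS)` on the sample returns an empty list; swapping the Audience for another application's URL fails only while Audience Validation is on, which is why the page recommends leaving these checks enabled outside of troubleshooting.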
Full name attribute or First/Last name attribute: You need to specify the label/attribute you use to identify the username. First, specify whether you use a full name username or a first name/last name username. Again, your SSO admin can provide this.
Logout URL (optional): The last thing you need to do is specify where you would like to be redirected after logging out. To do this, add the URL you would like to be redirected to in the field labeled "Logout URL."
Audience URL: (optional) This is used in two ways:
- When "Audience validation" checkbox is enabled.
- When using SP initiated login. On SP initiated login, the Audience URL will be sent to the SP as the issuer of the SAML request from Kapost, and it provides the return path for the signed login assertion from your SSO system.
If using SP initiated login, set the Audience URL to:
SAML Consumer URL and SAML Metadata URL: Your IT contact will configure your Kapost SSO with whatever service your company uses to handle this feature, and when doing so he or she will need to know which URLs to connect to in order to enable Kapost SSO. These are the SAML Consumer URL and the SAML Metadata URL, and you can find them on your Single Sign On page. The SAML Consumer URL is also known as the ACS URL.
- When utilizing SSO, Kapost receives user information from your SSO provider and has no ability to modify it, including users' display names.
- With SSO enabled, users can’t edit their names on their profiles. Users can edit their profile picture, bio and notification settings, regardless of SSO. If users edit their profile picture or bio with SSO on, this will ‘lock’ SSO out in terms of any name updates. If users want to edit their name with SSO on, they have to edit it from the SSO side, not within Kapost.
- If users are in multiple instances, this effectively ‘unlocks’ SSO editing again and they can make changes to their names in Kapost.
Setting up Instance Membership Rules
Instance Membership Rules allow you assign users to specific Member Groups or Roles based on the attributes passed over from your SSO provider. Configuring rules to assign users to groups is very useful for automatically adding access to Gallery Collections, ensuring that users have access to the appropriate collections during their first visit to your Kapost Gallery.
Please Note: Instance Membership rules are only checked and applied during each login through SSO. As a result, users' membership roles and membership groups are only modified during the login process, even if membership rules change in the meantime. Logged-in users will not have their group memberships, roles, or access changed until they log out and log back into Kapost through SSO.
Please Note: Group Membership rules override manual group memberships. On SSO login, if a user's attributes match a membership rule where groups are specified, the groups they are currently part of will be overwritten by the groups assigned by the rule. This is deliberate: if a user's attributes no longer grant them access to a group, Kapost will reflect this change in permissions.
Instance Membership Rule Settings
Instance Membership Rules can be configured and applied when the SAML response contains the field specified by Attribute Name, and that field contains at least one of the values specified in Attribute Values.
Enable Membership Rules: If this is checked, membership rules will be enabled for this instance.
Attribute Name: Add the name of the attribute that will be mapped to the rule(s) here. This is the field that Kapost will examine for a specific attribute value that is set within the attribute values section.
Attribute Values: In the attribute values text box, add the comma-separated values that will be used to assign the instance, role, and/or group to members.
Example of Attribute Name and Attribute Values: If attribute name is set to the value "groups" and the attribute values contain the following options: "testing, marketing, admins", this rule will be triggered if your SSO profile contains the attribute "groups" and there is a value of "admins" within the "groups" attribute, indicating that you are a member of one of these groups.
Instance: This field is visible on all instances, however on Org instances, this allows you to apply rules specifically to individual child instances.
Role: This field allows you to assign a membership role for any users matching this attribute rule.
Membership Groups: This field allows you to assign users to a membership group for any users matching this attribute rule.
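The following is an added example, not Kapost's code, of how the rule settings above combine at SSO login time: a rule triggers when the named attribute carries at least one of the comma-separated values, matched rules replace the user's manual groups (the override note above), rules only run at login, and a user with no matching rule keeps their current membership or, if new, gets the default role. The rule list, attribute dict and the precedence used when several rules match (later rule's role wins, groups are combined) are assumptions for illustration; the page does not specify multi-rule precedence.

```python
"""Evaluate Instance Membership Rules against the attributes in a SAML response.
Added example, not Kapost code. Field names mirror the Kapost settings page;
the data structures and multi-rule precedence are assumptions."""

# Constructed SAML attributes: name -> list of values (a SAML Attribute may carry
# several AttributeValue elements, so every attribute is modelled as a list).
SAMPLE_ATTRIBUTES = {
    "email": ["alice@example.test"],
    "groups": ["marketing", "admins"],
}

# Hypothetical rule set; each rule has the page's fields: Attribute Name,
# Attribute Values (comma-separated, as typed into the box), Instance, Role,
# Membership Groups. Instance and group names are placeholders.
RULES = [
    {"attribute_name": "groups", "attribute_values": "testing, marketing, admins",
     "instance": "marketing-instance", "role": "Editor", "groups": ["Content Team"]},
    {"attribute_name": "groups", "attribute_values": "admins",
     "instance": "marketing-instance", "role": "Admin", "groups": ["Gallery Admins"]},
    {"attribute_name": "department", "attribute_values": "sales",
     "instance": "sales-instance", "role": "Contributor", "groups": ["Sales Collection"]},
]


def parse_values(text):
    """Split the comma-separated Attribute Values box into a set of clean tokens."""
    return {v.strip() for v in text.split(",") if v.strip()}


def rule_matches(rule, attributes):
    """A rule triggers when the named attribute is present in the SAML response
    and at least one of its values appears in the rule's Attribute Values."""
    present = set(attributes.get(rule["attribute_name"], []))
    return bool(present & parse_values(rule["attribute_values"]))


def apply_membership_rules(attributes, rules, instance, current, default_role, enabled=True):
    """Compute a user's membership for one instance at the moment of SSO login.

    current      - existing membership {"role": ..., "groups": [...]} or None for
                   a user who has no membership in this instance yet
    default_role - the page's "Default Role for auto-created users"
    enabled      - the "Enable Membership Rules" checkbox
    Returns the membership that should be stored for this login."""
    if current is None:
        # New (auto-created) user or existing user without this instance:
        # start from the default role, with no groups.
        current = {"role": default_role, "groups": []}
    if not enabled:
        return current
    matched = [r for r in rules if r["instance"] == instance and rule_matches(r, attributes)]
    if not matched:
        # No rule applies: nothing is touched, manual groups survive.
        return current
    role = current["role"]
    groups = []  # rule groups REPLACE the current groups, they do not add to them
    for rule in matched:  # assumption: later matching rules take precedence for role
        if rule.get("role"):
            role = rule["role"]
        groups.extend(g for g in rule.get("groups", []) if g not in groups)
    return {"role": role, "groups": groups}


if __name__ == "__main__":
    before = {"role": "Viewer", "groups": ["Manually Added"]}
    print(apply_membership_rules(SAMPLE_ATTRIBUTES, RULES, "marketing-instance", before, "Viewer"))
```

The run at the bottom shows the override behaviour: alice's manually added group disappears because a rule with groups matched, and if the identity provider later drops "admins" from her `groups` attribute, the next SSO login recomputes her membership down to the Editor rule alone.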
SSO with Org Instances and Child instances
If you have multiple Kapost instances (child instances), under one Organization instance, enabling SSO on the Org instance will also enable SSO on the child instances underneath this Org.