Single Sign On, or SSO, lets you log into all of your apps at once, including Kapost, when you log into your company's network. Please note that SSO is only available for Enterprise customers, and Kapost only supports SAML-based identity providers.
To configure Single Sign On, go to Settings -> Single Sign On. Enable Single Sign On by checking the box at the top.
Choose a member role from the dropdown menu for auto-created users. You can always change the member role once the user is in Kapost.
Your IT contact will configure your Kapost SSO with whatever service your company uses to handle this feature, and to do so he or she will need to know which URLs to connect to. These are the SAML Consumer URL and the SAML Metadata URL, and you can find them on your Single Sign On page.
Next, your IT person needs to find your SAML 2.0 endpoint and enter it into the relevant field. This is the web address that the service you use to handle your SSO (your identity provider) uses to log you into your company network.
We also need a way to verify any login request we get. We do this using either your SHA1 Fingerprint or your X.509 Certificate, either of which you can paste into the relevant field. Make sure you use the drop-down menu to choose which item you are pasting into the field.
You also need to specify the label/attribute you use to identify the username. First, specify whether you use a full name username or a first name-last name username. Your IT person should know this info.
The last thing you need to do is specify where you would like to be redirected after logging out. To do this, enter the URL you would like to be redirected to in the field labeled "Logout URL."
- The user account format Kapost uses is email
- If possible, we would like SSO to be enabled BEFORE you invite users.
Organizations & Memberships
If you have several instances and need to control which ones users will have access to when they log in, you can use the "Instance Membership Rules".
First, you'll need to check the box to enable membership rules. Then, specify the attribute name that your SSO provider will be using to provide the list of groups. Finally, you can specify as many rules as you like.
Choose which instance the rule will apply to, and what role you'd like the users to have. Then, provide a comma-separated list of group names that should match the groups provided by your SSO provider.
For example, if your SSO provider will be sending groups like "instance1-admin", "instance2-contrib" for a particular set of users, you can create rules to match those group names like this:
Then, whenever a user logs in, they will have memberships created at those instances according to the rules.
- If a user's groups change at the SSO provider, or you make a change to these rules, such that the rules no longer match, then the memberships that previously matched will also be removed. If no rules match, then all the user's memberships will be removed.
- The memberships for a user are only updated when the user logs in. If you make a change to the SSO provider, and then view the Kapost memberships, the change will not be reflected right away. Have the user log in first, and then the membership should be listed.
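An added illustration (not Kapost's code) of the membership behavior the two notes above describe, useful for dry-running a rule or group change before it takes effect at a user's next login. The function names, data shapes, role names, exact case-sensitive matching, and the first-rule-wins tie-break are assumptions.

```python
# Illustrative model only; not Kapost code. Names and data shapes are assumptions.

def parse_groups(text):
    """Split a comma-separated group list as typed into a rule, trimming blanks."""
    return {g.strip() for g in text.split(",") if g.strip()}

def match_rules(rules, sso_groups):
    """Return {instance: role} for every rule sharing a group with the user.

    Assumptions: names compare exactly (case-sensitive) and, if two rules
    target the same instance, the first one listed wins.
    """
    matched = {}
    for instance, role, group_list in rules:
        if parse_groups(group_list) & set(sso_groups):
            matched.setdefault(instance, role)
    return matched

def apply_login(memberships, rule_managed, rules, sso_groups):
    """Recompute memberships at login, following the two notes above.

    memberships  -- {instance: role} before this login
    rule_managed -- instances whose membership came from an earlier rule match
    Returns (new_memberships, new_rule_managed, removed_instances).
    """
    matched = match_rules(rules, sso_groups)
    if not matched:
        # No rule matches: every membership is removed.
        return {}, set(), sorted(memberships)
    # Drop memberships an earlier rule match created but no rule grants now.
    stale = {i for i in rule_managed if i not in matched}
    kept = {i: r for i, r in memberships.items() if i not in stale}
    kept.update(matched)
    return kept, set(matched), sorted(stale)

# Constructed sample: instance and role names are made up for illustration.
RULES = [
    ("Instance 1", "Admin", "instance1-admin"),
    ("Instance 2", "Contributor", "instance2-contrib, instance2-writers"),
]

if __name__ == "__main__":
    state, managed = {}, set()
    for groups in (["instance1-admin", "instance2-contrib"],  # first login
                   ["instance1-admin"],                       # dropped from a group
                   ["unrelated-group"]):                      # nothing matches
        state, managed, removed = apply_login(state, managed, RULES, groups)
        print(groups, "->", state, "removed:", removed)
```

Because changes only apply at login, the output for a given user reflects what they will have after their next sign-in, not what Kapost lists right now.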
If you have any questions, don't hesitate to email support at kapost.com