Add a SAML 2 IDMS
SAML 2.0 provides authentication between a service provider and an identity provider. Kion is the service provider that will use your identity provider (Azure AD, Okta, OneLogin, PingFederate, Google, etc.) to authenticate users to the application.
These instructions assume the Kion (service provider) URL is https://Kion.example.com and the identity provider URL is https://idp.domain.com. When you see these example URLs, replace them with the URLs specific to your environment.
Obtaining Information from your Identity Provider
Before creating a SAML IDMS in Kion, you must obtain the following information from your identity provider. This process varies from provider to provider. See your specific identity provider's help documentation for more information.
- Generate the metadata from the identity provider. This should not require any information from Kion.
- Generate a new application in the identity provider. The information required from Kion will typically be the Service Provider Issuer and the Service Provider ACS URL.
Creating a New SAML IDMS in Kion
Once you have obtained the metadata and created a new application in your identity provider, you can create a new SAML IDMS in Kion. This process involves entering information about your identity and service providers, configuring connection options, configuring assertion mapping, adding validation and access rules, and creating user group associations.
To create a new SAML 2.0 IDMS in Kion:
- In Kion, navigate to Users > Identity Management Systems.
- Click Add New.
- For the IDMS Type, select SAML 2.0.
The following sections describe how to configure your SAML 2.0 IDMS. Unless marked otherwise, all of the following configurations are required.
- For the IDMS Name, enter a name to describe the IDMS. Users see this name when selecting the IDMS on the Kion login page.
- For the Identity Provider Issuer, enter the URL that will issue the SAML 2.0 security token (https://idp.domain.com). This is typically known as the Entity ID for the identity provider and it can be found in the metadata.
- For the Identity Provider Metadata, paste in the metadata from the identity provider. It should be in XML format.
- For the Service Provider Issuer, enter the Kion URL. Typically, this value will end in 1 and doesn't need to be changed (https://Kion.example.com/api/v1/saml/auth/1). This value is the Entity ID for Kion.
- The Service Provider ACS URL automatically populates the callback URL (https://Kion.example.com/api/v1/saml/callback). This is the callback/redirect URL the identity provider should use when sending the SAML assertions to Kion.
If you need to reset this, click the Reset Service Provider ACS URL button, which will change the service provider ACS URL to match the current domain of your Kion environment.
- For the Service Provider Binding, leave the field as-is.
- (Optional) For the Audience URI, enter the SP Entity ID (https://Kion.example.com/api). If you see errors during initial configuration, set this to the same value as the Service Provider ACS URL.
- (Optional) For the Allowed Auth Context, enter an allowed value. This is the auth context from the specification that is required to log in to Kion (urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken).
- (Optional) For the Auth Context for Privilege Elevation, enter an allowed value that will provide the user with the ability to access the cloud console (urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI). If this field is blank, console access will not be limited by auth context.
- (Optional) For the Name ID Format, enter a format to use for name IDs (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). This is the first field you should try changing when testing.
- If requests are signed, enable Should Sign AuthN Requests.
- Enable the Enable Single Logout option to automatically invalidate and end the SAML session when a user logs out of Kion.
- Enable the Enable Custom Login URL option to direct users to log in using an external URL. Once enabled, add your custom URL in the Custom Login URL field.
- Select a Canonicalizer.
- For the First Name, enter the field from the IDP that will be mapped to the user first name (first_name).
- For the Last Name, enter the field from the IDP that will be mapped to the user last name (last_name).
- For the Email, enter the field from the IDP that will be mapped to the user email (email).
- (Optional) For the Phone Number, enter the field from the IDP that will be mapped to the user phone number.
- For the Username field, enter the field from the IDP that will be mapped to the user username (username).
Validation and Access Rules
Create Validation Rules and Access Rules as necessary. Each rule reads a SAML assertion by name and applies a regular expression to the value of that assertion; the regex evaluates to either true or false.
- Validation Rules. Control which users can log into Kion via SAML assertions. If any of the expressions returns false, the user cannot log into Kion.
- Access Rules. Set the level of console access available to users via SAML assertions. If no access rules are specified, then all users have Full Access. If any access rules are specified, the default for all users becomes No Access.
- Full Access. Users may use cloud access roles to access the cloud consoles. This access only applies to cloud access roles, not other functions within Kion.
- Restrict Console Access. Users can log in and use the Kion application, but they cannot access any cloud consoles.
This is useful if you have a SAML provider that allows users to log in with a SmartCard instead of a password. Typically, users with a SmartCard would be granted Full Access while users with just a password would be granted Restrict Console Access.
- No Access. Users are not allowed to log into Kion.
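To make the assertion mapping, the Validation and Access Rules, and the Auth Context for Privilege Elevation described above concrete, here is an added Python example (not Kion's own code) that evaluates a constructed SAML assertion the way the sections describe. It assumes regex search semantics, that the first matching access rule wins, and that signature, issuer and audience checks have already been done before any attribute is trusted.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FULL, RESTRICT, NONE = "Full Access", "Restrict Console Access", "No Access"

# Constructed sample assertion (not from a real IdP). Signature, issuer and
# audience checks are assumed to have passed before any attribute is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>
  urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
 </saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="username"><saml:AttributeValue>ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>cloud-admins</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    # Returns ({assertion name: [values]}, AuthnContextClassRef text).
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    ctx = root.find(".//saml:AuthnContextClassRef", NS)
    return attrs, (ctx.text.strip() if ctx is not None and ctx.text else "")

def rule_matches(attrs, name, pattern):
    # True when the regex matches any value of the named assertion (search semantics assumed).
    return any(re.search(pattern, v) for v in attrs.get(name, []))

def evaluate(xml_text, mapping, validation_rules, access_rules, elevation_ctx=""):
    """mapping: Kion field -> IdP attribute; validation_rules: (name, regex);
    access_rules: (name, regex, level). Returns (user dict or None, level)."""
    attrs, authn_ctx = parse_assertion(xml_text)
    user = {field: (attrs.get(src) or [None])[0] for field, src in mapping.items()}
    if None in user.values():  # a mapped user field is missing from the assertion
        return None, NONE
    if not all(rule_matches(attrs, n, p) for n, p in validation_rules):
        return None, NONE  # any validation rule returning false denies login
    # No access rules: everyone gets Full Access. With rules, the default is
    # No Access and the first matching rule sets the level (assumed ordering).
    level = next((lvl for n, p, lvl in access_rules if rule_matches(attrs, n, p)),
                 FULL if not access_rules else NONE)
    # Privilege elevation: Full Access to consoles requires the configured
    # AuthnContextClassRef; a blank value leaves console access unlimited.
    if elevation_ctx and level == FULL and authn_ctx != elevation_ctx:
        level = RESTRICT
    return (user if level != NONE else None), level
```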
User Group Associations
Automatically add users to user groups in Kion based on SAML assertions. This is useful for dynamically determining user permissions. For more information, see SAML User Group Associations.
Service Provider Icon
You can upload a custom icon to show on the login screen next to this IDMS.
You can also select if you would like to hide this IDMS as an option on the login page.