How to Set Up Single Sign-On (SSO) for the Kaiterra Web App

Note: Single Sign-On is available for Kaiterra Subscription users only. If you are not a Kaiterra Subscription user and require SSO, please contact your sales representative for more information.

Single Sign On (SSO) allows users to log in to 3rd party applications or websites using an Identity Provider (IdP).

Security Assertion Markup Language (SAML) is a security standard for managing authentication and access.

Kaiterra supports SAML 2.0 and acts as the Service Provider (SP).

This article describes the SAML configuration process for both IdP-initiated and SP-initiated login flows.

Overview

SAML allows your users to sign in to a Service Provider (SP), such as Kaiterra, using your enterprise SSO Identity Provider (IdP) instead of their email and password.

Your organization can run its own SAML server to authenticate users. You control password strength, two-factor authentication, and access for all of your SAML-enabled SaaS apps in one place.

Requirements

SAML authentication has the following requirements:

SAML SSO Access enabled on your current Kaiterra subscription
A SAML Admin that is able to manage your IdP configuration

Configure SAML SSO

SAML SSO is enabled for Kaiterra subscription customers. Each IdP has different steps for setting up its platform and for extracting and uploading metadata. Refer to your IdP for specific instructions on how to add Kaiterra as an SP.

This is what Kaiterra needs from your IdP:

IdP Entity ID: This lets us know which identity provider you are using

IdP SSO Target URL: Kaiterra uses this link to connect to your identity provider when someone from your organization attempts to log in via SAML SSO

Signing Certificate: This is also known as an X.509 certificate. Kaiterra will use this to verify your organization via your IdP

Setting up SAML SSO in Kaiterra

Log in to Kaiterra and head to your Organization Settings page. If your Kaiterra subscription is enabled and you are an administrator, you will see a tab called “SSO”.

If you do not see this page, you are either A) not on a Kaiterra Subscription or B) not an administrator. For A, contact your sales representative for more information; for B, contact your Kaiterra Web App Account Administrator for proper credentials.
Enter the details from your identity provider:
1. IdP Entity ID
2. IdP SSO Target URL
3. Your Identity Provider X509 Certificate as raw text
Check the “Enabled” checkbox. This will enable SSO for your entire organization.

Note: If you want to make SSO mandatory, also check the “Login with SSO only” checkbox.

Important: It is common for our customers to give 3rd party contractors guest accounts for installing Air Quality monitors. Since contractors don’t typically have an email associated with your Organization, they would not be able to log in if you have made SSO login mandatory.

If you would like to add 3rd party guests to your account, leave “Login with SSO only” unchecked.

Add Kaiterra to your Identity Provider

To add Kaiterra as a Service Provider with your Identity Provider, you will need:

The SP ACS URL (the re-direct your IdP will use after authentication)
"Organization Settings" --> "SSO" --> "Service Provider URL"
The SP Entity ID
This is the ID found at the end of the "Service Provider URL"
The SP Signing Certificate

For Azure Active Directory users, refer to our Azure Active Directory Setup Guide