How to Set Up Single Sign-On (SSO) for the Kaiterra Web App

Note: Single Sign-On is available for Kaiterra Subscription users only. If you are not a Kaiterra Subscription user and require SSO, please contact your sales representative for more information.

Single Sign-On (SSO) allows users to log in to third-party applications or websites using an Identity Provider (IdP).

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider.

Kaiterra supports SAML 2.0 and acts as the Service Provider (SP).

This article describes the SAML configuration process for both IdP-initiated and SP-initiated login flows.

Overview

SAML allows your users to sign in to a Service Provider (SP), such as Kaiterra, using your enterprise SSO Identity Provider (IdP) instead of their email and password.

Your organization can run its own SAML server to authenticate users. You control password strength, two-factor authentication, and access for all of your SAML-enabled SaaS apps in one place.

Requirements

SAML authentication has the following requirements:

  • SAML SSO Access enabled on your current Kaiterra subscription
  • A SAML Admin that is able to manage your IdP configuration

Configure SAML SSO

SAML SSO is enabled for Kaiterra subscription customers. Each IdP has different steps for setting up its platform and for extracting and uploading metadata. Refer to your IdP for specific instructions on how to add Kaiterra as an SP.

This is what Kaiterra needs from your IdP:

  • IdP Entity ID: The unique identifier of your identity provider. Kaiterra uses it to tell which IdP issued an assertion
  • IdP SSO Target URL: The IdP login endpoint Kaiterra redirects users to when someone from your organization attempts to log in via SAML SSO
  • Signing Certificate: Your IdP's X.509 certificate (its public key). Kaiterra uses it to verify the signature on the assertions your IdP issues, so that only your IdP can vouch for your users

Setting up SAML SSO in Kaiterra

  1. Log in to Kaiterra and head to your Organization Settings page. If your Kaiterra subscription is enabled and you are an administrator, you will see a tab called “SSO”.

    If you do not see this page, you are either A) not on a Kaiterra Subscription or B) not an administrator. For A, contact your sales representative for more information; for B, contact your Kaiterra Web App Account Administrator for proper credentials.
  2. Enter the details from your identity provider:
    1. IdP Entity ID
    2. IdP SSO Target URL
    3. Your Identity Provider's X.509 certificate, pasted as raw text
  3. Check the “Enabled” checkbox. This will enable SSO for your entire organization.

Note: If you want to make SSO mandatory, also check the “Login with SSO only” checkbox.

Important: It is common for our customers to give third-party contractors guest accounts for installing air quality monitors. Since contractors don’t typically have an email address associated with your organization, they would not be able to log in if you have made SSO login mandatory.

If you would like to add 3rd party guests to your account, leave “Login with SSO only” unchecked.

Add Kaiterra to your Identity Provider

To add Kaiterra as a Service Provider with your Identity Provider, you will need: 

  • The SP ACS URL (the Assertion Consumer Service URL your IdP will redirect users to after authentication)
    "Organization Settings" --> "SSO" --> "Service Provider URL"
  • The SP Entity ID
    This is the ID found at the end of the "Service Provider URL"
  • The SP Signing Certificate
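
The IdP values entered in the Kaiterra SSO tab and the SP values listed above are exactly the fields a Service Provider must compare against every SAML Response it receives. The following Python example is added here and is not Kaiterra's code: it checks an incoming Response's Destination, Issuer, Audience and validity window against those configured values. The URLs, entity IDs and the sample Response are constructed placeholders, and signature verification with the IdP certificate is left to a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What an administrator enters in the Kaiterra SSO tab and at the IdP (constructed values).
CONFIG = {
    "idp_entity_id": "https://idp.example.com/metadata",
    "sp_entity_id": "sp-abc123",
    "sp_acs_url": "https://app.example.com/saml/sp-abc123",
}

# A constructed SAML Response as the IdP would POST it to the SP ACS URL (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.example.com/saml/sp-abc123">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>sp-abc123</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 ending in Z; older fromisoformat needs +00:00 instead."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, config, now):
    """Return a list of mismatches between the Response and the configured SSO values."""
    # Production code should parse untrusted XML with defusedxml; ElementTree keeps this stdlib-only.
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != config["sp_acs_url"]:
        problems.append("Destination is not the SP ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    if assertion.findtext("saml:Issuer", "", NS) != config["idp_entity_id"]:
        problems.append("Issuer is not the configured IdP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions"]
    if cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS) != config["sp_entity_id"]:
        problems.append("Audience is not the SP Entity ID")
    window = (cond.get("NotBefore"), cond.get("NotOnOrAfter"))
    if None in window or not (parse_saml_time(window[0]) <= now < parse_saml_time(window[1])):
        problems.append("Assertion is outside its validity window")
    return problems
```

An empty list means the Response is bound to this SP and this IdP; any entry is a reason to reject the login before the user's attributes are even read.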

For Azure Active Directory users, refer to our Azure Active Directory Setup Guide.