SSO Integration Steps

Kevel customers work with Kevel support in order to set up and configure Single Sign On.

This page provides an overview of the steps you will need to take in order to prepare for a successful SSO integration. These instructions will work for any identity provider (IdP) that supports SAML 2.0.

First steps

Before setting up the Kevel app/integration in your identity provider, you will need to take the following steps:

  • If you have already created users via the Kevel UI or API, confirm that their email addresses all match the corresponding user's email address in your identity provider. (If you need assistance with this step, let us know. We're happy to help!)

    • If there are any email addresses on our side that don't match the email address that you have on your side, please contact Kevel to update them so that the users will be linked correctly.
  • Determine which network(s), if any, you would like users to automatically have access to when they are added to Kevel from within your IdP. Communicate this preference to Kevel.

Integrating your identity provider with Kevel using SAML 2.0

In your identity provider, create an app/integration that will allow your users to log into Kevel.

📘

Note

If you want your Kevel app/integration to have a logo, you can download the Kevel logo here.

  • Configure the following endpoint for SAML 2.0 POST binding in your SAML identity provider:

    • https://auth.kevel.co/saml2/idpresponse
  • Provide the SP URN / Audience URI / SP Entity ID, with this value:

    • urn:amazon:cognito:sp:us-east-1_Ml1DytqrI
  • Provide attribute values for email and name, using these attribute names:

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    • Both attributes are required. Kevel uses the values of these attributes to create a user in our system with the same email address and name.
  • Send Kevel a public URL that points to the metadata document—this URL must be globally accessible from the public internet. Here are directions for locating your metadata document for major IdPs:

Identity ProviderWhere to find metadata document
Microsoft Active Directory Federation Services (AD FS)The SAML metadata document for your ADFS federation server can be found at the following address: https://<yourservername>/FederationMetadata/2007-06/FederationMetadata.xml.
OktaOnce you have configured Kevel as an application in Okta, you can find the metadata document in the Admin section of the Okta dashboard. Choose the application, select the Sign On section, and look under the Settings for SAML for a link labeled "Identity Provider metadata".

The URL should look like https://<your-domain-prefix>.okta.com/app/<application-id>/sso/saml/metadata.
Auth0In the Auth0 dashboard, choose Clients, and then choose Settings. Scroll down, choose Show Advanced Settings, and then look for your SAML Metadata URL.

The URL should look like https://<your-domain-prefix>.auth0.com/samlp/metadata/<your-auth0-client-id>.

Testing & validation

After you provide Kevel with the information above, we will provide you with a URL that you can use to test that the SSO integration is working so that your users will be able to log into Kevel successfully.

If everything is set up correctly, you will see a message telling you that authentication was successful, and to contact Kevel to finish the setup process. Kevel will then enable SSO for your organization.

User access

You should ensure that your IdP is appropriately configured to allow users to log into Kevel. For example, this may require you to configure a Kevel application in your IdP and assign the desired users or groups to it.

Kevel does not support IdP-initiated sign on. That is, you will not be able to click on the app icon or "tile" on your IdP account (e.g. Okta) to start the authentication process. Instead, you will need to initiate single sign on by going to your organization's sign in URL: https://app.kevel.co/?orgcode=yourorgcode

If your SSO provider supports configuring a "bookmark" or "secure web authentication (SWA)" app, you can workaround this limitation by doing the following:

  • Hide the app icon to users for the configured Kevel SAML SSO app
  • Configure a bookmark / SWA for https://app.kevel.co/?orgcode=yourorgcode, where yourorgcode is generally the name of your organization. Ask your Kevel account manager if you aren't sure what your organization code is
  • Assign the configured bookmark / SWA to the same users/groups that have been assigned the Kevel SAML app

User roles

Users accessing Kevel for the first time will be granted Read-only permissions. Users with Admin permissions can manage permission levels of new users as needed. Learn more about User Permission Levels.