Kinesis provides support for SSO to customers on request. All Kinesis SSO configurations are based on standard protocols and approaches, and utilise a Service Provider (SP) initiated approach.
Kinesis automatically provisions users via your SSO connection, but role assignment and all subsequent user administration are performed in-application. Kinesis regularly re-authenticates users against your identity provider, so any user you decommission there loses the ability to authenticate with Kinesis.
Kinesis partners with Auth0 to provide SSO connections and will support any of their Enterprise connection options; the most common connections are:
Google Workspace
SAML
Azure Active Directory
Google Workspace Configuration Requirements
Kinesis will provide you with the following to configure your systems:
Our authentication domain
Our redirect URI
You will need to configure an App and provide Kinesis with:
A client ID: Unique identifier for the OAuth client you register for Kinesis in your Google Cloud project. Provide the saved value of the Client ID for that registered Google application.
A client secret: String used to gain access to that registered Google application. Provide the saved value of its Client secret, and treat it as a credential: send it over a secure channel, not in plain email.
Google Workspace Domain: Google Workspace domain name for your organization.
SAML Configuration Requirements
The Security Assertion Markup Language (SAML) protocol is an open-standard, XML-based framework for authentication and authorization between two parties, in which the user's password is never shared with the service provider:
The service provider (SP) agrees to trust the identity provider to authenticate users.
The identity provider (IdP) authenticates users and sends the service provider a signed authentication assertion stating that a user has been authenticated.
Kinesis uses SAML for SP-initiated SSO. To configure a SAML connection:
Kinesis will provide you with:
The signing certificate for verifying our signed authentication requests to your identity provider.
Assertion Consumer Service URL, which will be:
https://kinesis.au.auth0.com/login/callback?connection=YOUR_ORGANISATION_CODE
Entity ID:
urn:auth0:kinesis:YOUR_ORGANISATION_CODE
Our request mechanism:
Protocol Binding: Signed HTTP-POST requests
Signed Request Algorithm: RSA-SHA256 (RSA-SHA1 available on request)
Signed Request Algorithm Digest: SHA256 (SHA1 available on request)
SHA-1 is deprecated for signatures and should only be requested for a legacy identity provider that cannot verify SHA-256.
Kinesis can provide a SAML metadata link for import, but only after the sign-in URL and signing certificate below have been provided.
You will need to provide Kinesis with:
Sign In URL: The Sign In (single sign-on) URL published by your IdP.
X509 Signing Certificate: The X.509 certificate your IdP uses to sign assertions, as a .pem or .cer file obtained from the IdP. If your IdP rotates this certificate, provide the new certificate to Kinesis before it takes effect, otherwise assertions will fail verification and sign-in will stop working.
The following attributes are used:
name
email
given_name
family_name
Kinesis can map these from your IdP's attribute names on request.
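The values an IdP administrator configures above (the ACS URL, the Entity ID and the attribute names) are exactly what the service provider checks in every SAML Response it receives. The following is an added example, not Kinesis or Auth0 code, showing those post-signature checks in Python against a constructed, unsigned sample response. The organisation code acme, the IdP issuer, the sample user and the mapping from common claim URIs to the four Kinesis attribute names are assumptions. XML Signature verification, the step that actually authenticates the IdP, is deliberately omitted because it needs an XML-Signature library; Auth0 performs it in the real connection, and none of the checks below mean anything on an unverified response.

```python
"""SP-side checks on a SAML Response, for a Kinesis-style SP hosted on Auth0.

Added example, not Kinesis or Auth0 code. The organisation code "acme", the
IdP issuer, the sample response and the claim-URI mapping are assumptions.
Signature verification is omitted (it needs an XML-Signature library); the
real SP performs it before any of the checks below are worth trusting.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

ORG_CODE = "acme"  # assumed; Kinesis issues the real organisation code
ACS_URL = f"https://kinesis.au.auth0.com/login/callback?connection={ORG_CODE}"
ENTITY_ID = f"urn:auth0:kinesis:{ORG_CODE}"
REQUIRED_ATTRIBUTES = {"name", "email", "given_name", "family_name"}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed mapping from the claim URIs many IdPs emit to the names Kinesis uses.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ATTRIBUTE_MAP = {
    CLAIMS + "name": "name",
    CLAIMS + "emailaddress": "email",
    CLAIMS + "givenname": "given_name",
    CLAIMS + "surname": "family_name",
}


def _attribute_xml(uri, value):
    return f'<saml:Attribute Name="{uri}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


# Constructed sample response: unsigned and reduced to the elements checked here.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      {_attribute_xml(CLAIMS + 'name', 'Jane Doe')}
      {_attribute_xml(CLAIMS + 'emailaddress', 'jane.doe@example.com')}
      {_attribute_xml(CLAIMS + 'givenname', 'Jane')}
      {_attribute_xml(CLAIMS + 'surname', 'Doe')}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, 30, tzinfo=timezone.utc)  # inside the validity window


def _parse_instant(value):
    """SAML instants are UTC with a trailing Z; None means the bound is absent."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, acs_url=ACS_URL, entity_id=ENTITY_ID, attribute_map=ATTRIBUTE_MAP):
    """Run the SP's post-signature checks; return the mapped attributes or raise ValueError.

    The error names the failed check, which is what you need when an IdP has been
    configured with the wrong ACS URL, Entity ID or attribute names.
    """
    root = ET.fromstring(xml_text)
    # 1. Addressed to our ACS URL, so a response captured for another SP cannot be replayed here.
    if root.get("Destination") != acs_url:
        raise ValueError(f"Destination {root.get('Destination')!r} is not our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if conditions is None:
        raise ValueError("response has no Assertion with Conditions")
    # 2. Inside the validity window the IdP set (an absent bound is unrestricted).
    not_before = _parse_instant(conditions.get("NotBefore"))
    not_on_or_after = _parse_instant(conditions.get("NotOnOrAfter"))
    if (not_before and now < not_before) or (not_on_or_after and now >= not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    # 3. Issued for our Entity ID; an assertion for another tenant's urn must be rejected.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        raise ValueError(f"Audience {audiences!r} does not include {entity_id!r}")
    # 4. Map the IdP's attribute names onto the four names Kinesis uses.
    attrs = {}
    for attribute in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attribute.find("saml:AttributeValue", NS)
        attrs[attribute_map.get(attribute.get("Name"), attribute.get("Name"))] = (
            value.text if value is not None else None)
    missing = REQUIRED_ATTRIBUTES - {k for k, v in attrs.items() if v}
    if missing:
        raise ValueError(f"assertion is missing attributes {sorted(missing)}")
    return attrs


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SAMPLE_NOW))
    # An assertion issued for another organisation's Entity ID must be rejected.
    other_tenant = SAMPLE_RESPONSE.replace(ENTITY_ID, "urn:auth0:kinesis:other-org")
    try:
        check_response(other_tenant, SAMPLE_NOW)
    except ValueError as err:
        print("rejected:", err)
```

Running the script prints the four mapped attributes for the sample and then the rejection of the same assertion re-targeted at another organisation's Entity ID. Each misconfiguration you can introduce in the sample (a Destination that is not the ACS URL, a NotOnOrAfter in the past, an attribute emitted under a name that is not in the mapping) produces a distinct error, which is the quickest way to diagnose an IdP that has been set up with the wrong values from the list above.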
Azure Active Directory Configuration Requirements
Azure Active Directory connections use OpenID Connect (OIDC). If you would prefer to connect Azure Active Directory over SAML, see the SAML configuration requirements above.
Kinesis will provide you with:
Our Redirect URI
You will need to configure an App and provide Kinesis with:
A client ID: Unique identifier for the application you register for Kinesis in Azure AD. Provide the saved value of the Application (client) ID for that app.
A client secret: String used to gain access to that registered Azure AD application. Provide the saved value of its Client secret over a secure channel. Azure AD client secrets have an expiry date; record it and provide Kinesis with a replacement before it lapses, otherwise sign-in will stop working.
Microsoft Azure AD Domain: Your Azure AD domain name. You can find this on your Azure AD directory's overview page in the Microsoft Azure portal.
SSO Configuration Process
Kinesis manages all SSO configuration internally. You will be asked to provide your email domain and the keys and URLs appropriate to your chosen connection type; Kinesis will configure the system accordingly and notify you when the configuration is ready to test. If you require immediate access, Kinesis-managed users can be used while this configuration is in progress.