Appendix - Azure Active Directory configuration: How to configure Kiuwan as Service Provider


You must configure your IdP (Azure AD) so it recognizes Kiuwan as an SP (Service Provider).


In Azure AD, you should create an Enterprise Application (Kiuwan SSO, in this example).

To do it, select Azure Active Directory >> Enterprise applications and click on New application.




Select Non-gallery application, fill in the app name (Kiuwan SSO in our example) and click the Add button.



Once created, you will see a page like this.

 



Next, you will need to add the users that will be allowed to log in to the Kiuwan SSO application.

 


Select the users from your Azure Active Directory that will be allowed to log in to the Kiuwan SSO application.






Now that at least one user has been added, you need to configure Single sign-on.



First, you need to export the Azure Active Directory metadata and import it to Kiuwan.


To export AAD metadata, click the Download link next to Federation Metadata XML.


 

 

Info: The downloaded XML file needs to be imported into your Kiuwan account, as shown before.

After importing the AAD metadata into Kiuwan, your Kiuwan account will be ready to generate its own metadata, which you will then import into AAD.

 

 

To export Kiuwan metadata, go to Account Management >> Organization, where you will see the URL to download the Kiuwan metadata.


 

Just type the URL in a browser and save the content as an XML file.



 

Info: Now you can import (upload) the Kiuwan metadata XML file into AAD.


 

Once uploaded, click on Save.



Once done, you need to set your Claims policy. To do it, click on User Attributes & Claims.



Select Name identifier value and set up the policy that maps your AAD usernames to Kiuwan usernames.


In this example, we take the first part of the email address (the part before the @).

For example, an AAD user with email john.doe@domain.com will be mapped to john.doe when sent to Kiuwan.




Now you can test Single Sign-On with the Kiuwan SSO app. Just click the Test button.




Select the user (the current one or someone else).

 


 

Because you are already logged in to AAD (and therefore authenticated), you will be forwarded directly to the Kiuwan app.




 

 

 

  


Login from Kiuwan site


To log in at the Kiuwan site, you must go to the SSO URL (remember to set sso=on and set the domain).
You will be presented with the login page (without needing to type your credentials).



When you click on the Login button, you will be forwarded to the Azure login page:

 



 

Type your credentials (AAD will authenticate you) and, if successful, you will be logged in at the Kiuwan site.

 

 


 
Probably, you are wondering why you need to authenticate if you are already logged in at AAD.

This second authentication has been deliberately forced by Kiuwan, because IdPs (AAD, ADFS, etc.) very often send Kiuwan "old" auth tokens, making SSO fail.
To prevent this, Kiuwan forces the IdP to perform the authentication process and send Kiuwan a "fresh" token; that is the reason AAD asks you to authenticate.
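What the two points above look like on the Service Provider side, as an added example that is not Kiuwan's code: the forced re-authentication is expressed in SAML 2.0 by the ForceAuthn attribute of the AuthnRequest the SP sends to the IdP, and the SP then accepts the returned assertion only if its Conditions window is open and its AuthnInstant is recent, rejecting an "old" token instead of letting the login fail in an unexplained way. The same code applies the claims policy from the earlier section, mapping the e-mail NameID john.doe@domain.com to the username john.doe. The entity IDs, URLs and the sample assertion are constructed placeholders, and the example assumes the assertion's XML signature has already been verified with the certificate from the IdP metadata before these checks run.

```python
"""SP-side handling of a SAML login: request fresh authentication, then accept
the assertion only if it is current, and map its NameID to a Kiuwan username."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def _ts(value):
    """Accept a datetime or a SAML timestamp string such as 2024-05-01T10:00:00Z."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def kiuwan_username(name_id):
    """Claims policy from the text: keep the part of the e-mail address before
    '@' (john.doe@domain.com -> john.doe). Anything that is not an e-mail
    address is rejected rather than silently mapped to a surprising account."""
    local, at, domain = name_id.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"NameID is not an e-mail address: {name_id!r}")
    return local


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now):
    """AuthnRequest with ForceAuthn="true": the IdP must authenticate the user
    again instead of answering from an existing session. Built with ElementTree
    so that the values cannot inject markup into the request."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _ts(now).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ForceAuthn": "true",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def accept_assertion(xml_text, now, max_auth_age=timedelta(minutes=5),
                     skew=timedelta(seconds=60)):
    """Validity and freshness checks on an already signature-verified assertion.
    Returns (username, None) on success or (None, reason) on rejection."""
    now = _ts(now)
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no Assertion element"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    if now + skew < _ts(cond.get("NotBefore")):
        return None, "assertion not yet valid"
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        return None, "assertion expired"
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is None:
        return None, "missing AuthnStatement"
    age = now - _ts(stmt.get("AuthnInstant"))
    if age > max_auth_age:
        # The IdP answered from an old session rather than authenticating now:
        # this is the "old token" case the text describes.
        return None, f"stale authentication ({int(age.total_seconds())}s old)"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return None, "missing NameID"
    try:
        return kiuwan_username(name_id.text), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample assertion (unsigned, placeholder issuer) carrying only the
# fields the checks above read.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:05Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>john.doe@domain.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T11:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    print(build_authn_request("https://sp.example/metadata", "https://sp.example/acs",
                              "https://login.microsoftonline.com/TENANT/saml2",
                              "2024-05-01T10:00:00Z"))
    print(accept_assertion(SAMPLE_ASSERTION, "2024-05-01T10:01:00Z"))  # ('john.doe', None)
    print(accept_assertion(SAMPLE_ASSERTION, "2024-05-01T10:31:00Z"))  # stale: rejected
```

The five-minute max_auth_age is an assumed policy value, not Kiuwan's; the point is that an assertion whose AuthnInstant is much older than the request is the symptom the text describes, and with ForceAuthn set the IdP should never produce one. The clock-skew allowance only loosens the Conditions window, never the freshness check.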