SAML Authentication

What Are Some Advantages to SAML Integration?

SAML (Security Assertion Markup Language) is a standard for authenticating users against an enterprise-wide identity provider (IdP). Kindling supports SAML integration as a secure single sign-on (SSO) alternative to its native username-and-password authentication.

SAML integration leverages your existing User management infrastructure, so there is no separate User store to set up and maintain for Kindling. Once integrated, Kindling also follows your organization's Group assignments: permissions can be inherited directly from the Group claims in the SAML assertion.

SAML integration also lowers the barrier to entry for Kindling participants, who can log in without having to keep track of yet another username and password.

Does Kindling Support Service Provider (SP) Initiated SSO or Identity Provider (IdP) Initiated SSO with SAML?

Kindling supports both SP-initiated and IdP-initiated SSO. We strongly suggest SP-initiated authentication, because the links in Kindling's notification emails point to a Kindling URL, not to your IdP; with SP-initiated SSO, a participant who follows such a link is redirected to your IdP and returned to Kindling after authenticating. SP-initiated SSO also lets the service provider tie each SAML response to the authentication request it issued (via the InResponseTo attribute), a binding that an unsolicited IdP-initiated response cannot provide.

Does Kindling Support Just-in-time Provisioning with SAML?

Yes, Kindling supports JIT provisioning. When a participant logs into Kindling for the first time via SAML, a corresponding User account is created on the fly; Administrators do not need to create SAML Users in Kindling manually. JIT provisioning also means that each time a User logs in, Kindling picks up any changes made to that User's SAML attributes.

How Do I Set Up SAML Integration?

To set up SAML for your Kindling instance, our staff needs:

  • the public (X.509) certificate your IdP uses to sign SAML responses and assertions, sometimes labelled the IdP's "SSL" or "signing" certificate; Kindling validates signatures against it
  • the IdP's login (SSO) and logout (SLO) URL endpoints
  • the URL of the IdP's metadata
  • the name of the SAML service
  • the names of the User attributes to be mapped to Kindling: unique User ID, first name, last name, email address and Group affiliations, plus optionally department and location.

Your SAML integration staff will need the following, where (domain) is your Kindling instance's subdomain:

  • our SP metadata: https://(domain).kindlingapp.com/saml/module.php/saml/sp/metadata.php/clientIDP
  • our Login endpoint (Assertion Consumer Service URL): https://(domain).kindlingapp.com/saml/module.php/saml/sp/saml2-acs.php/clientIDP
  • our Logout endpoint (Single Logout URL): https://(domain).kindlingapp.com/saml/module.php/saml/sp/saml2-logout.php/clientIDP

Once those details are provided, Kindling will activate SAML for your account and have you test SAML authentication. If your IdP sits behind a firewall, that firewall must allow Kindling to reach the IdP (at minimum its metadata URL). Your IdP must sign either the SAML response or the SAML assertion (or both); the integration cannot be enabled without a signature on at least one of them, since that signature is what proves the assertion came from your IdP.

For OneLogin Users: If you use OneLogin for SAML, you do not need to provide a list of attributes; OneLogin's attribute names are standardized as UID, FirstName, LastName, Email, Groups, Department and Location. Additional integration instructions can be found in OneLogin's Help Center.

For Azure Users: If you use Microsoft Azure Active Directory for SAML, you do not need to provide a list of attributes. Azure's claim names are standardized as:

  • UID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  • First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Additional integration instructions can be found in the Microsoft Azure Active Directory documentation.

For ADFS Users: If you use ADFS as your SAML IdP, you will need to transform an incoming claim into the Name ID that Kindling uses as the unique User ID, by adding a claim rule to the Kindling relying party trust:

  1. Create a new claim rule using the 'Transform an Incoming Claim' template
  2. Name the claim rule in the Claim rule name field
  3. Select the Incoming claim type, for instance 'E-mail Address'; it must be a claim that your 'Send LDAP Attributes as Claims' rule already issues for the same relying party
  4. For Outgoing claim type, select 'Name ID'
  5. Select the Outgoing name ID format. Transient, persistent or email are all accepted, but tell us which one you chose so that we can configure your Kindling accordingly. Note that a transient Name ID is, by definition, a new opaque value for every session, so it cannot by itself serve as a stable unique User ID; if you choose it, make sure a stable attribute such as the email address is mapped as Kindling's unique User ID
  6. Select the 'Pass through all claim values' option
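The checks described in this setup section (a signature on the Response or the Assertion, an SP-initiated Response answering the SP's own request, the Name ID used as the unique User ID, and the Azure claim names mapped to profile fields) in working form, as an added example that is not Kindling's, Azure AD's or OneLogin's code. It parses a constructed Azure-style Response with the Python standard library. The Azure groups claim URI, the signature stub and all user values are assumptions, and only the presence of a Signature element is checked; real signature verification needs an XML-DSig library such as python3-saml and the certificate from the IdP metadata. Azure's UID claim (nameidentifier) arrives as the Subject NameID, which is where the function reads it; for OneLogin you would pass a map keyed on the plain attribute names listed above (FirstName, LastName, Email, Groups) instead of the Azure URIs.

```python
"""Parse a SAML 2.0 Response as an SP must before JIT-provisioning a User:
require a signature, bind the Response to our AuthnRequest (SP-initiated) and
map NameID plus attributes to profile fields. Added example, not Kindling's,
Azure AD's or OneLogin's code. Only the *presence* of a Signature element is
checked; verifying it against the IdP certificate needs an XML-DSig library
(e.g. python3-saml) and is left out, so never rely on this check alone."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Azure AD claim URIs from the page -> profile fields. The groups URI is an
# assumption (not listed on the page); it is the URI Azure AD uses for groups.
AZURE_ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups",
}
MULTI_VALUED, REQUIRED = {"groups"}, ("first_name", "last_name", "email")


class SamlResponseError(ValueError):
    """The Response fails one of the requirements the page states."""


def extract_profile(response_xml, attribute_map, expected_request_id=None):
    """Return the fields an SP would store, or raise SamlResponseError.
    expected_request_id is the ID of our AuthnRequest; None = IdP-initiated."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlResponseError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlResponseError("IdP did not return a Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlResponseError("no plaintext Assertion (EncryptedAssertion not handled)")
    # Page requirement: the Response or the Assertion (or both) must be signed.
    signed = [name for name, node in (("response", root), ("assertion", assertion))
              if node.find("ds:Signature", NS) is not None]
    if not signed:
        raise SamlResponseError("neither the Response nor the Assertion is signed")
    # SP-initiated SSO: the Response must answer the AuthnRequest we sent. An
    # unsolicited (IdP-initiated) Response carries no InResponseTo, so the SP
    # cannot bind it to a login it started.
    in_response_to = root.get("InResponseTo")
    if expected_request_id is not None and in_response_to != expected_request_id:
        raise SamlResponseError("InResponseTo %r is not our request %r"
                                % (in_response_to, expected_request_id))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlResponseError("no NameID to use as the unique User ID")
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    profile = {"uid": name_id.text.strip(), "nameid_format": fmt,
               # A transient NameID changes every session: unusable as a stable key.
               "uid_is_stable": fmt != TRANSIENT,
               "sp_initiated": in_response_to is not None,
               "signed": signed, "groups": []}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = attribute_map.get(attr.get("Name"))
        if field is None:
            continue  # an attribute the SP is not configured to store
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if field in MULTI_VALUED:
            profile[field] = values
        elif values:
            profile[field] = values[0]
    missing = [f for f in REQUIRED if f not in profile]
    if missing:
        raise SamlResponseError("assertion lacks mapped attribute(s): " + ", ".join(missing))
    return profile


# Constructed sample in Azure AD's claim naming; tenant, IDs, user values and
# the signature stub are made up (the stub stands in for a real XML-DSig).
SIGNATURE_STUB = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                  '<ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>')
SAMPLE_AZURE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    """ + SIGNATURE_STUB + """
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-8f3a</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><saml:AttributeValue>engineering</saml:AttributeValue><saml:AttributeValue>innovation-leads</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Calling extract_profile with expected_request_id=None is the IdP-initiated case: the Response is accepted but flagged sp_initiated=False, which is exactly the property that makes SP-initiated SSO preferable, since such a response cannot be tied to a login the SP started. A transient Name ID comes back with uid_is_stable=False, the case step 5 of the ADFS instructions asks you to report.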

Are there Any Options for Using SAML If I Don't Know How to Set It Up?

Yes. Kindling has partnered with OneLogin, an identity provider whose service integrates with your existing Active Directory or LDAP server. As part of our partnership, single sign-on setup and integration with Kindling is free of charge. For more information about using OneLogin, please see the OneLogin-Kindling Partner page.

How Do SAML Users Log In to Kindling?

Users visit the Kindling login screen where they click on a button at the top to log in with SAML.

If the user already has an authenticated session with your IdP, they are directed straight into Kindling; otherwise, the user is redirected to your IdP's authentication form, where they provide their SAML credentials before being returned to Kindling.

If SAML automatic login is enabled, SAML users who are logged into your IdP and try to access Kindling will bypass the login screen and be automatically logged into Kindling.

Can I Customize the SAML Login Experience?

Kindling Administrators can customize the text on the SAML login button by contacting the Kindling Support team.

A custom message can be added to the login screen, as well, to direct users to the SAML login. Learn more about customizing the login screen in this Kindling Academy article.

Administrators may also enable automatic login for SAML by contacting the Kindling Support Team. Once enabled, Kindling users who are logged into your IdP and try to access Kindling will bypass the Kindling login screen and be logged in automatically. Built-in authentication remains accessible at YourKindlingURL.kindlingtest.com/login; note that this path does not go through your IdP, so any native (non-SAML) accounts that remain still need strong, well-managed passwords.

What Information Does Kindling Retrieve from SAML Login?

Kindling stores the unique User ID, email address, first name and last name from the SAML assertion, as well as any Group affiliations. Kindling may also be configured to store participants' department and location.

How Do I Modify My SAML Setup?

To modify your SAML setup, have an administrator of your Kindling contact Kindling Support.

Do I Need to Take Any Action When I Add a New User to My SAML Server?

No. Once the User accesses Kindling and successfully authenticates against your SAML server, a new Kindling User account will be created for them automatically.

Do I Need to Notify Kindling If There Are Changes to a SAML User’s Attributes (E.G. Email Address)?

Any changes to a SAML User's attributes, such as a new email address or last name, are conveyed to Kindling the next time the User logs in with SAML. The only time you need to notify Kindling is when the Username or any other attribute that uniquely identifies the User changes, because that identifier is what Kindling uses to match a SAML login to the existing account.
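A minimal model of the just-in-time behaviour described here and under "Does Kindling Support Just-in-time Provisioning with SAML?" above, as an added example that is not Kindling's code. The in-memory store, field names and sample logins are assumptions; the profile dicts stand in for the output of a verified and mapped SAML assertion. It shows why ordinary attribute changes need no action (they are synced on the next login) while a change of the unique identifier does: matching is on that identifier alone, so a new value produces a second account rather than an update.

```python
"""JIT provisioning keyed on the SAML unique User ID, as an SP performs it on
every SAML login. Added example, not Kindling's code; the store, field names
and sample logins below are assumptions."""
from dataclasses import dataclass
from typing import Optional

SYNCED_FIELDS = ("email", "first_name", "last_name", "department", "location")


@dataclass
class User:
    uid: str                  # stable SAML identifier: NameID or the mapped UID attribute
    email: str
    first_name: str
    last_name: str
    groups: frozenset = frozenset()
    department: Optional[str] = None
    location: Optional[str] = None


class UserStore:
    """Minimal stand-in for the SP's User table, keyed on the SAML uid."""

    def __init__(self):
        self.by_uid = {}

    def jit_provision(self, profile):
        """Create the User on first login, otherwise sync the attributes the
        assertion carries. Returns (user, event) where event is "created",
        "updated:<fields>" or "unchanged".

        Matching is on uid alone. If the IdP starts sending a different uid
        for the same person, this creates a second account instead of
        updating the first, which is why an identifier change has to be
        coordinated with the SP rather than just rolled out on the IdP."""
        uid = profile["uid"]
        groups = frozenset(profile.get("groups", ()))
        user = self.by_uid.get(uid)
        if user is None:
            user = User(uid=uid, email=profile["email"], first_name=profile["first_name"],
                        last_name=profile["last_name"], groups=groups,
                        department=profile.get("department"), location=profile.get("location"))
            self.by_uid[uid] = user
            return user, "created"
        changed = []
        for name in SYNCED_FIELDS:
            # Optional fields are only touched when the assertion carries them.
            if name in profile and getattr(user, name) != profile[name]:
                setattr(user, name, profile[name])
                changed.append(name)
        if user.groups != groups:  # the assertion's Groups are the source of truth
            user.groups = groups
            changed.append("groups")
        return user, ("updated:" + ",".join(changed)) if changed else "unchanged"


# Constructed sample logins (values made up); in practice these dicts come
# from the verified SAML assertion.
FIRST_LOGIN = {"uid": "u-8f3a", "email": "ada@example.com", "first_name": "Ada",
               "last_name": "Lovelace", "groups": ["engineering"]}
AFTER_RENAME = {**FIRST_LOGIN, "last_name": "King",
                "groups": ["engineering", "innovation-leads"]}
AFTER_UID_CHANGE = {**AFTER_RENAME, "uid": "ada.king"}  # IdP switched identifiers


def demo():
    """Replay the four logins; returns the event per login and the account count."""
    store = UserStore()
    logins = (FIRST_LOGIN, AFTER_RENAME, AFTER_RENAME, AFTER_UID_CHANGE)
    events = [store.jit_provision(p)[1] for p in logins]
    return events, len(store.by_uid)
```

Running demo() gives one "created" event, an "updated:last_name,groups" event for the renamed User, "unchanged" for the repeat login, and a second "created" event for the identifier change, leaving two accounts for one person. That duplicate is the failure mode the paragraph above asks you to avoid by notifying Kindling before the identifier changes.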

Does Kindling Support Single Logout with SAML?

Yes, Administrators may choose to activate single logout by contacting the Kindling Support team.

By default, SAML Users who log out of Kindling are logged out of Kindling only and returned to the Kindling login screen; their IdP session remains active. If SAML SLO is enabled, logging out of Kindling also logs the User out of your IdP and returns them to your SAML login screen.