Enabling Single Sign-On


KODE Labs platforms utilize industry standard procedures for active SSO integration. This allows corporations to integrate their existing authentication platforms with their KODE Labs organization in order to have SSO functionality.


If your KODE Labs workspace has SSO enabled, users will be able to log in to the organization with their corporate identity provider credentials instead of KODE Labs account credentials. This eliminates the need to log in through the normal process and enables secure access to your apps.

Available Sign-in Method Integration Functionalities 

KODE Labs allows IdP integration via the following methods:


  1. OpenID Connect Authentication (OIDC) 

  2. Security Assertion Markup Language (SAML)

Steps to enable SSO 

To enable SSO for your organization, you need the following:


  • Access to your identity provider’s configuration settings

  • Admin Role in your KODE Labs workspace


Set up SSO in Launchpad

To set up SSO for your organization with any IdP, follow these steps:


  1. Log in to KODE Launchpad, go to Sign-in Methods under the Company section, click + Add Sign-in Method, then select an existing Sign-in Method or add a custom one (OIDC or SAML).

  2. The required fields differ depending on the IdP you choose to add.

    1. In the Sign-in Method Name field, enter an SSO name of your choice.

      1. Note: The name must be unique and can’t be updated after it is saved.

    2. On the “Add Sign-in Method” page you will see the generated Assertion Consumer Service URL and other information such as SP Entity ID, Subject NameID Format, Protocol Binding, Signature Algorithm and Attributes Configuration.


You will need the above details to configure the KODE Labs app in your Identity Provider.


Setup KODE Labs app in your IdP
  1. Log in to your IdP account.

  2. Create a new application (or connector in some IdPs).

  3. In your IdP account settings, you need to provide the SSO Configuration details that you received from the Sign-in method in Launchpad (Set up SSO in Launchpad - above section).

  4. In your IdP, provide the following details:

    1. In the Single Sign-on URL field, provide the Assertion Consumer Service URL that was generated for your organization in KODE Launchpad.

    2. Use the Entity ID (generated in Launchpad) in your IdP in Audience URI, SP Entity ID, SAML Issuer ID, or fields similar to these.

    3. In the NameID Format, select or enter EmailAddress. This defines the parameter that your IdP should use to identify KODE Labs users. 

    4. In the Signature Algorithm field select RSA-SHA256.

    5. For Protocol Binding field select HTTP-POST.


  5. Under Attribute Mapping add the following attributes. If you want to map IdP groups/roles to KODE Labs roles, you need to add a new attribute called “roles” under Attribute Mapping, and return your IdP users’ roles or groups to KODE Labs - Launchpad.

    1. For SAML IdP:

      1. firstName attribute

      2. lastName attribute

    2. For OIDC IdP:

      1. firstName claim

      2. lastName claim

    3. Return the below information to KODE Labs:

      1. roles claim for OIDC IdP

      2. roles attribute for SAML IdP

  6. Once you enter all the details and save your settings in IdP, you should receive IdP Single Sign-On URL and x509Certificate or MetaData file.



Configure IdP Details in KODE Launchpad
  1. Go back to “Add Sign-in Method” page in Launchpad.

  2. In the Upload MetaData field, upload the MetaData file, or:

    1. In the IdP URL field, paste the IdP Single Sign-On URL that you received from IdP (Step 6 - Setup KODE Labs app in your IdP).

    2. In the Certificate field, upload the x509Certificate that you received from your IdP.

  3. Fill in the Attributes Configuration.

  4. Click Save to save IdP configuration.

Security Assertion Markup Language (SAML)

SAML Required Fields

| Parameter Name | Type | Description |
|---|---|---|
| IdP Entity ID | Set by Client | A public unique identifier of the active directory |
| IdP URL | URL | Location to which KODE OS will send SAML requests to and where users will authenticate |
| x509Certificate | .pem or .der | A public certificate used to validate the digital signature of provider’s SAML responses |


OpenID Connect Authentication (OIDC) 

OIDC Required Fields

| Parameter Name | Type | Description |
|---|---|---|
| OpenID Well-Known URL | URL | The authentication URL of the active directory instance |
| Client ID | Hex String | A public identifier of the active directory application |
| Client Secret | Set by Client (Commonly a 256-bit value) | A secret generated by client for authorization between KODE OS and active directory platform |


KODE OS User Role Mapping

With active directory integration, client user authentication occurs on the active directory platform, and KODE Labs also allows client user permissions to be passed through automatically as part of the integration. This requires some configuration as part of the integration; the parameters are listed in the table below.

This is not a requirement: user permissions can be set natively on KODE OS, independent of the manner of user authentication.

| Field | Description |
|---|---|
| First Name | What is the callback field in integration that specifies the first name of a user? |
| Last Name | What is the callback field in integration that specifies the last name of a user? |
| Role | What is the callback field in integration that specifies the role of a user? |
| Role Name Mapping | If roles are not native to KODE OS, what is the mapping of user roles to KODE’s own set of roles? |


Configuring Role Mapping

Before you add new role mappings, you must add the “roles” attribute in the “Attribute Mappings” section in your IdP, and then return the information to KODE Labs.

After enabling IdP Role Mapping, the role management (in KODE Labs) for the users of your IdP will be handled from your IdP, instead of from KODE Labs.

You can manage your role mappings by adding the ability to Create, Update and Assign users to buildings on login.



  1. Create user on first login

    1. To allow automatic user creation on first login, enable the toggle button

      1. Fill in the First Name attribute, Last Name attribute and Roles attribute

  2. Default Role

    1. Enable the toggle button to set the role for users who have no role mapped in this Sign-in Method. Other roles can be added after you save the Sign-in Method

      1. Click on + Assign Role(s) button

      2. Choose the Launchpad Role (required)

      3. Choose myMSI and KODE OS role (optional)

      4. Click on Assign Role(s)

  3. Update user role on login

    1. Enable the toggle button to change user roles when they log in

      1. This means that the existing roles assigned to the users will be overridden by the roles assigned to IdP groups

  4. Site Mapping

    1. Enable the toggle button to allow access to the site's map. You can add more after you save the Sign-in Method

Technical Support & Experience

KODE Labs works with the client to configure the active directory integration as is needed for a seamless integration and experience for end users. KODE Labs has already integrated with the following commonly found active directory / identity management platforms:


  1. CyberArk

  2. Azure Active Directory (Azure AD)

  3. Okta

  4. Auth0

  5. JumpCloud


To edit SSO configuration:

  1. Log in to KODE Launchpad

  2. Go to the Sign-in Methods under Company section

  3. Select the SSO application that you want to modify from the list of applications listed

  4. The Sign-in Method page appears.

  5. Click the edit icon at the top right of the SSO details section.

  6. The Edit Single Sign-On page appears.

  7. Update the configuration as needed.

  8. Edit the attribute fields (for example SP Entity ID, IdP URL or IdP Entity ID)

  9. Update and Upload

    1. the metadata which will autofill all of the required fields or enter the information manually.

    2. the signing certificate that is used to encrypt the SAML assertion

  10. Click Save to save the changes. If you want to discard your changes, click Cancel instead.







