Kisi wordmark

HelpSpace

search
close

Try searching for

integrations

getting started

apple watch app

blinkup

arrow up arrow down

navigate

esc to close

SSO: Configuring Azure for use with Kisi

Updated

This content is being deprecated.
Please see our new Kisi Docs portal at docs.kisi.io
Relevant section: Azure Active Directory

SSO requires a Kisi Organization license. Please contact Kisi Support to learn more and upgrade your account.

Kisi supports SSO (Single Sign-On) with Microsoft Azure as a way of authentication for your Organization. Below are the steps to our self-service SSO configuration. You may also want to check our step-by-step tutorial on the Azure website.

Setting up SSO with Azure

To set up SSO, you must be the Kisi Organization Owner. For additional guidance on SSO setup, please refer to our Kisi API documentation.

  1. Sign in to Azure Portal
  2. On the left navigation pane, select the Azure Active Directory service.
    sso-azure-ad.png
  3. Navigate to Enterprise Applications and then select All Applications.
    sso-azure-ent-applications.png
  4. To add a new application, select New application.
    sso-azure-new-app.png
  5. In the Add from the gallery section, type Kisi Physical Security in the search box.
  6. Select Kisi Physical Security from the results panel and click on Create.
    sso-azure-kisi-app.png
  7. Wait a few seconds while the app is added to your tenant. Once the Kisi app is added, on the Kisi Physical Security application integration page, find the Manage section and select Single sign-on.
    sso-azure-kisi-app-sso.png

  8. On the Select a single sign-on method page, select SAML.
    sso-azure-saml.png

  9. On the Set up Single sign-on with SAML page, click on Edit under the Basic SAML Configuration.
    sso-azure-saml-edit.png

  10. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields:

    sso-azure-basic-saml.png

    • In the Identifier text box, type a URL using the following pattern: https://api.kisi.io/saml/metadata

    • In the Reply URL text box, type a URL using the following pattern: https://api.kisi.io/saml/consume/<DOMAIN>

       
      Every Organization in Kisi has a domain. It's an alphanumeric string that can also contain "-" character used to uniquely identify your organizations and required during signing in. If you do not remember your Kisi Domain, you can use Find My Organizations feature.

       

  11. Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode:
    • In the Sign-on URL text box, type a URL using the following pattern: https://web.kisi.io/organizations/sign_in?domain=<DOMAIN>

  12. Kisi expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration under User Attributes & Claims. The following screenshot shows the list of default attributes.

    sso-azure-attributes.png

  13. In addition to the above, Kisi application expects few more attributes to be passed back in SAML response which is shown below. These attributes are also pre-populated but you can review them as per your requirements.

    • FirstName - user.givenname
    • LastName - user.surname
    • Email - user.userprincipalname

  14. Under SAML Signing Certificate, copy the App Federation Metadata Url and save it on your computer.

    sso-azure-federation.png

Create an Azure AD test user

To create an Azure AD test user:

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. Fill in the Name field.
    2. In the User name field, the user email.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

To assign the Azure AD test user:

  1. In the Azure Portal, click on Azure Active Directory select Enterprise Applicationssso-azure-ent-applications.png

  2. Select All applications and click on the Kisi Physical Security app.
    sso-azure-kisi-app-physical-security.png

  3. In the app's overview page, find the Manage section and select Users and groups.

    sso-azure-kisi-users.png

  4. Select Add user/groupsso-azure-add-user.png

  5. In the Add Assignment dialogue, select the desired user(s) from the Users listsso-azure-assign.png

  6. If you're expecting any role value in the SAML assertion, in the Select Role field, select the appropriate role for the user from the list and then click the Select button at the bottom of the screen.

  7. Click the Assign button (at the bottom).

In Kisi:

  1. Sign in to your Kisi Organization account
  2. Under Setup, click on SSO & SCIM and paste the Metadata URL
    kisi-sso-setup.png
  3. Click Save

Provisioning and Deprovisioning Members with Azure (SCIM)

To configure SCIM (System for Cross-domain Identity Management) provisioning and deprovisioning of Kisi members, please follow the steps in this article.

Written by Joao,

Was this article helpful?
Have more questions? Submit a request

Related articles