
Integrate Kisi with Microsoft Entra ID SSO

info

This is a Kisi-built integration, maintained and supported by Kisi.

As a Kisi organization owner you can set up Microsoft Entra ID single sign-on (SSO) for your Kisi users. In addition to your SSO integration, you can:

Prerequisites

  • a Kisi organization owner account
  • a valid and activated SSO license

Before setting up the integration, ensure you are logged in as the Kisi organization owner and have a valid, activated SSO license. If these prerequisites are met and the SSO & SCIM option is still not visible on the dashboard, please reach out to Kisi Support for assistance.

Set up the integration in Microsoft Entra ID

  1. Sign in to your Microsoft Entra ID portal
  2. Navigate to Manage > Enterprise Applications and select All Applications
  3. Click on New application
  4. Start typing Kisi Physical Security in the search field
  5. Select Kisi Physical Security from the list and click on Create
  6. On the Kisi Physical Security application integration page navigate to the Manage section
  7. Click on Single sign-on
  8. When prompted to Select a single sign-on method, select SAML
  9. Under the Basic SAML Configuration section, click on Edit
  10. To configure the application in IdP-initiated mode, enter the following values:
    • In the Identifier field, type the following URL: https://api.kisi.io/saml/metadata
    • In the Reply URL field, type the following URL: https://api.kisi.io/saml/consume/<DOMAIN> (You can find your Kisi organization domain under Settings > General)
  11. If you want to configure the application in SP initiated mode, click Set additional URLs and in the Sign-on URL field type the following URL: https://web.kisi.io/organizations/sign_in?domain=<DOMAIN>
  12. Click Save
  13. Review the Attributes and Claims. Kisi expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration under User Attributes & Claims. Here is the list of default attributes:
      User attributes           Claims
      givenname                 user.givenname
      surname                   user.surname
      emailaddress              user.mail
      name                      user.userprincipalname
      Email                     user.userprincipalname
      FirstName                 user.givenname
      LastName                  user.surname
      Unique User Identifier    user.userprincipalname

  14. Under SAML Signing Certificate, copy the App Federation Metadata URL and save it on your computer

Set up the integration in Kisi

  1. Sign in to Kisi as the organization owner
  2. Under Settings, click on SSO & SCIM and paste the App Federation Metadata URL that you saved in the step above
  3. Click Save

Complete the configuration in Microsoft Entra ID

Before testing the SSO setup, make sure that relevant users and groups in Microsoft Entra ID are assigned to the Kisi application.

  1. In Microsoft Entra ID, navigate to your Kisi app
  2. Click on Manage > Users and Groups
  3. Click on Add user/group
  4. Search for users and groups and click Select
  5. Click Assign
info
  • For Microsoft Entra ID SSO to function properly, ensure that token encryption is disabled.
  • You don't need any additional encryption certificate to set up SSO on Microsoft Entra ID.
  • For more information, see Microsoft's tutorial on how to integrate Kisi with Microsoft Entra.
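
When a test sign-in fails, a quick way to compare what Microsoft Entra ID actually sent against the values configured above is to inspect the SAMLResponse captured from the browser's POST to the Reply URL. The Python below is an added example, not Kisi's or Microsoft's code; `check_saml_response`, `sample_response` and the domain `acme` are hypothetical names, the sample response is constructed, and the code assumes Entra ID sends the Reply URL as `Destination` and the Identifier as `Audience`.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDENTIFIER = "https://api.kisi.io/saml/metadata"         # Identifier from the page
REPLY_URL = "https://api.kisi.io/saml/consume/{domain}"  # Reply URL from the page
EXPECTED = {"givenname", "surname", "emailaddress", "name",
            "Email", "FirstName", "LastName"}            # attribute table from the page

def check_saml_response(b64_response, domain):
    """Return configuration findings for one base64 SAMLResponse ([] = consistent)."""
    # Diagnostic only: the XML signature is NOT verified here.
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find("a:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted: token encryption must be disabled"]
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]
    findings = []
    if root.get("Destination") != REPLY_URL.format(domain=domain):
        findings.append(f"Destination {root.get('Destination')!r} is not the Reply URL")
    audiences = {el.text for el in assertion.iterfind(".//a:Audience", NS)}
    if IDENTIFIER not in audiences:
        findings.append("Audience does not contain the Identifier")
    if assertion.find("a:Subject/a:NameID", NS) is None:
        findings.append("no NameID (Unique User Identifier)")
    # Compare on the last path segment so namespaced claim URIs also match.
    sent = {el.get("Name", "").rsplit("/", 1)[-1]
            for el in assertion.iterfind(".//a:Attribute", NS)}
    findings += [f"missing attribute {n}" for n in sorted(EXPECTED - sent)]
    return findings

def sample_response(domain, attrs, encrypted=False):
    """Constructed, unsigned sample response for the demo (not real IdP output)."""
    a = NS["a"]
    attr_xml = "".join(
        f'<Attribute Name="{n}"><AttributeValue>x</AttributeValue></Attribute>' for n in attrs)
    body = (f'<Assertion xmlns="{a}"><Subject><NameID>alice@example.com</NameID></Subject>'
            f'<Conditions><AudienceRestriction><Audience>{IDENTIFIER}</Audience>'
            f'</AudienceRestriction></Conditions><AttributeStatement>{attr_xml}'
            f'</AttributeStatement></Assertion>')
    if encrypted:
        body = f'<EncryptedAssertion xmlns="{a}"/>'
    xml = (f'<Response xmlns="{NS["p"]}" Destination="{REPLY_URL.format(domain=domain)}">'
           f'{body}</Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample_response("acme", EXPECTED - {"Email"}), "acme"))
```

An empty list means the response is consistent with the configuration on this page; it does not mean the response is authentic.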
tip

To further control your SSO integration, you can set up SCIM provisioning. This will help you to easily and securely sync identities between your IdP and Kisi.

Flexible authentication: SSO or password

Kisi organizations with Single Sign-On (SSO) enabled can, if needed, also enable password authentication for users. If enabled, the user will be able to log in with email and password. If the user is in the organization's IdP directory, an SSO login will also be available.

User removal impact on event logs

If you use a Single Sign-On (SSO) platform and an employee is removed, the logs related to that user in the Event history will continue to display the user's name, even though the user has been removed from the system.