You can set up users in Kontainer via SSO to create a secure and seamless experience for your internal users.
We have a standard setup for Microsoft Azure, ADFS and Google. Get in touch for other setups.
We create a “Trust” between your Active Directory groups (managed by your IT) and Kontainer. This means the user will automatically be created and assigned to predetermined groups when they log in for the first time.
Like any other group in Kontainer, you can always change and manage access settings.
You can also assign extra rights to individual users; these are added to the basic permissions they inherit from their group membership.
To keep your user list manageable, you can define rules that deactivate or delete users who have not logged in for a certain amount of time, such as 2, 4 or 6 months. If a user logs in again after being auto-deleted, their user is simply reactivated.
Alongside SSO users, you can add other users and groups manually.
In the following, we will walk you through the setup of a Microsoft Azure SSO connection to Kontainer:
Azure App Registration
On the Azure services home page, click “Azure Active Directory”.
Click “App registrations” in the right menu.
Click “New registration” at the top.
Fill in “Name” with “Kontainer” and “Redirect URI” with https://xxx.kontainer.com/login/azure, where xxx is your Kontainer client ID.
Click “Authentication”, fill in “Logout URL” with https://xxx.kontainer.com/logout and check “ID tokens”. Check that account types are set to “Multitenant”. Click “Save”.
Click “Certificates and secrets”. Click “New client secret”. Write “Kontainer” in “Description” and set “Never” in “Expire”. Write down the secret.
Click “Token configuration”. Click “Add optional claim”. Select “ID” and check “email” and “upn”. Click “Add”.
Click “Add groups claim”, check “Security groups”, then select “ID” and check “sAMAccountName”.
Go to “API permissions” and click “Add a permission”. Choose Microsoft Graph and click “Delegated permissions”.
Scroll down to “GroupMember” and check “GroupMember.Read.All”.
Permissions should now be as below. An administrator may need to consent to the permissions.
Go to “Overview” and send the “Application (client) ID” and “Directory (tenant) ID” to Kontainer. Send the saved secret in a safe way.
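To confirm that the finished registration matches the steps above, the following added example (not Kontainer's own tooling) audits the application object as JSON. It assumes the JSON comes from `az ad app show --id <application-id>` and that “Multitenant” corresponds to the signInAudience value AzureADMultipleOrgs; it does not check the API permissions step, and audit_registration and the sample data are constructed for illustration.

```python
import json

# Constructed sample: a trimmed Microsoft Graph application object, the JSON
# shape that `az ad app show --id <application-id>` prints. All values are
# made up; "xxx" is the page's placeholder for the Kontainer client id.
SAMPLE_APP = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "groupMembershipClaims": "SecurityGroup",
  "web": {
    "redirectUris": ["https://xxx.kontainer.com/login/azure",
                     "https://localhost:8080/callback"],
    "logoutUrl": null,
    "implicitGrantSettings": {"enableIdTokenIssuance": true}
  },
  "optionalClaims": {"idToken": [
    {"name": "email"},
    {"name": "groups", "additionalProperties": ["sam_account_name"]}
  ]}
}""")


def audit_registration(app, client_id):
    """Return deviations from the steps on this page; an empty list means OK."""
    base = f"https://{client_id}.kontainer.com"
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    claims = {c.get("name"): c
              for c in (app.get("optionalClaims") or {}).get("idToken") or []}
    findings = []
    if f"{base}/login/azure" not in uris:
        findings.append("redirect URI for Kontainer login is missing")
    # Any registered redirect URI can receive the sign-in response: flag extras.
    findings += [f"unexpected redirect URI: {u}"
                 for u in uris if not u.startswith(base + "/")]
    if web.get("logoutUrl") != f"{base}/logout":
        findings.append("logout URL is not the Kontainer logout endpoint")
    if not (web.get("implicitGrantSettings") or {}).get("enableIdTokenIssuance"):
        findings.append("ID tokens are not enabled")
    if app.get("signInAudience") != "AzureADMultipleOrgs":  # assumed: Multitenant
        findings.append("account type is not Multitenant")
    findings += [f"optional ID token claim missing: {n}"
                 for n in ("email", "upn") if n not in claims]
    if "SecurityGroup" not in (app.get("groupMembershipClaims") or ""):
        findings.append("groups claim does not include security groups")
    props = (claims.get("groups") or {}).get("additionalProperties") or []
    if "sam_account_name" not in props:
        findings.append("groups claim is not emitted as sAMAccountName")
    return findings
```

Run it against the saved JSON before sending the IDs to Kontainer; an empty list means every audited setting matches the steps.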