SAML Support in Kenna for Single Sign On

 
 
Kenna support for SAML requires configuration on both the Kenna and customer sides of the connection, including the exchange of Issuer and Identity Provider information.
 
Some basic requirements of our implementation:
 
1. NameID is required as part of the SAMLResponse object.
2. The assertion must contain an email address. Attribute field names must be one of the following:
 
email
mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
EmailAddress
 
Users are created in Kenna using the email address that corresponds with the SAML userid. An email is sent to the user advising them that they have been added to the platform and can connect using their SAML credentials. 
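
A pre-flight check for the two requirements above, which you can run against a response captured from a test login at your own IdP. This is an added example, not Kenna's code. It assumes a SAML 2.0 response with an unencrypted assertion and exact, case-sensitive attribute-name matching; the function name and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: SAML 2.0 namespaces (the article does not state a version).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names the article lists for the email address.
# Assumption: names are compared exactly (case-sensitive).
EMAIL_ATTRS = {"email", "mail", "EmailAddress",
               "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}

def check_response(xml_text):
    """Return a list of problems; empty means both requirements are met.
    Structure check only: it does not verify the XML signature."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declarations do not belong in a SAML response"]
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    emails = [(v.text or "").strip()
              for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") in EMAIL_ATTRS
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not any("@" in e for e in emails):
        problems.append("no email value under an accepted attribute name")
    return problems

# Constructed sample, not a real IdP response; signature elements omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE))
    print(check_response(SAMPLE.replace('Name="mail"', 'Name="user_email"')))
```
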
 
Configuring this authentication service:
 
From your SAML provider, you will need to configure Kenna's "entity ID" (sometimes referred to as "issuer"), which should be:

https://www.kennasecurity.com/sp

You will also need to send us a copy of your public X.509 certificate, or the URL for your metadata.xml, which contains it.  We will use that to generate a fingerprint to validate your SAML responses.

You will need to provide us with your IdP SSO Target URL, which is the URL we will route your unauthenticated users to for authentication.

You will also need to configure the "assertion consumer service (ACS) URL", which is where your SAML provider will post back to:

https://YOUR_SUBDOMAIN.kennasecurity.com/auth/saml/YOUR_CLIENTID/callback

Once you've sent us your X.509 cert and IdP SSO Target URL, we can complete the fingerprinting and enable SAML on our side.  By default, we only allow either password or SAML authentication, but not both.  Support can help temporarily enable both authentication methods during your transition period.
 
Contact support@kennasecurity.com (or submit a ticket through the Help Center) to retrieve your Client ID and to enable SAML for your account.

 
