Single Sign-On with SAML 2.0 authentication (SAML2 SSO) is only available for teams on the Enterprise Plan.
How to Set Up
To enable SAML2 SSO, ask your team owner or admin to access "Settings" → "Single Sign-on." Note that enabling SSO will reset all user sessions, and will require re-authentication to log in.
1. Configure your identity provider
First, go to your identity provider's configuration panel and follow the provider's instructions to configure Single Sign-On. On the SAML form, enter the IdP-supplied identifiers (Entity ID, Issuer), Login URL, and Certificate. For details on the service provider side, refer to "Service Provider" on the settings page.
You can use SAML 2.0 profile-based IdPs. Currently, Kibela has verified the following identity providers:
2. Verify the connection
To verify that SSO has been set up correctly, once you have entered the required information, click the "Test" button next to "Save." If the connection is successful, you can proceed to enable SAML2 SSO.
3. Enable SAML2 SSO
To enable SAML2 SSO there are two modes, "Migration Mode" and "SSO with SAML2 Only."
"Migration Mode" allows authentication utilizing both your previous authentication method and SAML2 SSO. "Migration Mode" should only be used to verify the connection or during IdP failures. For normal operation, Kibela recommends "SSO with SAML2 Only."
Account information synchronization with IdP using SAML2 SSO
When using SAML2 SSO, Kibela cannot detect that an account has been disabled at the IdP. Therefore, when an account is disabled on the IdP side, your team owner or admin must disable the corresponding Kibela account.
Note that when SAML2 SSO is enabled, the session will be kept open for up to 24 hours to sync the account information from the IdP. During this time, if an IdP account is disabled, the user will not be able to log into Kibela. Therefore, if you disable the IdP account but not the Kibela account, the user will not be able to access Kibela for up to 24 hours.
Mapping Roles Using Custom Attributes
You can manage your team members' roles on the IdP by adding the SAML2 custom attribute <saml2:Attribute />. On the IdP, set the attribute name to kibela.user.role and assign one of the following values.
When the role attribute is set, Kibela updates the user's role to that value each time the user logs in with SSO. If no value is set for the user, no action is taken.
See Roles and Permissions for details of each role.
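As an added example (not Kibela's own code), this shows how a service provider would read the kibela.user.role attribute from a SAML2 assertion and apply the "no value, no action" rule described above. The sample assertions are constructed, and the allowed role values are assumed placeholders, since the page does not list them; the real set is in "Roles and Permissions".

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "kibela.user.role"
# Assumed allowlist of role values; the real values are documented in "Roles and Permissions".
ALLOWED_ROLES = {"owner", "admin", "member"}


def extract_role(assertion_xml: str) -> Optional[str]:
    """Return the kibela.user.role value carried in an assertion, or None when
    the attribute is absent or empty. The caller must have verified the
    assertion's signature before trusting anything read here."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", SAML2_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        value = attr.findtext("saml2:AttributeValue", default="", namespaces=SAML2_NS)
        return value.strip() or None
    return None


def apply_role(current_role: str, assertion_xml: str) -> str:
    """Apply the IdP-provided role at login: keep the current role when the
    attribute is missing, reject unknown values, otherwise adopt the new role."""
    role = extract_role(assertion_xml)
    if role is None:
        return current_role  # no value set for the user: no action is taken
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unexpected value in {ROLE_ATTR}: {role!r}")
    return role


# Constructed sample assertions (not real IdP output).
ASSERTION_WITH_ROLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="kibela.user.role">
      <saml2:AttributeValue>admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

ASSERTION_WITHOUT_ROLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>bob@example.com</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""

if __name__ == "__main__":
    print(apply_role("member", ASSERTION_WITH_ROLE))     # admin
    print(apply_role("member", ASSERTION_WITHOUT_ROLE))  # member
```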