Kandji SAML Integration Guide

Prerequisites

  • Administrator access to your Kandji tenant
  • A SplitSecure Identity Provider created and approved
  • Team members must already exist in Kandji before they can authenticate via SSO
  • A separate browser or browser profile with SplitSecure configured (for testing)

Kandji Configuration

1 Create a Custom SAML Connection

  1. Log in to the Kandji Web App
  2. In the left sidebar, click Settings
  3. Click the Access tab
  4. Scroll to the Authentication section
  5. Click Add
  6. Select Custom SAML, then click Next

Fill in the form with the following values:

| Field | Value |
| --- | --- |
| Name | (e.g., “SplitSecure SAML”) |
| Sign-In URL | https://app.splitsecure.com/saml2/sp/login |
| Sign-Out URL | https://app.splitsecure.com/saml2/sp/logout |
| Signing Certificate | Upload (download from SplitSecure: Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Certificate) |
| User ID Attribute | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
| Sign Request | On (recommended) |
| Sign Request Algorithm | RSA-SHA256 |
| Sign Request Algorithm Digest | SHA 256 |
| Protocol Binding | HTTP-Redirect |

  7. Click Save

2 Enable the Custom SAML Identity Provider

  1. The connection will appear in the Authentication section as Disabled
  2. On the right, click the ellipsis menu (⋮) and select Enable

3 Create a New User

  1. In Kandji, go to Settings → Access
  2. Click New User in the Admin Team section
  3. Enter the user’s information
  4. Click Submit
  5. The user will receive an invitation email

SplitSecure Configuration

1 Create the Kandji Secure Account

  1. In SplitSecure, navigate to Secure Accounts → Create Account → Kandji
  2. Enter a name for your account
  3. Select the Identity Provider used in the Kandji configuration
  4. Configure the Service Provider details:

| Field | Value/Description |
| --- | --- |
| Name | (e.g., “My Kandji Account”) |
| Identity Provider | Select the Identity Provider used in the Kandji configuration |
| Metadata URL | Corresponds to Service Provider Metadata File (found when configuring the IdP on Kandji, looks like: https://auth.kandji.io/samlp/metadata?connection=) |
| Default Email | Optional |

  5. Click Create Account

2 Enforce SSO (Optional)

Once SSO is working, you can disable standard authentication to enforce SSO-only access.

Disable Standard Authentication

  1. In Kandji, go to Settings → Access → Authentication
  2. Find the Standard Authentication connection
  3. Click the ellipsis menu (⋮)
  4. Select Disable

Test Authentication

1 Test Authentication (SP-Initiated)

  1. Navigate to your Kandji tenant URL
  2. Click Sign in with your Identity Provider (or select the SSO connection)
  3. You should be redirected to SplitSecure
  4. Enter your email address when prompted (should correspond to an existing email in the admin team)
  5. Click Request Access
  6. Complete the authentication flow
  7. Upon success, you’ll be logged into the Kandji Web App

Troubleshooting

| Issue | Possible Cause | Solution |
| --- | --- | --- |
| User cannot log in | User doesn’t exist in Kandji | Add the user as a team member before they attempt SSO |
| “User not found” error | Email mismatch | Ensure SAML NameID email matches the Kandji team member email exactly |
| Certificate error | Invalid or expired certificate | Re-download the certificate from SplitSecure and update in Kandji |
| SSO button doesn’t appear | Connection not enabled | Enable the SSO connection in Settings → Access → Authentication |
| Signature validation failed | Algorithm mismatch | Verify Sign Request Algorithm matches between Kandji and SplitSecure |
| Locked out of Kandji | SSO misconfigured after disabling standard auth | Contact Kandji Support to re-enable standard authentication |
| Attributes not updating | Missing surname/givenname claims | Configure SplitSecure to send the required attribute URIs |
| SLO not working | Sign-Out URL misconfigured | Verify SLO is configured in both Kandji and SplitSecure |
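
For the “Signature validation failed” case, the script below is an added example (not part of the SplitSecure or Kandji documentation) that decodes a captured HTTP-Redirect sign-in URL and reports whether the request is signed and which algorithm its SigAlg parameter names. The function names are hypothetical and the sample URL is constructed with a placeholder Signature value; the script inspects parameters only and does not verify the signature.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"


def inspect_redirect(url, expected_sig_alg=RSA_SHA256):
    """List configuration problems in an HTTP-Redirect SAML request URL."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "SAMLRequest" not in qs:
        return {"problems": ["no SAMLRequest parameter (wrong binding?)"]}
    # Redirect binding: base64 of a raw DEFLATE stream. Cap the inflated size.
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(qs["SAMLRequest"][0]), 65536)
    if inflater.unconsumed_tail:
        return {"problems": ["message larger than 64 KiB after inflation"]}
    if b"<!DOCTYPE" in xml:
        return {"problems": ["DTD in SAML message, refusing to parse"]}
    root = ET.fromstring(xml)
    problems = []
    if root.tag != SAMLP + "AuthnRequest":
        problems.append("unexpected root element " + root.tag)
    sig_alg = qs.get("SigAlg", [None])[0]
    if "Signature" not in qs or sig_alg is None:
        problems.append("request is not signed (Sign Request is off)")
    elif sig_alg != expected_sig_alg:
        problems.append("SigAlg is " + sig_alg)
    dest = root.get("Destination")
    if dest and dest != f"{parts.scheme}://{parts.netloc}{parts.path}":
        problems.append("Destination does not match the URL it was sent to")
    return {"destination": dest, "sig_alg": sig_alg, "problems": problems}


def build_sample(sig_alg=RSA_SHA256, signed=True):
    """Constructed sample URL; the Signature is a placeholder, not a real one."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           'Destination="https://app.splitsecure.com/saml2/sp/login"/>')
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if signed:
        params.update(SigAlg=sig_alg, Signature="cGxhY2Vob2xkZXI=")
    return "https://app.splitsecure.com/saml2/sp/login?" + urlencode(params)
```

Call inspect_redirect() with the full URL copied from the browser's network log during an SP-initiated sign-in; an empty "problems" list means the request parameters agree with the settings in this guide.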

External Resources