This guide explains how to enable SAML 2.0 Single Sign-On (SSO) in KanbanBOX.
SSO activation is managed by KanbanBOX Support and must be requested via support ticket.
Scope
Use this document when your company wants to authenticate KanbanBOX users through a SAML 2.0 Identity Provider (IdP), such as Microsoft Entra ID, Okta, ADFS, or similar.
Supported features
The KanbanBOX SAML SSO implementation supports the following features:
- SP-initiated SSO: users start login from KanbanBOX and are redirected to the IdP for authentication.
- IdP-initiated SSO: users start login from the IdP and are redirected to KanbanBOX with a predefined RelayState.
- SP-initiated SLO (Single Logout): users can log out from KanbanBOX and the IdP in a single flow.
Just-in-time user provisioning is currently not supported. Users must have a pre-existing account in KanbanBOX. Identity Management can be automated through the KanbanBOX API, but this is outside the scope of this document.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| Customer IT team | Configure the IdP application, provide metadata, perform validation tests |
| KanbanBOX Support | Configure SSO in KanbanBOX for each required Plant and confirm activation |
Prerequisites
Before opening the ticket, make sure you have:
- A SAML 2.0 compatible IdP
- Admin access to your IdP
- The list of KanbanBOX Plants where SSO must be enabled
- A unique SSO domain name to associate with the Tenant/Plants
- At least one test user already present in KanbanBOX with a valid email
Configuration Steps
1. Configure KanbanBOX Service Provider (SP) in your Identity Provider (IdP)
In most cases, you can use these standard KanbanBOX Service Provider (SP) configurations:
- KanbanBOX-production.sp for the KanbanBOX Production environment
- KanbanBOX-testing.sp for the KanbanBOX Test environment
You can find the SP metadata XML files, as well as all the SAML configuration details, from inside the KanbanBOX application at https://app.kanbanbox.com/help/sso_configuration_details.
We recommend that you configure two separate SPs in your production Identity Provider, so that end users have ongoing access to both the Production and Test environments of KanbanBOX.
1.1 Only for Okta users
If you are using Okta as your identity provider, you will find KanbanBOX in the app catalog. The preconfigured application is only valid for the KanbanBOX production environment.
You can follow these steps in Okta to complete the configuration:
- Add the KanbanBOX application from the app catalog.
- From the "Sign On" tab inside the app, click "Edit" and upload the certificate that you found in the SP metadata at https://app.kanbanbox.com/help/sso_configuration_details.
- From Sign On > Sign on methods > SAML 2.0, take note of the Metadata URL: you will need it in the next steps.
2. Open a support ticket to request SSO activation
SSO is activated only after a formal request to KanbanBOX Support.
Please include the following mandatory information in the ticket:
- Tenant name
- Target environment: Test, Production, or both
- Plant list or the Corporate license where SSO must be enabled
- Identity Provider metadata (XML file attached, or HTTPS metadata URL)
- Confirmation that the SAML attribute email is mapped and sent in the assertion
- Technical contact details for validation (name and email)
- Technical contact details for any future communication regarding SSO (name and email)
3. KanbanBOX Support configures SSO for each Plant
After the ticket is complete, KanbanBOX Support:
- Registers the IdP configuration
- Associates the configuration to the requested Plants
- Enables SSO according to the request scope (Test/Production)
- Confirms when validation can start
4. Validation checklist after activation
Run these checks with at least one user per enabled Plant:
- SP-initiated login: from the KanbanBOX login page, enter your email and continue with SSO.
- IdP-initiated login (if used): verify redirection to KanbanBOX with the expected RelayState.
- Verify that access succeeds only when email matches an existing KanbanBOX user.
- Verify behavior in both Test and Production, if both were requested.
SP-initiated SSO
For information about how to log in via SP-initiated SSO, please refer to the article How to login via SSO.
Troubleshooting
- User is not recognized after login: verify that email in the SAML assertion exactly matches the KanbanBOX user email.
- Generic SAML validation error: verify that the ACS URL, Recipient, and Audience values are exactly as documented.
- IdP-initiated flow does not land in KanbanBOX: verify RelayState value.
- Only some users can log in: verify SSO is enabled on the correct Plants and user accounts.
If the issue persists, update the same support ticket with:
- Timestamp of failed attempt
- Affected user email
- Environment (Test/Production)
- SAML response diagnostic details from the IdP (when available)
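As an added diagnostic example (not KanbanBOX's own code), the following Python checks a captured SAML Response against the items in this troubleshooting list and in the validation checklist: Destination and Recipient against the ACS URL, Audience against the SP entity ID, assertion expiry, and an exact match of the email attribute against known KanbanBOX user emails. The ACS URL and entity ID are placeholders (take the real values from the sso_configuration_details page), and the sample response is constructed and unsigned, so this is for diagnosing a mismatch, not a substitute for signature validation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder SP values; take the real ones from the sso_configuration_details page.
EXPECTED_ACS = "https://sp.example.invalid/saml/acs"   # placeholder ACS URL
EXPECTED_AUDIENCE = "KanbanBOX-production.sp"          # assumed SP entity ID

def check_saml_response(xml_text, known_emails, now=None):
    """Map each failed troubleshooting check to a reason; an empty dict means all passed."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = {}
    if root.get("Destination") != EXPECTED_ACS:               # "ACS URL" check
        problems["acs"] = f"Destination {root.get('Destination')!r} is not the ACS URL"
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_ACS:   # "Recipient" check
        problems["recipient"] = "Recipient is not the ACS URL"
    auds = [a.text for a in root.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in auds:                         # "Audience" check
        problems["audience"] = f"Audience {auds} lacks {EXPECTED_AUDIENCE!r}"
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None and now >= datetime.fromisoformat(
            cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        problems["expired"] = "assertion NotOnOrAfter is already in the past"
    vals = [v.text or "" for a in root.findall(".//saml:Attribute", NS)
            if a.get("Name") == "email" for v in a.findall("saml:AttributeValue", NS)]
    if not vals:
        problems["email"] = "assertion carries no 'email' attribute"
    elif vals[0] not in known_emails:   # exact match, as KanbanBOX requires
        near = vals[0].strip().lower() in {e.lower() for e in known_emails}
        problems["email"] = f"{vals[0]!r} matches no user" + (" (case/whitespace differs)" if near else "")
    return problems

def sample_response(email, recipient=EXPECTED_ACS, audience=EXPECTED_AUDIENCE):
    """Constructed, unsigned SAML Response used only to exercise the checks above."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2030-01-01T00:00:00Z" Destination="{recipient}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2030-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>{email}</saml:NameID><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2030-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotOnOrAfter="2030-01-01T00:05:00Z"><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
```

Feed it the SAML response diagnostic details exported from the IdP (for example `check_saml_response(open("response.xml").read(), {"user@example.com"})`) and attach the returned reasons to the support ticket.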
Certificate rotation
Before the current signing certificate expires, follow this sequence:
- Customer IT generates a new certificate in the IdP but does not enable it yet.
- Customer IT opens a ticket to KanbanBOX Support and shares the new certificate (or updated metadata containing it).
- KanbanBOX Support adds the new certificate as a secondary certificate in the SSO configuration.
- After KanbanBOX Support confirms completion, Customer IT enables the new certificate in the IdP.
By following this sequence, you ensure a smooth transition without downtime for users.
Change management and security notes
- Keep IdP signing certificates valid and monitor expiration dates.
- If the metadata, certificates, IdP, or email domain change, notify KanbanBOX Support before the change goes live.
- Keep at least one non-SSO admin access path for emergency recovery, if allowed by your company policy.