Submit a request

Articles in this section

KanbanBOX Single Sign-On (SSO) with SAML 2.0

This guide explains how to enable SAML 2.0 Single Sign-On (SSO) in KanbanBOX.

SSO activation is managed by KanbanBOX Support and must be requested via support ticket.

Scope

Use this document when your company wants to authenticate KanbanBOX users through a SAML 2.0 Identity Provider (IdP), such as Microsoft Entra ID, Okta, ADFS, or similar.

Supported features

The KanbanBOX SAML SSO implementation supports the following features:

  • SP-initiated SSO: users start login from KanbanBOX and are redirected to the IdP for authentication.
  • IdP-initiated SSO: users start login from the IdP and are redirected to KanbanBOX with a predefined RelayState.
  • SP-initiated SLO (Single Logout): users can log out from KanbanBOX and the IdP in a single flow.

Roles and responsibilities

Role Responsibility
Customer IT team Configure the IdP application, provide metadata, perform validation tests
KanbanBOX Support Configure SSO in KanbanBOX for each required Plant and confirm activation

Prerequisites

Before opening the ticket, make sure you have:

  • A SAML 2.0 compatible IdP
  • Admin access to your IdP
  • The list of KanbanBOX Plants where SSO must be enabled
  • A unique SSO domain name to associate with the Tenant/Plants
  • At least one test user already present in KanbanBOX with a valid email

1. Configure KanbanBOX Service Provider (SP) in your Identity Provider (IdP)

When no custom requirements are needed, use these standard KanbanBOX SP configurations:

  • KanbanBOX-testing.sp for KanbanBOX Test environment
  • KanbanBOX-production.sp for KanbanBOX Production environment

You can find the SP metadata XML files, as well as all the SAML configuration details, from inside the KanbanBOX application at https://app.kanbanbox.com/help/sso_configuration_details.

You should configure two separate SPs if you want to enable SSO in both Production and Test environments.

2. Open a support ticket to request SSO activation

SSO is activated only after a formal request to KanbanBOX Support.

Include the following mandatory information in the ticket:

  • Tenant name
  • Target environment: Test, Production, or both
  • Plant list or the Corporate license where SSO must be enabled
  • IdP metadata (XML file attached, or HTTPS metadata URL)
  • Confirmation that SAML attribute email is mapped and sent in the assertion
  • Technical contact details for validation (name and email)
  • Technical contact details for any future communication regarding SSO (name and email)

3. KanbanBOX Support configures SSO for each Plant

After the ticket is complete, KanbanBOX Support:

  • Registers the IdP configuration
  • Associates the configuration to the requested Plants
  • Enables SSO according to the request scope (Test/Production)
  • Confirms when validation can start

4. Validation checklist after activation

Run these checks with at least one user per enabled Plant:

  1. SP-initiated login: from KanbanBOX login page, enter email and continue with SSO.
  2. IdP-initiated login (if used): verify redirection to KanbanBOX with the expected RelayState.
  3. Verify successful access only when email matches an existing KanbanBOX user.
  4. Verify behavior in both Test and Production, if both were requested.

Troubleshooting

  • User is not recognized after login: verify email in SAML assertion exactly matches the KanbanBOX user email.
  • Generic SAML validation error: verify ACS URL, Recipient, and Audience values are exactly as documented.
  • IdP-initiated flow does not land in KanbanBOX: verify RelayState value.
  • Only some users can log in: verify SSO is enabled on the correct Plants and user accounts.

If the issue persists, update the same support ticket with:

  • Timestamp of failed attempt
  • Affected user email
  • Environment (Test/Production)
  • SAML response diagnostic details from the IdP (when available)

Certificate rotation

Before the current signing certificate expires, follow this sequence:

  1. Customer IT generates a new certificate in the IdP but does not enable it yet.
  2. Customer IT opens a ticket to KanbanBOX Support and shares the new certificate (or updated metadata containing it).
  3. KanbanBOX Support adds the new certificate as a secondary certificate in the SSO configuration.
  4. After KanbanBOX Support confirms completion, Customer IT enables the new certificate in the IdP.

By following this sequence, you ensure a smooth transition without downtime for users.

Change management and security notes

  • Keep IdP signing certificates valid and monitor expiration dates.
  • If metadata, certificates, IdP or email domain change, notify KanbanBOX Support before go-live changes.
  • Keep at least one non-SSO admin access path for emergency recovery, if allowed by your company policy.

Comments

0 comments

Article is closed for comments.