In this article, we will walk you through the following:

  • How to begin setup of SAML/SSO
  • Instructions for integrating with OneLogin
  • Instructions for integrating with Okta
  • Instructions for integrating with Google

Before you get started, you'll want to make sure that everyone on your team needing access to Kolide has an account with your SSO provider - SAML/SSO authentication in Kolide is currently all-or-nothing, so it's important to make sure you aren't inadvertently locking someone out of Kolide!

To get started, you'll want to sign in to your Kolide account, and select your avatar on the top right corner, and click "Settings".

In the left hand menu, check out your "Security & Privacy" page to view your current sign in method. 

One of the three Allowed Authentication Methods will be selected, and you will also see that SAML-based Single Sign On is listed but not yet available. To enable it, you will need to click "Configure SAML First".

This will take you to the "SAML / SSO" page (please note, you can navigate to this directly, but we wanted to show you this selection page first!).

Keep this page open, as you will need this information to integrate with your SSO provider!

Instructions for OneLogin

For more instructions on how to set up SAML with OneLogin, please refer to their help doc.

Log in to your OneLogin account.
Select "Applications", click on the blue button that says "Add App", and search for "SAML Test Connector". Select this.

From here, you will want to change the "Display Name" (e.g. 'Kolide' or 'Kolide K2'), and add a description. You can even upload our logo from our press page: https://kolide.com/press

Click "Save".

On the left hand menu, select "Configuration".
In the red boxed areas below, you will want to copy and paste the following:

  • In "Audience", paste your unique Kolide Issuer URL
  • In "Recipient", paste your unique Kolide SSO URL
  • In "ACS (Consumer) URL Validator*", paste your unique Kolide SSO URL with every slash and period escaped by a backslash. You'll also want to start the pattern with a ^ character and end it with a $ character, so it matches only your exact SSO URL (see example below in red text)
  • In "ACS (Consumer) URL*", paste your unique Kolide SSO URL
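As an added example (not part of the Kolide article or OneLogin's own tooling), here is how the validator pattern is built from the SSO URL, and why the backslash escaping and the ^ / $ anchors matter: without them the pattern also accepts lookalike URLs. The SSO URL and tenant segment are constructed placeholders, not real Kolide values.

```python
import re

# Constructed example Kolide SSO URL; the tenant segment is a placeholder.
EXAMPLE_SSO_URL = "https://k2.kolide.com/x/saml/EXAMPLE-TENANT/acs"


def acs_url_validator(sso_url: str) -> str:
    """Build the OneLogin 'ACS (Consumer) URL Validator' pattern: escape every
    slash and period with a backslash, then anchor with ^ at the start and $
    at the end so the pattern matches the whole URL and nothing else."""
    escaped = sso_url.replace("/", "\\/").replace(".", "\\.")
    return "^" + escaped + "$"


def is_valid_acs(validator: str, candidate: str) -> bool:
    """True only when candidate is exactly the URL the validator was built for.
    fullmatch is used so a trailing newline cannot slip past the $ anchor."""
    return re.fullmatch(validator, candidate) is not None


def naive_is_valid_acs(sso_url: str, candidate: str) -> bool:
    """What happens if the raw URL is used as the pattern with no escaping and
    no anchors: '.' becomes a wildcard and the match may sit anywhere."""
    return re.search(sso_url, candidate) is not None


# Constructed lookalike URLs: the naive pattern accepts all of them, the
# escaped and anchored validator rejects all of them.
LOOKALIKES = [
    "https://k2xkolide.com/x/saml/EXAMPLE-TENANT/acs",  # unescaped '.' matches 'x'
    "https://k2.kolide.com/x/saml/EXAMPLE-TENANT/acs/extra",  # no $ anchor
    "https://other.example/?next=https://k2.kolide.com/x/saml/EXAMPLE-TENANT/acs",  # no ^ anchor
]

if __name__ == "__main__":
    validator = acs_url_validator(EXAMPLE_SSO_URL)
    print("Validator:", validator)
    for url in LOOKALIKES:
        print(f"{url}\n  escaped+anchored: {is_valid_acs(validator, url)}"
              f"  naive: {naive_is_valid_acs(EXAMPLE_SSO_URL, url)}")
```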

Next, you will need to select "SSO" from the left hand menu. Let's first copy the link provided under "SAML 2.0 Endpoint (HTTP)".

Paste this into your Kolide SAML / SSO page.

Once that is complete, click "View Details" to gather the Certification information. Click the "Copy to Clipboard" icon on the top right corner of the Certificate window. Paste this into your Kolide SSO Configuration page.

When you are finished, click "Save & Test SSO".

But wait. There's more! You now have to go to your Security & Privacy page to enforce SAML / SSO. 

Click "Save Changes", which will now make other sign in methods inaccessible. 

Your team will see a message in their inbox letting them know of this change. 

Instructions for Okta

Log in to your Okta account.
Select "Applications", click the green button that says "Add Application", and then click "Create New App".

Make sure the Platform field says "Web", and set the Sign on method to SAML 2.0.

Next, type in "Kolide", or whatever unique identifier you want for the app, into the "App name" field. You can pretty this up by adding our logo, which can be found here: https://kolide.com/press

Once you click Next, you will need to copy and paste your unique Kolide SSO URL into the Single sign on URL field, and your Kolide Issuer URL into the Audience URI (SP Entity ID).
Use the dropdown menus to select "EmailAddress" in the Name ID format field, and "Email" in the Application username field.

This will take you to an optional Feedback page. You can certainly fill this out, or click "Finish".

This will take you to the new Application page. Click on the "View Setup Instructions". 

This will take you to the configuration page, from which you will need to copy the unique URLs and certificate into your Kolide setup page.

Item 1 should be pasted into the IDP SSO TARGET URL field, and the "X.509 Certificate" should be copied and pasted into the designated X.509 CERTIFICATE field in Kolide.

Hooray! This is now configured! 

Instructions for Google

Steps to set up SAML auth for K2 with Google SAML as the identity provider: 

First, visit the 'SAML  Apps' page in your GSuite account, and click the '+' button to add a new app:

In the popup that appears, click 'Setup my own custom app':

In step 2, make sure you save the SSO URL for use later, and download the IDP certificate. You'll need both of these when filling out the SAML form in the Kolide dashboard.

In step 3, choose a name, and optionally a description and logo.

May we suggest the following description?

    Kolide is a user focused security platform which your team uses to inform users when their device has issues that affect system stability or security

And for a logo, feel free to use this one:

After clicking 'Next', you'll see a form asking for your ACS URL and Entity ID.

You can find both of these in the SAML settings screen at  https://k2.kolide.com/x/settings/admin/saml/edit. Use the field labeled 'Kolide SSO URL' for the GSuite 'ACS URL', and the field labeled 'Kolide Issuer URL' for the GSuite 'Entity ID'

You'll also want to make sure to select 'EMAIL' for the 'Name ID Format', and check the box for 'Signed Response'. The 'Start URL' field can be left empty.

Upon clicking 'Next', you should see a confirmation that the setup (on the GSuite IDP side) is complete:

Note that you'll likely need to enable the new SAML application for the appropriate accounts and/or groups before it can be used. Click on the new application, then click 'Edit Service', and configure the availability as appropriate.

Now we need to jump over to the K2 SAML setup, at https://k2.kolide.com/x/settings/admin/saml/edit

Here, you'll fill in the certificate and IDP SSO Target URL fields using the URL and Certificate saved from step 2. 

Then click 'Save & Test SSO', and if everything was filled out correctly you should see a success message.

But wait. There's one more step! 

You now have to go to your Security & Privacy page to enforce SAML / SSO. 

Click "Save Changes", which will now make other sign in methods inaccessible. 

Your team will see a message in their inbox letting them know of this change. 

Now, when your team signs in, they will see this (Okta used as an example):

BOOM! Now you're all set! Now get cracking :)
