Compliance Module

Single Sign-On (SSO)

KaiNexus supports SAML 2.0 as part of the Compliance Module to limit attacks from phishing schemes and make participation as easy as possible for everyone.

Two Line OfieSSO is available as part of the Compliance Module. Reach out to your Customer Success Manager if you're interested in this module or, if your organization is already using it, to take advantage of any of the features described in this article.

What is SAML?

SAML is an acronym used to describe the Security Assertion Markup Language (SAML). It enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (idP) and a web application (in this case, KaiNexus).

SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes between the identity and service provider. As a result, it simplifies and secures the authentication process as the user only needs to log in once with a single set of authentication credentials. So, when the user tries to access a site, the identity provider passes the SAML authentication to the service provider, who then grants the user entry. 

What is SSO?

Single Sign-On (SSO) is an authentication service that enables a user to use one set of login credentials (for example, a name and password) to access multiple applications. KaiNexus supports all SAML 2.0 SSO providers, such as Okta, Microsoft Azure, and ADFS.  

What is SAML SSO?

SAML Single Sign-On is a mechanism that leverages SAML, allowing users to log on to multiple web applications after logging into the identity provider. As the user only has to log in once, SAML SSO provides a faster, seamless user experience.

SAML SSO is easy to use and more secure from a user perspective as they only need to remember one set of user credentials. It also provides fast and seamless access to a site as every application they access does not prompt them to enter a username and password. Instead, the user logs into the identity provider and then accesses the relevant web application by clicking on its icon or navigating to the site via its URL.

SSO in the KaiNexus mobile app

Single Sign-On is also available in the KaiNexus mobile app, making it easy for users to access the app from their mobile devices.

Organizations that use Single Sign On have an additional option that allows users to remain logged into the mobile app for an extended time without needing to re-authenticate after an expired session.

If your organization enables the Stay Signed In feature, KaiNexus will authenticate a user's credentials the first time they sign in. After the first login, the user will stay signed in, preventing the system from needing to authenticate when they open the app again in the future. This feature makes signing in even more effortless and allows users to utilize password apps such as Apple Keychain.

However, because users can remain signed into the app indefinitely, there is an added level of security risk that organizations should consider before enabling the Stay Signed In feature.

Ofie Profile PicWarning: If your organization uses the Stay Signed In feature for Mobile App SSO, it is extremely important to inactive a user's KaiNexus account when they leave your organization. The Stay Signed In feature prevents KaiNexus from re-authenticating a user's credentials with your organization's IdP each time they open the app, meaning they could still access KaiNexus even if they are removed from your organization's Identity Provider or internal SSO management system. The only way to ensure the former employee cannot sign into KaiNexus is by revoking their access to KaiNexus.

SSO Error Messages

You may receive either of the following SSO error messages when logging into KaiNexus:

  • “An error occurred while authenticating with your SSO provider. Learn more.” 
  • "You can't use KaiNexus just yet. The username provided by your organization's authentication system did not match a user in KaiNexus. This usually means that your KaiNexus account has not been set up."
Typically these errors appear when the username (NameID) being passed to KaiNexus from your IdP (Identity Provider) does not match the username on your user profile in KaiNexus, which is why your account cannot be authenticated. Companies most often use your organizational email address for your NameID/username.

Our best suggestion in this situation is to reach out to your administrator and/or IT team and see if they can confirm that the NameID being passed from your IdP to KaiNexus matches your username within KaiNexus. If your credentials do not match, your team should update your KaiNexus username to match in order to fix the login issue.

However, if your admin/IT team confirms that your credentials match and you're still receiving this error, submit a support ticket and we'll see if there is a deeper issue.

Recommended Reading