Single Sign-On (SSO)
KaiNexus supports SAML 2.0 to limit attacks from phishing schemes and make participation as easy as possible for everyone.
Logging in with Single Sign-On (SSO)
With SSO enabled, you sign in to KaiNexus using your existing company login instead of a separate KaiNexus password, providing a secure and streamlined sign-in experience.
What are SSO and SAML?
- Single Sign-On (SSO) is an authentication method that allows users to access multiple applications using a single set of login credentials (for example, a username and password).
- SAML (Security Assertion Markup Language) is the secure "language" that makes SSO possible. It works by passing authentication information in a particular format between two parties, usually an identity provider (IdP) and a web application (in this case, KaiNexus).
How it works: The SAML SSO Process
SAML works by performing a secure "digital handshake" between your company and KaiNexus:
- Identity Verification: You log into the Identity Provider and then access KaiNexus by clicking on its desktop icon or navigating to the site via its URL.
- The Secure Exchange: Your Identity Provider sends a digital "packet" to KaiNexus. This packet contains your authentication status and identifiers (like your email and name).
- Seamless Entry: KaiNexus verifies this data and instantly grants you access.
Note: KaiNexus supports all SAML 2.0 SSO providers, such as Okta, Microsoft Azure, and ADFS.
Benefits of SSO
- One Password: You only need to remember your work credentials to access KaiNexus and all your other business tools.
- Faster Access: Once you've logged into your company network, you can jump into KaiNexus via a direct URL or your apps dashboard without being prompted for a username and password again.
- Stronger Security: Because your company manages the login, your account is protected by their specific security rules, such as Multi-Factor Authentication (MFA).
SSO in the Mobile App
Single Sign-On is also available in the KaiNexus mobile app, making it easy for users to access the app from their mobile devices.
Organizations that use Single Sign-On have an additional option that allows users to remain logged into the mobile app for an extended time without needing to re-authenticate after an expired session.
If your organization enables the Stay Signed In feature, KaiNexus will authenticate a user's credentials the first time they sign in. After the first login, the user will stay signed in, preventing the system from needing to authenticate when they open the app again in the future. This feature makes signing in even more effortless and allows users to utilize password apps such as Apple Keychain.
However, because users can remain signed into the app indefinitely, there is an added level of security risk that organizations should consider before enabling the Stay Signed In feature.
Warning: If your organization uses the Stay Signed In feature for Mobile App SSO, it is extremely important to inactivate a user's KaiNexus account when they leave your organization. The Stay Signed In feature prevents KaiNexus from re-authenticating a user's credentials with your organization's IdP each time they open the app, meaning they could still access KaiNexus even if they are removed from your organization's Identity Provider or internal SSO management system. The only way to ensure the former employee cannot sign into KaiNexus is by revoking their access to KaiNexus.
Troubleshooting Common SSO Errors
If you are having trouble logging in via SSO, find the error message you are seeing below for the likely cause and solution.
Username mismatch
The Error: "You can't use KaiNexus just yet. The username provided by your organization's authentication system did not match a user in KaiNexus. This usually means that your KaiNexus account has not been set up."
- What it means: During the login process, your organization's Identity Provider (IdP) sends a unique identifier called a NameID (usually your work email) to KaiNexus. This error occurs if that NameID does not exactly match the username in your KaiNexus profile, or if a KaiNexus account hasn't been created for you yet.
- The Fix: Reach out to your internal KaiNexus Admin or IT team. They must ensure that the NameID being sent from your company's system matches your KaiNexus username. If they don't match, your Admin will need to update your username in KaiNexus to resolve the issue.
User Not Assigned to Application
The Error: You receive a message directly from your company's login page (like Okta or Azure) stating that you do not have access to the application or that the "app is not assigned."
- What it means: This is an authorization issue. While your password may be correct, your user account has not been granted permission to use the KaiNexus application within your company's security system.
- The Fix: Contact your internal IT department. Ask them to "assign" or "provision" your user account to the KaiNexus application. This is managed entirely by your organization's internal security team.
Other SSO Issues
The Error: “An error occurred while authenticating with your SSO provider. Learn more.”
- What it means: This is a general error indicating a breakdown in the "handshake" between your company and KaiNexus. It is often caused by expired security certificates or outdated browser links.
- Things to try:
  - Verify your account status: Contact your internal KaiNexus Administrators to ensure your account is active. If your account is currently "Inactive," the SSO process will be blocked, and you will not be able to sign in.
  - Refresh your URL: Instead of using a saved bookmark or desktop icon, which may contain outdated session data, try typing your organization's direct KaiNexus URL (e.g., yourcompany.kainexus.com) directly into your browser's address bar.
  - Incognito Mode: Try logging in via a Private or Incognito window. If it works there, you may need to clear your browser's cache.
  - Contact IT regarding Certificates: Ask your internal IT department if the SAML Certificate is up to date. If the login issue is widespread across your entire company, an expired certificate is the most likely cause.
Still having trouble? If these steps don’t resolve the issue, please reach out to your internal IT team or submit a KaiNexus support ticket. When you do, please include a screenshot of the error message so we can help you faster.
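To make the "secure exchange" in the handshake section and the error cases above concrete, here is an added example (not KaiNexus code) that models the service-provider side of checking a SAML Response: status, validity window, audience, and then the NameID-to-username match. The sample response, the user directory, the audience URL and the clock are all constructed; the model treats "exactly match" as a case-sensitive string comparison, which is an assumption, and it leaves out signature verification, which a real service provider must perform with the IdP's certificate before trusting any of these fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AUDIENCE = "https://yourcompany.kainexus.com"          # constructed SP identifier
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)    # constructed clock
USERS = {"jane.doe@example.com": True,                   # constructed directory:
         "old.hire@example.com": False}                  # username -> active?

# Constructed, unsigned sample; a real SP verifies the IdP's signature first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion>
  <saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://yourcompany.kainexus.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate_response(xml_text, users, audience, now):
    """Map one SAML Response to the outcomes the troubleshooting section lists."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return "sso-error"          # the IdP did not authenticate the user
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return "sso-error"          # stale or replayed assertion
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != audience:
        return "sso-error"          # assertion was issued for another application
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text
    if name_id not in users:
        return "username-mismatch"  # NameID must equal the KaiNexus username exactly
    if not users[name_id]:
        return "inactive-account"   # account exists but is Inactive, so SSO is blocked
    return "granted"

def demo():
    # Only the NameID and the clock vary between the four runs.
    ok = SAMPLE_RESPONSE.replace("Jane.Doe@example.com", "jane.doe@example.com")
    return {"mismatch": evaluate_response(SAMPLE_RESPONSE, USERS, AUDIENCE, NOW),
            "granted": evaluate_response(ok, USERS, AUDIENCE, NOW),
            "inactive": evaluate_response(ok.replace("jane.doe", "old.hire"), USERS, AUDIENCE, NOW),
            "expired": evaluate_response(ok, USERS, AUDIENCE, NOW.replace(minute=10))}
```

The first run fails only because the IdP sent `Jane.Doe@example.com` while the directory holds `jane.doe@example.com`, which is exactly the mismatch an Admin resolves by aligning the KaiNexus username with the NameID.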
Recommended Reading
Check out the following resources for more information on additional security options available for your organization: