Enable Single-Sign-On (SSO)

LeanKit’s step-by-step guide on enabling SSO in your LeanKit account.  

Enabling Single-Sign-On (“SSO”) for your LeanKit account will allow your users to access the account without having to use a separate LeanKit username and password. SSO is included in Premium edition LeanKit accounts, or can be purchased as a separate add-on for Advanced edition accounts.

Once SSO is enabled, all users within the account will be required to authenticate through SSO only. Enabling SSO also removes the ability of LeanKit support agents to log into the account to provide support, so if LeanKit support is required, another mechanism should be arranged to provide this service.

Is SSO available for my account?

You can confirm that SSO is available for your account by checking whether the account is on the Premium edition. To see whether or not you have a Premium edition account, click the three-gears icon on your home screen to access your account details. There you will be able to see which edition of LeanKit you have.

[Image: Account Details tab]

If it isn’t Premium edition, check with your LeanKit sales representative about the purchase of SSO as an add-on to your account.


How does SSO work?

When SSO is enabled and configured for your LeanKit account, logging in to the account is simple:

  1. Users go to the URL of their LeanKit account where they will see a Continue button instead of the usual username and password fields.
  2. After clicking the Continue button, users are either taken straight into the account, or directed first to a login page for your organization’s authentication mechanism, depending on how SSO is configured, after which they are taken into the account.

There are three parties involved in the SSO process:

  • the principal (the LeanKit user),
  • the service provider (“SP”) (in this case LeanKit), and
  • the identity provider (“IdP”) (the authentication service operated by the customer).

LeanKit’s SSO system uses Security Assertion Markup Language (“SAML”) to authenticate users with your organization. SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between systems, in this case, between your IdP and your SP, LeanKit.

LeanKit currently supports SAML version 2.

There are two ways that the SSO feature can be configured for users to sign in to LeanKit:

  • Being redirected to sign in to your IdP:
    1. The user goes to your LeanKit URL and clicks Continue.
    2. They are then redirected to an external login page generated by your IdP.
    3. The user enters their company credentials in your login form.
    4. Your IdP then sends an encrypted SAML response to LeanKit’s servers.
    5. LeanKit decrypts this response using your Public Signing Certificate.
    6. In the decrypted response LeanKit finds the user identifier (email or external user ID) and checks it against the LeanKit account.
    7. Finally, if the user identifier matches the LeanKit account, the LeanKit system allows the user into the LeanKit account.
  • Being taken directly into the account:
    1. The user goes to your LeanKit URL and clicks Continue.
    2. LeanKit servers then send a SAML request to your IdP.
    3. The request includes information about the LeanKit account being accessed.
    4. Your IdP sends an encrypted SAML response to LeanKit’s servers.
    5. LeanKit decrypts this response using your Public Signing Certificate.
    6. In the decrypted response LeanKit finds the user identifier (email or external user ID) and checks it against this LeanKit account.
    7. Finally, if the user identifier matches the LeanKit account, the LeanKit system allows the user into the account.
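The following is an added example, not LeanKit's code, of the service-provider-side checks that sit behind steps 5 to 7 of both flows above: a SAML 2.0 Response is only trusted after its signature has been verified with the IdP's public signing certificate (the step the page describes as decrypting the response), it was addressed to this account's login URL, its assertion is inside its validity window and meant for this SP, and only then is the user identifier compared against the account's users. It uses only Python's standard library, so signature verification is a hook (`signature_ok`) that a real deployment must back with a SAML library; the account URL (built on the ExternalLogin format given later on this page), entity ID, user list and the SAML response itself are constructed for this example and are not real LeanKit identifiers.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed values for an imaginary account (assumptions, not real LeanKit data).
SP_ACS_URL = "https://example-org.leankit.com/Account/Membership/ExternalLogin"
SP_ENTITY_ID = "https://example-org.leankit.com"
ACCOUNT_USERS = {"alice@example.com", "bob@example.com"}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)

# Constructed, unsigned SAML Response trimmed to the elements the checks use.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z"
  Destination="https://example-org.leankit.com/Account/Membership/ExternalLogin">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example-org.leankit.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    """SAML timestamps are UTC ISO-8601; fractional seconds are dropped if present."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, signature_ok, acs_url=SP_ACS_URL,
                      entity_id=SP_ENTITY_ID, users=ACCOUNT_USERS):
    """Return (accepted, reason, user_id); every check must pass before the user is matched.

    signature_ok(root) stands in for XML-signature verification against the IdP's
    public signing certificate, which needs a maintained SAML library (hypothetical hook).
    """
    if "<!DOCTYPE" in xml_text:            # a SAML message never needs a DTD; refuse entity tricks
        return False, "dtd-not-allowed", None
    root = ET.fromstring(xml_text)
    if not signature_ok(root):             # untrusted until the IdP's signature checks out
        return False, "bad-signature", None
    if root.get("Destination") != acs_url:  # response must be addressed to this account's login URL
        return False, "wrong-destination", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return False, "idp-status-not-success", None
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if conditions is None:
        return False, "no-assertion-conditions", None
    skew = timedelta(minutes=2)            # tolerate small clock drift between IdP and SP
    not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < _parse_ts(not_before) - skew:
        return False, "outside-validity-window", None
    if not_after and now >= _parse_ts(not_after) + skew:   # stale or replayed assertion
        return False, "outside-validity-window", None
    audience = conditions.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != entity_id:
        return False, "wrong-audience", None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    user_id = (name_id.text or "").strip().lower() if name_id is not None else ""
    if not user_id:
        return False, "no-user-identifier", None
    if user_id not in users:               # step 7: identifier must already exist in the account
        return False, "user-not-in-account", None
    return True, "ok", user_id


def run_checks():
    """Exercise the validator on the constructed response; returns the outcome per case."""
    sig_ok = lambda root: True             # pretend the signature verified, for the demo only
    return {
        "valid": validate_response(SAMPLE_RESPONSE, SAMPLE_NOW, sig_ok),
        "bad_signature": validate_response(SAMPLE_RESPONSE, SAMPLE_NOW, lambda root: False)[1],
        "replayed_later": validate_response(SAMPLE_RESPONSE, SAMPLE_NOW + timedelta(hours=1), sig_ok)[1],
        "other_account": validate_response(SAMPLE_RESPONSE, SAMPLE_NOW, sig_ok,
                                           acs_url="https://other-org.leankit.com/Account/Membership/ExternalLogin")[1],
        "unknown_user": validate_response(SAMPLE_RESPONSE, SAMPLE_NOW, sig_ok, users={"bob@example.com"})[1],
        "dtd": validate_response("<!DOCTYPE r []>" + SAMPLE_RESPONSE, SAMPLE_NOW, sig_ok)[1],
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(case, result)
```

The order of the checks matters: the response is parsed but nothing in it is believed until the signature hook has passed, and the user lookup (the only step that touches account data) runs last, so a response aimed at a different account, an expired one, or one for a different audience never reaches it.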


To turn on SSO in your LeanKit account:

To have SSO turned on for your LeanKit account, submit a ticket at support.leankit.com. We’ll need a few things from you so that the process goes as quickly and easily as possible.

What you need from us:

  1. LeanKit’s external login URL format: https://<OrgHostName>.leankit.com/Account/Membership/ExternalLogin

Optionally:

  • Your security engineer can use the attached leankit_metadata.xml file at the bottom of this page to automate SAML configuration in your IdP system. The 'hostname' text in the file will need to be edited in two places to match the hostname of your LeanKit account.


What we’ll need from you:

  1. The external login URL: a login page for your IdP to which we would redirect users; and
  2. Your Public Signing Certificate, with which we’ll decrypt the SAML responses.


Here’s a request template you can copy, fill in with your own information, and send to support by email:

I would like to turn on SSO for [LeanKit domain].
The external login URL is: [provide URL here].
Our Public Signing Certificate is attached to this email [attach Public Signing Certificate].

Questions or comments about the SSO enablement process should be directed to the Support Team (support@leankit.com).


Things to be aware of when enabling SSO:

  1. Once enabled, all user passwords will be reset to a random value, breaking any current integrations you may be using via the API. To avoid this, please provide us with a list of active API users so we can exclude them from this reset.
  2. Once your request has gone through, our Support team will provide you with a LeanKit SSO test account so that you can point your IdP to the correct place.
  3. Once SSO is enabled, any users who are using the mobile app will need to go through a new process to "register" their phones through the "My apps and devices" section that gets enabled after SSO is enabled.
  4. Adding users to a LeanKit account after SSO is enabled requires the Admin to manually create each new user (first name, last name, email address, time zone, and a randomized password). You can no longer invite via email address.


Doc ID: 1192275916 