About enterprise connections
Auth and access
In Kinde, you can use SAML as your authentication protocol. Kinde acts as a service provider (SP), so you still need to bring your own identity provider (IdP) to set it up. Identity providers can include Google, Microsoft Azure, Cloudflare, and others.
Note: Since the setup differs for each IdP, we are unable to provide full details on how to configure every one of them to connect with Kinde. However, the fields we mention below should have similar names in your IdP.
Before you set up SAML, you can import users in bulk, add them via API, or manually in Kinde. Alternatively, you can also take advantage of just-in-time (JIT) provisioning (Step 13 below) when you set up the connection.
You can increase SAML security by adding a certificate and private key pair to your setup. The private key stays in Kinde and is used to sign the SAML requests Kinde sends; the certificate is shared with your IdP, which uses it to verify that each request was signed with the matching private key every time a user authenticates this way.
You can obtain the certificate and key from your IdP, or you can generate them yourself with OpenSSL, for example:
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout private_key.key -out certificate.crt
Enter a name for the connection. It must match the name in your SAML setup.
Select if you want to treat this connection as a trusted provider. A trusted provider is one that guarantees the email they issue is verified. We recommend leaving this off for maximum security.
Enter an Entity ID. This is a value you can make up using a random alphanumeric string, e.g. 5836g209gbhw09r8y0913. The Entity ID you enter here must be configured exactly the same in your identity provider (unless your IdP is Microsoft Azure).
If Microsoft Azure is your provider and your app is a bit older, you may need to add spn: to the beginning of the Entity ID string in Kinde, e.g. spn:5836g209gbhw09r8y0913. This is not required for newly created apps.
Enter the IdP metadata URL. This URL comes from your identity provider.
Enter an Email key attribute. This is the name of the attribute in the SAML assertion that contains the user's email, and it must match the attribute name your IdP actually sends (IdPs differ; some use a short name such as mail, others a full claim URI). Setting this value ensures that the email address in the SAML response is retrieved correctly. We do not recommend leaving this field blank, but if you do, Kinde falls back to the attribute name email.
Enter any relevant Home realm domains. Kinde uses the domain of the email address a user enters to recognize which connection they belong to and route them to the correct sign-in page. Note that home realm domains need to be unique across all connections in an environment. Read more about home realm domains.
If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.
Copy the ACS URL, which is also known as a reply URL. This will need to be copied to the relevant area of your identity provider configuration.
If you want to enable just-in-time (JIT) provisioning for users, select the Create a user record in Kinde option. This saves time adding users manually or via API later.
Once you have entered the ACS URL in your identity provider, enable the connection.
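To make concrete what the Email key attribute setting selects, here is an added example (not Kinde's code) that pulls the email out of a SAML response by attribute name, with the documented fallback to email when no name is configured. The response, the attribute names and the helper names are all constructed for this illustration. It deliberately skips what a real service provider must do first: verify the assertion's signature against the IdP certificate, check the audience and conditions, and only then trust any attribute in it.

```python
"""Added example: resolve a user's email from a SAML response by attribute name.

Not Kinde's code. The sample response below is constructed for this
example and is unsigned; no signature, audience or timestamp validation
is performed here, so this only illustrates the attribute lookup step.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Standard SAML 2.0 namespaces used in the response.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim URI that Microsoft identity platforms commonly use for the email
# address; included to show that a long URI is a different attribute
# name from a short one such as "mail" or "email".
MS_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample response (hypothetical issuer and user).
SAMPLE_RESPONSE = """
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>user-123</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="mail">
        <saml2:AttributeValue>Alice@Example.test</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="%s">
        <saml2:AttributeValue>alice@example.test</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="displayName">
        <saml2:AttributeValue>Alice</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
""" % MS_EMAIL_CLAIM


def saml_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def resolve_email(response_xml: str, email_key_attribute: Optional[str] = None) -> Optional[str]:
    """Pick the email using the configured attribute name.

    An empty setting falls back to "email", mirroring the documented
    default. Returns None when the attribute is missing, has more than
    one value, or does not look like an address, so a misconfigured
    name fails closed instead of mapping the login to the wrong user.
    """
    key = email_key_attribute or "email"
    values = saml_attributes(response_xml).get(key, [])
    if len(values) != 1:
        return None
    value = values[0].strip().lower()
    if "@" not in value:
        return None
    return value


if __name__ == "__main__":
    print("mail            ->", resolve_email(SAMPLE_RESPONSE, "mail"))
    print("MS claim URI    ->", resolve_email(SAMPLE_RESPONSE, MS_EMAIL_CLAIM))
    print("blank (default) ->", resolve_email(SAMPLE_RESPONSE))
    print("displayName     ->", resolve_email(SAMPLE_RESPONSE, "displayName"))
```

Running it shows why the field should not be left blank: this IdP sends the address under mail and under the Microsoft claim URI, but not under email, so the default lookup returns nothing. The address is also normalised to lower case, since the same mailbox must map to the same Kinde user regardless of how the IdP cases it.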
Before you delete a connection, make sure that there are no users relying on it for authentication. Once deleted, the sign in option becomes unavailable to users. This action can’t be reversed.