
IdP-initiated SAML SSO

In this guide, you’ll learn how to configure IdP-initiated SSO in Kinde, including setting up the SAML connection, configuring your Identity Provider, and testing both SP-initiated and IdP-initiated authentication flows.

What is IdP-initiated SSO?


IdP-initiated SSO is an authentication flow where the login process starts at the Identity Provider (IdP) rather than at your application (the Service Provider, SP).

When setting up enterprise authentication, you’ll encounter two ways to start a SAML single sign-on flow: SP-initiated and IdP-initiated. In the SP-initiated flow the user first visits your application, which sends a SAML AuthnRequest to the IdP, and the IdP’s Response answers that specific request. In the IdP-initiated flow there is no request from your side: the IdP sends an unsolicited Response, and the sequence looks like this:

  1. A user logs into their corporate Identity Provider portal (such as Okta, Azure AD, or Google Workspace)
  2. From the IdP dashboard, the user clicks on your application
  3. The IdP creates a SAML assertion containing the user’s identity and attributes
  4. The IdP sends this assertion directly to your Kinde ACS URL
  5. Kinde validates the assertion and creates a user session
  6. The user is redirected to your application

Step 1: Add a SAML enterprise connection in Kinde


Option A: Environment-level connection (shared across organizations)

  1. Sign in to your Kinde admin portal
  2. Navigate to Settings > Authentication
  3. Select Add connection in the Enterprise connections section
  4. Select your SAML provider:
    • Custom SAML (for any SAML 2.0 IdP)
    • Google Workspace (pre-configured for Google)
    • Okta (pre-configured for Okta)
    • Cloudflare (pre-configured for Cloudflare Access)
  5. Select Next

Option B: Organization-level connection (specific to one organization)

  1. Sign in to your Kinde admin portal
  2. Navigate to Organizations > select your organization
  3. Go to the Authentication tab
  4. Select Add connection. A pop-up appears
  5. Select Organization SSO connection, then select Next
  6. Choose your connection type (Custom SAML, Cloudflare, Okta, etc.)
  7. Select Next

Step 2: Configure the SAML connection details in Kinde


After creating the connection, configure these settings:


  1. Connection name: A name to identify this connection (e.g., “Acme Corp SSO”)

  2. Entity ID: The unique identifier configured in your IdP (e.g., https://yourapp.kinde.com)

  3. IdP metadata URL: You will add this after finishing setup in your Identity Provider (see Step 3)

  4. Sign in URL (optional): Override the default SSO endpoint with a URL your IdP recognizes

  5. Sign request algorithm: Choose the algorithm used to sign SAML requests (RSA-SHA1 or RSA-SHA256). Use RSA-SHA256 unless a legacy IdP only accepts SHA-1; SHA-1 is deprecated for signatures.

  6. Protocol binding: Choose the protocol binding used to send SAML requests

  7. Name ID format: Select the format for the Name ID used to identify users in SAML responses (persistent recommended)

  8. Set up the attribute mapping for user:

    • Email key attribute: The attribute in the SAML token that contains the user’s email. Defaults to email if not provided.

    • User ID key attribute: The attribute in the SAML token that contains the user ID. Defaults to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier if not provided.

    • First name key attribute: The attribute in the SAML token that contains the user’s first name. Defaults to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname if not provided.

    • Last name key attribute: The attribute in the SAML token that contains the user’s last name. Defaults to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname if not provided.

  9. Home realm domains: A list of email domains used for home realm discovery. Add each domain on a new line:

    acmecorp.com
    acme.co
  10. Always show sign-in button:

    • Off (default): If home realm domains are set, the SSO button only shows after email domain detection
    • On: The SSO button is always visible on the login screen
  11. Copy the Assertion Consumer Service (ACS) URL. You will need to add this to your IdP configuration.

  12. Provisioning: Control how users are created when authenticating via SAML:

    • Create a user record in Kinde: When enabled, users who don’t exist in Kinde are automatically created on first sign-in

    • Trust email addresses provided by this connection: Merge with an existing Kinde user when the asserted email address matches. Enable this only for IdPs that control the email domains in question, because a matching email from a trusted connection is treated as proof of ownership of the existing account.

    • Auto-add users (org-level only): Users are automatically added as members of the organization

  13. Select Save
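The following is an added example, not Kinde’s code, that ties the flow described under “What is IdP-initiated SSO?” to the settings configured above: it shows the checks a SAML service provider applies to a Response arriving at its ACS URL, how the presence or absence of InResponseTo distinguishes an SP-initiated Response from an unsolicited IdP-initiated one, and how the default attribute mapping from this step is applied to the assertion. The tenant `acme.kinde.com`, the user `jane@acmecorp.com`, the request ID `_req1` and the sample Response are constructed for illustration, and signature verification is assumed to have already passed (for example via xmlsec) and is not shown.

```python
"""Added example, not Kinde's code: the checks a SAML service provider applies to a
Response at its ACS URL, showing how SP- and IdP-initiated flows differ and how the
Step 2 attribute mapping is applied. Signature verification is assumed done already."""
from dataclasses import dataclass, field
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production code

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Default key attributes from the Kinde attribute mapping described in Step 2.
DEFAULT_MAPPING = {"email": "email", "user_id": CLAIMS + "nameidentifier",
                   "first_name": CLAIMS + "givenname", "last_name": CLAIMS + "surname"}

@dataclass
class Connection:
    entity_id: str             # Entity ID / Audience configured in Kinde and in the IdP
    acs_url: str               # ACS URL the IdP must address the Response to
    allow_idp_initiated: bool  # whether unsolicited Responses are accepted at all
    mapping: dict = field(default_factory=lambda: dict(DEFAULT_MAPPING))
    pending_request_ids: set = field(default_factory=set)  # AuthnRequest IDs we issued
    seen_assertion_ids: set = field(default_factory=set)   # replay cache

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(conn, xml_text, now):
    """Return (flow, user) with flow 'sp' or 'idp'; raise ValueError on any failed check."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != conn.acs_url:
        raise ValueError("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in conn.seen_assertion_ids:
        raise ValueError("Assertion ID missing or already used (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if conn.entity_id not in audiences:
        raise ValueError("Audience does not match the Entity ID")
    # InResponseTo separates the two flows: an SP-initiated Response must name an
    # AuthnRequest this SP issued; an IdP-initiated one is unsolicited and has none.
    in_response_to = root.get("InResponseTo")
    if in_response_to:
        if in_response_to not in conn.pending_request_ids:
            raise ValueError("InResponseTo does not match an outstanding request")
        conn.pending_request_ids.discard(in_response_to)
        flow = "sp"
    elif conn.allow_idp_initiated:
        flow = "idp"
    else:
        raise ValueError("Unsolicited Response but IdP-initiated SSO is disabled")
    conn.seen_assertion_ids.add(assertion_id)
    return flow, map_attributes(assertion, conn.mapping)

def map_attributes(assertion, mapping):
    """Apply the attribute mapping; NameID backs the user_id key when no attribute carries it."""
    raw = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        raw[attr.get("Name")] = values[0] if len(values) == 1 else values
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        raw.setdefault(mapping["user_id"], name_id.text)
    user = {key: raw.get(name) for key, name in mapping.items()}
    if not user["email"] or not user["user_id"]:
        raise ValueError("Mapped email and user_id are required")
    return user

def rejection_reason(conn, xml_text, now):
    """None when the Response is accepted, otherwise the reason it was rejected."""
    try:
        validate_response(conn, xml_text, now)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed, unsigned sample for the hypothetical tenant acme.kinde.com; a real
# Response also carries Issuer, Status and Signature elements.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="https://acme.kinde.com/login/saml/callback">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-123</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://acme.kinde.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>jane@acmecorp.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = parse_time("2024-01-01T12:00:30Z")
```

With `allow_idp_initiated=True` the sample is accepted as an `idp` flow and yields the mapped user; submitting the same Response a second time is rejected as a replay, and with `allow_idp_initiated=False` the unsolicited Response is refused outright. Adding `InResponseTo="_req1"` to the Response and `"_req1"` to `pending_request_ids` turns it into an accepted `sp` flow, which is the extra binding the SP-initiated flow gives you.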

Step 3: Configure your Identity Provider


In your IdP admin console, create a new SAML application with these settings:

  1. ACS URL / Reply URL: Use the ACS URL you copied from Kinde in Step 2 (e.g., https://yourdomain.kinde.com/login/saml/callback)

  2. Entity ID / Audience: Use the Entity ID you configured in Kinde

  3. Name ID format: Select the format for the Name ID used to identify users in SAML responses (Persistent recommended)

  4. RelayState (optional): Configure a default RelayState URL if your IdP supports it. This is where users are redirected after authentication. In an IdP-initiated flow the Service Provider did not set this value itself, so it arrives as untrusted input; keep it to a destination within your application.

  5. Enable IdP-initiated SSO: In your IdP’s application settings, enable the option to allow IdP-initiated sign-on (the exact setting name varies by provider)

  6. Copy the Metadata URL from your IdP. This is typically found in the SAML application settings or can be downloaded as an XML file. You’ll need this URL in the next step.

Step 4: Finish setting up your IdP connection

  1. Open the connection in Kinde. Go to Organizations > [your organization] > Authentication for an organization-level connection, or Settings > Authentication for an environment-level connection.
  2. Scroll to the IdP metadata URL field and paste the Metadata URL you copied in Step 3.
  3. (Optional) Enter the signing certificate and key information if you have it. You can do this later as well. See Advanced SAML configurations for more details.
  4. Switch on the connection. If this is your production environment, this makes it available to users immediately.
    • For environment-level connections, scroll down and select the apps that will use the auth method.
    • For organization-level connections, scroll down and select whether to switch it on for the org.
  5. Select Save. You can now use the IdP for the selected applications.

Step 5: Test the configuration


Test SP-initiated flow (standard)

  1. Navigate to your application’s login page
  2. Enter an email address matching a home realm domain
  3. You should be redirected to your IdP
  4. After authentication, you should be redirected back to your app

Test IdP-initiated flow

  1. Log in to your Identity Provider’s portal
  2. Click on your application in the IdP dashboard
  3. You should be redirected to your app and logged in automatically

Troubleshooting

  • “Invalid SAML response”
    Possible cause: Mismatched Entity ID
    Solution: Ensure the Entity ID in Kinde matches your IdP configuration exactly
  • “Signature verification failed”
    Possible cause: Certificate mismatch
    Solution: Verify your IdP’s signing certificate is correctly configured; if the IdP has rotated its certificate, make sure the metadata Kinde uses reflects the new one
  • User not created
    Possible cause: Provisioning disabled
    Solution: Enable “Create a user record in Kinde”
  • Wrong attributes
    Possible cause: Attribute mapping
    Solution: Check that your IdP attribute names match the mapped keys

For a comprehensive list of error codes, see Common errors and codes.

Security best practices

  • Prefer SP-initiated when possible: In an SP-initiated flow the Response carries an InResponseTo value that must match an AuthnRequest the Service Provider issued from the user’s browser session, so Responses that were never asked for can be rejected. An unsolicited IdP-initiated Response has no such anchor and can only be judged on its own contents (signature, Audience, Destination, validity window, and an assertion ID that has not been used before)
  • Enable IdP-initiated only when required: Only enable it for enterprise customers who specifically require portal-based access
  • Use signed requests: Configure SAML request signing so the IdP can verify that AuthnRequests really originate from Kinde
  • Enforce MFA at the IdP: Since authentication happens at the IdP and the Service Provider never sees the user’s credentials, ensure MFA is required there
  • Keep certificates current: Monitor certificate expiration and rotate before expiry; a rotated IdP certificate that Kinde has not picked up shows up as “Signature verification failed”

You’ve successfully configured IdP-initiated SAML SSO in Kinde. Your enterprise users can now access your application directly from their Identity Provider portal. Remember that while IdP-initiated SSO offers convenience, SP-initiated flows let the Service Provider tie each Response to a request it issued. Use IdP-initiated SSO only when your enterprise customers specifically require portal-based access, and test both authentication flows thoroughly before enabling them in production.