
Integrate Kisi with Azure Active Directory

info

This is a Kisi-built integration, maintained and supported by Kisi.

As a Kisi organization owner you can set up Azure single sign-on (SSO) for your Kisi users. To further control your SSO integration, you can sync it with your Azure Active Directory members and groups with SCIM.

Kisi organizations with single sign-on (SSO) can, if needed, also enable password authentication for users. If enabled, the user will be able to log in with email and password. If the user is in the organization's IdP directory, an SSO login will also be available.

Prerequisites

  • a Kisi organization owner account
  • a valid and activated SSO license

Before setting up the integration, ensure you are logged in as the Kisi organization owner and have a valid, activated SSO license. If these prerequisites are met and the SSO & SCIM option is still not visible on the dashboard, please reach out to Kisi Support for assistance.

Enable SSO on Azure Active Directory

Set up the integration in Azure Active Directory

  1. Sign in to your Azure Active Directory portal
  2. Navigate to Enterprise Applications and select All Applications
  3. Click on New application
  4. Start typing Kisi Physical Security in the search field
  5. Select Kisi Physical Security from the list and click on Create.
  6. On the Kisi Physical Security application integration page navigate to the Manage section
  7. Click on Single sign-on
  8. When prompted to Select a single sign-on method, select SAML
  9. When prompted to Set up single sign-on with SAML, select Edit under the Basic SAML Configuration section
  10. Here, if you want to configure the application in IdP initiated mode, enter the following values:
  • In the Identifier field, type the following URL: https://api.kisi.io/saml/metadata
  • In the Reply URL field, type the following URL: https://api.kisi.io/saml/consume/<DOMAIN> (You can find your Kisi organization domain under Organization Setup > Settings)
  11. If you want to configure the application in SP initiated mode, click Set additional URLs and in the Sign-on URL field type the following URL: https://web.kisi.io/organizations/sign_in?domain=<DOMAIN>
  12. Kisi expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration under User Attributes & Claims. Here is the list of default attributes:

  User attribute            Claim
  givenname                 user.givenname
  surname                   user.surname
  emailaddress              user.mail
  name                      user.userprincipalname
  Email                     user.userprincipalname
  FirstName                 user.givenname
  LastName                  user.surname
  Unique User Identifier    user.userprincipalname

  13. Under SAML Signing Certificate, copy the App Federation Metadata URL and save it on your computer
tip

For more information, check out Microsoft's tutorial on how to integrate Kisi with Azure Active Directory.
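Before switching users over to SSO it is worth confirming that the assertion Azure actually issues carries every claim from the table above. The following script is an added example, not Kisi's or Microsoft's code: it decodes a SAMLResponse (for instance one captured with a browser SAML tracer), reports which expected claims are missing and extracts the NameID used as the Unique User Identifier. The sample response embedded below is constructed; the schemas.xmlsoap.org claim URIs are the ones Azure uses for its default claims, while custom claims (Email, FirstName, LastName) are emitted with the bare name.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Claim names from the User Attributes & Claims table on this page.
# The Unique User Identifier is carried in NameID, so it is checked separately.
EXPECTED_CLAIMS = {"givenname", "surname", "emailaddress", "name",
                   "Email", "FirstName", "LastName"}


def _short(name):
    """Reduce an Azure claim URI (…/claims/givenname) to its last segment."""
    return name.rsplit("/", 1)[-1]


def check_assertion(response_b64):
    """Return (missing_claims, name_id) for a base64-encoded SAMLResponse.

    Only claim completeness is checked here; signature validation is done by
    Kisi's ACS endpoint and is deliberately out of scope for this helper.
    """
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    present = set()
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        # An attribute without a value would not satisfy Kisi either.
        if attr.find("saml:AttributeValue", NS) is not None:
            present.add(_short(attr.get("Name", "")))
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text if name_id_el is not None else None
    return EXPECTED_CLAIMS - present, name_id


# Constructed sample: the custom "Email" claim was left out on purpose.
_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAMPLE_RESPONSE = base64.b64encode((
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement>'
    + "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>x'
              '</saml:AttributeValue></saml:Attribute>'
              for n in (_CLAIMS + "givenname", _CLAIMS + "surname",
                        _CLAIMS + "emailaddress", _CLAIMS + "name",
                        "FirstName", "LastName"))
    + '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
).encode())

if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE))  # ({'Email'}, 'jane@example.com')
```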

Set up the integration in Kisi

  1. Sign in to Kisi as the organization owner
  2. Under Organization Setup, click on SSO & SCIM and paste the App Federation Metadata URL that you saved in the step above
  3. Click Save
note

You don't need any additional encryption certificate to set up SSO on Azure.

Enable SCIM on Azure Active Directory

Before you start, make sure you have SSO set up for your organization. Then follow these steps to generate a SCIM token and add the Kisi Physical Security app in Azure.

Generate your SCIM Token in Kisi

  1. Sign in to Kisi as the organization owner
  2. Under Organization setup click on SSO & SCIM
  3. Disable SCIM and click Save
  4. Re-enable it and click on Generate Token
  5. Copy the token (shown once)

Set up SCIM with Azure

  1. Sign in to your Azure Active Directory portal
  2. Click on Enterprise applications
  3. Under All Applications, select your Kisi Physical Security application
  4. Navigate to the Provision User Accounts card and click Get Started
  5. Change provisioning mode from Manual to Automatic
  6. Add https://api.kisi.io/scim/v2 as the Tenant URL and enter your SCIM token in the Secret Token field
  7. Click Test Connection and verify that the test succeeds before clicking Save
  8. Under Settings you can define whether both groups and users should be synchronized. Add an email address that will receive an alert if the synchronization fails.
  9. Navigate back to Enterprise applications, choose Kisi Physical Security and click on Users and groups
  10. Add any groups and users you want to sync with Kisi
  11. Go back to Provisioning and click Start provisioning (greyed out means it's already running)

You can sync single users on demand under Provisioning > Provision on demand. Groups cannot be synced on demand.

note

The initial Azure Active Directory sync is triggered immediately after you enable provisioning. Subsequent syncs are triggered every 20-40 minutes, depending on the number of users and groups in the application. This means that any updates in Azure might take between 20-40 minutes before they are propagated to Kisi.

Import users from Azure Active Directory

Customers who don't yet have SSO set up can still import users from their Azure Active Directory by manually setting up the integration. We recommend, however, setting up SSO to allow your Kisi users to log in with their single, existing credentials.

To be able to set this integration up, you need to have global admin permissions in Azure.

  1. Sign in to Kisi
  2. Under Organization Setup, select Integrations and click Add Integration
  3. Enter a name, open the Type dropdown and select Azure Active Directory User Import
  4. Click Authorize with Microsoft and you’ll be redirected to the Microsoft Authentication screen
  5. Sign in with your Microsoft account that has admin privileges
  6. Click Accept to allow the integration read access
  7. Once back in Kisi, select the Active Directory Group
  8. In the User Email Property section, choose either User Principal Name or Mail as the Azure AD attribute that holds the user's email address for this integration. The default value is User Principal Name.
  9. Define whether the import should be done into a Kisi group or as users only
  • For the group option, map the Azure Group to the Kisi Group. A Kisi Group is needed to share access to your place(s) with your users.
  • For the users only option, users will be imported but won't receive an invitation email from Kisi or have any access in your place(s).
  10. Click Add

The integration will be set up immediately. Everyone in the Azure Active Directory Group will get an email notification that Kisi access has been shared with them, unless you chose to import as users only.