‼️ Important changes to SAML 2.0 SSO requirements in Kentik Portal
As part of our constant efforts to secure Kentik Portal, we are updating our SSO capabilities to more recent and secure server-side code.
Evolving SAML2 standards now require Identity Provider users to configure their Identity Provider’s Public Signing key (x.509) for each Service Provider SAML2 app they govern.
⚠️ This security upgrade of our SSO/SAML 2.0 Backend requires us to make IdP Public Signing Keys (x.509 certificates) mandatory for our SSO Users.
On March 31st, Kentik accounts without this configuration will not be able to SSO into Kentik Portal: "SSO Enabled" accounts will still be able to log in via user/password, while "SSO Required" accounts will not be able to access Kentik Portal at all (save for their SuperAdmin users).
All accounts with SSO configured and an IDP Signing key configured will be migrated transparently between now and March 31st.
Read on for the instructions if you are using SSO with Kentik.
How do I know if my company needs to update its SSO configuration?
The first thing you need to know is that SSO configuration in Kentik Portal can only be modified by users with the SuperAdmin user level. Traditionally, the first user to open a Kentik account for your company is the SuperAdmin, and the only one able to create other SuperAdmins moving forward.
SuperAdmins are the only class of users who can log in with user/password credentials even when SSO is "Required". The reason for this special privilege is that at least one person in the company (ideally not too many) needs to be able to disable SSO in case of a major Identity Provider failure that would prevent your users from logging in to Kentik.
If you are a SuperAdmin, the SSO config screen will be located at
- https://portal.kentik.com/v4/settings/authentication/sso-settings if your account is on our US SaaS Cluster
- https://portal.kentik.eu/v4/settings/authentication/sso-settings if your account is on our EU SaaS Cluster
Or you can just look for the SSO Settings tab in the "Authentication & SSO" screen.
On this screen, you'll know that your company uses SSO if this field is set to either Enabled or Required. "Enabled" means your users can log in via either SSO or user/password; if "Required", they can log in only via SSO.
Next, on the same screen, look for the "IDP Public Signing Key (X.509 cert)" field depicted below. If it is empty, you do not have the signing key for your Identity Provider configured and will need to configure it before March 31st, 2025.
If that is the case, your SuperAdmin users should have already been presented with a prompt to perform this change when logging into Kentik Portal.
Where can I find this IdP Public Signing Key?
First, you need to find a co-worker who has access to your Identity Provider's admin interface. Typical Identity Providers are: Okta, Microsoft Entra ID (formerly ADFS), OneLogin, Ping Identity, Duo Security, Google Suite...
In this Identity Provider, there is one configuration per app registered for SAML2 authentication: find your Kentik Portal application's configuration.
From this point, the easiest approach is to download what is often referred to as the "Identity Provider Metadata Configuration File".
If you open this XML file with a text editor, you will find your Identity Provider's X.509 signing key between these tags:
Just copy and paste its content into Kentik Portal's SSO "IDP Public Signing Key (X.509 cert)" field and save your SSO configuration.
IMPORTANT NOTE:
Depending on your text editor, the Copy/Paste action may insert unwanted characters that will make the configured key malformed and make authentication fail.
This lifesaving online tool will strip the certificate string of all its undesirable characters so that you can safely paste it into your Kentik Portal SSO configuration.
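For SuperAdmins who would rather check the value locally than rely on an online tool, the following script is an added example (not Kentik's code, and independent of any online tool). It parses an IdP metadata file, pulls out the signing certificate(s) from the standard SAML 2.0 metadata elements, strips PEM armor, line breaks and stray characters such as tabs or non-breaking spaces that editors insert on copy/paste, and then verifies that what remains is valid base64 whose decoded bytes form one complete DER SEQUENCE, which catches the common failure of a truncated paste. The metadata document, the entityID and the certificate bytes in it are constructed placeholders, not a real identity provider's key; it uses only the Python standard library.

```python
"""Extract an IdP's SAML 2.0 signing certificate from its metadata XML and
normalize it into the single-line base64 form a Service Provider expects.

Added example, not Kentik's code. Standard library only. The sample metadata
and certificate bytes are constructed placeholders, not a real IdP key.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Standard namespace URIs used in SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for a DER certificate: a minimal ASN.1 SEQUENCE holding
# one INTEGER. Enough to exercise the length check; not a real X.509 cert.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")  # "MAMCAQU="

# Constructed metadata in the shape an IdP exports (entityID is a placeholder).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://idp.example.invalid/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {SAMPLE_CERT_B64[:4]}
          {SAMPLE_CERT_B64[4:]}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: the same value after a copy/paste through an editor, with PEM
# armor, CRLF line endings, a tab and a non-breaking space mixed in.
SAMPLE_PASTED = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "\tMAMC\u00a0\r\nAQU=\r\n"
    "-----END CERTIFICATE-----\r\n"
)

_NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")


def extract_signing_certs(metadata_xml: str) -> list[str]:
    """Return the raw text of every IdP signing certificate in the metadata.
    A KeyDescriptor with no `use` attribute covers signing too, so it is kept;
    `use="encryption"` keys are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text:
                certs.append(cert.text)
    return certs


def _check_der_sequence(der: bytes) -> None:
    """Require exactly one DER SEQUENCE: tag 0x30 and a declared length that
    matches the bytes present. A truncated or padded paste fails here."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    if header + length != len(der):
        raise ValueError(f"DER length mismatch: declares {length}, {len(der) - header} present")


def normalize_cert(raw: str) -> str:
    """Strip PEM armor, whitespace and stray characters, validate the result
    as base64 + DER, and return the single-line value to paste into the SP."""
    body = "\n".join(line for line in raw.splitlines() if "-----" not in line)
    b64 = _NOT_BASE64.sub("", body)
    if not b64:
        raise ValueError("no certificate data found")
    der = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    _check_der_sequence(der)
    return b64


def fingerprint_sha256(b64: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes, in the form most
    IdP admin consoles display, so the pasted value can be compared by eye."""
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_cert(raw: str) -> dict:
    """Normalize `raw` and report the outcome without raising."""
    try:
        b64 = normalize_cert(raw)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "cert": b64, "fingerprint": fingerprint_sha256(b64)}


if __name__ == "__main__":
    for raw in extract_signing_certs(SAMPLE_METADATA):
        print(check_cert(raw))
    print(check_cert(SAMPLE_PASTED))
    print(check_cert(SAMPLE_CERT_B64[:-4]))  # truncated paste: reported as an error
```

To use it on a real export, pass the downloaded metadata file's contents to `extract_signing_certs` and the result to `check_cert`; compare the reported fingerprint with the one shown in your Identity Provider's admin console before saving the value in Kentik Portal. If the metadata lists more than one signing certificate (IdPs do this during key rollover), confirm with the IdP admin which one is currently active.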
Additional notes
You may wonder: "Do I really need to do this? What am I getting out of this?"
- If your company accesses Kentik via SSO and you don't have an IdP Signing key, this change is mandatory.
- Remember that your local SuperAdmin will always have access to Kentik Portal with user/password credentials, and will be able to disable SSO if your users are locked out.
- The new backend code we are replacing the current SSO Engine with follows the most recent industry security practices, therefore making your Kentik Account more secure
- Our previous SSO login workflow did not carry the URL context forward: if you arrived unauthenticated with a full Kentik Portal URL, the SSO engine would log you in and send you to the homepage configured in your user profile. With this new code, we carry the inbound URL throughout the login process and land you on the URL you came in with (which is especially useful when a co-worker hands you a Data Explorer query hash and you haven't logged in yet).
If you require help with this configuration, our dedicated support team will help you at 🛟 support@kentik.com
If by March 31st you are locked out of Kentik Portal and your friendly SuperAdmin co-worker is not available to help, our Support Team can also help you.