SSO Configuration (Azure AD, OIDC, SAML2)

Enable enterprise authentication with your identity provider

In brief

KaliaOps supports Single Sign-On (SSO) via OAuth2/OIDC and SAML2 protocols, allowing your users to authenticate with their corporate credentials from Azure AD, Okta, Auth0, Keycloak, Google Workspace, or any SAML2-compatible identity provider. Configuration takes less than 15 minutes.

Overview

Single Sign-On (SSO) allows your users to access KaliaOps using their corporate credentials, eliminating the need for separate passwords. KaliaOps supports two authentication protocols:

  • OAuth2/OIDC: Used by Azure AD, Okta, Auth0, Keycloak, Google Workspace
  • SAML2: Used by ADFS, Ping Identity, OneLogin, and legacy enterprise IdPs

Why SSO Instead of LDAP?

As a cloud SaaS platform, KaliaOps cannot directly connect to your on-premises LDAP/AD servers (which are typically behind firewalls). SSO protocols are specifically designed for internet-based authentication and are the standard for enterprise cloud applications.

Azure AD Configuration

1. Create an App Registration

In the Azure Portal, go to App registrations and click New registration:

  • Name: KaliaOps SSO
  • Supported account types: Accounts in this organizational directory only
  • Redirect URI: Copy the URI shown in KaliaOps Settings > SSO

2. Get Client ID and Tenant ID

After creating the app registration, copy the following values:

  • Application (client) ID: This is your Client ID
  • Directory (tenant) ID: This is your Azure Tenant ID

3. Create a Client Secret

Go to Certificates & secrets, click New client secret, and copy the value immediately (it won't be shown again).

4. Configure API Permissions

Go to API permissions and add Microsoft Graph delegated permissions:

  • openid
  • profile
  • email
  • User.Read

Click Grant admin consent to approve these permissions.

5. Configure KaliaOps

In KaliaOps, go to Settings > Single Sign-On and enter:

  • Provider: Azure AD
  • Client ID: Your Application ID
  • Client Secret: Your secret value
  • Azure Tenant ID: Your Directory ID

Click Save and use the Test Connection button to verify.

Tip: To restrict access to a specific security group, go to Azure AD Token configuration > Add groups claim > Security groups, then enter the group's Object ID in KaliaOps.

Generic OIDC Configuration

For other identity providers (Okta, Auth0, Keycloak, Google Workspace), use the generic OIDC configuration.

Required Information

  • Client ID: Application identifier from your IdP
  • Client Secret: Secret key from your IdP
  • Issuer URL: Your IdP's OIDC issuer URL

Example Issuer URLs

  • Okta: https://your-org.okta.com
  • Auth0: https://your-tenant.auth0.com
  • Keycloak: https://keycloak.example.com/realms/your-realm
  • Google Workspace: https://accounts.google.com

Make sure to configure the redirect URI in your IdP: copy it from KaliaOps Settings > SSO.

SAML2 Configuration

For SAML2-based identity providers (ADFS, Ping Identity, OneLogin), you need to exchange metadata between KaliaOps and your IdP.

Information from Your IdP

  • IdP Entity ID: Unique identifier of your identity provider
  • IdP SSO URL: URL where users are redirected to authenticate
  • IdP Certificate: X.509 certificate for signature validation (PEM format)

Information to Provide to Your IdP

  • SP Entity ID: https://kaliaops.com/{tenant}/auth/saml2/metadata
  • ACS URL: https://kaliaops.com/{tenant}/auth/saml2/acs
  • NameID Format: Email address

Attribute Mapping

Configure your IdP to send the following SAML attributes:

  • Email (required)
  • First name and last name (optional, for auto-provisioning)
  • Groups (optional, for access control)

User Provisioning

KaliaOps can automatically create user accounts when employees log in for the first time via SSO.

Auto-Create Users

When enabled, new users are automatically created with their information from the identity provider. You can specify a default role for these users.

Link to Employees

When enabled, KaliaOps will try to match new SSO users with existing employees in your CMDB by email or name. This automatically links the user account to the employee record.

Access Control by Security Group

You can restrict SSO access to members of a specific security group. Only users who belong to this group will be able to log in. Others will see an access denied message.
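An added example (not KaliaOps code) for diagnosing a "Group access denied" result with Azure AD: it decodes the claims of an ID token and reports whether the configured group Object ID is present, including the case where Azure AD leaves group memberships out of the token (group overage). How KaliaOps itself handles overage is not documented on this page; the Object ID and the unsigned tokens below are constructed.

```python
import base64
import json

def decode_payload(id_token):
    """Decode the claims segment of a JWT for inspection only (no signature check)."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def group_verdict(claims, allowed_group_id):
    """Return (verdict, reason) for an Object ID based group restriction."""
    groups = claims.get("groups")
    if isinstance(groups, list):
        wanted = allowed_group_id.strip().lower()
        if any(str(g).lower() == wanted for g in groups):
            return ("allow", "allowed group Object ID is in the groups claim")
        return ("deny", "groups claim present, allowed Object ID not in it")
    # Azure AD omits 'groups' when the user is in too many groups and points to
    # Microsoft Graph via '_claim_names', or sets 'hasgroups' in implicit flows.
    if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
        return ("undetermined", "group overage: memberships were left out of the token")
    return ("deny", "no groups claim: add it under Token configuration")

def make_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

ALLOWED = "11111111-2222-3333-4444-555555555555"  # constructed Object ID
SAMPLES = {  # constructed claim sets, one per outcome
    "member": make_token({"email": "a@example.com", "groups": [ALLOWED.upper()]}),
    "other_group": make_token({"email": "b@example.com",
                               "groups": ["99999999-0000-0000-0000-000000000000"]}),
    "overage": make_token({"email": "c@example.com",
                           "_claim_names": {"groups": "src1"}}),
    "no_claim": make_token({"email": "d@example.com"}),
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        print(name, group_verdict(decode_payload(token), ALLOWED))
```

An "undetermined" result must never be treated as membership: the token simply does not say which groups the user is in.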

Testing and Troubleshooting

After configuring SSO, use the Test Connection button to verify that KaliaOps can communicate with your identity provider.

Common Issues

Invalid state parameter
This indicates a CSRF protection issue. Make sure cookies are enabled and the redirect URI is correctly configured.

Group access denied
The user is not a member of the allowed security group. Check group membership in your IdP.

Invalid OIDC discovery response
The issuer URL is incorrect. Verify you can access {issuer}/.well-known/openid-configuration.

Signature validation failed (SAML2)
The IdP certificate is incorrect or expired. Download the current certificate from your IdP.
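For the "Invalid OIDC discovery response" case, the following added example (not KaliaOps code) checks a discovery document against the issuer URL you entered: required metadata present, issuer identical to the configured value, endpoints served over https. The sample document is constructed for the Keycloak issuer format shown on this page; `fetch_and_check` is the live variant and needs network access to your IdP.

```python
import json
import urllib.request

# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED
# (token_endpoint is required unless only the implicit flow is used).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def discovery_url(issuer):
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(configured_issuer, doc):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = [f"missing field: {name}" for name in REQUIRED if name not in doc]
    published = doc.get("issuer")
    if published is not None and published != configured_issuer:
        if str(published).rstrip("/") == configured_issuer.rstrip("/"):
            problems.append(f"issuer differs only by a trailing slash: use {published!r}")
        else:
            problems.append(f"issuer mismatch: document says {published!r}")
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if name in doc and not str(doc[name]).startswith("https://"):
            problems.append(f"{name} is not an https URL")
    return problems

def fetch_and_check(configured_issuer, timeout=10):
    """Live variant: download the document from the IdP, then run the same checks."""
    with urllib.request.urlopen(discovery_url(configured_issuer), timeout=timeout) as resp:
        return check_discovery(configured_issuer, json.load(resp))

# Constructed sample for the Keycloak issuer format shown on this page.
ISSUER = "https://keycloak.example.com/realms/your-realm"
SAMPLE_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_discovery(ISSUER, SAMPLE_DOC))        # clean document
    print(check_discovery(ISSUER + "/", SAMPLE_DOC))  # trailing-slash mismatch
```

The issuer comparison is an exact string match because the discovery specification requires the published issuer to be identical to the URL the client was configured with.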

Tip: You can always fall back to email/password authentication for administrator accounts. This ensures you can recover access if SSO is misconfigured.

Key points

  • Support for Azure AD, Okta, Auth0, Keycloak, Google Workspace
  • OAuth2/OIDC and SAML2 protocols
  • Automatic user provisioning on first login
  • Group-based access control (security groups)
  • Optional 2FA on top of SSO authentication

Need help with SSO setup?

Our support team can help you configure SSO for your organization.
