Security

Introduction

By integrating SAML SSO with Kubit’s Self-Service Analytics with either Google G-Suite or Okta, you can have fine control on which users in your organization can sign in to Kubit using their existing credential. This Single Sign On approach eliminates yet another set of username/password to be remembered, simplify user management, and also can improve security through your existing Multi-Factor Authentication.

Requirements

• Your organization uses Google G-Suite or Okta for authentication.
• You have Admin role.

Roles

• Identity Provider (IdP): Google or Okta
• Service Provider: Auth0 (through Kubit)

JIT Provision

With SAML integration, once a user is created on your end (optionally included in a Security Group which has access to Kubit), that user can login to Kubit immediately. The user profile information will also be automatically updated at every login time.

When a user is deleted/deactivated on your end, they will lose access to Kubit immediately too. There is no offline communication required.

Steps

SAML configuration is a process which consists of the following 6 steps. Kubit engineers will be available to support you with setting up and testing the integration.

1. Configure SAML app

Kubit will provide the exact configuration information required on your side. Below is just an example of general settings:

• App Name: Kubit
• Home page: https://<YOUR_ORG>.kubit.ai
• Logo: https://<YOUR_ORG>.kubit.ai/images/Kubit.png
• Single Sign On URL (also called ACS or Assertion Consumer Service URL): https://auth.kubit.ai/login/callback?connection=<CONNECTION_NAME>
• Audience URI (Entity ID): urn:auth0:kubit:<CONNECTION_NAME>

2. Map Attributes

Google G-Suite

Okta

• Map user.email to email
• Map String.join(" ", user.firstName, user.lastName) to name #using Okta Expression Language
• Map user.firstName to given_name
• Map user.lastName to family_name
• Map user.profileUrl to picture

‍

‍

3. Respond

Once configured on your side, please provide the following information to Kubit support through a secure channel (eg Slack). For Okta, a metadata file (sample URL https://*****.okta.com/app/*******/sso/saml/metadata) should include them all.

• Sign in URL (SSO URL / ACS URL) for your IdP.
• For Google, eg: https://accounts.google.com/o/saml2/idp?idpid=********
• For Okta, eg: https://****.okta.com/app/******/******/sso/saml
• X509 certificate in a .pem file

4. Test

Once configured properly on both sides, please work with Kubit support to test the integration.

• Make sure yourself has been assigned permission to access Kubit app on your side.
• Try to access https://<YOUR_ORG>.kubit.ai
• Type in your organization's email. The password field will disappear with SSO enabled.
• Click on Sign In

5. Open Access

• Google: you may choose to turn on Kubit App to everyone, or a specific group
• Okta: assign Kubit App to specific users

6. Idp-Initiated SSO

Due to security concerns, Kubit doesn't support Idp-Initiated SSO. User has to go to Kubit website first to initiate the login (SP-Initiated).

• Google: clicking on the Kubit App logo on Google Workspace Dashboard would fail. We don't know a way to hide that logo.
• Okta: please hide the Kubit SSO App from users and create a Bookmark App instead.

References

• Google: Setup your own SAML App
• Auth0: SAML IdP Configuration Settings