How to Integrate Single Sign-On into Command

Command Single Sign-On (SSO) support uses the SAML standard. Your Identity Provider (IDP) platform must be able to send a SAML assertion. You must work with your Customer Success Manager (CSM) and Implementation Engineer (IE) to implement SSO support in Command.

The Command SSO solution supports two options:

Authentication Only

Once enabled, this option removes user authentication (signing in) from Kount and gives that task to the IDP. The user then authenticates to Kount through SSO, but the assignment of the Kount groups is still completed in the Command portal.

Authentication and Authorization

Once enabled, this option removes user authentication (signing in) and user authorization (assigning users to groups) from Kount and gives that task to the IDP. The SAML assertion must include group attributes that match the Kount groups used.

Single Sign-On Configuration

You must have a service agreement in place for SSO support before attempting configuration.

Information checklist:




Email Domain Mapping

This value is set by the Customer Success Manager.

Provide a list of email domains that a customer's end-users use.

This step is necessary to associate new end-users with the customer's account.

Domains must be unique across customers (deleted entries are not counted), meaning the domain cannot be a common email domain (like,, etc.).

Validated against regex: "^(?:[-A-Za-z0-9]+\.)+[A-Za-z]{2,10}$^"

Group Assignment (only for the Authentication and Authorization option)

User roles are based on group assignment, so some planning and configuration are required to get the expected behavior.

Setting up groups in your IDP allows them to be mapped to Kount permission roles.

Setting up the Test and Production Environment

The steps are the same when setting up either your test or production environment. Work with your Customer Success Manager and Implementation Engineer to complete the following steps:

  1. We set up and enable the Service Provider environment to receive SAML and provide the following to the IDP:

    • Assertion Consumer Service URL

    • Audience URI

    • Kount SSO Metadata File

    • Kount SSO Certificate

  2. Configure the IDP with the following:

    • Set up SAML assertion

    • Include required attributes (firstName, lastName, email, etc.)

    • Include group attributes (for authorization option)

  3. Once the IDP configuration is complete, send the following to us:

    • IDP Issuer URI


    • IDP Signature certificate (.pem file)


      If you are unsure how to download the cert, we may be able to extract it from the metadata.

    • Metadata file or link

  4. We complete the configuration on our end with the new values.

  5. Coordinate a cutover to enable SSO in the test environment. This is when the service provider enables the service and the IDP requires a test of the logins.

  6. Once enabled in the test environment, repeat these steps in the production environment.

Frequently Asked Questions

How do I do group planning and setup for SSO customers?


We do not recommend using groups.

If the Authentication and Authorization option has been chosen, then the IDP is responsible for sending the Kount groups in the SAML assertion. The attribute name should be groups and the values sent should match existing Kount groups. Multiple values can be sent to combine group permissions.

When using Authentication and Authorization, group data must come from the IDP and cannot be manually edited in the Kount portal.

The default AWC groups are:

  • Kount Admin

  • Kount Agent

  • Kount Agent Manager

  • Kount Employee

  • Kount Lead Agent

  • Kount Manager

  • Kount New Editor

  • Kount Risk Editor
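The attribute requirements described above (firstName, lastName, email, plus groups for the Authentication and Authorization option) can be checked against a sample assertion from your IDP before the cutover. The Python below is an added example, not Kount code: the function name lint_assertion, the constructed sample assertion, exact case-sensitive matching against the default groups listed above, and the use of the domain regex without its trailing "^" are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Domain regex from this page, minus the trailing "^" (assumed to be a typo).
DOMAIN_RE = re.compile(r"^(?:[-A-Za-z0-9]+\.)+[A-Za-z]{2,10}$")
REQUIRED = ("firstName", "lastName", "email")
KOUNT_GROUPS = {  # default groups listed on this page; exact match is assumed
    "Kount Admin", "Kount Agent", "Kount Agent Manager", "Kount Employee",
    "Kount Lead Agent", "Kount Manager", "Kount New Editor", "Kount Risk Editor",
}

def lint_assertion(xml_text, mapped_domains, authorization=True):
    # Configuration lint only: no signature check, so never use this to
    # decide whether an assertion is trusted.
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    problems = [f"missing attribute: {n}" for n in REQUIRED if not any(attrs.get(n, []))]
    for email in attrs.get("email", []):
        domain = email.rpartition("@")[2]
        if not DOMAIN_RE.match(domain):
            problems.append(f"invalid email domain: {domain!r}")
        elif domain.lower() not in mapped_domains:  # mapped_domains: lowercase set
            problems.append(f"unmapped email domain: {domain}")
    if authorization:  # groups are only required for the authorization option
        groups = attrs.get("groups", [])
        if not groups:
            problems.append("missing attribute: groups")
        problems += [f"unknown group: {g!r}" for g in groups if g not in KOUNT_GROUPS]
    return problems

# Constructed sample assertion (unsigned, trimmed to the attribute statement).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
   <saml:AttributeValue>Kount Agent</saml:AttributeValue>
   <saml:AttributeValue>kount admin</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in lint_assertion(SAMPLE, {"example.com"}):
        print(problem)
```

Pass authorization=False when only the Authentication Only option is in use, since group assignment then stays in the Command portal.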
