Owner-only settings. SSO and Security configuration is restricted to Workspace Owners. Admins cannot access these settings. Before enabling SSO enforcement, verify the configuration works — incorrectly configured SSO can lock users out.
OIDC (OpenID Connect) SSO
OIDC is the recommended SSO method for most identity providers (Okta, Azure AD, Google Workspace, Auth0, and others). When OIDC is configured, users can sign in with their identity provider credentials.
In your identity provider, create a new OIDC application. Note the Client ID and Client Secret. Set the redirect URI to: https://[your-domain]/api/auth/sso/callback
Go to Settings → SSO & Security → Configure SSO. Select OIDC. Enter the Client ID, Client Secret, and Discovery URL.
Click Test SSO to verify the configuration works. Then toggle Enforce SSO to require SSO for all workspace members.
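A pre-flight check that can be run before clicking Test SSO, as an added example that is not Kansov's own code: it validates the IdP's discovery document and the redirect URI registered at the IdP. The function names, example.com hostnames and sample documents are constructed, and it assumes the authorization code flow is used.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"
CALLBACK_PATH = "/api/auth/sso/callback"  # redirect URI path given on this page
NEEDED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
          "response_types_supported", "id_token_signing_alg_values_supported")

def fetch_discovery(discovery_url):
    """Download the discovery document (not called by the offline samples below)."""
    with urlopen(discovery_url, timeout=10) as resp:
        return json.load(resp)

def check_discovery(discovery_url, doc):
    """Return a list of problems found in an OIDC discovery document."""
    problems = [f"missing field: {k}" for k in NEEDED if k not in doc]
    # The issuer is the discovery URL minus the well-known suffix. A trailing
    # slash is tolerated because some IdPs publish the issuer with one.
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL lacks " + WELL_KNOWN)
    elif str(doc.get("issuer", "")).rstrip("/") != discovery_url[:-len(WELL_KNOWN)].rstrip("/"):
        problems.append("issuer does not match discovery URL")
    # Endpoints that carry codes, secrets or signing keys must be HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # Assumption: the authorization code flow is used (client secret + callback).
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("authorization code flow not offered")
    if set(doc.get("id_token_signing_alg_values_supported", ["RS256"])) <= {"none"}:
        problems.append("no signed ID token algorithm offered")
    return problems

def check_redirect_uri(uri, domain):
    """The URI registered at the IdP must match the callback exactly."""
    u = urlparse(uri)
    return (u.scheme, u.netloc, u.path, u.query, u.fragment) == \
           ("https", domain, CALLBACK_PATH, "", "")

# Constructed sample documents (example.com values, not from any real IdP).
URL = "https://idp.example.com" + WELL_KNOWN
GOOD = {"issuer": "https://idp.example.com",
        "authorization_endpoint": "https://idp.example.com/authorize",
        "token_endpoint": "https://idp.example.com/token",
        "jwks_uri": "https://idp.example.com/keys",
        "response_types_supported": ["code"], "id_token_signing_alg_values_supported": ["RS256"]}
BAD = {**GOOD, "issuer": "https://login.example.net",
       "token_endpoint": "http://idp.example.com/token", "id_token_signing_alg_values_supported": ["none"]}
```

An empty list from `check_discovery` and `True` from `check_redirect_uri` mean the values are consistent; the Test SSO step is still what confirms the sign-in flow.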
SAML 2.0 SSO
Use SAML for IdPs that prefer it. Kansov supports SP-initiated SAML 2.0 with signed assertions. Configuration follows the same pattern as OIDC — enter your IdP metadata URL or upload the XML metadata file.
SCIM User Provisioning
SCIM automates user lifecycle management — users are created, updated, and deprovisioned in Kansov automatically when they're added or removed in your IdP.
| Operation | What it does in Kansov |
|---|---|
| Create user | Creates a new workspace member when a user is assigned in the IdP |
| Update user | Updates name and email when changed in the IdP |
| Deactivate user | Immediately revokes workspace access when deprovisioned |
| Group mapping | IdP groups can be mapped to Kansov roles |
Multi-Factor Authentication (MFA)
Go to Settings → Workspace → Require MFA and toggle it on. All users who haven't enrolled in MFA will be prompted at their next login.
Audit Logs
Security-relevant actions are logged and available at Settings → SSO & Security → Audit Logs. Logs are retained for 90 days and include logins, team changes, settings changes, and admin actions.