kintone

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) for kintone using SAML.

About kintone

kintone is an enterprise rapid application development platform that allows its users to build business applications and database apps faster and more easily.

After integrating kintone with Oracle Identity Cloud Service:

  • Users can access kintone using their Oracle Identity Cloud Service login credentials.
  • Users can start kintone using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the kintone app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • A kintone account with authorization rights to configure federated authentication.
  • Make sure that the email ID of each user in kintone matches the primary email ID of the Oracle Identity Cloud Service account.

Configuring the kintone App in Oracle Identity Cloud Service

Use this section to register and activate the kintone app, and then assign users to the app.

Prerequisite Steps

A dedicated domain name is required before you can register and activate the kintone app.

The kintone domain name is the <Domain_Name> part of the kintone login URL, https://<Domain_Name>.kintone.com/, that you received in an email from kintone.

Registering and Activating the kintone App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for kintone, and then click Add.

  4. In the App Details section, enter your kintone Domain Name, and then click Next.

    Note: This is the Domain Name value that you obtained while performing the steps in the "Prerequisite Steps" section.

  5. Click Download Signing Certificate.

    Tip: Use this file later during the kintone configuration in the "Configuring SSO for kintone" section.

  6. Click Finish. Oracle Identity Cloud Service displays a confirmation message.

  7. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Assigning Users to the kintone App

  1. On the kintone app page in Oracle Identity Cloud Service, select Users, and then click Assign. The Assign Users window appears.

  2. Select users that you want to assign to kintone, and then click OK. Oracle Identity Cloud Service displays a confirmation message stating that the kintone app is assigned to the users that you selected.

Configuring SSO for kintone

  1. Access kintone as an administrator using the login URL: https://<Domain_Name>.kintone.com/login. The kintone home page appears.

  2. In the upper-right corner, click the settings icon, and then select Users & System Administration from the drop-down list. The Service Usage page appears.

  3. In the left navigation menu, locate the Security section, and then click Login. The Login Security page appears.

  4. Locate the SAML Authentication section, use the table to update the federated authentication attributes, and then click Save.

    This table lists the mandatory federated authentication attributes that you must set to complete the SSO configuration.

    Attribute                     Value
    Enable SAML authentication    Select the check box to enable SSO.
    Login URL                     Enter the Sign-in URL/SSO Endpoint: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso.
    Logout URL                    Enter the Sign-out URL/SLO Endpoint: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.
    Certificate                   Upload the Oracle Identity Cloud Service certificate that you downloaded during kintone registration in Oracle Identity Cloud Service. See the "Registering and Activating the kintone App" section.

    Note: Enabling SSO deactivates the ability to log in directly on the app using a kintone user name and password. Remain logged in to the kintone session until you complete the next section to verify that Identity Provider initiated SSO from Oracle Identity Cloud Service works.

Verifying the Integration

Use this section to verify that SSO works when initiated from kintone (SP Initiated SSO).

Verifying Service Provider Initiated SSO from kintone

  1. Access kintone using the login URL: https://<Domain_Name>.kintone.com/login. You are redirected to the Oracle Identity Cloud Service login page.

  2. Log in using credentials for a user that is assigned to the kintone app. The kintone home page appears.

  3. In the upper-right corner, confirm that the user that is logged in is the same for both kintone and Oracle Identity Cloud Service.

    This confirms that SSO initiated from kintone works.
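The redirect in step 1 can also be checked offline from the Location URL copied out of the browser's network tab. The following is an added example, not Oracle or kintone code: it assumes kintone sends its AuthnRequest with the SAML HTTP-Redirect binding, and the host names and the issuer value in the sample are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_redirect_request(location):
    """Decode the AuthnRequest carried in a SAML HTTP-Redirect binding URL."""
    parts = urlsplit(location)
    values = parse_qs(parts.query).get("SAMLRequest")
    if not values:
        raise ValueError("redirect carries no SAMLRequest parameter")
    xml = zlib.decompress(base64.b64decode(values[0]), -15)  # raw DEFLATE stream
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message; refusing to parse")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "destination": root.get("Destination"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
    }

def check_sp_redirect(location, expected_login_url):
    """Return a list of problems; an empty list means the redirect looks right."""
    info = decode_redirect_request(location)
    problems = []
    if not location.startswith("https://"):
        problems.append("redirect target is not HTTPS")
    if info["endpoint"] != expected_login_url:
        problems.append(f"redirected to {info['endpoint']}, not the configured Login URL")
    if info["destination"] not in (None, expected_login_url):
        problems.append(f"AuthnRequest Destination is {info['destination']}")
    return problems

def constructed_redirect(idp_url, sp_issuer):
    """Build a constructed sample redirect URL so the check runs offline."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed" Version="2.0" Destination="{idp_url}">'
           f'<saml:Issuer>{sp_issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return idp_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

if __name__ == "__main__":
    idp = "https://IDCS-SERVICE-INSTANCE.identity.oraclecloud.com/fed/v1/idp/sso"  # placeholder
    print(check_sp_redirect(constructed_redirect(idp, "https://DOMAIN-NAME.kintone.com"), idp))
```

A non-empty result usually points to a typo in the Login URL field of the SAML Authentication section.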

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

kintone displays the message, "No user account for that NameID found"

Cause: The email attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in kintone.

Solution: Ensure that the user that you assign to the kintone app has an account in both Oracle Identity Cloud Service and kintone with the same email address.
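To see which value Oracle Identity Cloud Service actually sent, the NameID can be read from a SAMLResponse form field captured in the browser and compared with the email addresses that exist in kintone. This is an added diagnostic example, not Oracle or kintone code: it assumes an unencrypted assertion, does not verify the signature, and uses constructed sample data. The "near-miss" category only flags a likely typo; how kintone compares case is not stated on this page.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def name_id_from_response(saml_response_b64):
    """Return (NameID text, Format) from a base64 SAMLResponse (POST binding)."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message; refusing to parse")
    root = ET.fromstring(xml)
    node = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if node is None or not node.text:
        raise ValueError("no Subject/NameID found (the assertion may be encrypted)")
    return node.text, node.get("Format")

def diagnose(saml_response_b64, kintone_emails):
    """Classify the NameID against the set of email addresses known to kintone."""
    name_id, _ = name_id_from_response(saml_response_b64)
    if name_id in kintone_emails:
        return "match", name_id
    folded = {e.strip().casefold() for e in kintone_emails}
    if name_id.strip().casefold() in folded:
        return "near-miss", name_id  # differs only by case or surrounding whitespace
    return "missing", name_id

def constructed_response(name_id):
    """Build a constructed, unsigned sample response so the check runs offline."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0"><saml:Assertion ID="_constructed2" '
           f'Version="2.0"><saml:Subject><saml:NameID '
           f'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
           f'{name_id}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    sample = constructed_response("Alice@Example.com")       # constructed sample
    print(diagnose(sample, {"alice@example.com", "bob@example.com"}))
```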

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service kintone app and kintone is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select kintone.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the kintone app using Oracle Identity Cloud Service.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select kintone.
  • In the App Details section, select Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.