This page explains how to configure and use Single Sign-On (SSO) to log in to KANNA.
*Note: Availability of this feature depends on your subscription plan. Please contact your account representative if you wish to enable it.
・ Supported Identity Providers
・ Setup instructions (for Microsoft Entra ID)
1. Supported Identity Providers
The following Identity Provider (IdP) services can be used to log in to KANNA:
- Microsoft Entra ID
A valid IdP subscription must be in place before configuring Single Sign-On. For details on IdP-side configuration, please consult your IdP provider.
2. Setup Instructions (for Microsoft Entra ID)
Step 1: [Microsoft] Create an Application and Register SaaS Information
Step 1-1: [Microsoft] Create an Enterprise Application
In the Microsoft Entra admin center, go to Enterprise Applications → New application.
Select Create your own application (non-gallery), enter a name for the SaaS service, and click Create.
Step 1-2: [Microsoft] Begin Single Sign-On (SSO) Configuration
In the management screen for the application you just created, select Single sign-on → SAML.
Step 1-3: [KANNA] Confirm the SAML Configuration Issued by KANNA
In KANNA, go to Settings > Security Settings > Single Sign-On (SSO).
Confirm the values for Identifier (Entity ID) and Reply URL (ACS URL).
| Field | Description |
|---|---|
| Identifier (Entity ID) | The ID that uniquely identifies the SaaS application |
| Reply URL (ACS URL) | The SaaS-side URL to which Microsoft sends the authentication response after successful login |
Step 1-4: [Microsoft] Apply the SAML Configuration from KANNA
Copy the values displayed in KANNA and enter them into the Microsoft configuration screen.
Step 2: [Microsoft] Retrieve Integration Details and Assign Users
Step 2-1: [Microsoft] Retrieve the Certificate and URLs
From the SAML Signing Certificate section of the configuration screen, download the following:
| Item | Description |
|---|---|
| Certificate (Base64) | Public key certificate used for signature verification |
Then confirm that the following information is available in the Set up [your app name] section:
| Item | Description |
|---|---|
| Login URL | The redirect destination when a user logs in |
| Microsoft Entra Identifier | The unique ID for your Microsoft Entra ID |
Step 2-2: [KANNA] Configure the Identity Provider Information
Enter the information obtained in Step 2-1 into the KANNA admin panel. After entering all values, be sure to click Save.
Step 2-3: [Microsoft] Assign Users/Groups
From Users and groups → + Add user/group, add the users or groups who should have access to this SaaS application.
Select the users to assign. The email address of each selected user must also be registered as an administrator in KANNA.
⚠️ Skipping this step will result in a login error (Error AADSTS50105) even if the configuration is otherwise correct. Always confirm that the email address assigned on the Microsoft side is also registered as an administrator in KANNA. Administrators who have not been assigned, or whose email addresses are not registered on both sides, will not be able to log in via Single Sign-On.
Step 3: [Verification] Connection Test
Step 3-1: [KANNA] Test Login
Attempt to log in from the KANNA login screen (SSO button, etc.). First, select Log in with external account.
Next, select Log in with Microsoft.
Enter the email address of a user assigned in Microsoft. (This email address must also be registered as an administrator in KANNA.)
If you are already logged into Microsoft in the same browser, you will see the following screen — select the email address to use for login.
If you are not already logged into Microsoft in the same browser, the Microsoft login screen will appear. Log in using your Microsoft credentials and complete two-factor authentication if required.
Once Microsoft authentication is complete, you will be logged in to KANNA.
Step 4: Related Settings
Disable Email Login:
This setting can only be configured by users with Owner permissions. When enabled, all members except the Owner will no longer be able to log in with their email address. This enforces Single Sign-On login for all administrators, helping to maintain a consistent security level.
Force Logout:
Executing this function logs out all currently active members of your organization, forcing everyone to log in again. Running this after configuring Single Sign-On ensures that all members are required to re-authenticate via SSO.
3. Login Method
To log in to KANNA via Single Sign-On, follow the same steps as the connection test described above.
From the KANNA login screen, select Log in with external account.
Next, select Log in with Microsoft.
Enter the email address of a user assigned in Microsoft. (This email address must also be registered as an administrator in KANNA.)
If you are already logged into Microsoft in the same browser, you will see the following screen — select the email address to use for login.
If you are not already logged into Microsoft in the same browser, the Microsoft login screen will appear. Log in using your Microsoft credentials and complete two-factor authentication if required.
Once Microsoft authentication is complete, you will be logged in to KANNA.