Kondo supports SAML SSO on the Enterprise plan for teams that need centralized login through their identity provider (e.g. Okta, Azure AD, OneLogin). With SSO enabled, your team signs into Kondo using their company credentials. Your IT admin controls who has access by assigning or unassigning the Kondo app in your identity provider.

What SSO gives you

  • Centralized access — IT controls who can access Kondo from your identity provider
  • MFA enforcement — your company’s MFA policies apply to Kondo logins
  • Automatic offboarding — when someone leaves and IT disables their account, they can no longer sign into Kondo
  • New employee access — employees get a Kondo account automatically the first time they sign in through SSO

How to set up SSO

Reach out to us at [email protected] to get started. Here’s what the setup looks like:
  1. Your IT admin creates a SAML app for Kondo in your identity provider (e.g. Okta), using these URLs:
    • Single sign-on URL (ACS URL): https://supa.trykondo.com/auth/v1/sso/saml/acs
    • Audience URI (Entity ID): https://supa.trykondo.com/auth/v1/sso/saml/metadata
    • Name ID format: EmailAddress
  2. Your IT admin assigns employees to the app
  3. Send us your SAML metadata URL and email domain at [email protected]
  4. We enable SSO for your domain — your team can start signing in
Setup takes a few minutes once we have your metadata URL.
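
An added example, not Kondo's code: a pre-flight check an IT admin could run on a decoded test SAML response from their own identity provider, to confirm it carries the ACS URL, Entity ID and Name ID format from step 1. The function names, the constructed sample XML and the email-domain check are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Values from step 1 of the setup on this page.
ACS_URL = "https://supa.trykondo.com/auth/v1/sso/saml/acs"
ENTITY_ID = "https://supa.trykondo.com/auth/v1/sso/saml/metadata"
# SAML URI that IdPs emit for the "EmailAddress" Name ID format.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(xml_text, email_domain):
    """List mismatches between a decoded SAML response and the settings above.
    Configuration check only: it does not validate signatures or timestamps."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the ACS URL")
    recipients = [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("no SubjectConfirmationData Recipient equals the ACS URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not contain the Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    else:
        if name_id.get("Format") != NAMEID_EMAIL:
            problems.append("NameID Format is not emailAddress")
        # Assumption: NameID values belong to the email domain sent in step 3.
        if not (name_id.text or "").strip().lower().endswith("@" + email_domain.lower()):
            problems.append("NameID is not an address in " + email_domain)
    return problems

def sample(dest, audience, fmt, name_id):
    """Constructed test response (hypothetical values, not real IdP output)."""
    return f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}" Destination="{dest}">
 <saml:Assertion><saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{dest}"/></saml:SubjectConfirmation>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    good = sample(ACS_URL, ENTITY_ID, NAMEID_EMAIL, "alice@example.com")
    bad = sample(ACS_URL, ACS_URL, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "alice")
    print(check_response(good, "example.com"))
    print(check_response(bad, "example.com"))
```

An empty list means the response matches the three settings; each string in a non-empty list names one field to correct in the identity provider's SAML app.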

How your team signs in

  1. Go to the Kondo login page
  2. Click Sign in with SSO
  3. Enter your work email address
  4. You’ll be redirected to your company’s login page (e.g. Okta)
  5. Sign in with your company credentials
  6. You’ll be redirected back to Kondo, signed in

Can my team still sign in with Google or Microsoft?

If SSO is enabled for your domain, your team will need to sign in through SSO. Signing in with Google or Microsoft will redirect you to the SSO flow.

Does SSO work with any identity provider?

Kondo supports any identity provider that uses SAML 2.0, including Okta, Azure AD, OneLogin, Google Workspace, and others.

What about SCIM?

SCIM (automated user provisioning and deprovisioning) is not yet supported. Accounts are created automatically on first SSO login, and access is controlled by assigning or unassigning the Kondo app in your identity provider.