SSO Overview
Learn how to log in to Hanzo KMS via SSO protocols.
Hanzo KMS offers Google SSO and GitHub SSO for free across both Hanzo KMS Cloud and Hanzo KMS Self-hosted. SAML SSO authentication and OpenID Connect (OIDC) are also available, but as paid features that can be unlocked on Hanzo KMS Cloud's Pro tier or via an enterprise license on self-hosted instances of Hanzo KMS. For these, we support industry-leading providers including Okta, Azure AD, and JumpCloud; if you have any questions, please reach out to team@kms.hanzo.ai.
You can configure your organization in Hanzo KMS to have members authenticate with the platform via protocols like SAML 2.0 or OpenID Connect.
Identity providers
Hanzo KMS supports these and many other identity providers:
If your required identity provider is not shown in the list above, please reach out to team@kms.hanzo.ai for assistance.
For enhanced security, Hanzo KMS enforces PKCE (Proof Key for Code Exchange) with the OAuth 2.0-based SSO providers and OIDC. This provides additional protection against authorization code interception attacks and strengthens your authentication flow security.
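The PKCE check described above, sketched as an added example (not Hanzo KMS code). It assumes the S256 challenge method from RFC 7636; `ToyAuthorizationServer` is a hypothetical in-memory stand-in for an identity provider.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier (allowed: 43-128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """Hypothetical in-memory identity provider, for illustration only."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        """Authorization request: bind the issued code to the client's challenge."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code  # returned to the client through the browser redirect

    def token(self, code: str, code_verifier: str) -> bool:
        """Token request: release tokens only if the verifier matches the challenge."""
        expected = self._pending.pop(code, None)  # single use, even on failure
        if expected is None:
            return False
        return hmac.compare_digest(s256_challenge(code_verifier), expected)


def demo() -> dict[str, bool]:
    idp = ToyAuthorizationServer()
    verifier = new_code_verifier()  # never leaves the client until the token request
    challenge = s256_challenge(verifier)
    # Someone who only observed the redirect holds the code but not the verifier.
    observed_code = idp.authorize(challenge)
    intercepted = idp.token(observed_code, new_code_verifier())
    # The legitimate client redeems a fresh code with the verifier it kept.
    code = idp.authorize(challenge)
    legitimate = idp.token(code, verifier)
    replayed = idp.token(code, verifier)  # code already consumed
    return {"intercepted": intercepted, "legitimate": legitimate, "replayed": replayed}
```

Only the challenge travels with the authorization request, so the code alone is not enough to obtain tokens.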
SSO Break Glass
If your SSO provider experiences downtime and you need to access Hanzo KMS, Organization Admins can use the Admin Login Portal to bypass SSO enforcement.
This portal is accessible at /login/admin (e.g., https://app.kms.hanzo.ai/login/admin).
To bypass SSO for an organization, you must be an Organization Admin for that specific organization. This Organization Admin role is independent of Server Admin status. Being a Server Admin alone does not grant permission to use this bypass feature.
FAQ
By default, Hanzo KMS Cloud is configured to not trust emails from external identity providers to prevent any malicious account takeover attempts via email spoofing. Accordingly, Hanzo KMS creates a new user for anyone provisioned through an external identity provider and requires an additional email verification step upon their first login.
If you're running a self-hosted instance of Hanzo KMS and would like it to trust emails from external identity providers, you can configure this behavior in the Server Admin Console.
You are likely being redirected because you do not have email authentication mode enabled, or you're not an Organization Admin. This portal requires Organization Admin status and direct credential login (email and password). Server Admin status alone is insufficient.