Iru
Configure Iru MDM SSO
Prerequisites
- Administrator access to your Iru tenant
- A SplitSecure Identity Provider created and approved
- Approval set members must already exist in Iru before they can authenticate via SSO
- A separate browser or browser profile with SplitSecure configured (for testing)
Iru Configuration
Create a Custom SAML Connection
- Log in to the Iru Web App
- In the left sidebar, click Settings
- Click the Access tab
- Scroll to the Authentication section
- Click Add
- Select Custom SAML, then click Next
In the section Identity Provider Configuration Information, note the URL from Service Provider Metadata File — you’ll need it when adding the Iru secure account in SplitSecure.
Fill the form with the following fields:
| Field | Value |
|---|---|
| Name | (e.g., “SplitSecure SAML”) |
| Sign-In URL | https://app.us.splitsecure.com/saml2/sp/login |
| Sign-Out URL | https://app.us.splitsecure.com/saml2/sp/logout |
| Signing Certificate Upload | Download from SplitSecure: Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Certificate |
| User ID Attribute | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
| Sign Request | On (recommended) |
| Sign Request Algorithm | RSA-SHA256 |
| Sign Request Algorithm Digest | SHA 256 |
| Protocol Binding | HTTP-Redirect |
Click Save
Enable the Custom SAML Identity Provider
- The connection will appear in the Authentication section as Disabled
- On the right, click the ellipsis menu (⋮) and select Enable
Create a New User
- In Iru, go to Settings → Access
- Click New User in the Admin Team section
- Enter the user’s information
- Click Submit
- The user will receive an invitation email
SplitSecure Configuration
Create the Iru Secure Account
In SplitSecure, navigate to Secure Accounts → Create Account → Iru
Enter a name for your account
Select the Identity Provider used in the Iru configuration
Configure the Service Provider details:
Field Value/Description Name (e.g., “My Iru Account”) Identity Provider Select the Identity Provider used in the Iru configuration Metadata URL Corresponds to Service Provider Metadata File (found when configuring the IdP on Iru, looks like: https://auth.kandji.io/samlp/metadata?connection=)Default Email Optional Click Create Account
Enforce SSO (Optional)
Once SSO is working, you can disable standard authentication to enforce SSO-only access.
Disable Standard Authentication
- In Iru, go to Settings → Access → Authentication
- Find the Standard Authentication connection
- Click the ellipsis menu (⋮)
- Select Disable
Disabling standard authentication removes the ability for administrators to sign in via email/password, Google, or Microsoft. Ensure your SSO connection is working correctly before disabling.
If you lose SSO access to your Iru tenant, contact Iru Support to have standard authentication re-enabled.
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
Test Authentication (SP-Initiated)
- Navigate to your Iru tenant URL
- Click Sign in with your Identity Provider (or select the SSO connection)
- You should be redirected to SplitSecure
- Enter your email address when prompted (should correspond to an existing email in the admin approval set)
- Click Request Access
- Complete the authentication flow
- Upon success, you’ll be logged into the Iru Web App
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| User cannot log in | User doesn’t exist in Iru | Add the user as an approval set member before they attempt SSO |
| “User not found” error | Email mismatch | Ensure SAML NameID email matches the Iru approval set member email exactly |
| Certificate error | Invalid or expired certificate | Re-download the certificate from SplitSecure and update in Iru |
| SSO button doesn’t appear | Connection not enabled | Enable the SSO connection in Settings → Access → Authentication |
| Signature validation failed | Algorithm mismatch | Verify Sign Request Algorithm matches between Iru and SplitSecure |
| Locked out of Iru | SSO misconfigured after disabling standard auth | Contact Iru Support to re-enable standard authentication |
| Attributes not updating | Missing surname/givenname claims | Configure SplitSecure to send the required attribute URIs |
| SLO not working | Sign-Out URL misconfigured | Verify SLO is configured in both Iru and SplitSecure |
External Resources
- Single Sign-On SSO overview and requirements
- SAML-based Single Sign-On SAML configuration guide
Last updated: