Iru

Configure Iru MDM SSO

Prerequisites

  • Administrator access to your Iru tenant
  • A SplitSecure Identity Provider created and approved
  • Approval set members must already exist in Iru before they can authenticate via SSO
  • A separate browser or browser profile with SplitSecure configured (for testing)

Iru Configuration

Create a Custom SAML Connection

  1. Log in to the Iru Web App
  2. In the left sidebar, click Settings
  3. Click the Access tab
  4. Scroll to the Authentication section
  5. Click Add
  6. Select Custom SAML, then click Next

Fill the form with the following fields:

Field Value
Name (e.g., “SplitSecure SAML”)
Sign-In URL https://app.us.splitsecure.com/saml2/sp/login
Sign-Out URL https://app.us.splitsecure.com/saml2/sp/logout
Signing Certificate Upload Download from SplitSecure: Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Certificate
User ID Attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Sign Request On (recommended)
Sign Request Algorithm RSA-SHA256
Sign Request Algorithm Digest SHA 256
Protocol Binding HTTP-Redirect

Click Save

Enable the Custom SAML Identity Provider

  1. The connection will appear in the Authentication section as Disabled
  2. On the right, click the ellipsis menu (⋮) and select Enable

Create a New User

  1. In Iru, go to Settings → Access
  2. Click New User in the Admin Team section
  3. Enter the user’s information
  4. Click Submit
  5. The user will receive an invitation email

SplitSecure Configuration

Create the Iru Secure Account

  1. In SplitSecure, navigate to Secure Accounts → Create Account → Iru

  2. Enter a name for your account

  3. Select the Identity Provider used in the Iru configuration

  4. Configure the Service Provider details:

    Field Value/Description
    Name (e.g., “My Iru Account”)
    Identity Provider Select the Identity Provider used in the Iru configuration
    Metadata URL Corresponds to Service Provider Metadata File (found when configuring the IdP on Iru, looks like: https://auth.kandji.io/samlp/metadata?connection=)
    Default Email Optional
  5. Click Create Account

Enforce SSO (Optional)

Once SSO is working, you can disable standard authentication to enforce SSO-only access.

Disable Standard Authentication

  1. In Iru, go to Settings → Access → Authentication
  2. Find the Standard Authentication connection
  3. Click the ellipsis menu (⋮)
  4. Select Disable

Test Authentication

Test Authentication (SP-Initiated)

  1. Navigate to your Iru tenant URL
  2. Click Sign in with your Identity Provider (or select the SSO connection)
  3. You should be redirected to SplitSecure
  4. Enter your email address when prompted (should correspond to an existing email in the admin approval set)
  5. Click Request Access
  6. Complete the authentication flow
  7. Upon success, you’ll be logged into the Iru Web App

Troubleshooting

Issue Possible Cause Solution
User cannot log in User doesn’t exist in Iru Add the user as an approval set member before they attempt SSO
“User not found” error Email mismatch Ensure SAML NameID email matches the Iru approval set member email exactly
Certificate error Invalid or expired certificate Re-download the certificate from SplitSecure and update in Iru
SSO button doesn’t appear Connection not enabled Enable the SSO connection in Settings → Access → Authentication
Signature validation failed Algorithm mismatch Verify Sign Request Algorithm matches between Iru and SplitSecure
Locked out of Iru SSO misconfigured after disabling standard auth Contact Iru Support to re-enable standard authentication
Attributes not updating Missing surname/givenname claims Configure SplitSecure to send the required attribute URIs
SLO not working Sign-Out URL misconfigured Verify SLO is configured in both Iru and SplitSecure

External Resources

Last updated: