Skip to main content

Authentication methods

Kapa provides secure, password-less authentication methods designed to streamline access while maintaining strong security.

Overview

Kapa offers three authentication options:

  1. One-time password (default): Secure email-based authentication that works for all users
  2. OAuth: Simplified authentication for organizations using Google Workspace or Microsoft accounts
  3. SAML single sign-on (SSO): Enterprise SSO for organizations using identity providers like Okta or Entra ID

One-time password and OAuth authentication are enabled by default.

Contact your Kapa account manager to enable SAML SSO for your organization. Note that once SAML SSO is configured, other authentication mechanisms are disabled for security purposes.

With SAML SSO, users with email addresses from your registered domain can sign in via their identity provider without requiring separate invitations. These accounts are automatically associated with your organization's projects. Team owners maintain control over role assignments and permissions within the project.

One-time password

To sign in with a one-time password:

  1. Visit app.kapa.ai in your web browser
  2. Enter the email address associated with your account
  3. Click Send one-time password
  4. Check your email for the one-time password
  5. Enter the password on the sign-in page in your browser.

One-time passwords expire after 10 minutes and can only be used once. If your link expires before you use it, simply request a new one.

Sign into the Kapa platform to disable One-time password authentication for your organization.

OAuth

If your organization has enabled Google or Microsoft authentication:

  1. Visit app.kapa.ai in your web browser
  2. Click either the Sign in with Google or Sign in with Microsoft button
  3. Select your account or enter your credentials

These methods work with corporate Google Workspace or Microsoft accounts and are particularly useful for organizations that have set up domain-based account creation, as they allow new users to create accounts without requiring separate invitations.

By default Kapa allows authentication via both Google and Microsoft. Sign into the Kapa platform to restrict your organization to a single OAuth provider.

SAML-based SSO

Kapa supports SAML 2.0 for enterprise single sign-on. This allows you to integrate Kapa with identity providers like Okta, Entra ID (formerly Azure AD), and other SAML-compliant systems.

Prerequisites

To set up SAML SSO, you must have:

  • Administrator access to your identity provider

Steps

Follow these steps to configure SAML SSO for your organization:

  1. Create a new SAML 2.0 application in your identity provider. Use these configuration values:

    • Callback URL (ACS URL): https://api.kapa.ai/org/v1/teams/{team_id}/saml/callback/

      Replace {team_id} with your actual Kapa team ID. If you don't know your team ID, contact support@kapa.ai.

    • Audience URI (Entity ID): https://auth.kapa.ai/saml

    • Name ID format: EmailAddress (the user's email address used to sign in)

  2. After creating the application, copy these details from your identity provider:

    • IdP Entity ID (Issuer)
    • SSO URL (Login URL)
    • X.509 Certificate (public certificate to verify identity assertions)

  3. Send the configuration details to Kapa from step 2 to support@kapa.ai or your account manager. Kapa completes the SAML configuration for your team.

Once Kapa confirms the setup is complete, team members can sign in using your organization's identity provider. Test the integration by having a user authenticate through your IdP.

Session management

For security reasons, Kapa sessions expire after 14 days of inactivity. After this period, you'll need to authenticate again using one of the methods above.

Troubleshooting

One-time password not arriving

If you don't receive your one-time password email:

  1. Your organization may be using SAML / SSO. One-time password authentication is blocked for security purposes if SAML is enabled
  2. Check your spam or junk folder
  3. Verify you entered the correct email address
  4. Confirm that the email address has an associated user account. One-time passwords can only be sent to existing accounts. If you don't have an account yet, contact your team administrator to request an invitation

Unable to use OAuth

If you're having trouble with Google or Microsoft authentication:

  1. Ensure you're using a corporate account from your organization's domain
  2. Check that your organization has enabled the respective authentication method
  3. Try clearing your browser cookies and cache
  4. Contact your team administrator if problems persist

Unable to use SAML / SSO

If you're having trouble with SAML authentication:

  1. Ensure you're using a corporate account from your organization's domain
  2. Check that your organization has configured and enabled SAML
  3. Contact your team administrator if problems persist

For any other authentication issues, please contact support@kapa.ai.