In this article, you'll learn about the Account Integrations section of your KSAT account settings. In the Account Integrations section, you can manage your account integrations for SAML, the Phish Alert Button (PAB), API reporting, PhishER, and, if you have a Diamond-level subscription, Second Chance and PasswordIQ.
SAML
In the SAML section, you can enable or disable SAML on your account. You will need the information provided in this section to set up SAML with your single sign-on (SSO) provider. If you need to enable SAML to allow your users to log in for training using your SSO provider, please follow the instructions in our Set Up SAML Single Sign-on for the Security Awareness Training Console article.
See below for more information about the settings in this section:
- Enable SAML SSO: Select this setting to enable SAML Single Sign-on (SSO) on your account. For more information, see our Set Up SAML Single Sign-on for the Security Awareness Training Console article.
- Disable non-SAML Logins for All Users: Select this check box to disable password logins for all users. Once selected, users will be required to log in with their SAML application and all bypass URLs will be disabled. This check box is only visible when the Enable SAML SSO check box is selected.
- Allow Admins w/MFA to Bypass SAML Login: Select this check box to allow admins with multi-factor authentication enabled to log in with their password and token. Admins will be able to use this login method with a bypass URL as an alternative to their SAML application. This check box is only visible when the Disable non-SAML Logins for All Users check box is selected.
- Allow Account Creation from SAML Login: This check box will display after you enable SAML. This setting allows users who do not already have an account to create a new account by entering their email address from the login window. If the SAML authentication was successful, the new user's account will be created. If you don’t enable this setting, users who do not already have an account will get an error message if they try to create an account.
- IdP SSO Target URL: Enter your identity provider URL or SSO URL into the field.
- IdP Cert Fingerprint: Enter the fingerprint of your identity provider's SAML certificate. The SHA-1 option is selected by default.
- Sign SP AuthnRequest: Select this check box to digitally sign the SAML AuthnRequest sent from the KnowBe4 service provider to your identity provider. Once you select this check box, you’ll be able to copy your current and upcoming AuthnRequest values and see how long the certificates are valid.
- Enable SP AuthnRequest Expiration Notification: Select this check box to receive email notifications when your AuthnRequest certificate is about to expire and when it has expired. If you select this check box, you’ll be able to enter notification recipients.
- Current AuthnRequest Certificate: This field shows your current AuthnRequest certificate. From here, you can download the certificate and view how long it is valid.
- Entity ID: When configuring the SAML connection to your identity provider, enter the ID found in this section. Depending on your identity provider, the Entity ID field may also be named the SAML Audience or Identifier.
- Generate Unique Entity ID: You can click this button to generate a unique entity ID to use for this account. However, be aware that if you do change the entity ID, SSO will not work for your users until you update the entity ID in your Identity Provider account.
Important: If you manage multiple accounts, your Identity Provider may not allow the same entity ID to be entered multiple times in the same Identity Provider account. If your Identity Provider does not allow the same ID to be entered multiple times, your users may be unable to log in to their account with SSO.
If you click the Generate Unique Entity ID button, you'll see the Restore Default Entity ID button. You can click this button to restore your entity ID back to "KnowBe4". If you click this button, any existing SAML connection using your entity ID will stop functioning until you update it in your identity provider.
- SSO Sign-in URL: This field provides the Login URL or SAML Endpoint URL. This URL will redirect your users to the identity provider SSO URL.
- SSO Sign-out URL: This field provides the Logout URL.
- SSO Callback (ACS) URL: This field provides the Assertion Consumer Service (ACS) URL. This URL receives the authentication response from your identity provider.
- SAML ID: This field provides your SAML ID. Your SAML ID is a unique code that links your users back to your KnowBe4 account. You can’t change your SAML ID.
- Metadata URL: This field provides your Metadata URL. Your Metadata URL contains your service provider’s metadata file and can be used to automatically configure the SAML connection on your identity provider. You can only use the metadata URL where applicable.
- Bypass-SSO Login URL: This field provides your Bypass-SSO Login URL. If you'd like to bypass SSO, this URL will bypass the SSO redirect and allow you to log in to the KSAT console using your email and password.
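As an added example (not KnowBe4's code), here is one way to derive the value for the IdP Cert Fingerprint field from the certificate your identity provider publishes, and to check a pasted value against it regardless of colon, space, or case formatting. The sample certificate body is constructed placeholder bytes, and all function and variable names are assumptions of this example.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Drop line breaks and stray spaces before decoding the base64 body.
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def cert_fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Fingerprint = hash of the DER encoding, shown as colon-separated hex."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Strip colons, dashes and whitespace, and lower-case the hex digits."""
    return re.sub(r"[\s:\-]", "", fingerprint).lower()


def fingerprints_match(entered: str, pem_text: str, algorithm: str = "sha1") -> bool:
    """True if the value typed into the field matches the certificate."""
    return normalize(entered) == normalize(cert_fingerprint(pem_text, algorithm))


# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for an IdP certificate" * 3
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("SHA-1  :", cert_fingerprint(SAMPLE_PEM, "sha1"))
    print("SHA-256:", cert_fingerprint(SAMPLE_PEM, "sha256"))
```

The algorithm passed to these functions has to be the same one selected for the field, since a SHA-1 value never matches a digest computed with a different algorithm.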
Phish Alert Button (PAB)
In the Phish Alert section, you can configure and customize aspects of the Phish Alert Button (PAB) for your account. For information about the settings in this section, see the Enable and Configure PAB section of our Phish Alert Button (PAB) Product Manual.
API
In the API section, you can enable and access KnowBe4’s APIs.
See below for more information about the settings in this section:
- Reporting API: If your organization would like to use an API to pull data from the console for reporting purposes, select the Enable Reporting API Access setting and then click Reporting API. To use this feature, you must have a Platinum or Diamond subscription. For more information, see our Reporting API Overview article.
- User Event API: If your organization uses the User Event API, you can click User Event API to access the User Event API Management Console. To access the console, you must have a Platinum or Diamond subscription. For more information, see our User Event API Overview article.
- Product API: If your organization would like to use an API for PhishER, KSAT, or to integrate with KCM GRC, click Product API. For more information, see our KnowBe4 Graph API Overview and How to Integrate KnowBe4's KSAT Console with KCM GRC articles.
PhishER
If you have enabled PhishER in your organization, you can click the Go to PhishER button to access the PhishER interface.
For more information about PhishER, see our PhishER Product Manual.
Webhooks
In the Webhooks section, you can enable webhooks for your KnowBe4 account by selecting the Enable Webhooks check box. When this feature is enabled, you can create webhooks to send real-time phishing and training data to other applications that you use.
For more information, see our Webhooks in Your KSAT Console article.
Second Chance
In the Second Chance section, you can enable our Second Chance tool for your KnowBe4 account. You must have a Diamond-level subscription to enable Second Chance.
To enable Second Chance, select the Enable Second Chance Management setting. Once enabled, you can access a new Second Chance tab in your KSAT console.
If you have a Partner account, you can use the Days Shown on Overview Page field to select the number of days you’d like to include when displaying the User Actions data on the Second Chance Overview page. The default setting is 30 days.
For more information about Second Chance, see our Second Chance Product Manual.
PasswordIQ
In the PasswordIQ section, you can use our PasswordIQ tool for your KnowBe4 account. You must have a Diamond-level subscription to use PasswordIQ.
To use PasswordIQ, select the Enable PasswordIQ setting. Once enabled, you can access a new PasswordIQ tab in your KSAT console.
For more information about PasswordIQ, see our PasswordIQ Product Manual.