SAML Integration Basics
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their session in another context. SAML enables single sign-on (SSO), which allows users to log in to multiple applications using one set of credentials.
This method has significant advantages over logging in using a username and password. With this method, users don't need to type in credentials, don't need to remember and renew passwords, and won't have to worry about weak passwords. Most organizations already know the identity of users because they are logged into their Active Directory domain or intranet. It is natural to use this information to log users into other applications as well such as web-based applications, and one of the more elegant ways of doing this is by using SAML.
For more information about SAML, read the below sections.
How SAML/SSO Works
SAML single sign-on (SSO) works by transferring the user's identity from the identity provider to the service provider. This process is done through an exchange of digitally signed XML documents. Consider the following scenario: A user is logged into a system, which acts as an identity provider. The user would like to log into a remote application such as their KnowBe4 Learner Experience or another service provider.
In this scenario, the following steps occur:
- The user clicks on the link to the application by using their corporate intranet, a bookmark, or a similar option. Then, the application loads.
- The application identifies the user's origin and redirects the user back to the identity provider by asking for authentication. To identify the user's origin, the application uses the application subdomain, the user's IP address, or similar information. This is the authentication request.
- The user either has a session with the identity provider already, or the user establishes one by logging into the identity provider.
- The identity provider builds the authentication response in the form of an XML document containing the user's username or email address. Then, the identity provider signs the document using an X.509 certificate and posts this information to the service provider.
- The service provider retrieves the authentication response and validates it using the certificate fingerprint. The service provider already knows the identity provider and has a certificate fingerprint. The identity of the user is established.
For a visual aid for this workflow, see the screenshot below:
For more information about the basics of how SAML and SSO works, see auth0's What is SAML and how does SAML Authentication Work article.
How SAML for the Learner Experience (LX) Works
KnowBe4 supports SAML 2.0. SAML for KnowBe4's Learner Experience (LX) the way SAML does with all other service providers. Typically, an organization's user authentication is managed by its chosen authentication system, such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). These authentication systems are referred to as identity providers.
The service provider, in this case, the LX, allows the identity provider to authenticate users and then log them into their LX. In other words, users can log in at work and have automatic access to their organization's applications such as their email or their customer relationship management (CRM) system without having to log in separately to those services. Aside from the convenience this provides to users, all user authentication is handled internally by a system that you have complete control over.
After you've enabled SAML as the type of single sign-on (SSO) for the LX, users who attempt to log in to the LX will be redirected to your SAML server for authentication. Your users' identities can be stored either on the SAML server or can be validated by an identity directory such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). Once authenticated, users are redirected back to their LX and automatically logged in.
Note: Make sure the email address that your users use to authenticate with SAML is either entered into the Email field or Email Aliases field of their User Profile. However, only the email address listed in the Email field will receive training notification emails. For more information about adding information to user profiles, see our User Profile Guide.
Setting Up SAML/SSO For Your Organization
KnowBe4 supports SAML 2.0. If you would like to enable SAML integration on your KMSAT console, see our How-to Enable SAML Single Sign-on for Your SSO Provider article.
If you don't see your SAML provider listed and need help, please contact our support team for assistance.