SAML Integration Basics
SAML – Security Assertion Markup Language
IdP – Identity Provider
SP – Service Provider
SSO – Single Sign-on
AD FS – Active Directory Federation Services
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their session in another context. This has significant advantages over logging in with a username and password: no need to type in credentials, no need to remember and renew passwords, no weak passwords, etc. Most companies already know the identity of their users because they are logged into the Active Directory domain or intranet. It is natural to use this information to log users into other applications as well, such as web-based applications, and one of the more elegant ways of doing this is by using SAML.
How SAML/SSO Works
SAML single sign-on works by transferring the user's identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents. Consider the following scenario: A user is logged into a system, which acts as an identity provider. The user would like to log into a remote application such as the KnowBe4 Training site (i.e. the service provider).
The following happens:
- The user clicks on the link to the application, either on the corporate intranet, a bookmark or similar and the application loads.
- The application identifies the user origin (either by application subdomain, user IP address or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.
- The user either has a session with the identity provider already, or establishes one by logging into the identity provider.
- The identity provider builds the authentication response in the form of an XML document containing the user's username or email address, signs it using an X.509 certificate and posts this information to the service provider.
- The service provider (which already knows the identity provider and has a certificate fingerprint) retrieves the authentication response and validates it using the certificate fingerprint. The identity of the user is established.
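The fingerprint check in the last step, as an added example (not KnowBe4's code). It assumes the pinned value is a SHA-256 hex fingerprint of the DER certificate; the sample response, the placeholder certificate bytes and the function names are constructed for illustration. It covers only certificate pinning: verifying the XML signature over the assertion requires an XML-DSig library and is not shown.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample data: placeholder bytes stand in for a DER certificate.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"
PINNED_FP = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


def build_sample_response(cert_der):
    """Build a constructed, minimal SAML response embedding cert_der."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion>'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


def check_pinned_certificate(response_xml, pinned_fp):
    """Return (ok, reason) for the certificate-pinning step only."""
    if "<!DOCTYPE" in response_xml:
        return False, "DOCTYPE not allowed"  # refuse DTDs before parsing
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False, "malformed XML"
    certs = root.findall(".//ds:X509Certificate", NS)
    if len(certs) != 1:
        return False, "expected exactly one embedded certificate"
    try:
        der = base64.b64decode("".join((certs[0].text or "").split()), validate=True)
    except ValueError:
        return False, "certificate is not valid base64"
    actual = hashlib.sha256(der).hexdigest()
    # Accept "AA:BB:..." or plain hex, in any letter case.
    expected = pinned_fp.replace(":", "").replace(" ", "").lower()
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return False, "certificate fingerprint mismatch"
    return True, "certificate matches pinned fingerprint"
```

A matching fingerprint only tells the service provider which key to trust; the response is accepted only after the signature verifies with that key.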
Here's a great article which goes over the basics of SAML/SSO: How SAML Authentication Works
How SAML for KnowBe4 Training Works
KnowBe4 supports SAML 2.0. SAML for KnowBe4 training works the way SAML does with all other service providers. The typical use case is that your users belong to a corporation and all user authentication is managed by your corporate authentication system (for example, Active Directory or LDAP), which is referred to generically as an identity provider (IdP). The service provider (SP), in this case KnowBe4 Training, establishes a trust relationship with the IdP and allows that external IdP to authenticate users and then seamlessly log them into KnowBe4 training. In other words, a user logs in at work and then has automatic access to the many other corporate applications such as email, your CRM, and so on without having to log in separately to those services. Aside from the convenience this provides to users, all user authentication is handled internally by a system that you have complete control over.
After you've enabled SAML as the type of single sign-on for your KnowBe4 Training, users who visit your KnowBe4 training and attempt to log in are redirected to your SAML server for authentication. Your users' identities can be stored either on the SAML server or can be validated by an identity directory such as Microsoft Active Directory or LDAP. Once authenticated, users are redirected back to KnowBe4 Training and automatically logged in.
Setting Up SAML/SSO For Your Organization
KnowBe4 supports SAML 2.0. If you would like to enable SAML integration on your KnowBe4 account, we have documentation that can assist you, listed below.
- Google Suite (G Suite) SSO
- Azure Active Directory SSO
- PortalGuard SSO
- Active Directory Federation Services (ADFS) SSO
- Okta SSO
- OneLogin SSO
If you don't see your SAML provider listed and need help, please contact Support and one of our techs will be able to assist you.