Menu

How Do I Enable SSO/SAML For Active Directory Federation Services (AD FS)?

Avatar
Jason Kelly
Updated
Follow

Using AD FS on Server 2012 R2 (AD FS 3.0) to Connect to KnowBe4 via SAML

This article will instruct you on how to set-up and enable SAML on your account, so your users can quickly and easily sign in to take their KnowBe4 training using AD FS. Follow each of the three sections below.

Jump to:
Part 1: SET UP SAML
Part 2: OBTAIN SHA1 THUMBPRINT
Part 3: CONTACT KNOWBE4

 

 

SECTION 1 

  1. Access your AD FS management console. Dropdown the Trust Relationships folder, then right-click Relying Party Trust and choose “Add Relying Party Trust…”.



  2. Click Start.



  3. Choose "Enter data about the relying party manually".



  4. Enter a display name. This could be anything, such as KnowBe4. Click Next.



  5. Leave AD FS profile selected, click Next.



  6. Click Next on the Configure Certificate screen.



  7. On Configure URL, check the "Enable support for the SAML 2.0 WebSSO protocol" option. Stay on this screen (do not click Next yet) and move on to Step 8.

  8. For this step, you'll need to obtain your unique Callback URL from your KnowBe4 Account Settings:
    1. Open a new browser window and navigate to https://training.knowbe4.com/login.
    2. Log in. After logging in, click your email address on the top-right.
    3. Click Account Settings.
    4. Scroll down to the SAML section, and copy your account-specific Callback URL. 
      Example: https://training.knowbe4.com/auth/saml/xxxxxxxxxxx/callback
    5. Paste the link you obtained into the "Relying party SAML 2.0 SSO service URL field" on the Configure URL page.
    6. Click Next to move on to the next step.


  9. On the Configure Identifiers screen, enter “KnowBe4” into the Relying party trust identifier text box. Click Add, then click Next.



  10. Leave the option “I do not want to configure multi-factor authentication settings for this relying party trust at this time” selected, then click Next.



  11. Leave the option “Permit all users to access this relying party” selected, then click Next.



  12. Click Next on the Ready to add trust screen.



  13. Leave the checkmark in "Open the Edit Claim Rules…” check box and click Close.



  14. On the Edit claim rules window click Add Rule



  15. On the Choose Rule Type window, leave "Send LDAP Attributes as Claims" selected as the template and click Next.



  16. Enter a name, then under Attribute Store choose "Active Directory". Under the Mapping of LDAP Attributes... area, select Email addresses for the LDAP Attribute and then choose E-mail Address for outgoing claim type. Click Finish.



  17. Click Add Rule back on the Edit Claims window again.



  18. Under Claim rule template, choose "Transform an Incoming Claim" and click Next.



  19. Enter a name and then change the following settings:
    1. Incoming claim type: E-Mail Address
    2. Outgoing claim type: Name ID
    3. Outgoing name ID format: Email
    4. Enable: Pass through all claim values



  20. Click Finish on the Add Transform Claim Rule page, and then click OK on the Edit Claims window to exit.
  21. Right-click the relying party trust and choose Properties.
  22. Click the Advanced tab and change the secure hash algorithm to SHA-256.
  23. Click OK to exit.

Back to top

 

 

KnowBe4 will need your SHA1 thumbprint to enable SAML on your account. Here's how to get the SHA1 thumbprint from ADFS:

1. Open AD FS Management.

2. Select Certificates folder under Service.

3. Select the Token-signing certificate.

4. Select the Details tab.

5. Select Thumbprint

6. Copy your unique Thumbprint. You will need to provide it to KnowBe4 in the next section.

Back to top

 

 

How to Enable SAML

You're almost done! The final step is to submit a support ticket to KnowBe4 to let us know you'd like to enable SAML on your account and provide two pieces of information:

  • SHA1 thumbprint, which you obtained in the last section.
  • The target URL or SSO URL.
    • For example, the target/SSO URL should be in this format:
      https://ADFSserver.example_domain.com/adfs/ls/IdpInitiatedSignOn.aspx?LoginToRp=KnowBe4
      • Where ADFSserver.example_domain.com is the fully qualified domain name of your AD FS server.
  • See this article for more information on the ADFS LoginToRp parameter that is a part of your target/SSO URL.  

Click HERE to submit your ticket and enable SAML on your account.

 

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles