This article will instruct you on how to set-up and enable SAML on your account, so your users can quickly and easily sign in to take their KnowBe4 training using AD FS. For more information on ADFS, see Microsoft's Create a Relying Party Trust article. Follow each of the three sections below.
Note: Make sure the email address that your users use to authenticate with SAML is either entered into the Email or Email Aliases field of their User Profile. However, only the email address listed in the Email field will receive training notification emails. For more information about adding information to user profiles, see our User Profile Guide.
How to Set Up SAML
- Access your AD FS management console. Dropdown the Trust Relationships folder, then right-click Relying Party Trust and choose Add Relying Party Trust….
- Click Start.
- Choose Enter data about the relying party manually.
- Enter a display name. This could be anything, such as KnowBe4. Click Next.
- Leave AD FS profile selected, click Next.
- Click Next on the Configure Certificate screen.
- On Configure URL, check the "Enable support for the SAML 2.0 WebSSO protocol" option. Stay on this screen (do not click Next yet) and move on to Step 8.
- For this step, you'll need to obtain your unique Callback URL from your KnowBe4 Account Settings:
- Open a new browser window and navigate to https://training.knowbe4.com/login, https://eu.knowbe4.com/users/login, or https://ca.knowbe4.com/users/login.
- Log in. After logging in, click your email address on the top-right.
- Click on Account Settings.
- Navigate to the SAML section, and copy your account-specific Callback URL.
- Paste the link you obtained into the Relying party SAML 2.0 SSO service URL field on the Configure URL page.
- Click Next to move on to the next step.
- On the Configure Identifiers screen, enter KnowBe4 into the Relying party trust identifier text box. Click Add, then click Next.
- Leave the option I do not want to configure multi-factor authentication settings for this relying party trust at this time selected, then click Next.
- Leave the option Permit all users to access this relying party selected, then click Next.
- Click Next on the Ready to add trust screen.
- Leave the checkmark in Open the Edit Claim Rules… check box and click Close.
- On the Edit claim rules window click Add Rule…
- On the Choose Rule Type window, leave Send LDAP Attributes as Claims selected as the template and click Next.
- Enter a name, then under Attribute Store choose Active Directory. Under the Mapping of LDAP Attributes... area, select Email addresses for the LDAP Attribute and then choose E-mail Address for outgoing claim type. Click Finish.
- Click Add Rule back on the Edit Claims window again.
- Under Claim rule template, choose Transform an Incoming Claim and click Next.
- Enter a name and then change the following settings:
- Incoming claim type: E-Mail Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Enable: Pass through all claim values
- Click Finish on the Add Transform Claim Rule page, and then click OK on the Edit Claims window to exit.
- Right-click the relying party trust and choose Properties.
- Click the Advanced tab and change the secure hash algorithm to SHA-256.
- Click OK to exit.
How to Find the SHA1 Thumbprint
1. Open AD FS Management.
2. Select Certificates folder under Service.
3. Select the Token-signing certificate.
4. Select the Details tab.
5. Select Thumbprint.
6. Copy your unique Thumbprint.
How to Enable SAML
You're almost done! The final step is to enable SAML on your account. To learn how to enable SAML on your account, please see our How to Set Up SAML/SSO for the Security Awareness Training Platform article. For more information on the ADFS LoginToRp parameter that is part of your target/SSO URL, please see this article.