Using AD FS on Server 2012 R2 (AD FS 3.0) to Connect to KnowBe4 via SAML
This article will instruct you on how to set up and enable SAML on your account, so your users can quickly and easily sign in to take their KnowBe4 training using AD FS. Follow each of the three sections below.
How to Configure the Relying Party Trust in AD FS
1. Open the AD FS Management console. Expand the Trust Relationships folder, right-click Relying Party Trusts, and choose "Add Relying Party Trust…".
2. Click Start.
3. Choose "Enter data about the relying party manually".
4. Enter a display name. This can be anything, such as KnowBe4. Click Next.
5. Leave AD FS profile selected and click Next.
6. Click Next on the Configure Certificate screen.
7. On the Configure URL screen, check the "Enable support for the SAML 2.0 WebSSO protocol" option. Stay on this screen (do not click Next yet) and move on to Step 8.
8. For this step, you'll need to obtain your unique Callback URL from your KnowBe4 Account Settings:
   - Open a new browser window and navigate to https://training.knowbe4.com/login.
   - Log in, then click your email address in the top-right corner.
   - Click Account Settings.
   - Scroll down to the SAML section and copy your account-specific Callback URL.
9. Paste the URL you copied into the "Relying party SAML 2.0 SSO service URL" field on the Configure URL screen.
10. Click Next to move on to the next step.
11. On the Configure Identifiers screen, enter "KnowBe4" in the Relying party trust identifier text box. Click Add, then click Next.
12. Leave the option "I do not want to configure multi-factor authentication settings for this relying party trust at this time" selected, then click Next.
13. Leave the option "Permit all users to access this relying party" selected, then click Next.
14. Click Next on the Ready to Add Trust screen.
15. Leave the "Open the Edit Claim Rules…" check box selected and click Close.
16. In the Edit Claim Rules window, click Add Rule….
17. On the Choose Rule Type screen, leave "Send LDAP Attributes as Claims" selected as the template and click Next.
18. Enter a name, then under Attribute store choose "Active Directory". In the Mapping of LDAP attributes to outgoing claim types area, select Email addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim Type. Click Finish.
19. Back in the Edit Claim Rules window, click Add Rule… again.
20. Under Claim rule template, choose "Transform an Incoming Claim" and click Next.
21. Enter a name, then configure the following settings:
   - Incoming claim type: E-Mail Address
   - Outgoing claim type: Name ID
   - Outgoing name ID format: Email
   - Select: Pass through all claim values
22. Click Finish on the Add Transform Claim Rule page, then click OK in the Edit Claim Rules window to exit.
23. Right-click the relying party trust and choose Properties.
24. Click the Advanced tab and change the secure hash algorithm to SHA-256.
25. Click OK to exit.
Here's how to get the SHA1 thumbprint of your token-signing certificate from AD FS:
1. Open AD FS Management.
2. Select Certificates folder under Service.
3. Select the Token-signing certificate.
4. Select the Details tab.
5. Select Thumbprint.
6. Copy your unique Thumbprint. You will need to provide it to KnowBe4 in the next section.
How to Enable SAML
You're almost done! The final step is to enable SAML on your account. To learn how to enable SAML on your account, please see our How to Set Up SAML/SSO for the Security Awareness Training Platform article. For more information on the AD FS LoginToRp parameter that is part of your target/SSO URL, please see this article.