Follow the steps below to configure single sign-on (SSO) with Google Workspace. Enabling SSO will allow your users to automatically log in to the KSAT console for their security awareness training using their Google account.
Note: Make sure the email address that your users use to authenticate with SAML is either entered into the Email field or Email Aliases field in their user profile. However, only the email address listed in the Email field will receive training notification emails. For more information about adding information to user profiles, see our User Profile Guide.
To configure SSO with Google Workspace, follow the steps below:
- Log in to https://admin.google.com and select Apps.
- Select Web and mobile apps.
- Click the Add App drop-down menu, and select Search for apps.
- Search for "KnowBe4" and click Select on the app with Web (SAML) as the platform.
- Click Download Metadata. Keep the information from this file in an accessible place. You'll need the SHA1 fingerprint and SSO URL found in this file for step 9. Click Continue.
- Fill out the fields with the appropriate information specified below. Enable Signed Response by selecting the check box then click Continue.
-
ACS URL: Enter this URL. To obtain this URL from your KSAT console, follow the steps below:
- Log in to your KSAT console.
- Click your email address on the top-right corner and select Account Settings.
- Navigate to the SAML section of your settings and copy the Callback Link. For example, https://training.knowbe4.com/auth/saml/xxxxxxxxxxxx/callback.
- Entity ID: Enter "KnowBe4". If a unique entity ID was generated for your KSAT console, use the ID shown in your KSAT Account Settings page.
-
Start URL: Enter this URL. To obtain this URL from your KSAT console, follow the steps below:
- Log in to your KSAT console.
- Click your email address on the top-right corner, then select Account Settings.
- Navigate to the SAML section of your settings and copy the Sign in URL. For example, https://training.knowbe4.com/auth/saml/xxxxxxxxxxxx..
- Signed response: Select this check box.
- Name ID Format: Enter "EMAIL".
-
Name ID: Choose Basic Information – Primary Email.
-
ACS URL: Enter this URL. To obtain this URL from your KSAT console, follow the steps below:
- Under Attributes, navigate to the Basic Information section and select Primary Email. Then, click Finish.
- Click User access and select ON for everyone under Service status. Then, click Save.
- Follow the instructions listed in our How to Set Up SAML Single Sign-on for the Security Awareness Training Platform article to complete the SAML configuration.
Note: The identity provider (IdP) metadata file includes your X.509 certificate. To set up SAML, you will need the SHA1 fingerprint instead. To learn how to convert the X.509 certificate into a SHA1 fingerprint, visit our How to Convert an X.509 Certificate to a SHA1 Fingerprint for SAML article. You can also convert the X.509 certificate to a SHA256 fingerprint if preferred. For more information, visit Google's Maintain SAML certificates article.
- The SHA1 fingerprint
- Example: A1:2B:C3:D4:E6:F7:88:GG:H9:76:4A:2D:CF:AB:A6:A0:20:88:00
- The SSO URL
- The SHA1 fingerprint
For further assistance with this feature, please contact our support team and they would be happy to help.