SAML Single Sign-On (SSO)

Share

Is this article helpful?

Last updated:

Enable SAML Single Sign-on (SSO) for Google Workspace

Follow the steps below to configure single sign-on (SSO) with Google Workspace. Enabling SSO will allow your users to automatically log in to the KSAT console for their security awareness training using their Google account.

To enable SAML SSO, you’ll need to set up SSO within your Google Workspace account, then upload the resulting certificates into your KSAT console. Finally, you’ll configure the certifications in your Google Workspace account.

Note: Make sure the email address that your users use to authenticate with SAML is either entered into the Email field or the Email Aliases field in their user profile. However, only the email address listed in the Email field will receive training notification emails. For more information about adding information to user profiles, see our User Profile Guide.

Configure SSO

To configure SSO with Google Workspace, follow the steps below.

Prerequisites

Before you configure SSO with Google Workspace, make sure you gather the following information from your KSAT console by following the steps below:

  1. Log in to your KSAT console.
  2. Select your email address in the top-right corner and select Account Settings.

  3. Navigate to Account Integrations > SAML > SAML Settings. Copy the Entity ID, SSO Sign-in URL, and SSO Callback (ACS) URL, and save them in a place you can easily access later.

     

Configure SSO with Google Workspace

After you’ve gathered the information in the section above, you can configure SSO with Google Workspace by following the steps below.

  1. Log in to your Google Workspace Admin console Google Workspace Admin console (link opens in new window).

  2. Navigate to Apps > Web and mobile apps.

    Note:You must be a super admin with the Mobile Device Management Mobile Device Management (link opens in new window) administrator privilege in order to access the Web and mobile apps section.

     

  3. Select the Add app drop-down menu, then select Add custom SAML app.

     

  4. Enter “KnowBe4” as the App name. Select Continue.

  5. On the Google Identity Provider details page, copy the SSO URL and SHA-256 fingerprint and save them in a place you can easily access later. Then, select Continue.

     

  6. On the Service provider details page, fill out the information to match the screenshot below:
    1. ACS URL: Paste the SSO Callback (ACS) URL that you copied earlier.
    2. Entity ID: Paste the Entity ID that you copied earlier.
    3. Start URL (optional): Paste the SSO Sign-in URL that you copied earlier.
    4. Signed response: Select this check box.
    5. Name ID format: Enter “EMAIL”.

    6. Name ID: Select Basic information > Primary email.

       

  7. Select Continue.
  8. On the Attribute mapping page, navigate to the Google Directory attributes section and select Primary email.
  9. Select Finish.

  10. You will automatically return to the SAML app details page of your KnowBe4 app. In the User access section, select OFF for everyone.

     

  11. On the Service status page, select ON for everyone.
  12. Select Save.

Configure SSO with KnowBe4

After configuring SSO with Google Workspace, you'll need to add your SAML provider information to your KnowBe4 console.

  1. Log in to your KnowBe4 console.
  2. Select your email address in the top-right corner and select Account Settings.
  3. Navigate to the SAML section.

  4. Expand the SAML Settings box.

     

  5. Select the Enable SAML SSO check box.
  6. In the IDP SSO Target URL field, paste the SSO URL that you copied earlier.
  7. Select the SHA-256 button. By default, SHA-1 is selected. In the IdP Cert Fingerprint field, paste the SHA-256 Fingerprint that you copied earlier.
  8. Select Save SAML Settings.
Tip:If you’re a partner and want to enable SAML, see our Partner and Multi-Account: Enable SAML on Your Account Management Console article.

If you need any additional assistance setting up SAML single sign-on with your Google Workspace, check out Google’s article to set up Google as a SAML identity provider.

Configure SAML Certificates

To configure SAML certificates with Google Workspace, follow the steps below.

  1. Log in to your Google Workspace Admin console Google Workspace Admin console (link opens in new window).

  2. Navigate to Apps > Web and mobile apps.

    Note:You must be a super admin with the Mobile Device Management Mobile Device Management (link opens in new window) administrator privilege in order to access the Web and mobile apps section.

     

  3. Select the Add app drop-down menu, then select Search for apps.

     

  4. Enter "KnowBe4".

  5. On the KnowBe4 Web (SAML) app, select View app details.

     

    Note:If you don’t have KnowBe4 as a Web SAML app yet, follow the steps in the Configure SSO with Google Workspace section.

  6. Select the Service provider details section.

     

  7. Select the Certificate drop-down menu and choose the certificate with the latest expiration date.

     

Remember:If you need to create a new certificate because you have only one certificate and your other certificate has expired or is going to expire soon, select Add another certificate. The new certificate will automatically replace the old certificate. Select Delete certificate to delete outdated certificates.

For further assistance with this feature, contact our support team contact our support team (link opens in new window).

Was this article helpful?

8 out of 16 found this helpful

Can't find what you're looking for?

Contact Support