Configuring SSO with Azure Active Directory (AD)
In this article, you'll learn how to configure single sign-on (SSO) for your KnowBe4 account with Azure Active Directory (AD). When you configure SSO, you'll be able to assign users to KnowBe4 in Azure AD. Then, the users will be able to log in to their KnowBe4 Learner Experience (LX) by using Azure AD.
See the sections below to learn how to configure SSO for KnowBe4 with Azure AD.
Add the KnowBe4 Application to Azure AD
To start configuring SSO with Azure AD, you'll need to add the KnowBe4 application to your Azure AD account.
To add the KnowBe4 application to your Azure AD account, follow the steps below:
- Log in to your Azure AD admin account.
- From the navigation panel, navigate to Enterprise applications > All applications.
- In the top-left corner of the page, click the + New application button.
- In the Add from the gallery field, enter "KnowBe4."
- Select the KnowBe4 Security Awareness Training application.
- In the window that opens, enter your preferred name for the app.
- Click the Add button at the bottom of the window.
- In the navigation panel, select the Single sign-on tab.
- Select the SAML method.
Next, obtain your unique KnowBe4 SSO Sign in URL. You'll need this information to configure SSO in Azure AD.
To obtain your SSO Sign in URL, follow the steps below:
- In a new window or tab, log in to your KnowBe4 account.
- In the top-right corner of the page, click your email address.
- Select Account Settings.
- Navigate to Account Integrations > SAML.
- Locate your unique SSO Callback (ACS) URL and SSO Sign in URL. In step 17, you'll need to copy and paste this information into Azure AD.
Finally, finish configuring SSO in Azure AD by following the steps below:
- Return to the Azure AD portal.
- In the Basic SAML Configuration section, click the pencil icon.
- Edit the fields on this page. For more information about the mandatory fields, see the information below:
- In the Identifier field, enter the Entity ID "KnowBe4" or the Entity ID you generated in your Account Settings.
Note: The Entity ID "KnowBe4" is case-sensitive.
- In the Reply URL text field, enter the unique SSO Callback (ACS) URL you obtained in step 14 above. For example, enter "https://training.knowbe4.com/auth/saml/xxxxxxxxxxxx/callback".
- In the Sign on URL text field, enter the unique SSO Sign in URL you obtained in step 14 above. For example, enter "https://training.knowbe4.com/auth/saml/xxxxxxxxxxxx".
Note: You only need to fill out the other fields on the Basic SAML Configuration page of your Azure AD portal in specific circumstances. For example, if you're using multi-factor authentication (MFA) for Azure AD, you'll need to add your callback link to the Relay State field.
- After you fill out the fields on this page, click the Save button.
- In the User Attributes & Claims section, click the pencil icon to edit the attributes.
- Delete the attributes listed below:
- givenname
- surname
- emailaddress
- name
- Click the pencil icon to edit the Unique User Identifier attribute.
- In the Source attribute field, make sure the attribute is user.userprincipalname. If you would like your users to be logged in with their email address instead, you can update this attribute to user.mail.
Note: If you're using SCIM for Azure AD, this attribute should be the same as the SCIM Source attribute. By default, the SCIM Source attribute is user.userprincipalname. For more information, see the Advanced Configuration Options section of our How to Configure SCIM for Azure article.
- Click the Save button.
- In the SAML Signing Certificate section, copy the Thumbprint.
- In the Set up section, copy the Login URL. You'll need this in addition to the Thumbprint above.
Note: When you set up SSO in your KnowBe4 account, you'll need to paste the Login URL into the IdP SSO Target URL field and the Thumbprint into the IdP Cert Fingerprint field.
Assign Users to KnowBe4 in Azure AD
After you add the KnowBe4 application to Azure AD, you can assign users and groups to the application.
To assign users and groups to your KnowBe4 application, follow the steps below:
- Log in to your Azure AD admin account.
- Navigate to Enterprise applications > All applications.
- Select the KnowBe4 application.
- From the navigation panel, select the Users and groups tab.
- Click the + Add user button.
- Select the users or groups that you would like to assign to your KnowBe4 application.
- Click the Select button.
- Once you've added all the users or groups you would like to add, click the Assign button.
Configure Azure AD in Your KnowBe4 Account
To complete the configuration, you'll need to enter your Azure AD Login URL and Thumbprint into your KnowBe4 Account Settings.
To learn how to enter this information into your Account Settings, see our How to Set Up SAML Single Sign-on for the Security Awareness Training Platform article.
Create a New Certificate and Update Thumbprint
Each time your Azure AD SAML certificate expires, you'll need to create and activate a new certificate. Then, you'll need to update the SAML thumbprint in your KnowBe4 account.
To create a new certificate and update your thumbprint, follow the steps below:
- Log in to your Azure AD admin account.
- Navigate to Enterprise applications > All applications.
- Select the KnowBe4 application.
- From the navigation panel, select the Single sign-on tab.
- In the SAML Signing Certificate section of the page, click the pencil icon.
- Click the + New Certificate button.
- Select the calendar icon.
- Select the date that you would like your certificate to expire on.
- Click the Save button.
- Click the three dots icon next to the certificate you've created.
- Click the Make certificate active button.
- In the Thumbprint column, copy your new thumbprint. In step 17, you'll need to paste this thumbprint into your KnowBe4 account.
Next, you'll need to update your thumbprint in your KnowBe4 account by following the steps below:
- Log in to your KnowBe4 account.
- In the top-right corner of the page, click your email address.
- Select Account Settings.
- Navigate to Account Integrations > SAML.
- Paste your new certificate thumbprint into the IdP Cert Fingerprint field.
- Scroll down to the bottom of the page.
- Click the Save Changes button.
Note: Make sure the email address that your users use to authenticate with SAML is entered into either the Email or the Email Aliases field of their User Profile. However, only the email address listed in the Email field will receive training notification emails. For more information about adding information to user profiles, see our User Profile Guide.
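When a login fails after setup, comparing one captured SAMLResponse against the values configured in this article usually shows which field is wrong. The Python below is an added example, not KnowBe4 or Microsoft code: it checks the Destination against the Reply URL, the Audience against the case-sensitive Entity ID, the NameID against the user's Email or Email Aliases, and reports any of the four deleted claims that are still being sent. The function name, the sample user, and the case-insensitive email comparison are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REMOVED = ("givenname", "surname", "emailaddress", "name")  # claims the article deletes

def check_saml_response(b64_response, entity_id, acs_url, known_emails):
    """Compare a captured SAMLResponse with the SSO settings; return mismatches.
    Signature validation is out of scope: this only inspects field values."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("refusing to parse XML that declares a DTD")
    root = ET.fromstring(xml)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Reply URL (ACS URL)")
    audience = root.findtext(".//a:Audience", default="", namespaces=NS)
    if audience != entity_id:  # exact match: the Entity ID is case-sensitive
        problems.append(f"Audience {audience!r} != Entity ID {entity_id!r}")
    name_id = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS).strip()
    # Assumption: email addresses are compared case-insensitively.
    if name_id.casefold() not in {e.casefold() for e in known_emails}:
        problems.append(f"NameID {name_id!r} is not a known Email or Email Alias")
    for attr in root.iterfind(".//a:AttributeStatement/a:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIMS) and name[len(CLAIMS):] in REMOVED:
            problems.append(f"claim still sent: {name[len(CLAIMS):]}")
    return problems

# Constructed sample response (not captured from a real tenant). The ACS URL
# is the placeholder from the article; the user is hypothetical.
ACS = "https://training.knowbe4.com/auth/saml/xxxxxxxxxxxx/callback"
SAMPLE = base64.b64encode(f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
  Destination="{ACS}"><a:Assertion>
  <a:Subject><a:NameID>alice@example.com</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>knowbe4</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="{CLAIMS}givenname">
  <a:AttributeValue>Alice</a:AttributeValue></a:Attribute></a:AttributeStatement>
  </a:Assertion></p:Response>""".encode())

if __name__ == "__main__":
    for p in check_saml_response(SAMPLE, "KnowBe4", ACS, ["alice@example.com"]):
        print("MISMATCH:", p)
```

The sample deliberately uses a lowercase Audience and leaves the givenname claim in place, so both are reported.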