Enable SAML Single Sign-on (SSO) with Microsoft Entra ID

In this article, you'll learn how to configure single sign-on (SSO) for your KnowBe4 account with Microsoft Entra ID. When you configure SSO, you'll be able to assign users to KnowBe4 in Microsoft Entra ID. Then, the users will be able to log in to their KnowBe4 Learner Experience (LX) by using Microsoft Entra ID. 

See the sections below to learn how to configure SSO for KnowBe4 with Microsoft Entra ID. 

Note: To complete the steps in this article, you'll need to have a Microsoft Entra ID subscription.

Add the KnowBe4 Application to Microsoft Entra ID

To start configuring SSO with Microsoft Entra ID, you'll need to add the KnowBe4 application to your Microsoft Entra ID account. 

To add the KnowBe4 application to your Microsoft Entra ID account, follow the steps below:

  1. Log in to your Microsoft Entra ID admin account.
  2. From the navigation panel, navigate to Enterprise applications > All applications.
  3. In the top-left corner of the page, click the + New application button.
  4. In the Add from the gallery field, enter "KnowBe4."
  5. Select the KnowBe4 Security Awareness Training application.
  6. In the window that opens, enter your preferred name for the app.
  7. Click the Add button at the bottom of the window.
  8. In the navigation panel, select the Single sign-on tab.
  9. Select the SAML method.

Next, obtain your unique KnowBe4 SSO Sign in URL. You'll need this information to configure SSO in Microsoft Entra ID. 

To obtain your SSO Sign in URL, follow the steps below:

  1. In a new window or tab, log in to your KnowBe4 account. 
  2. In the top-right corner of the page, click your email address.
  3. Select Account Settings.
  4. Navigate to Account Integrations > SAML.
  5. Locate your unique SSO Callback (ACS) URL and SSO Sign in URL. You'll need to copy and paste this information into Microsoft Entra ID when you edit the Basic SAML Configuration fields below.

Finally, finish configuring SSO in Microsoft Entra ID by following the steps below:

  1. Return to the Microsoft Entra ID portal. 
  2. In the Basic SAML Configuration section, click the pencil icon. 
  3. Edit the fields on this page. For more information about the mandatory fields, see the screenshot and information below:
    1. In the Identifier field, enter "KnowBe4" if you have not generated a unique Entity ID in your account settings. Otherwise, enter your unique Entity ID.
      Important: The "KnowBe4" value is case-sensitive.
    2. In the Reply URL text field, enter the unique SSO Callback (ACS) URL you obtained from your KnowBe4 account settings above. For example, enter "https://training.knowbe4.com/auth/saml/xxxxxxxxxxxx/callback".
    3. In the Sign on URL text field, enter the unique SSO Sign in URL you obtained from your KnowBe4 account settings above. For example, enter "https://training.knowbe4.com/auth/saml/xxxxxxxxxxxx".
    Note: You only need to fill out the other fields on the Basic SAML Configuration page of your Microsoft Entra ID portal in specific circumstances. For example, if you're using multi-factor authentication (MFA) for Microsoft Entra ID, you'll need to add your callback link to the Relay State field.
  4. After you fill out the fields on this page, click the Save button.
  5. In the User Attributes & Claims section, click the pencil icon to edit the attributes.
  6. Delete the attributes listed below:
    • givenname
    • surname
    • emailaddress
    • name
  7. Click the pencil icon to edit the Unique User Identifier attribute.
  8. In the Source attribute field, make sure the attribute is user.userprincipalname. If you would like your users to be logged in with their email address instead, you can update this attribute to user.mail.
    Note: If you're using SCIM for Microsoft Entra ID, this attribute should be the same as the SCIM Source attribute. By default, the SCIM Source attribute is user.userprincipalname. For more information, see the Advanced Configuration Options section of our How to Configure SCIM for Microsoft Entra ID article.
  9. Click the Save button. 
  10. In the SAML Signing Certificate section, copy the Thumbprint.
  11. In the Set up section, copy the Login URL. You'll need this in addition to the Thumbprint above.
Note: When you set up SSO in your KnowBe4 account, you'll need to paste the Login URL into the IdP SSO Target URL field and the Thumbprint into the IdP Cert Fingerprint field.

Assign Users to KnowBe4 in Microsoft Entra ID

After you add the KnowBe4 application to Microsoft Entra ID, you can assign users and groups to the application. 

To assign users and groups to your KnowBe4 application, follow the steps below:

  1. Log in to your Microsoft Entra ID admin account. 
  2. Navigate to Enterprise applications > All applications.
  3. Select the KnowBe4 application. 
  4. From the navigation panel, select the Users and groups tab.
  5. Click the + Add user button.
  6. Select the users or groups that you would like to assign to your KnowBe4 application.
  7. Click the Select button.
  8. Once you've added all the users or groups you would like to add, click the Assign button.

Configure Microsoft Entra ID in Your KnowBe4 Account

To complete the configuration, you'll need to enter your Microsoft Entra ID Login URL and Thumbprint into your KnowBe4 Account Settings.

To learn how to enter this information into your Account Settings, see our How to Set Up SAML Single Sign-on for the Security Awareness Training Platform article.

Create a New Certificate and Update Thumbprint

Each time your Microsoft Entra ID SAML certificate expires, you'll need to create and activate a new certificate. Then, you'll need to update the SAML thumbprint in your KnowBe4 account. 

To create a new certificate and update your thumbprint, follow the steps below:

  1. Log in to your Microsoft Entra ID admin account. 
  2. Navigate to Enterprise applications > All applications.
  3. Select the KnowBe4 application. 
  4. From the navigation panel, select the Single sign-on tab.
  5. In the SAML Signing Certificate section of the page, click the pencil icon.
  6. Click the + New Certificate button.
  7. Select the calendar icon.
  8. Select the date that you would like your certificate to expire on.
  9. Click the Save button.
  10. Click the three dots icon next to the certificate you've created.
  11. Click the Make certificate active button.
  12. In the Thumbprint column, copy your new thumbprint. You'll need to paste this thumbprint into your KnowBe4 account in the procedure below.

Next, you'll need to update your thumbprint in your KnowBe4 account by following the steps below:

  1. Log in to your KnowBe4 account. 
  2. In the top-right corner of the page, click your email address.
  3. Select Account Settings.
  4. Navigate to Account Integrations > SAML.
  5. Paste your new certificate thumbprint into the IdP Cert Fingerprint field.
  6. Scroll down to the bottom of the page. 
  7. Click the Save Changes button.  
Note: Make sure the email address that your users use to authenticate with SAML is entered into either the Email or Email Aliases field of their User Profile. However, only the email address listed in the Email field will receive training notification emails. For more information about adding information to user profiles, see our User Profile Guide.
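
To confirm that the value in the IdP Cert Fingerprint field still matches the certificate Microsoft Entra ID signs with, for example after the rotation above, the check below compares it against the signing certificates in a saved copy of the application's federation metadata XML. This is an added example, not KnowBe4 or Microsoft code. It assumes the thumbprint is the SHA-1 hash of the certificate's DER bytes (the 40-hex-digit form); the function names and the sample metadata are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: certificate bodies are placeholder bytes, not real X.509.
OLD = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW = base64.b64encode(b"constructed-new-signing-cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{NEW}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def thumbprint(cert_b64):
    """SHA-1 over the decoded certificate bytes, as upper-case hex."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()

def signing_thumbprints(metadata_xml):
    """Thumbprints of every signing certificate the IdP metadata advertises."""
    root = ET.fromstring(metadata_xml)  # parse only a saved, trusted copy
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute applies to signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append(thumbprint(cert.text or ""))
    return found

def fingerprint_is_current(configured, metadata_xml):
    """True if the configured fingerprint matches a current signing cert."""
    # Accept "AA:BB:..", "aa bb ..", or plain hex as pasted from a portal.
    want = re.sub(r"[^0-9A-Fa-f]", "", configured).upper()
    if len(want) != 40:
        raise ValueError("expected a 40-hex-digit SHA-1 thumbprint")
    return want in signing_thumbprints(metadata_xml)

if __name__ == "__main__":
    # The IdP has rotated to NEW; a service provider still holding OLD is stale.
    print(fingerprint_is_current(thumbprint(OLD), SAMPLE_METADATA))
```

A False result means the fingerprint stored on the KnowBe4 side no longer corresponds to an active signing certificate and should be updated.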