SAML Single Sign-On (SSO)

Last updated:

How to Set Up SAML/SSO for KCM GRC

KnowBe4's KCM GRC platform supports SAML 2.0, so your users can quickly and easily log in to KCM using your organization's single sign-on (SSO), or Identity provider (IdP), without having to set up or use a password.

You must be an Account Administrator to set up SSO for your KCM GRC platform. As a precaution, Account Administrators will retain the ability to log in to KCM GRC with their password. 

Important: After you configure SAML for your KCM GRC account, users must log in by using single sign-on. For new accounts, users will still be required to activate their account. To learn more about this user experience, see our How to Activate and Access Your KCM GRC Account With SSO/SAML article.
Note: Because they are external user roles, Auditor and third-party Vendor Users cannot log in to KCM GRC by using single sign-on. As an alternative option for authentication security, you can make multi-factor authentication mandatory for these accounts. For more information, see our How to Enable and Configure Multi-Factor Authentication article.

See the sections below to learn how to add KCM GRC to your SSO portal and how to add the SSO provider's metadata to KCM GRC. 

Add the KCM GRC Application to Your SSO Portal

Before configuring SSO in your KCM GRC platform, you will need to add KCM GRC to your SSO provider's admin portal.

First, follow the instructions below to add the KCM GRC application to your SSO portal:

  1. Log in to your SSO portal.
  2. Add KCM GRC as a custom application.
    Tip:If OneLogin or Okta is your SSO service provider, you can search for the KCM GRC Platform SAML application instead of adding a custom application. For more information, see our How Do I Configure SSO/SAML for KCM GRC with OneLogin? and How Do I Configure SSO/SAML for KCM GRC with Okta? articles.
  3. (Optional) Customize your KCM GRC web app by adding our logo or providing a description of the application.

Next, follow the instructions below to copy your SSO information from your KCM GRC account and paste that information into your SSO provider's portal:

  1. Open KCM GRC in a new window or tab, and log in to your account.
  2. Click Settings, then Account Settings in the top-right area of the page.
  3. Select the SSO Settings tab. Under the SSO Information section, you can find your account-specific information.
    Tip: If you would rather download your KMC GRC metadata information instead of manually configuring the details below, you will first need to turn on SSO Enabled in your KCM GRC account and save this setting. See the Add SAML Provider Information to KCM GRC section below for more information.
  4. In your KCM GRC account, locate and copy your unique Callback URL.
    • In your SSO provider's portal, paste your Callback URL in the appropriate field. For example, this field is often called the Assertion Consumer Service (ACS) URL.
  5. In your KCM GRC account, locate and copy your unique Sign out URL.
    • In your SSO provider’s portal, paste your Sign out URL in the appropriate field. For example, this field may be called Single Logout URL, or something similar.
  6. In your SSO provider's portal, update any additional fields as necessary. For example, you may need to specify the following settings:
    SSO Provider Setting Description
    Account ID (also known as SAML Account ID, Entity ID, or Issuer) For example, if your Entity ID is: https://yourorganization.kb4compliance.com/metadata, enter: "yourorganization".
    Audience For example, if your Entity ID is: https://yourorganization.kb4compliance.com/metadata, enter: "https://yourorganization.kb4compliance.com".
    Sign Response or Assertion Response  
    NameID Format emailAddress
    Relay State or Base URL For example, if your Entity ID is: https://yourorganization.kb4compliance.com/metadata, enter: "https://yourorganization.kb4compliance.com".
  7. Click Save in your SSO provider settings, if applicable.

Add KCM GRC Users to Your SSO Portal

After you complete the steps above, you can add or assign users to the KCM GRC application your SSO portal.

Important:KCM GRC does not support user provisioning at this time. Before users can use SSO to log in to KCM GRC, you will need to manually add or assign them to the KCM GRC application in your SSO portal. Each time you create a new user in your KCM GRC account, you will need to repeat this process. 

The instructions will vary for each SSO provider. For an example of how to assign users to KCM GRC in Microsoft Entra ID, see the Assign User to KCM GRC in Microsoft Entra ID section of our How Do I Configure SSO/SAML for KCM GRC with Microsoft Entra ID? article. 

Add SSO Provider Information to KCM GRC

After you add the KCM GRC application to your SSO provider's portal, you will need to add your SSO provider's information to KCM GRC. 

To add your SSO provider's information to KCM GRC, follow the instructions below:

  1. Log in to your KCM GRC. 
  2. In the top-right corner of the page, select Settings, then Account Settings.
  3. Select the SSO Settings tab.
  4. Add information about your SSO provider to the SSO Provider Config section of your KCM GRC platform. To learn about the methods you can use to add this information, see the list below:
    1. You can download the SAML metadata from your SSO portal, and upload it to KCM GRC. To upload the XML file, click the Upload SSO Metadata button, select the XML file, and click the Import button. 
      Note:This option is our recommended method.
    2. You can copy the URL that links to your SSO metadata from your SSO portal. Then, in KCM GRC, paste the link to the Remote Metadata XML field, and click the Import button.  remote metadata XML field
    3. If you are unable to download or link to your SSO metadata, you will need to copy the information below from your SSO Portal and add it to your SSO Settings area.
      Note:To display the fields where you can enter this information, make sure the SSO Enabled toggle is turned on.
      • SSO Provider: Select ADFS or your IDP/SSO provider from the drop-down menu.
      • Entity ID: Copy this URL from your IDP/SSO provider's portal. This may also be called the Audience/Identifier ID.
      • SSO URL: Copy this URL from your IDP/SSO provider's portal. This may also be called the SAML Endpoint/Login URL.
      • SLO URL: Copy this URL from your IDP/SSO provider's portal. This may also be called the Logout URL.
      • X.509 Certificate: Copy the entire X.509 certificate from your IDP/SSO provider's portal.
  5. Click the Save button. 

Test SSO Integration

After you configure SSO in KCM GRC, we recommend that you test your SSO integration by following the steps below.

  1. Log in to your KCM GRC account. 
  2. In the top-right corner of the screen, navigate to Settings > Account Settings
  3. Click the SSO Settings tab on the View Account page. 
  4. Click the Test SSO Configuration button. KCM Test SSO Integration PNG
  5. Click Continue in the SAML Integration Test window. 

After you click Continue, a window will open to indicate whether the SSO configuration was successful. If the configuration was successful and you are signed in to your SSO provider's portal with the same email address that you use for KCM GRC, this window will redirect you to your KCM GRC dashboard.

If the configuration was unsuccessful, this window will redirect you to a "Page not found" error screen. Review the instructions in this article to verify that you configured SSO correctly. Then, if you still encounter the error, please contact the KCM GRC support team for assistance. 

Can't find what you're looking for?

Contact Support