KnowBe4's KCM GRC platform supports SAML 2.0, so your users can quickly and easily log in to KCM using your organization's single sign-on (SSO) provider, or identity provider (IdP), without having to set up or use a password.
You must be an Account Administrator to set up SSO for your KCM GRC platform. As a precaution, Account Administrators will retain the ability to log in to KCM GRC with their password.
See the sections below to learn how to add KCM GRC to your SSO portal and how to add the SSO provider's metadata to KCM GRC.
Add the KCM GRC Application to Your SSO Portal
Before configuring SSO in your KCM GRC platform, you will need to add KCM GRC to your SSO provider's admin portal.
First, follow the instructions below to add the KCM GRC application to your SSO portal:
- Log in to your SSO portal.
- Add KCM GRC as a custom application.
Tip: If OneLogin or Okta is your SSO service provider, you can search for the KCM GRC Platform SAML application instead of adding a custom application. For more information, see our How Do I Configure SSO/SAML for KCM GRC with OneLogin? and How Do I Configure SSO/SAML for KCM GRC with Okta? articles.
- (Optional) Customize your KCM GRC web app by adding our logo or providing a description of the application.
Next, follow the instructions below to copy your SSO information from your KCM GRC account and paste that information into your SSO provider's portal:
- Open KCM GRC in a new window or tab, and log in to your account.
- Click Settings, then Account Settings in the top-right area of the page.
- Select the SSO Settings tab. Under the SSO Information section, you can find your account-specific information.
Tip: If you would rather download your KCM GRC metadata information instead of manually configuring the details below, you will first need to turn on SSO Enabled in your KCM GRC account and save this setting. See the Add SAML Provider Information to KCM GRC section below for more information.
- In your KCM GRC account, locate and copy your unique Callback URL.
- In your SSO provider's portal, paste your Callback URL in the appropriate field. For example, this field is often called the Assertion Consumer Service (ACS) URL.
- In your KCM GRC account, locate and copy your unique Sign out URL.
- In your SSO provider’s portal, paste your Sign out URL in the appropriate field. For example, this field may be called Single Logout URL, or something similar.
- In your SSO provider's portal, update any additional fields as necessary. For example, you may need to specify the following settings:
| SSO Provider Setting | Description |
| --- | --- |
| Account ID (also known as SAML Account ID, Entity ID, or Issuer) | For example, if your Entity ID is: https://yourorganization.kb4compliance.com/metadata, enter: "yourorganization". |
| Audience | For example, if your Entity ID is: https://yourorganization.kb4compliance.com/metadata, enter: "https://yourorganization.kb4compliance.com". |
| Sign Response or Assertion | Response |
| NameID Format | emailAddress |
| Relay State or Base URL | For example, if your Entity ID is: https://yourorganization.kb4compliance.com/metadata, enter: "https://yourorganization.kb4compliance.com". |

- Click Save in your SSO provider settings, if applicable.
Add KCM GRC Users to Your SSO Portal
After you complete the steps above, you can add or assign users to the KCM GRC application in your SSO portal.
The instructions will vary for each SSO provider. For an example of how to assign users to KCM GRC in Microsoft Entra ID, see the Assign User to KCM GRC in Microsoft Entra ID section of our How Do I Configure SSO/SAML for KCM GRC with Microsoft Entra ID? article.
Add SSO Provider Information to KCM GRC
After you add the KCM GRC application to your SSO provider's portal, you will need to add your SSO provider's information to KCM GRC.
To add your SSO provider's information to KCM GRC, follow the instructions below:
- Log in to your KCM GRC.
- In the top-right corner of the page, select Settings, then Account Settings.
- Select the SSO Settings tab.
- Add information about your SSO provider to the SSO Provider Config section of your KCM GRC platform. To learn about the methods you can use to add this information, see the list below:
- You can download the SAML metadata from your SSO portal, and upload it to KCM GRC. To upload the XML file, click the Upload SSO Metadata button, select the XML file, and click the Import button. Note: This option is our recommended method.
- You can copy the URL that links to your SSO metadata from your SSO portal. Then, in KCM GRC, paste the link to the Remote Metadata XML field, and click the Import button.
- If you are unable to download or link to your SSO metadata, you will need to copy the information below from your SSO Portal and add it to your SSO Settings area.
Note: To display the fields where you can enter this information, make sure the SSO Enabled toggle is turned on.
- SSO Provider: Select ADFS or your IDP/SSO provider from the drop-down menu.
- Entity ID: Copy this URL from your IDP/SSO provider's portal. This may also be called the Audience/Identifier ID.
- SSO URL: Copy this URL from your IDP/SSO provider's portal. This may also be called the SAML Endpoint/Login URL.
- SLO URL: Copy this URL from your IDP/SSO provider's portal. This may also be called the Logout URL.
- X.509 Certificate: Copy the entire X.509 certificate from your IDP/SSO provider's portal.
- Click the Save button.
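Before importing or hand-copying IdP metadata, it helps to see exactly which Entity ID, SSO URL, SLO URL, and signing certificate the file carries. The following is an added example, not KnowBe4 code: it reads those four values from SAML 2.0 IdP metadata using the Python standard library. The function name, idp.example.com, and the placeholder certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: idp.example.com and the certificate bytes are placeholders.
_B64 = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_B64[:16]}
        {_B64[16:]}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Location="http://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml):
    """Return Entity ID, SSO URL, SLO URL, certificate fingerprints, and warnings."""
    if "<!DOCTYPE" in metadata_xml:
        # SAML metadata never needs a DTD; refuse it to avoid entity-expansion tricks.
        raise ValueError("metadata contains a DOCTYPE declaration")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def location(tag):  # first endpoint of this type; real metadata may list several
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None

    # A KeyDescriptor without use="encryption" may sign; there can be two during rollover.
    certs = [kd.find(".//ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") != "encryption"]
    ders = [base64.b64decode("".join(c.text.split())) for c in certs if c is not None and c.text]
    if not ders:
        raise ValueError("no signing certificate in metadata")
    out = {"entity_id": root.get("entityID"),
           "sso_url": location("SingleSignOnService"),
           "slo_url": location("SingleLogoutService"),
           "cert_sha256": [hashlib.sha256(d).hexdigest() for d in ders]}
    out["warnings"] = [f"{k} is not https: {out[k]}" for k in ("sso_url", "slo_url")
                       if out[k] and urlparse(out[k]).scheme != "https"]
    return out
```

Each `cert_sha256` value is the SHA-256 hash of the DER-encoded certificate, so it can be compared with the fingerprint your SSO provider's portal shows for its signing certificate.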
Test SSO Integration
After you configure SSO in KCM GRC, we recommend that you test your SSO integration by following the steps below.
- Log in to your KCM GRC account.
- In the top-right corner of the screen, navigate to Settings > Account Settings.
- Click the SSO Settings tab on the View Account page.
- Click the Test SSO Configuration button.
- Click Continue in the SAML Integration Test window.
After you click Continue, a window will open to indicate whether the SSO configuration was successful. If the configuration was successful and you are signed in to your SSO provider's portal with the same email address that you use for KCM GRC, this window will redirect you to your KCM GRC dashboard.
If the configuration was unsuccessful, this window will redirect you to a "Page not found" error screen. Review the instructions in this article to verify that you configured SSO correctly. Then, if you still encounter the error, please contact the KCM GRC support team for assistance.