Menu

KCM GRC: How to Set up SAML/SSO for KCM GRC

Avatar
Lauren Ashley
Updated
Follow

Setting up SAML/SSO for Your Organization

KnowBe4's KCM GRC platform supports SAML 2.0, so your users can quickly and easily log in to KCM using your organization's single sign-on (SSO), or Identity provider (IdP), without having to set up or use a password.

You must be an Account Administrator to set up SSO for your KCM GRC platform. As a safeguard, Account Administrators will retain the ability to log in to KCM GRC with their password. Therefore, as an additional layer of security, if you'd like to require Multi-Factor Authentication when Account Administrators log in with their password, please also see our Enable and Set Up Multi-Factor Authentication article. 

Note: Once you've configured SAML for your KCM GRC account, users must log in using single sign-on. For new accounts, users will still be required to activate their account. To learn more about this user experience, see: Activating and Accessing Your Account.
Due to the nature of these user roles, Auditor and [third-party] Vendor Users cannot log in to KCM GRC using single sign-on. As an alternative option for authentication security, you can make multi-factor authentication mandatory for these accounts (see this article for more information).

If you want to configure SAML/SSO for your OneLogin account, please see this article. If you'd like to configure SAML/SSO for Active Directory Federation Services (AD FS), please see this article.

First, you'll configure the SAML connection in your SSO service provider's platform using information you'll find in your KCM GRC account. Then, you'll import or manually add the necessary metadata into KCM GRC to complete the setup. Follow the sections below for details.

Jump to:

Add the KCM GRC Application to Your SSO Portal
Configure Single Sign-on
Add SAML Provider Information
Test SSO Integration

 

Add the KCM GRC Application to Your SSO Portal

  1. From your SSO provider's admin portal, add KCM GRC as a custom application.

    Tip:

    If OneLogin or Okta is your SSO service provider: Instead of adding a custom application, search for and add the KCM GRC Platform SAML application from your admin portal.
    All other SSO Service Providers: You must be able to add a custom application to configure a SAML connection with your KCM GRC platform.
  2. If you'd like, you can customize your KCM GRC web app by adding our logo or providing a description of the application. 

Then, proceed to the next section to configure SSO.

Configure Single Sign-on

Once you're ready to configure SAML/SSO in your SSO provider, you'll need the following information from your KCM GRC account.

  1. Log in to your KCM GRC account (with account administrator permissions), then click Settings and then Account Settings from the top-right portion of the page.
  2. Click the SSO Settings tab. Under the SSO Information section on the right-hand side, you'll see your account-specific information.
  3. In your KCM GRC account, locate and copy your unique Callback URL.
    • In your SSO provider's portal, paste your Callback URL in the appropriate field. For example, this field is often called the Assertion Consumer Service (ACS) URL.
  4. In your KCM GRC account, locate and copy your unique Sign out URL.
    • In your SSO provider’s portal, paste your Sign out URL in the appropriate field. For example, this field may be called Single Logout URL, or something similar.
  5. In your SSO provider's portal, update any additional fields as necessary. For example, you may need to specify the following settings:
    • SSO Provider Setting Description
      Account ID (also known as SAML Account ID, Entity ID, or Issuer) For example, if your Entity ID is:
      https://yourorganization.kb4compliance.com/metadata,
      enter: yourorganization
      Audience For example, if your Entity ID is:
      https://yourorganization.kb4compliance.com/metadata,
      enter: https://yourorganization.kb4compliance.com
      Sign Response or Assertion Response  
      NameID Format emailAddress
      Relay State or Base URL For example, if your Entity ID is:
      https://yourorganization.kb4compliance.com/metadata,
      enter: https://yourorganization.kb4compliance.com
  6. Click Save in your SSO provider settings (if applicable).

 

Add SAML Provider Information to KCM GRC

  1. Next, you'll need to add or import information about your SAML provider beneath the Settings > SSO Settings > SSO Provider Config section of your KCM GRC platform.

    There are three ways to do this:

    • Option 1 (RECOMMENDED): Download the SAML metadata from your SSO portal and upload it into your KCM GRC account.
      For example, if you're using OneLogin as your SSO provider, you can obtain your SAML metadata file by clicking the More Actions drop-down button on the top-right, then clicking SAML Metadata. An XML file will download to your computer. 
      1. Once you obtain your SAML metadata XML file, click the Upload SSO Metadata button under the SSO Provider Config area of your SSO Settings (click here to view).
      2. Select the XML file you just downloaded, then, click the Import button to import your metadata.
      3. Proceed to the next section to test your configuration.
    • Option 2: Provide a URL which links to your SSO metadata.
      1. Paste your metadata URL in the Remote Metadata XML field of your KCM GRC SSO Settings area (click to view).
      2. Click the Import button to import your SSO metadata.
      3. Click the Save button. Then, proceed to the next section to test your configuration. 
    • Option 3 (Manual Method): If you are unable to download or link to your SSO metadata, you will need to copy the following information from your SSO Portal and add it to your SSO Settings area. To display the fields where you'll need to enter this information, ensure the SSO Enabled toggle is turned on, as shown below.
      • SSO Provider: Select ADFS or your IDP/SSO provider from the drop-down menu.
      • Entity ID: Copy this URL from your IDP/SSO provider's portal. This may also be called the Audience/Identifier ID.
      • SSO URL: Copy this URL from your IDP/SSO provider's portal. This may also be called the SAML Endpoint/Login URL.
      • SLO URL: Copy this URL from your IDP/SSO provider's portal. This may also be called the Logout URL.
      • X.509 Certificate: Copy the entire X.509 certificate from your IDP/SSO provider's portal.
  2. After completing any of the three methods above, click Save. Then, see the next section to test your SAML configuration.

 

Test SSO Integration

Finally, you'll want to test your SAML integration to ensure you can use SSO with your KCM GRC platform successfully. Ensure the SSO Enabled toggle is turned on, then click the Test SSO Integration button at the bottom of your SSO Settings page to attempt to use SSO to log in to your KCM GRC account.

If the button navigates you back to your KCM GRC Dashboard page and you do not experience any errors during this process, you've set up SAML integration successfully. If you do encounter errors, reach out to our support team for assistance.

Back to top

 

 

 

 

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles