SAML Single Sign-On (SSO)

Share

Is this article helpful?

Last updated:

How Do I Configure SSO/SAML for KCM GRC with Azure Active Directory?

You can configure single sign-on (SSO) for your KCM GRC platform with Azure Active Directory (AD). When you enable SSO, your KCM GRC users can log in to the platform without creating a password. 

You must be an account administrator in both KCM GRC and Azure AD to configure SSO. You also must have a Premium Azure AD subscription to configure SSO for KCM GRC. 

Important:After you configure SAML for your KCM GRC account, users must use SSO to log in to their KCM GRC accounts. For new accounts, users will still be required to activate their accounts before they can log in by using SSO. To learn more about this user experience, see our How to Activate and Access Your KCM GRC Account With SSO/SAML article. 
Note:Because they are external user roles, Auditors and third-party Vendor Users cannot log in to KCM GRC by using single sign-on. As an alternative option for authentication security, you can make multi-factor authentication mandatory for these accounts. For more information, see our How to Enable and Configure Multi-Factor Authentication article.

Follow the steps in the sections below to configure SSO for KCM GRC with Azure AD.

Add the KCM GRC Platform to Azure AD

Before configuring SSO in your KCM GRC platform, please connect KCM GRC to your Azure AD account by following the instructions below. 

First, add the KCM GRC application to your Azure AD account. 

  1. Log in to the Azure AD portal. 
  2. Navigate to the All applications tab from the navigation panel (Enterprise applications > All applications). Azure All Applications tab PNG
  3. Click the + New application button. 
  4. Click the Create your own application button.
  5. Enter "KCM GRC" into the What's the name of your app? field. 
    Tip:To add the KCM GRC logo to your Azure AD application, download the KCM GRC logo to your device. Then, navigate to the Properties tab in Azure AD, click the Select a file button, and upload the logo. 
    Azure Create your own app PNG
  6. Select the Integrate any other application you don't find in the gallery option. 
  7. Click the Create button. 

Next, obtain your KCM GRC SSO information, which you will need to configure SSO in Azure AD. 

  1. Open your KCM GRC platform in a new window or tab.
  2. In the top-right corner of the screen, navigate to Settings > Account Settings. KCM SSO Screen PNG
  3. Click the SSO Settings tab on the View Account page.
  4. Locate the SSO Information section. In steps 16-20, you can copy and paste the SSO Information URLs into Azure AD.

Finally, configure SSO in Azure AD. 

  1. Return to the Azure AD portal.
  2. Select the Single sign-on tab from the navigation panel. Azure Single sign-on Tab PNG
  3. Select SAML.
  4. In the Basic SAML Configuration section, click the pencil icon to edit the SAML settings.
    Note:For steps 16-20, you can return to step 11 to copy the SSO Information URLs and paste them into the Basic SAML Configuration box. 
    Edit Button PNG
  5. Paste your KCM GRC Entity ID into the Identifier (Entity ID) field. Please see below for an example of an Entity ID. 
    • If your account is on the US server: https://organization.kb4compliance.com/metadata 
    • If your account is on the UK server: https://organization.uk.kcmgrc.com/metadata 
    Basic SAML Config PNG
  6. Paste your KCM GRC Callback URL into the Reply URL field. Please see below for an example of a Callback URL. 
    • If your account is on the US server: https://organization.kb4compliance.com/saml/acs
    • If your account is on the UK server: https://organization.uk.kcmgrc.com/saml/acs 
  7. Paste your KCM GRC Sign in URL into the Sign On URL field. Please see below for an example of a Sign in URL. 
    • If your account is on the US server: https://organization.kb4compliance.com/saml/login
    • If your account is on the UK server: https://organization.uk.kcmgrc.com/saml/login
  8. (Optional) Enter your KCM GRC Relay State into the Relay State field. Please see below for an example of a Relay State. 
    Note:The Relay State is only necessary if you are using MFA for Azure AD.
    • If your account is on the US server: https://organization.kb4compliance.com
    • If your account is on the UK server: https://organization.uk.kcmgrc.com 
  9. (Optional) Paste your KCM GRC Sign out URL into the Logout URL field. Please see below for an example of a Sign out URL. 
    Note:The Sign out URL is only necessary if you want to redirect your users to the KCM GRC login screen after they log out of your platform.
    • If your account is on the US server: https://organization.kb4compliance.com/logout
    • If your account is on the UK server: https://organization.uk.kcmgrc.com/logout 
  10. Click the Save button. 
  11. In the User Attributes & Claims section, click the pencil icon to edit the attributes. Edit User Attributes & Claims PNG
  12. Delete the attributes that are listed below:
    • Givenname
    • Surname
    • Emailaddress
    • Name
  13. Click the pencil icon next to the Unique User Identifier attribute.
  14. In the Source attribute field, replace user.userprincipalname with user.mail.
  15. Click the Save button. 
  16. In the SAML Signing Certificate section, copy the App Federation Metadata Url by clicking the Copy button.   Azure Metadata URL PNG

Assign Users to KCM GRC in Azure AD

After you add the KCM GRC application to Azure AD, please follow the instructions below to assign users to KCM GRC in Azure AD.

Important:You will need to repeat this process each time you add a new user to your KCM GRC platform.
  1. Create any new users in your KCM GRC platform. Please see our Working with Users article for more information. 
  2. Log in to the Azure AD portal. 
  3. Navigate to the All applications tab from the navigation panel (Enterprise applications > All applications).
  4. Select the KCM GRC application. 
  5. Select Users and groups tab from the navigation menu. Add User PNG
  6. Click the + Add user button. 
  7. Select Users and groups in the Add Assignment column.
  8. Select the users or groups that have accounts in your KCM GRC platform. Select User PNG
  9. Click the Select button. 
  10. Click the Assign button.

Configure Azure AD SSO in KCM GRC

After you assign users to the KCM GRC application from Azure AD, please follow the instructions below to configure SSO in KCM GRC. 

  1. Log in to your KCM GRC account. 
  2. In the top-right corner of the screen, navigate to Settings Account Settings.
  3. Click the SSO Settings tab on the View Account page.
  4. Click the SSO Enabled toggle to enable SSO.  Import Metadata PNG
  5. Paste the App Federation Metadata Url that you copied in step 27 of the Add the KCM GRC Platform to Azure AD section into the Remote Metadata XML field. 
  6. Click the Import button. 
  7. Wait for the file to import successfully. 
  8. Select Azure Active Directory from the SSO Provider drop-down menu.  KCM SSO Provider Drop-down PNG
  9. Click Save in the bottom-left corner of the screen. 
Note:As a precaution, Account Administrators will also retain the ability to log in to KCM GRC with their password.

Test SSO Integration

After you configure SSO in KCM GRC, we recommend that you test your SSO integration by following the steps below.

  1. Log in to your KCM GRC account. 
  2. In the top-right corner of the screen, navigate to Settings > Account Settings
  3. Click the SSO Settings tab on the View Account page. 
  4. Click the Test SSO Configuration button. KCM Test SSO Integration PNG
  5. Click Continue in the SAML Integration Test window. 

After you click Continue, a window will open to indicate whether the SSO configuration was successful. If the configuration was successful and you are logged in to Azure AD with the same email address that you use for KCM GRC, this window will redirect you to your KCM GRC dashboard.

If the configuration was unsuccessful, this window will redirect you to a "This page can't be found" error screen. Please review the instructions in this article to verify that you configured SSO correctly in Azure AD and KCM GRC. Then, if you still encounter the error, please contact our KCM GRC support team.

Was this article helpful?

0 out of 0 found this helpful

Can't find what you're looking for?

Contact Support