Knowbe4 SAML Single Sign-On (SSO) integration

This topic describes how to configure Knowbe4 for SAML SSO in CyberArk Identity.

Knowbe4 SSO supported features

This application template supports the following features:

  • Identity provider (IdP)-initiated SSO

  • Service provider (SP)-initiated SSO

  • Just-in-time (JIT) provisioning

Prerequisites for Knowbe4 SSO

Before you configure Knowbe4 for SSO, make sure you have the following information.

Setting                                Description
Assertion Consumer Service (ACS) URL   https://training.knowbe4.com/auth/saml/<companyID>/callback
SP Entity ID                           KnowBe4

You also need to have administrator and user accounts in Knowbe4.

Configure the Knowbe4 app template in the Identity Administration portal

Perform these steps in the Identity Administration portal to configure the Knowbe4 application template for SSO.

Step 1: Add the Knowbe4 web app template.

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Trust page.

  1. Click Trust to go to the Trust page.

  2. In the Identity Provider Configuration section, select Manual Configuration. Copy the IdP Entity ID/IdP Issuer and Signing Certificate Thumbprint values and save them so you can use them later when you configure the SAML integration in Knowbe4.

  3. In the Service Provider Configuration section, select Manual Configuration, then enter the following information and click Save after you finish.

    Setting                                Description
    SP Entity ID                           KnowBe4
    Assertion Consumer Service (ACS) URL   https://training.knowbe4.com/auth/saml/<companyID>/callback

Step 3: Configure the Permissions page to grant Knowbe4 users SSO access.

Grant SSO access to Knowbe4 users by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

  2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

    Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

Step 4: Review and save.

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure Knowbe4 for SAML single sign-on

Perform these steps in Knowbe4 to configure the Knowbe4 application template for SSO.

  1. Sign in to the KnowBe4 application as the system administrator.

  2. Go to Account Settings > Account Integrations > SAML.

  3. In the SAML settings section, select Enable SAML SSO and Allow Account Creation from SAML Login (enables SAML just-in-time provisioning).

  4. Enter the following values from the SP Configuration into the corresponding fields in Knowbe4.

    Name in CyberArk                       Corresponding Name in Knowbe4
    Assertion Consumer Service (ACS) URL   SSO Callback (ACS) URL
    SP Entity ID                           Entity ID

    You can keep the default Entity ID (KnowBe4), or click Generate unique Entity ID. If you generate a new value, make sure you enter this value in the Sign On application tab in CyberArk. If you use the default, leave the field blank in CyberArk settings.

  5. In the IdP Cert Fingerprint field, select SHA-1 or SHA-256.

  6. Note down these values for future use:

    • SSO Sign-in URL. Required for SP-initiated SSO

    • SSO Callback (ACS) URL. The Base-SSO Login URL is part of this value. For example, if your SSO Callback (ACS) URL is https://training.knowbe4.com/auth/saml/58673658569/callback, the Base-SSO Login URL is https://training.knowbe4.com.

    • SAML ID

    • Bypass-SSO Login URL. This URL bypasses the SSO redirect and can be used to log in to KnowBe4 using your email and password.

  7. Click Save SAML Settings.
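
The thumbprint copied from the Trust page and the SHA-1 or SHA-256 choice in the IdP Cert Fingerprint field have to describe the same signing certificate. The following is an added example, not CyberArk or KnowBe4 code: it recomputes the fingerprint from a certificate file and compares it with the copied value, inferring the algorithm from the value's length. It assumes the signing certificate is available as PEM; the sample bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

# Constructed placeholder bytes wrapped as PEM; NOT a real certificate.
# Replace SAMPLE_PEM with the signing certificate exported from your IdP.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# The hex length of a thumbprint tells us which digest produced it.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(thumbprint):
    """Drop colons, dashes and whitespace and lowercase: 'AB:CD' -> 'abcd'."""
    hexstr = re.sub(r"[\s:\-]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr) or len(hexstr) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a SHA-1 or SHA-256 thumbprint")
    return hexstr


def fingerprint(pem, algo):
    """Hash the DER encoding of the certificate, which is what a thumbprint is."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.new(algo, der).hexdigest()


def check_thumbprint(pem, thumbprint):
    """Return (algorithm implied by the thumbprint length, match result)."""
    expected = normalize(thumbprint)
    algo = ALGO_BY_HEX_LEN[len(expected)]
    return algo, hmac.compare_digest(fingerprint(pem, algo), expected)


if __name__ == "__main__":
    # Stands in for the value copied from the Trust page.
    copied = fingerprint(SAMPLE_PEM, "sha256").upper()
    print(check_thumbprint(SAMPLE_PEM, copied))
```

The algorithm returned by `check_thumbprint` is the one to select in the IdP Cert Fingerprint field for that thumbprint.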

Test the Knowbe4 SSO configuration

Now that you have finished configuring the application template settings in the Identity Administration portal and Knowbe4, users can benefit from SP-initiated and IdP-initiated SSO.

To test IdP-initiated SSO:
  1. Sign in to CyberArk Identity with the user account you just added.

  2. Click the Knowbe4 application tile to launch Knowbe4 in a new tab and automatically sign in.

To test SP-initiated SSO:
  1. Go to the following URL:

    https://training.knowbe4.com/ui/login

  2. Sign in as your test user.
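
If a test login fails, a common cause is a mismatch between the response and the SP settings entered above, for example after generating a unique Entity ID in KnowBe4 without entering it in CyberArk. The following is an added troubleshooting example, not CyberArk or KnowBe4 code: it checks the Destination, Recipient and Audience of a base64-decoded SAML response against the ACS URL and SP Entity ID. The sample response, issuer, user and function name are constructed; the company ID is the one from the example URL on this page.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP settings from this page; the company ID is the one in the page's example URL.
ACS_URL = "https://training.knowbe4.com/auth/saml/58673658569/callback"
SP_ENTITY_ID = "KnowBe4"

# Constructed, unsigned sample; issuer and user are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>test.user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def audit_response(xml_text, acs_url=ACS_URL, entity_id=SP_ENTITY_ID):
    """List mismatches between a decoded SAML response and the SP settings.

    Troubleshooting aid for responses captured from your own test login;
    it does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if not recipients or any(r != acs_url for r in recipients):
        problems.append(f"Recipient {recipients!r} is not the ACS URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences!r} lacks SP Entity ID {entity_id!r}")
    return problems
```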