Knowbe4 SAML Single Sign-On (SSO) and SCIM integration

This topic describes how to configure Knowbe4 for SAML SSO and SCIM in CyberArk Identity.

Knowbe4 SSO supported features

This application template supports the following features:

  • Identity provider (IdP)-initiated SSO

  • Service provider (SP)-initiated SSO

  • Just-in-time (JIT) provisioning

  • System for Cross-domain Identity Management (SCIM) provisioning

Prerequisites for Knowbe4 SSO

Before you configure Knowbe4 for SSO, make sure you have the following information.

  • Assertion Consumer Service (ACS) URL: https://training.knowbe4.com/auth/saml/<companyID>/callback

  • SP Entity ID: KnowBe4

You also need to have administrator and user accounts in Knowbe4.

Configure the Knowbe4 app template in the Identity Administration portal

Perform these steps in the Identity Administration portal to configure the Knowbe4 application template for SSO.

Step 1: Add the Knowbe4 web app template.

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Trust page.

  1. Click Trust to go to the Trust page.

  2. In the Identity Provider Configuration section, select Manual Configuration. Copy the IdP Entity ID/IdP Issuer and Signing Certificate Thumbprint values and save them so you can use them later when you configure the SAML integration in Knowbe4.

  3. In the Service Provider Configuration section, select Manual Configuration, then enter the following information and click Save after you finish.

    • SP Entity ID: KnowBe4

    • Assertion Consumer Service (ACS) URL: https://training.knowbe4.com/auth/saml/<companyID>/callback

Step 3: Configure the Permissions page to grant Knowbe4 users SSO access.

Grant SSO access to Knowbe4 users by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

  2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

    Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

Step 4: Review and save.

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure Knowbe4 for SAML single sign-on

Perform these steps in Knowbe4 to configure the Knowbe4 application template for SSO.

  1. Sign in to the KnowBe4 application as the system administrator.

  2. Go to Account Settings > Account Integrations > SAML.

  3. In the SAML settings section, select Enable SAML SSO and Allow Account Creation from SAML Login (enables SAML just-in-time provisioning).

  4. Enter the following values from the SP Configuration into the corresponding fields in Knowbe4.

    • Assertion Consumer Service (ACS) URL in CyberArk: SSO Callback (ACS) URL in Knowbe4

    • SP Entity ID in CyberArk: Entity ID in Knowbe4

    You can keep the default Entity ID (KnowBe4), or click Generate unique Entity ID. If you generate a new value, make sure you enter this value in the Sign On application tab in CyberArk. If you use the default, leave the field blank in CyberArk settings.

  5. In the IdP Cert Fingerprint field, select SHA-1 or SHA-256.

  6. Note down these values for future use:

    • SSO Sign-in URL. Required for SP-initiated SSO

    • SSO Callback (ACS) URL. The Base-SSO Login URL is part of this value. For example, if your SSO Callback (ACS) URL is https://training.knowbe4.com/auth/saml/58673658569/callback, the Base-SSO Login URL is https://training.knowbe4.com.

    • SAML ID

    • Bypass-SSO Login URL. This URL bypasses the SSO redirect and can be used to log in to KnowBe4 using your email and password.

  7. Click Save SAML Settings.
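
The thumbprint copied from the Trust page and the SHA-1 or SHA-256 choice in the IdP Cert Fingerprint step have to describe the same certificate with the same hash. The following check is an added example, not CyberArk or KnowBe4 code: it recomputes both fingerprints from a PEM copy of the signing certificate and reports which one a pasted value matches. It assumes you have the certificate as PEM; the function names and the sample certificate body are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed stand-in for the signing certificate exported from the IdP.
# The body is placeholder bytes, not a real X.509 certificate; the
# fingerprint calculation only needs the decoded bytes.
SAMPLE_DER = b"constructed placeholder standing in for DER certificate bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)
# Fingerprint length in hex characters for the two options in KnowBe4.
HEX_LENGTH = {"sha1": 40, "sha256": 64}


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block to its DER bytes."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem: str, algorithm: str) -> str:
    """Lowercase hex hash of the DER encoding (not of the PEM text)."""
    if algorithm not in HEX_LENGTH:
        raise ValueError("algorithm must be 'sha1' or 'sha256'")
    return hashlib.new(algorithm, pem_to_der(pem)).hexdigest()


def normalize(value: str) -> str:
    """Drop colons, hyphens and whitespace; fold case."""
    return re.sub(r"[\s:\-]", "", value).lower()


def matching_algorithm(pem: str, pasted: str):
    """Return 'sha1' or 'sha256' if the pasted value is that fingerprint of
    the certificate, else None (wrong certificate or malformed value)."""
    candidate = normalize(pasted)
    for algorithm, length in HEX_LENGTH.items():
        if len(candidate) == length and candidate == fingerprint(pem, algorithm):
            return algorithm
    return None
```

If `matching_algorithm` returns a different algorithm than the one selected in KnowBe4, or `None`, correct the selection or re-copy the thumbprint before saving.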

Configure Knowbe4 SCIM provisioning in Identity Administration portal

Perform these steps in the Identity Administration portal to configure SCIM provisioning:

  1. In the Identity Administration portal, go to the Knowbe4 application's Provisioning tab and select Enable provisioning for this application.

  2. Enter the SCIM Service URL and Bearer Token values and then click Verify.

    You can generate the bearer token from the Knowbe4 application.

  3. Go to Core Services > Roles, then click Add Role.

  4. Add members to the role, then save the role.

Configure Knowbe4 for SCIM provisioning

Perform these steps in Knowbe4 to configure SCIM provisioning:

  1. Sign in to the Knowbe4 application as the system administrator.

  2. Go to Profile > Account Settings.

  3. In the Account Settings section, go to User Management > User Provisioning.

  4. Select Enable User Provisioning.

  5. Copy the SCIM URL from the Tenant URL field and paste it into the SCIM Service URL field in CyberArk Identity.

  6. Create and copy the SCIM bearer token and paste it in the Bearer Token field in CyberArk Identity.

Test the Knowbe4 SSO configuration

Now that you have finished configuring the application template settings in the Identity Administration portal and Knowbe4, users can benefit from SP-initiated and IdP-initiated SSO.

To test IdP-initiated SSO:

  1. Sign in to CyberArk Identity with the user account you just added.

  2. Click the Knowbe4 application tile to launch Knowbe4 in a new tab and automatically sign in.

To test SP-initiated SSO:

  1. Go to the following URL:

    https://training.knowbe4.com/ui/login

  2. Sign in as your test user.

To test SCIM provisioning:

  1. In the Identity Administration portal, go to Settings > Users > Outbound Provisioning.

  2. Select Knowbe4 from the Provisioning Enabled Applications drop-down menu, then click Start Sync.

  3. Click the View Synchronization Job Status and Reports link to view the synchronization report.

  4. To validate the synced users in the Knowbe4 application, go to Users > Provisioning to view the synced users.