SAML SSO with Azure Active Directory

Table of Contents

• Building a SAML Application for Infosec IQ
• Setting up SAML-based Single-on
• User Assignment
• Testing and Enabling in Infosec Accounts

Important: Before creating the SAML application in Azure, you will need to obtain Infosec IQ’s Entity ID and ACS URLs. To do so:

1. Login to Infosec IQ
2. Navigate to the settings gear in the top right corner and select Learner Authentication (SSO)
3. In the Single sign-on section, select setup
4. Do not adjust any of the settings and click save in the bottom right-hand corner. This will expose the SP Metadata, Entity ID, and ACS URLs for your organization. You will need these URLs to perform the below configuration steps

Building a SAML Application for Infosec IQ

1. Log into your Azure Active Directory admin center
2. Navigate to Enterprise Applications under the Applications drop down menu.
   
3. Select New Application
   
   

   AzureSSO_2.png986×469 111 KB
4. Select Create your own application
   
   

   AzureSSO_3.png1123×476 109 KB
5. Provide a name for your SAML app, leave integrate any other application you don’t find in gallery selected, and then click create
   
   

   AzureSSO_4.png626×723 46.2 KB
6. Navigate to the manage section on the left and select Single Sign on
   
7. Select SAML as the sign sign-on method
   

Return to Table of Contents

Setting up SAML-based Single-on

1. Edit the Basic SAML Configuration section by pasting the below information. Make sure to click save before proceeding to the next step:
   

   

   AzureSSO_7.png1046×277 37.7 KB
   • Identifier (Entity ID): Paste correct Entity ID URL
   • Reply URL (Assertion Consumer Service URL): Paste correct ACS URL

2. Edit the User Attributes & Claims section:

   • Update the required claim value to user.mail and hit save
     
     

     AzureSSO_8.png960×320 25.4 KB
   • Remove the additional claims
     
     

     AzureSSO_9.png959×412 50.8 KB
   • Add a new claim named emailaddress and the source attribute set to user.mail, then click save.
   • Once completed, close out of the User Attributes & Claims window. The section should now look like this:
     
     

     AzureSSO_10.png1023×178 17.8 KB

3. Edit the SAML Signing Certificate

   • Update the Signing Option to Sign SAML response and assertion
   • Click Save
   • Once updated, close our of the SAML Signing Certificate window
     
     

     AzureSSO_11.png1227×485 67.6 KB

Note: If you test this SAML application in Azure, you will get redirected to An Internal Error Has Occurred Infosec IQ page and not the Windows Auth Page. To test if the SAML app is configured correctly, navigate to the Testing and Enabling in Infosec IQ section of this article

Return to Table of Contents

User Assignment

User Assignment is not required if you planning to initiate training using the Infosec IQ campaign notifications. To disable User Assignment:

1. Navigate to the SAML application’s Properties
2. Toggle Assignment required to No
3. Click Save
   
   

   AzureSSO_12.png1433×555 127 KB

If you would like to provide your learners with a universal training link, then you will need to keep Assignment required enabled and follow the below steps:

1. Confirm that Assignment Required is toggled to Yes by navigating to properties under manage on the left-hand side.
2. Next select Users and Groups under Manage
3. Click Add Users/Groups
4. Click None Selected to identify the group or users you want to have this enabled. We recommend using/creating a group as this will be easier than manually selecting all your active users in Azure. If you do not have a group created, follow the below steps:
   • Navigate to Azure Active Directory from the left-hand menu
   • Select Groups
   • Click New Group
   • Fill in the sections and add users to that group
   • Once completed, navigate back to the Infosec IQ SAML application and select your group
5. Once you have assigned the correct group of users to the SAML application, navigate back to the SAML application’s Properties
6. In properties, locate the User Access URL. This URL will be the unique training URL that you can share with your employees.
   
   

   AzureSSO_13.png1127×748 136 KB

Note: Before sharing the above URL, you will need to configure your Infosec IQ account to support iDP Initiated Training. Review steps in Testing and Enabling in Infosec IQ to learn how to configure your account.

Return to Table of Contents

Testing and Enabling in Infosec Accounts

1. Stay in your Azure AD Admin Center
2. Navigate to the SAML application you created under Enterprise Applications
3. Click on Single sign-on on the left-hand side
4. Copy the App Federation Metadata URL that is in section three
   
   

   azuresso_14.png1123×399 48.5 KB
5. Navigate to Infosec IQ and hover over the settings gear in the top-right corner. Select User Settings
6. Select Organizations and in the Single sign-on section, select Actions then Edit or Setup.
7. Paste the App Federation Metadata URL into the IdP Metadata URL box
   
   

   Screenshot 2022-02-21 153732.png379×601 33.5 KB
8. Turn the Activate this Config toggle to enabled.
9. (Optional) If you are planning on using a universal training link, make sure the iDP-initiated SSO toggle under settings is enabled.
10. Click Save
11. Once saved, you can perform a test by expanding the Actions dropdown menu and clicking test. Follow the prompts on the screen to complete the test. If your test isn’t successful, please contact support for further assistance.
12. After the test is successful, the SSO configuration will be active for all users.

Note: When building an AwareEd campaign, there will be an option to enable authentication for that campaign in the “Advanced Settings” section on the top right of the campaign setup page.