If your organization has an Office 365/Azure AD subscription you can set up SAML SSO for both the phishing and training portals for your users.
Follow the steps below to deploy the single sign-on application to users in your Azure Active Directory.
- NOTE: If you would like to configure SSO for both the phishing and training portals, you will have to configure two apps in Azure and complete this process separately for both apps.
- NOTE: If a user is granted access to the phishing portal via your organization's SSO IDP and does not already have an account in the phishing portal (in Administration > Manage Portal Users), an account will automatically be created with a role of "Admin" the first time the user accesses the phishing portal via SSO. Because every user assigned to the Azure app therefore becomes a portal administrator, restrict the app assignment (see "Deploying the application to users" below) to the people who should hold that role.
- Register the application in Azure AD
- Azure application SSO configuration
- PhishingBox SSO configuration
- Deploy the application to users
Registering the application
Registering the application will require an Azure administrator with a minimum role of 'Application administrator'.
To register the app, navigate to portal.azure.com.
Click the 'Azure Active Directory' link located in the Azure Services section of the portal's home page.
In the Azure Active Directory portal click the 'Enterprise Applications' link in the site navigation bar.
Click the 'New application' button located at the top of the Enterprise applications list.
Click the 'Create your own application' button located at the top of the app gallery.
In the 'Create your own application' modal form that appears, give the app a name and select 'Integrate any other application you don't find in the gallery'. Then click the 'Create' button.
Azure will redirect you to the app overview. Click the 'Set up single sign on' card.
Then, on the 'Select a single sign-on method' page, click the SAML card.
This will open the SAML-based Sign-on page. Next, log in to the PhishingBox portal in a new tab. You can now configure the SSO and SLO (optional) URLs in Azure.
Azure SSO configuration
In the PhishingBox portal tab, navigate to Administration > Settings > Account Settings for Portal SSO, or Administration > Settings > School Settings for School SSO.
SSO Lock
If enabled, administrators can log in to the portal via SSO only. If the SSO configuration fails and administrators can no longer log in, you will have to contact support in order to disable this feature.
To configure SSO for the training portal, click the 'School SSO' tab. To configure SSO for the phishing portal, stay on the 'Portal SSO' tab.
- NOTE: The training portal and the phishing portal are configured separately. If you would like SSO for both, you will have to configure two apps in Azure and complete this process once for each app.
Select 'Azure' in the 'Service' select menu in the 'Portal (School) SSO: Identity Provider (IDP) Settings' section to display the proper EntityId (Azure does not support UUIDs as identifiers).
Now you are ready to map the Service Provider (SP) URLs to Azure. In the Azure portal, click the button located on the 'Basic SAML Configuration' card.
Copy the EntityId from the PhishingBox portal to the Identifier in Azure.
Likewise, copy the ACS (Consumer) URL from PhishingBox to the Reply URL in Azure, and (optionally) the Single Logout URL to the Logout URL. Be sure to delete the default Identifier from the Azure settings and check the 'Default' checkbox next to the identifier you copied from PhishingBox. Click the button to save the basic SAML configuration.
After saving the basic SAML configuration, you are ready to input the Identity Provider (IDP) settings into PhishingBox.
PhishingBox SSO Configuration
In the Azure portal's SAML-based Sign-on page for the app we created in step one, start by copying the app's Login URL, Azure AD identifier, and Logout URL into the ACS Endpoint URL, Issuer URL, and (optionally) SLO Endpoint URL fields, respectively. You will find these fields in the 'Set up {app name} SSO' card in the Azure portal.
Next, download the 'Certificate (Base64)' from the Azure app's SAML-based Sign-on page. The download link can be found in the 'SAML Signing Certificate' card.
- NOTE: Your browser or operating system may warn that this file could damage your computer. You can safely ignore these warnings.
After downloading the file, open it with your preferred text editor and copy the contents. Then, paste them into the 'x.509 Certificate' field on the PhishingBox portal's SSO Settings page.
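Before pasting the certificate, it is worth checking when it expires and recording its fingerprint: an expired IDP signing certificate breaks SSO, and with SSO Lock enabled that leaves no administrator login. The script below is an added example, not PhishingBox's or Microsoft's code; it reads the downloaded 'Certificate (Base64)' file with the Python standard library only, and the embedded sample is a constructed DER skeleton, not a real Azure certificate.

```python
import base64
import hashlib
from datetime import datetime, timezone

def _read_tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certificates need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):  # UTCTime (0x17, YYMMDD..Z) or GeneralizedTime (0x18, YYYYMMDD..Z)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def pem_to_der(pem_text):  # accepts the downloaded .cer with or without BEGIN/END lines
    b64 = "".join(l.strip() for l in pem_text.splitlines() if "-----" not in l)
    return base64.b64decode(b64, validate=True)

def certificate_validity(der):  # Certificate -> tbsCertificate -> validity (notBefore, notAfter)
    _, tbs, _ = _read_tlv(_read_tlv(der, 0)[1], 0)
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0        # [0] version is optional (absent in v1 certs)
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)

def check_idp_certificate(pem_text, now=None):  # fingerprint to record, plus expiry status
    der = pem_to_der(pem_text)
    not_before, not_after = certificate_validity(der)
    now = now or datetime.now(timezone.utc)
    return {"sha256": hashlib.sha256(der).hexdigest(), "not_after": not_after,
            "days_left": (not_after - now).days,
            "valid_now": not_before <= now <= not_after}

# Constructed sample: a minimal DER skeleton with only the fields read above. It is not a
# real Azure certificate; short-form lengths are enough because every body is < 128 bytes.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"230101000000Z")
                                     + _der(0x17, b"260101000000Z")))
_cert_der = _der(0x30, _tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_cert_der).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "today" for the check
```

Run `check_idp_certificate(open("downloaded.cer").read())` against the real file; keep the SHA-256 so a later change to the IDP certificate is noticed rather than discovered as a login failure.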
After completing the steps above, you can deploy the application to users in Azure which they can then use to sign in to the phishing or training portals via Office 365.
Deploying the application to users
To assign users to the application, click the 'Users and groups' link in the Azure application's nav bar.
Click the 'Add user/group' button located at the top of the users table.
- NOTE: Depending on your Office plan, you may not be able to deploy the application to groups. Please refer to Microsoft's documentation for more information.
Follow the steps in the Add Assignment wizard to add users or groups to the application.
After adding users/groups, users can find the app(s) in the Office portal by clicking the hamburger menu then 'All apps'. The app(s) can be found by searching all of their apps or in the 'Other' section of the app navigation.
Simply clicking the app icon will log them into the service. If you would like to send a login link to your users, right-click the app icon to copy the sign-in link.