Skip to main content

SAML SSO Setup: Azure

PhishingBox Support
  • Updated

If your organization has an Office 365/Azure AD subscription you can set up SAML SSO for both the phishing and training portals for your users.

Follow the steps below to deploy the single sign on application to users in your Azure Active Directory.

  • NOTE: If you would like to configure SSO for both the phishing and training portals, you will have to configure two apps in Azure and complete this process separately for both apps.
  • NOTE: If a user is provided access to the phishing portal via your organization's SSO IDP and does not already have an account in the phishing portal (in Administration>Manage Portal Users), an account will automatically be created with a role of "Admin" when the user accesses the phishing portal via SSO.
  1. Register the application in Azure AD
  2. Azure application SSO configuration
  3. PhishingBox SSO configuration
  4. Deploy the application to users

Registering the application

Registering the application will require an Azure administrator with a minimum role of 'Application administrator'.

To register the app, navigate to portal.azure.com.

Click the 'Azure Active Directory' link located in the Azure Services section of the portal's home page.

mceclip0.png

In the Azure Active Directory portal click the 'Enterprise Applications' link in the site navigation bar.

mceclip1.png

Click the 'New application' button located at the top of the Enterprise applications list.

mceclip2.png

Click the 'Create your own application' button located at the top of the app gallery.

 mceclip4.png

In the 'Create your own application' modal form that appears, give the app a name and select 'Integrate any other application you don't find in the gallery'. Then click the 'Create' button.

create-app.png

Azure will redirect you to the app overview. Click the 'Set up single sign on' card.

mceclip0.png

Then, on the 'Select a single sign-on method' page, click the SAML card.

mceclip1.png

This will open the SAML-based Sign-on page. Next, log in to the PhishingBox portal in a new tab. You can now configure the SSO and SLO (optional) URLs in Azure.

Azure SSO configuration

In the Phishingbox portal tab, navigate to Administration > Settings > SSO Settings.

Screenshot_2021-07-13_105856.png

 

SSO Lock

If enabled, administrators can log in to the portal via SSO only. If the SSO configuration fails and administrators can no longer log in, you will have to contact support in order to disable this feature.

Screenshot_2021-07-13_103201.png

 

To configure SSO for the training portal, click the 'School SSO' tab. To configure SSO for the phishing portal, stay on the 'Portal SSO' tab.

  • NOTE: If you would like to configure SSO for the training portal, click the 'School SSO' tab. If you would like to configure SSO for both the training and phishing portals, you will have to configure two apps in Azure and complete this process separately for both apps.

Screenshot_2021-07-13_110756.png

Select 'Azure' in the 'Service' select menu in the 'Portal (School) SSO: Identity Provider (IDP) Settings' section to display the proper EntityId (Azure does not support UUIDs as identifiers).

mceclip3.png

Now you are ready to map the Service Provider (SP) URLs to Azure. In the Azure portal, click the mceclip4.pngbutton located on the 'Basic SAML Configuration' card.

saml-config-azure.png

Copy the EntityId from the PhishingBox portal to the Identifier in azure.

Likewise, copy the ACS (Consumer) URL from PhishingBox to the Reply URL in Azure, and (optionally) the Single Logout URL to the Logout URL. Be sure to delete the default Identifier from the Azure settings and check the 'Default' checkbox next to the identifier you copied from PhishingBox. Click the mceclip6.png button to save the basic SAML configuration.

url-map-azure.png

After saving the basic SAML configuration, you are ready to input the Identity Provider (IDP) settings into PhishingBox.

PhishingBox SSO Configuration

In the Azure portal's SAML-based Sign-on page for the app we created in step one, start by copying the app's Login URL, Azure AD identifier, and Logout URL into the ACS Endpoint URL, Issuer URL, and (optionally) SLO Endpoint URL fields, respectively. You will find these fields in the 'Set up {app name} SSO' card in the Azure portal.

url-map-portal.png

Next, download the 'Certificate (Base64)' from the Azure app's SAML-based Sign-on page. The download link can be found in the 'SAML Signing Certificate' card.

  • NOTE: You may receive warnings that this file can damage your computer from your browser or operating system. You can safely ignore these warnings.

After downloading the file, open it with your preferred text editor and copy the contents. Then, paste them into the 'x.509 Certificate' field on the PhishingBox portal's SSO Settings page.

cert.png

x-509.png

After completing the steps above, you can deploy the application to users in Azure which they can then use to sign in to the phishing or training portals via Office 365.

Deploying the application to users

To assign users to the application, click the 'Users and groups' link in the Azure application's nav bar.

mceclip8.png

Click the 'Add user/group' button located at the top of the users table.

mceclip9.png

  • NOTE: Depending on your Office plan, you may not be able to deploy the application to groups. Please refer to Microsoft's documentation for more information.

Follow the steps in the Add Assignment wizard to add users or groups to the application. . 

After adding users/groups, users can find the app(s) in the Office portal by clicking the hamburger menu then 'All apps'. The app(s) can be found by searching all of their apps or in the 'Other' section of the app navigation.

Simply clicking the app icon will log them into the service.

 

 

 

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.