Skip to main content

SAML SSO Setup: Azure

PhishingBox Support
  • Updated

Overview

If your organization has an Office 365/Azure AD subscription you can set up SAML SSO for both the phishing and training portals for your users.

Follow the steps below to deploy the single sign on application to users in your Azure Active Directory.

NOTE: If you would like to configure SSO for both the phishing and training portals, you will have to configure two apps in Azure and complete this process separately for both apps.
NOTE: If a user is provided access to the phishing portal via your organization's SSO IDP and does not already have an account in the phishing portal (in Administration>Manage Portal Users), an account will automatically be created with a role of "Admin" when the user accesses the phishing portal via SSO.
  1. Register the application
  2. Azure SSO configuration
  3. PhishingBox SSO configuration
  4. Deploying the application to users
  5. SSO Lock

Registering the application

Registering the application will require an Azure administrator with a minimum role of 'Application administrator'.

To register the app, navigate to portal.azure.com.

Click the 'Azure Active Directory' link located in the Azure Services section of the portal's home page.

mceclip0.png

In the Azure Active Directory portal click the 'Enterprise Applications' link in the site navigation bar.

mceclip1.png

Click the 'New application' button located at the top of the Enterprise applications list.

mceclip2.png

Click the 'Create your own application' button located at the top of the app gallery.

 mceclip4.png

In the 'Create your own application' modal form that appears, give the app a name and select 'Integrate any other application you don't find in the gallery'. Then click the 'Create' button.

Create_your_own_application.png

Azure will redirect you to the app overview. Click the 'Set up single sign on' card.

mceclip0.png

Then, on the 'Select a single sign-on method' page, click the SAML card.

mceclip1.png

This will open the SAML-based Sign-on page. Next, log in to the PhishingBox portal in a new tab. You can now configure the SSO and SLO (optional) URLs in Azure.

Azure SSO configuration

In the PhishingBox portal tab, navigate to Administration > Settings > Account Settings for portal SSO or Administration > Settings > School Settings for school SSO.

NOTE: If you would like to configure SSO for both the training and phishing portals, you will have to configure two apps in Azure and complete this process separately for both apps.

SSO_nav.png

Under the SSO tab, you'll find find the Service Provider Settings.

School_SSO_SP_settings.png

Now you are ready to map the Service Provider (SP) URLs to Azure. In the Azure portal, click the mceclip4.pngbutton located on the 'Basic SAML Configuration' card.

Azure_edit_SAML_config.png

Complete the following configuration steps in Azure:

  1. Click "Add identifier" under Identifier (Entity ID).
  2. Copy the EntityId from the PhishingBox portal and paste in the text field.
  3. Click "Add reply URL" under Reply URL (Assertion Consumer Service URL).
  4. Copy the ACS (Consumer) URL from the PhishingBox portal and paste in the text field, and set Index to 0.
  5. (Optional) Copy the Single Logout URL from the PhishingBox portal and paste it in the text field under Logout Url (Optional).
  6. Click "Save".

Basic_SAML_Configuration_-_Microsoft_Azure_1.png

Basic_SAML_Configuration_-_Microsoft_Azure_2.png

After saving the basic SAML configuration, you are ready to input the Identity Provider (IDP) settings into PhishingBox.

PhishingBox SSO Configuration

In Azure, you will find the IDP settings needed in PhishingBox under the "Setup {app name}" card.

Complete the following configuration steps in PhishingBox:

  1. Copy the Azure AD Identifier in Azure into the Issuer URL text field.
  2. Copy the Login URL in Azure into the ACS Endpoint URL text field.
  3. (Optional) Copy the Logout URL in Azure into the SLO Endpoint URL text field.

Setup_SSO_Card.png

PB_IDP_Settings.png

 

Next, download the 'Certificate (Base64)' from the Azure. The download link can be found in the "SAML Signing Certificate" card.

NOTE: You may receive warnings that this file can damage your computer from your browser or operating system. You can safely ignore these warnings.

certificate_base64.png

After downloading the file, open it with your preferred text editor and copy all the contents. Then, paste them into the 'x.509 Certificate' field under Identity Provider (IDP) Settings in PhishingBox.

x-509.png

After completing the steps above, you can deploy the application to users in Azure which they can then use to sign-in to the phishing or training portals via the Office portal.

Deploying the application to users

To assign users to the application, click the "Users and groups" link in the Azure application's nav bar.

mceclip8.png

Click the 'Add user/group' button located at the top of the users table. 

mceclip9.png

This will open the Add Assignment page. Here, click "None Selected" under Users and Groups and select users/groups to assign the SSO app to. Once you're finished selecting users/groups, click "Select".

NOTE: Depending on your Office plan, you may not be able to deploy the application to groups. Please refer to Microsoft's documentation for more information.

After adding users/groups, users can find the app(s) in the Office portal by clicking the App Launcher button and then 'All apps'. The app(s) can be found by searching all of their apps or in the 'Other' section of the app navigation. Simply clicking the app icon will log them into the service. 

SSO Lock

If enabled, administrators can log in to the portal via SSO only. If the SSO configuration fails and administrators can no longer log in, you will have to contact support in order to disable this feature.

Screenshot_2021-07-13_103201.png

Back to top

Related articles

Comments

0 comments

Please sign in to leave a comment.