Overview
If your organization has an Office 365/Entra ID subscription, you can set up SAML SSO for both the phishing and school portals for your users.
Follow the steps below to deploy the single sign-on application to users in your Microsoft Entra ID directory.
NOTE: If you would like to configure SSO for both the phishing and school portals, you will have to configure two apps in Microsoft Entra ID and complete this process separately for both apps.
NOTE: If a user is provided access to the phishing portal via your organization's SSO IDP and does not already have an account in the phishing portal (in Administration > Manage Portal Users), an account will automatically be created with a role of "Admin" when the user accesses the phishing portal via SSO.
- Register the application
- Entra ID SSO configuration
- PhishingBox SSO configuration
- Deploying the application to users
- SSO Lock
- Creating a New Certificate
Registering the application
Registering the application will require an Azure administrator with a minimum role of 'Application administrator'.
To register the app, follow the steps below:
- Navigate to portal.azure.com.
- Click the 'Microsoft Entra ID' link located in the Azure Services section of the portal's home page.
- Click the "Enterprise applications" link in the site navigation bar.
- Click the "New application" button located at the top of the Enterprise applications list.
- Click the "Create your own application" button located at the top of the app gallery.
- In the "Create your own application" modal form that appears, give the app a name and select "Integrate any other application you don't find in the gallery (Non-gallery)".
- Click the "Create" button.
- Entra ID will redirect you to the app overview. Click the "Set up single sign on" card.
- On the Select a single sign-on method page, click the SAML card (this opens the SAML-based Sign-on page).
- Open a new tab and log in to the PhishingBox portal.
Entra ID SSO configuration
You are now ready to configure the SSO and SLO (optional) URLs in Entra ID. Follow the steps below:
In the PhishingBox portal tab, navigate to Administration > Settings > Account Settings for portal SSO or Administration > Settings > School Settings for school SSO.
NOTE: If you would like to configure SSO for both the training and phishing portals, you will have to configure two apps in Azure and complete this process separately for both apps.
Under the SSO tab, you'll find the Service Provider Settings.
NOTE: If the admin portal or school URLs are updated, the SAML app will need to be reconfigured with the updated EntityId, ACS and Single Logout URL.
In the Microsoft Entra ID portal, click the "Edit" button located on the 'Basic SAML Configuration' card.
Complete the following configuration steps in Microsoft Entra ID to map the Service Provider (SP) URLs:
- Click "Add identifier" under Identifier (Entity ID).
- Copy the "EntityId" from the PhishingBox portal and paste in the text field.
- Click "Add reply URL" under Reply URL (Assertion Consumer Service URL).
- Copy the "ACS (Consumer) URL" from the PhishingBox portal and paste in the text field. Set Index to 0.
- (Optional) Copy the "Single Logout URL" from the PhishingBox portal and paste it in the text field under Logout Url (Optional).
- Click "Save".
After saving the basic SAML configuration, you are ready to input the Identity Provider (IDP) settings into PhishingBox.
PhishingBox SSO Configuration
In Microsoft Entra ID, you will find the IDP settings needed in PhishingBox under the "Setup {app name}" card.
Complete the following configuration steps in PhishingBox:
- Copy the "Microsoft Entra ID Identifier" in Entra ID into the Issuer URL text field.
- Copy the "Login URL" in Entra ID into the ACS Endpoint URL text field.
- (Optional) Copy the "Logout URL" in Entra ID into the SLO Endpoint URL text field.
Next, download the "Certificate (Base64)" from the Microsoft Entra ID. The download link can be found in the "SAML Certificates" card.
NOTE: You may receive warnings from your browser or operating system that this file can damage your computer. You can safely ignore these warnings.
After downloading the file, open it with your preferred text editor and copy all the contents. Then, paste them into the 'x.509 Certificate' field under Identity Provider (IDP) Settings in PhishingBox.
After completing the steps above, you can deploy the application to users in Microsoft Entra ID, which they can then use to sign in to the phishing or school portals via the Microsoft Office portal.
Deploying the application to users
To assign users to the application, follow the steps below:
- Click the "Users and groups" link in the Microsoft Entra ID application's nav bar.
- Click the "Add user/group" button located at the top of the users table.
- This will open the Add Assignment page. Here, click "None Selected" under Users and Groups.
- Select the users/groups you want this app to be assigned to.
- Click "Select".
- Click "Assign".
NOTE: Depending on your Office plan, you may not be able to deploy the application to groups. Please refer to Microsoft's documentation for more information.
After adding users/groups, users can find the app(s) in the Microsoft Office portal by clicking the App Launcher button and then "All apps". The app(s) can be found by searching all their apps or in the "Other" section of the app navigation. Simply clicking the app icon will log them into the service.
In addition to this, you can copy the "User access URL" for the SSO app from the app's properties (Enterprise applications > Find and click the SSO app > Manage > Properties) and share it with users/students.
NOTE: You can include the user access URL in school system emails by adding the URL to the "App Embed Link" field found in Account Settings. If no URL is provided in this field, the system emails will provide plain text stating to sign-in via SSO. See our Account Settings article for more details.
SSO Lock
If enabled, administrators/students can log in to the portal via SSO only. If the SSO configuration fails and administrators can no longer log in, you will have to contact support to disable this feature.
Creating a New Certificate
When the SAML Signing Certificate for your SSO app expires, you will need to create a new one. Follow these steps to create a new SAML Signing Certificate:
- Navigate to portal.azure.com > Microsoft Entra ID > Enterprise Applications.
- Find your SSO app and click it to expand it.
- Click "Single sign-on" in the app's left-hand menu.
- Click "Edit" on the Token signing certificate section.
- Click the "+ New Certificate" button.
- Configure the certificate with these options:
- Signing Option: Sign SAML response and assertion
- Signing Algorithm: SHA-256
- Click "Save"
- Click the three dots on the newly created certificate and click "Make certificate active".
- Click the three dots again on the new certificate and click "Base64 certificate download".
- Open the downloaded certificate in a text editor and copy all of its contents.
- Navigate to the PhishingBox portal > Administration > Settings then either Account Settings > SSO for portal SSO or School Settings > SSO for school SSO.
- Erase the old certificate found in the x.509 Certificate field and paste the contents of the new certificate.
- Click "Save".
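Both the paste step under PhishingBox SSO Configuration and the renewal steps above depend on the x.509 Certificate field holding a complete, unexpired copy of the Entra ID signing certificate. The following added Python check (not part of PhishingBox or Microsoft's tooling) parses a pasted Base64 certificate with the standard library only and reports how many days remain before its notAfter date; sample_pem is an assumed helper that builds a constructed, unsigned certificate-shaped blob purely as test input.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block; fails if the paste is incomplete."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("incomplete paste: BEGIN/END CERTIFICATE lines are missing")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def _tlv(der: bytes, pos: int):
    """Decode one DER tag/length at pos and return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                         # long-form length (real certificates use this)
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(der: bytes, start: int, end: int):
    while start < end:                        # yield (tag, value) for each TLV in the range
        tag, vs, ve = _tlv(der, start)
        yield tag, der[vs:ve]
        start = ve

def cert_validity(der: bytes):
    """Walk Certificate > tbsCertificate > validity; return (notBefore, notAfter) in UTC."""
    _, s, _ = _tlv(der, 0)                    # outer Certificate SEQUENCE
    _, ts, te = _tlv(der, s)                  # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                  # skip the explicit [0] version field if present
        fields.pop(0)
    validity = fields[3][1]                   # serialNumber, signature, issuer, validity
    times = []
    for tag, val in _children(validity, 0, len(validity)):
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
        times.append(datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def days_until_expiry(pem: str, now: datetime) -> int:   # negative means SSO logins already fail
    return (cert_validity(pem_to_der(pem))[1] - now).days

def _der(tag: int, body: bytes) -> bytes:     # short-form lengths only; enough for the sample
    return bytes([tag, len(body)]) + body

def sample_pem(not_after: datetime) -> str:
    """Constructed, unsigned certificate-shaped blob in the same PEM layout as the Entra download."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + _der(0x30, utc(not_after - timedelta(days=365)) + utc(not_after)))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

Run days_until_expiry against the contents of the downloaded "Certificate (Base64)" file on a schedule so the renewal in the steps above happens before logins start failing.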