Table of Contents:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in Okta
- Step 3. Configure SSO in CanIPhish
- Step 4. Assign the CanIPhish Application to users in Okta
- Step 5. Provision a role for users in CanIPhish
- Appendix A: (Optional) Simulate an IdP-initiated flow with an Okta Bookmark App
To set up SAML-based single sign-on with Okta, follow the steps below:
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and navigate to the Platform Settings page.
1.2. Click on Authentication Settings > Platform Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).
Step 2. Create an Application in Okta
2.1. Log in to Okta with an admin account and visit the administrator dashboard.
2.2. In the Okta menu (on the left), click "Applications" and then click the "Applications" sub-heading.
2.3. Click "Create App Integration".
2.4. Select SAML 2.0 as the application type, and then click Next.
2.5. Give the app a name of your choosing (e.g. CanIPhish Cloud Platform), tick "Do not display application icon to users" and then click Next.
Note: Because CanIPhish only supports SP-initiated SSO, we recommend ticking "Do not display application icon to users". If you want to show an application icon to users, please see Appendix A.
Optional: If you want to upload an app logo, a CanIPhish logo can be downloaded here.
2.6. In the Single sign-on URL field, enter the URL copied earlier and leave "Use this for Recipient URL and Destination URL" ticked.
2.7. In the Audience URI (SP Entity ID) field, enter the value copied earlier.
2.8. In Name ID format, select EmailAddress from the dropdown.
2.9. Leave the default values for "Default RelayState", "Application username" and "Update application username on".
2.10. Scroll down to Attribute Statements (optional) and enter the following Name and Value pairing:
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name format: URI Reference
Value: user.email
2.11. Scroll to the bottom and click Next.
2.12. For the Feedback page, select "I'm an Okta customer adding an internal app" and then tick "This is an internal app that we have created". Then click Finish!
Step 3. Configure SSO in CanIPhish
3.1. Before jumping back into the CanIPhish Cloud Platform, open the newly created application and click on the "Sign On" tab (this should be open by default after creating the application).
3.2. Scroll down to the Metadata details section and make a note of the Metadata URL (copy it to clipboard). We'll need this when configuring SSO in CanIPhish.
3.3. Jump back into the CanIPhish Cloud Platform and traverse to the Platform Single Sign-On section.
3.4. Select the "Enter metadata document URL" option and then paste in the Metadata URL we just copied from Okta.
3.5. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in Okta. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.6. (Optional) Enter the email address of an existing CanIPhish user who should still be allowed to log in to CanIPhish directly with an email address and password (i.e. without SSO). We recommend adding at least one user so that, if there is an issue with the SSO configuration, you are not entirely locked out of your tenant.
3.7. Click Activate SSO!
3.8. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear notifying you of the issue.
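If the status stays Inactive, it helps to verify what Steps 2 and 3 actually produced before re-doing them. The following is an added example, not CanIPhish's or Okta's code: it parses a constructed Okta-style IdP metadata document (the kind served at the Metadata URL from Step 3.2) and checks a constructed SAML assertion against the Audience URI, the EmailAddress Name ID format and the email claim name configured above. The tenant IDs, hostnames and audience value are placeholders.

```python
# Added example, not CanIPhish or Okta code: sanity-check the Okta IdP metadata
# (Step 3.2) and a SAML assertion against the values configured in Steps 2-3.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # Step 2.10 / 3.5
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"            # Step 2.8

def parse_idp_metadata(xml_text):
    """Return entityID, HTTP-POST SSO URL and signing-cert count from an IdP metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding", "").endswith(":HTTP-POST")]
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso_post_url": post[0] if post else None,
            "signing_certs": len(certs)}

def check_assertion(xml_text, audience_uri):
    """List mismatches between an assertion and the SP-side values from Steps 1-2."""
    a, problems = ET.fromstring(xml_text), []
    auds = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience_uri not in auds:
        problems.append(f"Audience {auds} does not match Audience URI {audience_uri}")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is not EmailAddress")
    names = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if EMAIL_CLAIM not in names:
        problems.append(f"email attribute {EMAIL_CLAIM} missing")
    return problems

# Constructed sample documents with placeholder IDs, not real tenant values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:example:caniphish-audience</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
 <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA), check_assertion(SAMPLE_ASSERTION, "urn:example:caniphish-audience"))
```

Feeding the document fetched over HTTPS from your real Metadata URL to parse_idp_metadata shows whether it is IdP metadata carrying a signing certificate and an HTTP-POST endpoint before you paste the URL in Step 3.4.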
Step 4. Assign the CanIPhish Application to users in Okta
4.1. Jump back into the Application created in Okta and click on the Assignments tab.
4.2. Click on the Assign dropdown button and then click on "Assign to People" or "Assign to Groups".
4.3. Assign the CanIPhish Okta Application to any groups or users who should have access to the CanIPhish Cloud Platform. When finished, click the Done button.
Step 5. Provision a role for users in CanIPhish
5.1. Jump back into your CanIPhish Cloud Platform account and traverse back to the "Platform Settings" page (scrolling to the top to see "User Management").
5.2. If any users you've assigned the CanIPhish Okta Application to don't yet have a role within your CanIPhish tenant, click the "Add New User" button. If everyone already has a role, you can skip Step 5.
5.3. In the respective fields, provide the user's First & Last Name, Email Address, and the Role of their account (i.e. Platform Admin, Platform User, or Platform Reporter). Once complete, click the Save button.
5.4. The user will be sent an email notification inviting them to finalize the creation of their new account and log in using single sign-on. You're all done. SSO has been successfully configured!
Getting single sign-on set up can be complex. If you run into any issues, please don't hesitate to contact the team at CanIPhish for assistance.
Appendix A: (Optional) Simulate an IdP-initiated flow with an Okta Bookmark App
Follow this supplementary guidance if you wish to provide users with an app they can click in their Okta dashboard to seamlessly log in without the need to go to the CanIPhish login page.
Step 1. Go to the Platform Management page on your CanIPhish account and scroll down to the Platform Single Sign-On section. Under the "Configuration For The Identity Provider" section, you should notice an "SSO Bookmark URL" field (if it doesn't appear, please refresh the page). Copy this URL or make a note of it.
Step 2. Log into the Okta Admin Console and go to .
Step 3. Click Browse App Catalog.
Step 4. In the Search... field, enter "Bookmark App". Click the Bookmark App integration.
Step 5. Click "Add Integration" to create a Bookmark App instance.
Step 6. Under the Application label field, enter the application name you want users to see (e.g. "CanIPhish Cloud Platform").
Step 7. Enter the SSO Bookmark URL copied earlier. Once entered, click Done.
Step 8. Assign this bookmark application to the same users or groups assigned earlier in Okta.
Step 9. Upload a custom Icon so users can easily see the application. Do this by clicking on the default Star icon and then upload the CanIPhish Logo, which can be downloaded here.
Step 10. You're all done! The bookmark app will now appear in users' Okta directories, and they can click on it to log in to CanIPhish (simulating an IdP-initiated sign-in process).