Table of Contents:
- Step 1. Access your SAML settings in CanIPhish
- Step 2. Create an Application in OneLogin
- Step 3. Configure SSO in CanIPhish
- Step 4. Assign the CanIPhish Application to users or groups in OneLogin
- Step 5. Provision a role for users in CanIPhish
To set up SAML-based single sign-on with OneLogin, follow the steps below:
Step 1. Access your SAML settings in CanIPhish
1.1. Log in to your CanIPhish Cloud Platform account and navigate to the Platform Management page.
1.2. Click on Authentication Settings > Platform Single Sign-On to show your SSO configuration.
1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).
Step 2. Create an Application in OneLogin
2.1. Log in to OneLogin with an admin account and visit the administrator dashboard.
2.2. In the OneLogin menu (up the top), click "Applications" and then click the "Applications" sub-heading.
2.3. Click "Add App".
2.4. Type "SAML Custom Connector" into the Search bar and select the "SAML Custom Connector (Advanced)" application.
2.5. Give the app a display name of your choosing (e.g. CanIPhish Cloud Platform), turn off "Visible in portal" and then click Save.
Note: Because CanIPhish only supports SP-initiated SSO, we recommend turning off "Visible in portal". If you want to show an application icon to users, please see Appendix A.
Optional: If you want to upload an app logo, a CanIPhish logo can be downloaded here.
2.6. Click on the "Configuration" menu item on the left side of the page.
2.7. In the "Audience (EntityID)" field, enter the "Audience URI (SP Entity ID)" value copied earlier from CanIPhish.
2.8. In the "Recipient", "ACS (Consumer) URL Validator", "ACS (Consumer) URL", and "Login URL" fields, enter the "Single Sign-On URL" value copied earlier from CanIPhish. Leave all other values at their defaults and then click Save.
2.9. Click on the Parameters menu item on the left side of the page.
2.10. On the right side of the page, click the Plus symbol.
2.11. In the "New Field" popup, enter the following Field Name, tick the "Include in SAML assertion" flag, and then click the Save button.
Field name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
2.12. In the Edit Field popup that has appeared, select Email from the available dropdown Values, leave the SAML Assertion Flag as its default value (ticked) and then click Save.
2.13. Click the Save button on the top right side of the page to save the current state of the SAML Application.
Step 3. Configure SSO in CanIPhish
3.1. Before jumping back into the CanIPhish Cloud Platform, click the "More Actions" button on the top right side of the OneLogin application page and then click the "SAML Metadata" sub-menu item which will initiate a file download. Make a note of this file as we'll need it for this step.
3.2. Jump back into the CanIPhish Cloud Platform and navigate to the Platform Single Sign-On section.
3.3. Under the "Configuration For CanIPhish" section, upload the Metadata Document downloaded earlier from OneLogin. Once the file is selected, click the Upload Document button.
3.4. Once successfully uploaded, you can view the document by clicking the metadata.xml text that appears.
3.5. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in OneLogin. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
3.6. (Optional) Enter the email address of an existing CanIPhish user who should still be allowed to log in to CanIPhish directly using an email address and password (i.e. without SSO). We recommend adding at least one user, so that if there is an issue with the SSO config you are not entirely locked out of your tenant.
3.7. Click Activate SSO!
3.8. Confirm that the "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear notifying you of the issue.
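As an added example (not part of the CanIPhish guide or of OneLogin's own tooling), the Python script below parses a constructed stand-in for the SAML metadata download from 3.1 to confirm it contains what CanIPhish needs before the upload in 3.3 (an IdP descriptor, a signing certificate and an HTTPS single sign-on URL), then checks that an assertion carries the email attribute name configured in 2.11 and mapped in 3.5. The entity ID, URLs and certificate in the samples are placeholders, not real values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The attribute name entered in OneLogin (2.11) and mapped in CanIPhish (3.5).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed stand-in for the OneLogin "SAML Metadata" download; the entity ID,
# URL and certificate are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://example-tenant.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE-APP-ID"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed fragment of the assertion OneLogin would send after a user logs in.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement><saml:Attribute
      Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

# Return the fields CanIPhish needs from the metadata; raise if any is missing.
def check_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor (was the SP side exported?)")
    # Without a signing certificate the SP cannot verify assertion signatures.
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no X509 signing certificate in metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    if sso is None or not sso.get("Location", "").startswith("https://"):
        raise ValueError("SingleSignOnService missing or not served over HTTPS")
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "signing_certs": len(certs)}

# Pull the email from the attribute whose Name matches the configured mapping.
def email_from_assertion(xml_text, claim=EMAIL_CLAIM):
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None  # mapping mismatch: CanIPhish could not identify the user
```

Point check_idp_metadata at the real metadata.xml from 3.1 to catch a wrong export before activating SSO; a None from email_from_assertion means the attribute name in 2.11 and 3.5 do not match.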
Step 4. Assign the CanIPhish Application to users or groups in OneLogin
4.1. There are a number of ways this can be done. You can either directly assign the application to users or attach it to roles. We'll showcase how to attach it to a role. Jump back into the Application created in OneLogin and click on the Access menu item on the left panel.
4.2. Select the role you want to have access to the CanIPhish SAML Application (e.g. a "Training Admin" role) and then click Save at the top right.
4.3. Click on the Assign dropdown button and then click on "Assign to People" or "Assign to Groups".
4.4. Assign the CanIPhish OneLogin Application to any groups or users who should have access to the CanIPhish Cloud Platform. When finished, click the Done button.
Step 5. Provision a role for users in CanIPhish
5.1. Jump back into your CanIPhish Cloud Platform account and navigate back to the "Platform Management" page (scrolling to the top to see "User Management").
5.2. If there are any users who you've assigned the CanIPhish OneLogin Application to who don't yet have a role within your CanIPhish tenant, click on the "Add New User" button. If everyone already has a role, you can skip Step 5.
5.3. In the respective fields, provide the user's First & Last Name, Email Address, and the Role of their account (i.e. Platform Admin, Platform User, or Platform Reporter). Once complete, click the Save button.
5.4. The user will be sent an email notification inviting them to finalize the creation of their new account and log in using single sign-on. You're all done. SSO has been successfully configured!
Getting single sign-on set up can be complex. If you run into any issues, please don't hesitate to contact the team at CanIPhish for assistance.