Okta: Learner Dashboard SSO Configuration Guide

Table of Contents:

• Step 1. Access your SAML settings in CanIPhish
• Step 2. Create an Application in Okta
• Step 3. Configure SSO in CanIPhish
• Step 4. Update the Okta App to support IdP-initiated SSO
• Step 5. Assign the CanIPhish Application to users in Okta
• Appendix A: Additional Guidance For Common Issues

To setup SAML-based single sign-on within Okta, please follow the below steps:

Step 1. Access your SAML settings in CanIPhish

1.1. Login to your CanIPhish Cloud Platform account and traverse to the Platform Settings page.

1.2. Click on Authentication Settings > Learner Single Sign-On to show your SSO configuration.

1.3. Make a note of both the Single Sign-On URL and Audience URI values (we'll need these in the following step).

Step 2. Create an Application in Okta

2.1. Login to Okta with an admin account and visit the administrator dashboard.

2.2. In the Okta menu (on the left), click "Applications" and then click the "Applications" sub-heading.

2.3. Click "Create App Integration".

2.4. Select SAML 2.0 as the application type, and then click Next.

2.5. Give the app a name of your choosing (e.g. CanIPhish Learner Dashboard), and optionally upload CanIPhish's logo. Once complete, click Next.

2.6. In the Single sign-on URL field, enter in the URL copied earlier and leave "Use this for Recipient URL and Destination URL ticked.

2.7. In the Audience URI (SP Entity ID) field, enter in the value copied earlier.

2.8. In Name ID format, select EmailAddress from the dropdown.

2.9. Leave the default values for "Default RelayState", "Application username" and "Update application username on" 

2.10. Scroll down to Attribute Statements (optional) and enter the following Name and Value pairing:

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Name format: URI Reference

Value: user.email

2.11. Scroll to the bottom and Click Next

2.12. For the Feedback page, tick "This is an internal app that we have created". Then click Finish!

Step 3. Configure SSO in CanIPhish

3.1. Before jumping back into the CanIPhish Cloud Platform, open the newly created application and click on the "Sign On" tab (this should be open by default after creating the application).

3.2. Scroll down to the Metadata details section and make a note of the Metadata URL (copy it to clipboard). We'll need this when configuring SSO in CanIPhish.

3.3. Jump back into the CanIPhish Cloud Platform and traverse to the Platform Single Sign-On section.

3.4. Select the "Enter metadata document URL" option and then paste in the Metadata URL we just copied from Okta.

3.5. In the "SAML Attribute Mapping (Email)" field, paste the Attribute field name we configured earlier in Okta. This should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

3.6. By default, CanIPhish will send users an access token to log in to their learner dashboard. If SSO is configured, you could choose to Allow or Prohibit this method of access. We recommend providing users with the option to use their preferred access method and leave this as Allowed.

3.7. Click Activate SSO!

3.8. Confirm that "SSO Status" field has changed from Inactive to Active. If there are any issues, a small popup should appear notifying you of the issue.

3.9. You will notice a new field called "SSO Relay State" has appeared under the "Configuration For The Identity Provider" section. Make a note of this value as it will be used in Step 4.

Step 4. Update the Okta App to support IdP-initiated SSO

4.1. Jump back into the newly created "CanIPhish Learner Dashboard" Okta Application and then click on the "General" menu item and then the Edit button under "SAML Settings":

4.2. Click Next to go to the "Configure SAML" tab.

4.3. Paste the "SSO Relay State" value copied in Step 3.9 into the "Default RelayState" field:

4.4. Scroll to the bottom of the page and click Next, followed by Finish.

Step 5. Assign the CanIPhish Application to users in Okta

5.1. Jump back into the Application created in Okta and click on the Assignments tab.

5.2. Click on the Assign dropdown button and then click on "Assign to People" or "Assign to Groups".

5.3. Assign the CanIPhish Okta Application to any groups or users who should have access to the CanIPhish Cloud Platform. When finished, click the Done button.

Appendix A: Additional Guidance For Common Issues

Receiving A Generic Authentication Error From CanIPhish

Please confirm that under step 2.10 the attribute name exactly matches the SAML Attribute Mapping listed in CanIPhish. If there is a mismatch or this attribute doesn't exist, email addresses won't flow through correctly. The value should be as follows:

• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Once this is correct, please Deactivate the SSO configuration and then Reactivate the SSO configuration. This resets SSO accounts on our end and will allow you to login.

Receiving A RelayState Error

If you've just setup SSO or have made any changes within the Okta app, please wait up to 5 minutes for the configuration to flow through Okta's systems. If the issue is still occurring 5 minutes after the last configuration update was made, please contact the CanIPhish Support Team for assistance.