Single Sign-On lets you connect your Active Directory to Phriendly Phishing so that company administrators can log in to the Phriendly Phishing dashboard.
Requirements: To create an AD application you must have administrator access to your company's Active Directory instance.
Note: If you have already created an AD application to synchronise users to the Phriendly Phishing portal, please skip to 2.1.7 Configuring the Phriendly Phishing portal.
How to Create an AD group
1. Within Active Directory, create a security group named Phriendly Phishing Admins (or your preferred naming convention).
2. Add to the newly created AD group all members to whom you would like to give SSO access to the Phriendly Phishing portal.
How to configure AD Single Sign-On SAML Settings
1. Open AD FS Management console.
2. Click Add Relying Party Trust in the Action panel.
3. Click Start.
4. On the Select Data Source step, select Enter data about the relying party manually for Data Source, then click Next.
5. Enter a name for Display name (as below), then click Next.
6. On the Choose Profile step, select AD FS profile.
7. Leave the Configure Certificate window at its defaults, then click Next.
8. In Configure URL, select Enable support for the SAML 2.0 Web SSO protocol and enter the consumer URL (https://launch.phriendlyphishing.com/company_admin/saml/acs).
9. On the Configure Identifiers step, type PH2System, then click Add and click Next.
10. Don’t take any action on the Configure Multi-factor Authentication Now step; click Next.
11. For Choose Issuance Authorization Rules step, select Permit all users to access this relying party, click Next.
12. Make sure Opens the Edit Claim Rules… is checked and then click Close to finish the wizard.
Note: The claim rule editor should open by default. If it doesn’t, select your Relying Party Trust and click ‘Edit Claim Rules…’ in the Actions Panel.
13. Add the claim rules:
- Click Add Rule.
- Select Send LDAP Attributes as Claims for Claim rule template and click Next.
- Enter the Claim rule name: ph2_claim_rule
- Select Active Directory for Attribute store
- Set Mapping LDAP attributes to outgoing claim types as below:
- Click Finish.
14. Set up the PH2_SP Relying Party Trust.
- Double-click the new Relying Party Trust PH2_SP to open the properties window (or click Properties in the right Actions panel).
- Switch to the Endpoints tab, click Add SAML and, in the new window, configure the endpoint as below:
* Endpoint type: SAML Assertion Consumer
* Binding: POST
* Trusted URL: https://launch.phriendlyphishing.com/company_admin/saml/acs
- Click the Add SAML button to add a new endpoint:
* Endpoint type: SAML Logout
* Binding: Redirect
* Trusted URL: https://launch.phriendlyphishing.com/company_admin/saml/logout
* Response URL: https://launch.phriendlyphishing.com/company_admin/saml/logout
- Open Signature tab, click Add…
- Please download the required Phriendly Phishing Certificate then navigate to the PhriendlyPhishing.crt, click Open and Apply.
15. Get a fingerprint from ADFS.
- Go to the ADFS management console. Navigate to AD FS > Certificates (as pictured below). Then double-click on Token-signing.
- Open the ‘Details’ tab. Copy the Value of the Thumbprint field. This will be used in the next section.
16. Set up Authentication Policies.
- Open the ADFS management console, and navigate to path ADFS > Authentication Policies.
- Click Edit Global Primary Authentication… on the right action panel.
- Within the Edit Global Authentication Policy window, navigate to the Primary tab and, within the Extranet window, select Forms Authentication and Certificate Authentication.
- Within the Intranet window select Forms Authentication and Certificate Authentication.
- Then click Apply and OK.
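The settings entered in steps 8 to 15 can be checked from PowerShell on the AD FS server before moving on to the portal. The script below is an added example, not part of the Phriendly Phishing documentation or its generated script; it is read-only, assumes the trust was named PH2_SP as in step 14, and `Test-Ph2Endpoint` is a hypothetical helper name.

```powershell
# Added example (not vendor code): read-only check of the relying party trust
# against the values given in this guide. Run elevated on the AD FS server.
Import-Module ADFS

$expected = @{
    Name       = 'PH2_SP'      # trust name as used in step 14 (assumption: yours matches)
    Identifier = 'PH2System'   # step 9
    Acs        = 'https://launch.phriendlyphishing.com/company_admin/saml/acs'
    Logout     = 'https://launch.phriendlyphishing.com/company_admin/saml/logout'
}

function Test-Ph2Endpoint {
    # True when the trust has an endpoint with this protocol, binding and exact URL.
    param($Trust, [string]$Protocol, [string]$Binding, [string]$Url)
    [bool]($Trust.SamlEndpoints | Where-Object {
        "$($_.Protocol)" -eq $Protocol -and
        "$($_.Binding)"  -eq $Binding  -and
        "$($_.Location)" -eq $Url
    })
}

$trust = Get-AdfsRelyingPartyTrust -Name $expected.Name
if (-not $trust) { throw "Relying party trust '$($expected.Name)' not found." }

$checks = [ordered]@{
    'Trust enabled'                 = [bool]$trust.Enabled
    'Identifier PH2System present'  = ($trust.Identifier -contains $expected.Identifier)
    'ACS endpoint (POST)'           = (Test-Ph2Endpoint $trust 'SAMLAssertionConsumer' 'POST' $expected.Acs)
    'Logout endpoint (Redirect)'    = (Test-Ph2Endpoint $trust 'SAMLLogout' 'Redirect' $expected.Logout)
    'Signature certificate present' = (@($trust.RequestSigningCertificate).Count -gt 0)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# Step 15: the thumbprint of the primary token-signing certificate, the same
# value shown in the Thumbprint field of the certificate's Details tab.
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary |
    ForEach-Object { 'Token-signing thumbprint: {0}' -f $_.Thumbprint }
```

Any line reported as MISSING points back to the step that sets that value; the thumbprint printed at the end can be copied as text instead of from the certificate dialog.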
How to set up Active Directory (AD) Single Sign-On in Phriendly Phishing
1. Go to the settings cog in the top right-hand corner of your dashboard.
2. Select the User Synchronisation tab and expand the Single Sign-On Setup.
3. Enter the below required fields:
Sign-in page URL
Logout page URL
Value copied in Step 15 of Configure SAML Settings
Created in Step 1 and 2 of Create AD group
Replace <IdP domain> with your AD FS Identity Provider domain
5. Click Save Settings.
6. Switch Single Sign-On to Enabled.
7. Click Generate SSO Synchronise Script to download your required PowerShell script.
Running the PowerShell script manually
1. From any AD-connected machine, run the downloaded PowerShell script with Administrator privileges. Note: ‘Remote Server Administration Tools’ must be installed on the machine on which you run the PowerShell script.
2. When prompted, enter your Token, which can be obtained by expanding Single Sign-On Setup within the Phriendly Phishing portal.
3. Please wait until the end of the process. PowerShell will close once complete.
4. Please attempt to sign in to your portal using ADFS login details.