Single Sign On enables you to connect your Active Directory with Phriendly Phishing so that company administrators can log into the Phriendly Phishing dashboard with their AD credentials.
Requirements: To create an AD application you must have administrator access to your company's Active Directory instance.
Note: If you have already created an AD application to synchronise users to the Phriendly Phishing portal please skip to 2.1.7 Configuring the Phriendly Phishing portal
How to Create AD group
1. Within Active Directory please create a security group named Phriendly Phishing Admins (Or your preferred naming convention).
2. Add all members to the newly created AD group that you would like to provide SSO access to the Phriendly Phishing portal.
How to configure AD Single Sign On SAML Settings
1. Open AD FS Management console.
2. Click Add Relying Party Trust in the Action panel.
3. Click Start.
4. On Select Data Source step, Select Enter data about the relying party manually for Data Source, then click Next.
5. Enter a Display name (PH2_SP is the name used in the later steps), then click Next.
6. On the Choose Profile step, select AD FS profile, then click Next.
7. Leave the Configure Certificate window as default, then click Next.
8. In Configure URL, select Enable support for the SAML 2.0 Web SSO protocol and enter the consumer URL (https://launch.phriendlyphishing.com/company_admin/saml/acs).
9. On Configure Identifiers step type PH2System, then click Add, and click Next.
10. Don’t take any action on Configure Multi-factor Authentication Now step, click Next.
11. For Choose Issuance Authorization Rules step, select Permit all users to access this relying party, click Next.
12. Make sure Opens the Edit Claim Rules… is checked and then click Close to finish the wizard.
Note: The claim rule editor should open by default. If it doesn’t, select your Relying Party Trust and click ‘Edit Claim Rules…’ in the Actions Panel.
13. Add the claim rules by clicking Add Rule
- Click Add Rule.
- Select Send LDAP Attributes as Claims for Claim rule template and click Next.
- Enter the Claim rule name: ph2_claim_rule
- Select Active Directory for Attribute store
- Set Mapping LDAP attributes to outgoing claim types as below:
- Click Finish.
14. Set up the PH2_SP Relying Party Trust
- Double-click the new Relying Party Trust PH2_SP to open the properties window (or click Properties in the right Actions panel).
- Switch to the Endpoints tab, click Add SAML and, in the new window, configure the endpoint as follows:
* Endpoint type: SAML Assertion Consumer
* Binding: POST
* Trusted URL: https://launch.phriendlyphishing.com/company_admin/saml/acs
- Click Add SAML again to add a second endpoint:
* Endpoint type: SAML Logout
* Binding: Redirect
* Trusted URL: https://launch.phriendlyphishing.com/company_admin/saml/logout
* Response URL: https://launch.phriendlyphishing.com/company_admin/saml/logout
- Open Signature tab, click Add…
- Navigate to the PhriendlyPhishing.crt, click Open and Apply.
Note: the certificate is attached to this email, please rename it from ‘PhriendlyPhishing.crt.txt’ to ‘PhriendlyPhishing.crt’.
15. Get fingerprint from ADFS
- Go to the ADFS management console. Navigate to AD FS > Certificates (as pictured below). Then double-click on Token-signing.
- Open the ‘Details’ tab. Copy the Value of the Thumbprint field. This will be used in the next section.
16. Set up Authentication Policies
- Open AD FS management console, navigate to path ADFS > Authentication Policies
- Click Edit Global Primary Authentication… on the right action panel.
- Within the Edit Global Authentication Policy window navigate to the ‘Primary’ tab; within the Extranet section select Forms Authentication and Certificate Authentication.
- Within the Intranet window select Forms Authentication and Certificate Authentication. Then click Apply and OK.
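The same configuration can be scripted instead of clicked through. The following is an added example, not a script from Phriendly Phishing: it creates the security group from "How to Create AD group" and the relying party trust, endpoints, rules and authentication policy from steps 4 to 16 above, and prints the token-signing thumbprint needed in step 15. The certificate path, the group scope, the endpoint index and the LDAP attribute/claim placeholders are assumptions; the page does not show the claim mapping table, so fill those two placeholders in from your own copy of it.

```powershell
# Added example: PowerShell equivalent of the AD FS GUI steps (run on the AD FS server as an administrator).
Import-Module ActiveDirectory   # RSAT module, for the AD group (steps 1-2 of "How to Create AD group")
Import-Module ADFS

$GroupName = 'Phriendly Phishing Admins'
$Acs       = 'https://launch.phriendlyphishing.com/company_admin/saml/acs'
$Logout    = 'https://launch.phriendlyphishing.com/company_admin/saml/logout'
$CertPath  = 'C:\certs\PhriendlyPhishing.crt'   # assumed location of the renamed certificate

# Security group that is granted SSO access; add members with Add-ADGroupMember as required
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# Step 14: assertion consumer (POST) and logout (Redirect) endpoints
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $Acs -Index 0
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $Logout -ResponseUri $Logout
)

# Signature tab: certificate used to verify requests signed by the service provider
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Step 11: "Permit all users to access this relying party"
$authzRule = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 13: Send LDAP Attributes as Claims. <LDAP_ATTRIBUTE> and <OUTGOING_CLAIM_TYPE> are
# placeholders for the mapping table, which this page does not reproduce.
$claimRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ph2_claim_rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("<OUTGOING_CLAIM_TYPE>"), query = ";<LDAP_ATTRIBUTE>;{0}", param = c.Value);
'@

# Steps 4-12: relying party trust with identifier PH2System; the SAML endpoints enable SAML 2.0 Web SSO
Add-AdfsRelyingPartyTrust -Name 'PH2_SP' `
    -Identifier 'PH2System' `
    -SamlEndpoint $endpoints `
    -RequestSigningCertificate $spCert `
    -IssuanceAuthorizationRules $authzRule `
    -IssuanceTransformRules $claimRule

# Step 16: Forms and Certificate authentication for both Extranet and Intranet
$providers = @('FormsAuthentication', 'CertificateAuthentication')
Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider $providers `
    -PrimaryIntranetAuthenticationProvider $providers

# Step 15: thumbprint of the primary token-signing certificate (the fingerprint entered in the portal)
$fingerprint = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate.Thumbprint
Write-Output "Token-signing thumbprint: $fingerprint"
```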
How to set up Active Directory (AD) Single Sign On in Phriendly Phishing
1. Go to the settings cog in the top right hand corner of your dashboard
2. Select User Synchronisation tab and expand the Single Sign On Setup
3. Enter the required fields below:
- Sign-in page URL and Logout page URL: replace <IdP domain> with your AD FS Identity Provider domain
- Fingerprint: the Thumbprint value copied in Step 15 of Configure SAML Settings
- AD group: the security group created in Steps 1 and 2 of Create AD group
5. Click Save Settings.
6. Switch Single Sign On to Enabled.
7. Click Generate SSO Synchronise Script to download your required PowerShell script.
Running the PowerShell Script manually
1. From any AD connected machine, run the downloaded PowerShell script with Administrator privileges. Note: ‘Remote Server Administration Tools’ must be installed on the machine from which you run the PowerShell script.
2. When prompted enter your Token which can be obtained by expanding Single Sign On Setup within the Phriendly Phishing portal.
3. Please wait until the process finishes; PowerShell will close once complete.
4. Please attempt to sign into your portal by clicking Sign In with ADFS.