Azure Single Sign-On (SCIM Admin Provisioning) connects your Azure Active Directory to your Phriendly Phishing account for company administrators who require access to the Phriendly Phishing portal. When an administrator is added to the assigned group in your Azure AD, they are automatically synchronised as a company administrator in your Phriendly Phishing account. When an administrator is removed from that group in your Azure AD, they are removed from your Phriendly Phishing account.
This help article takes you through setting up Azure Single Sign-On so that administrators can log in to the Phriendly Phishing Portal using their Azure credentials. The steps are:
- Create a New Enterprise Application in Azure AD
- Provision your Enterprise Application
- Map Required Attributes and Assign Provisioning Scope
- Assign Groups to Provisioning
- Configure the Phriendly Phishing Portal
Note: If you have already implemented Azure SCIM User Provisioning, you can skip to the Assign Groups to Provisioning section.
Create a New Enterprise Application in Azure AD
1. Sign in to the Azure Active Directory Portal.
2. Select Enterprise applications.
3. Select New application then Create your own application.
4. Enter a name for your application, choose the option "Integrate any other application you don't find in the gallery" and select Create to add the new application. Once added, it should open on the application overview.
Provision your Enterprise Application
1. You will need details from the Phriendly Phishing Portal to configure the application. Log in to your Phriendly Phishing account and select Settings, then User Synchronisation.
2. Select Admin SSO Set Up, expand 'Admin Synchronisation', then select Azure SCIM. This shows the tenant URL and secret token required in step 5. Treat the token as a credential: it authorises writes to your administrator list, so store it only in the Azure AD provisioning configuration.
3. On the Overview page of the application you created, select Provisioning in the left panel.
4. Select Get Started.
5. Set Provisioning Mode to 'Automatic' and, under Admin Credentials, enter the Tenant URL and Secret Token you retrieved in step 2 from the Phriendly Phishing Portal.
6. Select Test Connection, then if the connection is successful, select Save.
Map Required Attributes and Assign Provisioning Scope
1. Select the Provisioning tab, then Edit Attribute Mapping.
2. Expand 'Mappings' then select Provision Azure Active Directory Users.
3. Scroll to the bottom and select Show Advanced Options, then Edit Attribute List for customappsso.
4. At the bottom of the list, enter the following custom attributes in the Name column, leaving the defaults for the other columns (see the screenshot below).
Required attributes:
- First name of the administrator: urn:ietf:params:scim:schemas:extension:PH2:2.0:User:givenName
- Surname of the administrator: urn:ietf:params:scim:schemas:extension:PH2:2.0:User:surName
- Email of the administrator: urn:ietf:params:scim:schemas:extension:PH2:2.0:User:mail
5. Once all three have been added, select Save, then Yes.
6. Adjust the mappings so they match the following screenshot. For each row, select the Azure AD attribute, edit the Target Attribute, then select Ok.
7. Set the Matching Precedence of objectId to 1: edit the attribute, set "Match objects using this attribute" to Yes, enter the value 1, then select Ok.
Note: Only one attribute can have Matching Precedence 1, so you may first need to change the precedence of userPrincipalName, which Azure AD sets to 1 by default.
8. Once complete, select Save, then Yes.
9. Expand 'Settings' and set Scope to "Sync only assigned users and groups". Leaving the scope at "Sync all users and groups" would provision every directory user as a company administrator.
Assign Groups to Provisioning
1. On the Overview page of the application, select Users and Groups.
2. Select Add user/group.
3. Select Users and Groups, then search for the group(s) you want to assign.
4. Select Assign.
Start Provisioning
1. On the Overview page of the application, select Provisioning, then Start Provisioning.
This step may not be required if you have already done this when implementing Azure SCIM User Provisioning.
Configure Single Sign-On (SSO)
1. On the Overview page of the application, select Single sign-on.
2. Select SAML.
3. Select Edit on Basic SAML Configuration.
4. Select Add identifier and Add reply URL, and enter the following values.
Identifier: PH2System
Reply URL: https://launch.phriendlyphishing.com/company_admin/saml/acs
5. Select Save.
6. In section 3, download the Certificate (Base64).
Open the downloaded .cert file in a text editor such as Notepad and copy all of the text to the clipboard.
Go to https://www.samltool.com/fingerprint.php, paste the copied text into the X.509 Cert field, select Algorithm "sha256" and click "Calculate fingerprint".
Copy and save the Formatted Fingerprint to use later in the guide. The signing certificate contains only public key material, so pasting it into this tool does not expose a secret; if your policy does not allow third-party tools, the same SHA-256 fingerprint can be calculated locally, for example with openssl x509 -in <file>.cert -noout -fingerprint -sha256.
7. In section 4, copy and save the Login URL and Logout URL to use later in the guide.
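For readers who prefer not to paste the certificate into a third-party website, the following added example (not part of the original Phriendly Phishing article) reproduces the samltool.com calculation offline: it strips the PEM armour from the downloaded Base64 .cert file, decodes it to DER, hashes the DER bytes with SHA-256 and prints the digest in the same uppercase, colon-separated format the portal expects. The embedded SAMPLE_CERT_FILE is a constructed stand-in whose body decodes to the bytes "abc" rather than a real certificate, so the output can be checked against the well-known SHA-256 test vector.

```python
"""Offline SHA-256 fingerprint of a Base64 (PEM) X.509 certificate.

Added example for the Azure SSO guide; it is not code from the original
article or from Phriendly Phishing. It performs the same steps as the
samltool.com fingerprint page: PEM -> DER -> SHA-256 -> 'AB:CD:...'.
"""
import base64
import hashlib
import re

# Matches the first certificate block; DOTALL lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM/.cert file.

    Whitespace inside the body (LF or CRLF line endings, trailing spaces
    left by Notepad) is removed before Base64 decoding.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Format SHA-256(DER) as SAML tools display it, e.g. 'BA:78:16:...'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of the certificate contained in PEM text."""
    return sha256_fingerprint(pem_to_der(pem_text))


def fingerprint_from_file(path: str) -> str:
    """Fingerprint of a downloaded .cert file; tolerates a UTF-8 BOM."""
    with open(path, "r", encoding="utf-8-sig") as fh:
        return fingerprint_from_pem(fh.read())


# Constructed stand-in for a downloaded .cert file (NOT a real certificate):
# the Base64 body "YWJj" decodes to b"abc", so the expected fingerprint is the
# SHA-256 of "abc" (BA:78:16:BF:...:15:AD). CRLF endings mimic a Windows save.
SAMPLE_CERT_FILE = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "YWJj\r\n"
    "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    import sys

    # Usage: python fingerprint.py <downloaded>.cert
    # Without an argument, runs against the constructed sample above.
    if len(sys.argv) > 1:
        print(fingerprint_from_file(sys.argv[1]))
    else:
        print(fingerprint_from_pem(SAMPLE_CERT_FILE))
```

Run it against the .cert file downloaded from Azure and paste the printed value into the Certificate fingerprint field in the next section. If the value differs from what samltool.com reports for the same file, check that you downloaded the Base64 certificate rather than the Raw (DER) one and selected sha256, not sha1.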
Configure the Phriendly Phishing Portal
1. In the Phriendly Phishing portal page where you retrieved the URL and token, add the name(s) of the group(s) you assigned in Azure AD and select Save. Note: each name must be an exact match to the group name in your Azure AD, or its members will not be synchronised.
2. Scroll down, expand SSO Settings and select Azure.
3. Fill in the fields using the details you saved in the Configure Single Sign-On (SSO) section of this guide:
Sign-in page URL: Login URL from step 7
Logout page URL: Logout URL from step 7
Certificate fingerprint: Formatted Fingerprint from step 6
Then select Save Settings.
4. Select Enabled for SSO Settings.
5. Select Enabled for Admin Synchronisation.
6. Select Trigger Sync.
7. When you refresh the page you will be signed out. Log back in via the standard Sign in, which redirects you to your company's Azure SSO login; after authentication you can access the platform.
8. Select the notifications icon to see a summary of the admin sync.
You have now completed the implementation of Azure Single Sign-On (SSO SCIM Admin Provisioning)!