As described in Single Sign-On, Single Sign-On (SSO) enables users to log into Security Awareness Training using your organization's common authentication service.
This optional SSO solution is implemented with the SAML2 specification.
Just In Time Provisioning
Some Security Awareness Training administrators prefer not to create all users manually. Just In Time (JIT) provisioning enables new users to log in without an account, then the system creates an account automatically.
Just In Time provisioning, described in the steps below, is not required for Single Sign-On functionality. However, if you want to use Just In Time provisioning, you must enable SSO.
Enabling Single Sign-On
To enable Single Sign-On:
- Navigate to System > Single Sign On (SAML2).
- Click New.
- Complete the information in this section. If you need help with any of the information, ask the system administrators in your organization.
- Configuration Name – This name will be the label for the new button on the Security Awareness Training login screen when SSO is enabled, as shown above. It is not part of the SAML2 configuration itself.
Configuration Description – Optional description of the configuration record. It is not part of the SAML2 configuration itself.
Enable JIT Provisioning – Used only if you are also configuring Just In Time Provisioning.
- Click Save.
- The following steps describe the option of setting up Just In Time Provisioning. To bypass these steps, continue below with Step 9.
- As mentioned in the note above, by default, new users added through JIT provisioning are added as Administrators. You can change their roles by changing their Security Group assignments.
When the page refreshes, click Security Group Configuration. On the SAML Provisioning Group Manager page, the Campaign Administrator and Everyone - All Users Must Be In This Group checkboxes are selected by default, giving all new users Administrative privileges. If you also want new users to be able to administer users, select the Client User Administrator - Can Manage All checkbox.
- Click the Return to the Single Sign On (SSO) SAML2 link in the top right of the page.
- Select the Active checkbox to activate this configuration.
Select the Force Identity Provider Login checkbox to ensure the user always enters their user and password when they are redirected to the identity provider.
- Select the Debug checkbox if instructed to do so by a Barracuda Networks representative.
- The following three fields are populated automatically. You need these fields to configure authentication forwarding in your identity provider. Take note of the settings for the following fields and enter them in your identity provider system. Contact your system administrator if you need assistance with this part of the configuration.
SP Entity ID
This default can be modified to meet the requirements of your Identity Provider (IdP).
SP Assertion Consumer Service
SP Single Logout Service
Name ID Format
- In the Identity Provider section, enter information you obtain from your identity provider. Again, contact your system administrator if you need assistance with this part of the configuration.
You need the following information:- IdP Entity Id
- IdP Single Sign On Service
- IdP Single Logout Service
- IdP X.509 Certificate
- Click Save.