
Single Sign-On and Just In Time Provisioning

Notes
  • These configurations can only be performed by Barracuda PhishLine Administrators who are able to manage other Barracuda PhishLine users (i.e., Administrators with the User Administration - Can Manage All Users role).
    If you do not have sufficient permissions, you will not see this choice from the System menu.
  • These configurations affect users of Barracuda PhishLine, not end users who receive training and other content through Barracuda PhishLine campaigns.

Single Sign-On

Single Sign-On (SSO) enables users to log into Barracuda PhishLine using your organization's common authentication service. When you configure SSO, users see an additional button on the Barracuda PhishLine login screen which they can use to authenticate through your organization's identity provider.  

This optional SSO solution is implemented with the SAML2 specification.  

Just In Time provisioning, described in the next section, is not required for Single Sign-On functionality. However, Single Sign-On must be enabled to use Just In Time provisioning. 

Important

It is your responsibility to make sure that your identity provider will only authenticate and authorize users that should have accounts in the Barracuda PhishLine system.

[Image: SSOloginArrow.png]

To enable Single Sign-On:

  1. Navigate to System > Single Sign On.
  2. Click New.
  3. Complete the information in this section. If you need help with any of the information, ask the system administrators in your organization.
    • Configuration Name –  This name will be the label for the new button on the Barracuda PhishLine login screen when SSO is enabled, as shown above. It is not part of the SAML2 configuration itself. 
    • Configuration Description – Optional description of the configuration record. It is not part of the SAML2 configuration itself.
    • Enable JIT Provisioning – Used only if you are also configuring Just In Time Provisioning. See the Just In Time Provisioning section below for information.
  4. Click Save.
  5. Select the Active checkbox to activate this configuration.
  6. Select the Debug checkbox if instructed to do so by a Barracuda representative. 
  7. The following three fields are populated automatically. You need these fields to configure authentication forwarding in your identity provider. Take note of the settings for the following fields and enter them in your identity provider system. Contact your system administrator if you need assistance with this part of the configuration.  
    • SP Entity ID

    • SP Assertion Consumer Service

    • SP Single Logout Service

    • Name ID Format

  8. In the Identity Provider section, enter information you obtain from your identity provider. Again, contact your system administrator if you need assistance with this part of the configuration.   
    You need the following information: 
    • IdP Entity Id
    • IdP Single Sign On Service
    • IdP Single Logout Service
    • IdP X.509 Certificate
  9. Click Save.

Just In Time (JIT) Provisioning 

Some Barracuda PhishLine administrators prefer not to create all users manually. Just In Time (JIT) provisioning enables new users to log in without an existing account; the system then creates an account for them automatically.

Just In Time Provisioning requires a valid SSO configuration.

Notes
  • All new users created through JIT provisioning will have the same permissions, set on the Security Group Configuration page, described below.  
  • If you change the default permissions, it will affect new users going forward, but will not retroactively change permissions of accounts already created through SSO. If you want to change permissions for a user account, you must go to System > User Manager, regardless of how the account was created.
Important

It is your responsibility to change the configuration for new users if you do not want new users to have administrative privileges. By default, new users are added as administrators - members of all groups.

To enable Just In Time Provisioning along with SSO provisioning, follow these steps:

  1. Navigate to System > Single Sign On.
  2. Click New.
  3. Complete the information in this section. If you need help with any of the information, ask the system administrators in your organization. 
    • Configuration Name –  This name will be the label for the new button on the Barracuda PhishLine login screen when SSO is enabled, as shown above. It is not part of the SAML2 configuration itself. 
    • Configuration Description – Optional description of the configuration record. It is not part of the SAML2 configuration itself.
    • Enable JIT Provisioning – Select this checkbox to enable Just In Time Provisioning.
  4. Click Save.
  5. As mentioned in the note above, by default, new users added through JIT provisioning are added as Administrators. You can change their roles by changing their Security Group assignments. 
    When the page refreshes, click Security Group Configuration.
  6. On the SAML Provisioning Group Manager page, notice that all group checkboxes are selected by default, giving all new users Administrative privileges. Clear any of the checkboxes for any groups for which you DO NOT want new users to have permissions.

  7. Click the Return to the Single Sign On (SSO) SAML2 link in the top right of the page. 
  8. Select the Active checkbox to activate this configuration.
  9. Select the Debug checkbox if instructed to do so by a Barracuda representative. 
  10. The following three fields are populated automatically. You need these fields to configure authentication forwarding in your identity provider. Take note of the settings for the following fields and enter them in your identity provider system. Contact your system administrator if you need assistance with this part of the configuration.  
    • SP Entity ID

    • SP Assertion Consumer Service

    • SP Single Logout Service

    • Name ID Format

  11. In the Identity Provider section, enter information you obtain from your identity provider. Again, contact your system administrator if you need assistance with this part of the configuration.   
    You need the following information: 
    • IdP Entity Id
    • IdP Single Sign On Service
    • IdP Single Logout Service
    • IdP X.509 Certificate
  12. Click Save.
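
Step 8 of the Single Sign-On procedure and step 11 of the Just In Time procedure ask for four values from your identity provider, which identity providers commonly publish as a SAML 2.0 metadata document. The following is an added example, not part of Barracuda's documentation or product: it reads such a document with Python's standard library, maps it onto the four field names used on this page, and flags missing values or non-HTTPS endpoints. The sample metadata, the idp.example.com host and the preference for the HTTP-Redirect binding are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample metadata: hypothetical IdP host, placeholder certificate text.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC-PLACEHOLDER-NOT-A-REAL
      CERTIFICATE==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BIND}HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{BIND}HTTP-POST" Location="https://idp.example.com/saml/sso-post"/>
    <md:SingleSignOnService Binding="{BIND}HTTP-Redirect" Location="http://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(idp, tag):
    """Return the endpoint Location, preferring HTTP-Redirect (an assumption, not from the page)."""
    endpoints = idp.findall(f"md:{tag}", NS)
    preferred = [e for e in endpoints if e.get("Binding") == BIND + "HTTP-Redirect"]
    chosen = (preferred or endpoints or [None])[0]
    return chosen.get("Location") if chosen is not None else None


def idp_form_values(metadata_xml):
    """Map IdP metadata onto the four Identity Provider fields and list problems."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # A KeyDescriptor with no 'use' attribute applies to signing as well.
    certs = [k.findtext(".//ds:X509Certificate", default="", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")]
    values = {
        "IdP Entity Id": root.get("entityID"),
        "IdP Single Sign On Service": _location(idp, "SingleSignOnService"),
        "IdP Single Logout Service": _location(idp, "SingleLogoutService"),
        "IdP X.509 Certificate": "".join(certs[0].split()) if certs else None,
    }
    problems = [f"{k}: missing" for k, v in values.items() if not v]
    problems += [f"{k}: not https" for k, v in values.items()
                 if "Service" in k and v and not v.startswith("https://")]
    return values, problems
```

The certificate is what the service provider uses to verify the identity provider's signed assertions, so take the metadata from a channel you trust and resolve every reported problem before activating the configuration.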