How to Configure SAML on Azure AD

This document explains how to integrate the Azure AD (now Microsoft Entra ID) identity provider with the platform over SAML, so that users can log in to the platform with their Azure AD accounts.

Azure AD Settings

Follow the steps below to set up SAML correctly on the Azure AD side.

  • Log in to Azure AD with a privileged account that is allowed to create enterprise applications.

  • Open the Azure Active Directory panel from the main dashboard.

  • Click Enterprise Applications > New Application > Create your own application and fill in the following fields.

    • Name of the application: Enter a name for the application.

    • Type of the application: Select the "Integrate any other application you don't find in the gallery (Non-gallery)" option.

  • Click the Create button to create the application.

After the application is created, follow the steps below.

  • Click Single sign-on in the application menu on the left.

  • Select SAML.

  • On the Set up Single Sign-On with SAML page, choose the Upload metadata file option.

  • Leave the Azure AD page open. In a second tab, log in to the platform and navigate to Company > Company Settings > SAML Settings.

    • Click the + NEW button. Keep this tab open as well; you will switch between the two throughout the process.

    • In the "SAML Configuration For Your Identity Provider" section, click "Download Metadata" to download the platform's service-provider metadata file.

  • Return to Azure AD and upload the file you just downloaded via the "Upload metadata file" option.

  • A "Basic SAML Configuration" pop-up appears with the Identifier (Entity ID) and Reply URL filled in from the metadata. Save and close it.

  • Still on the "Set up Single Sign-On with SAML" page, open the "Attributes & Claims" section:

    • Click the existing rule under "Required claim" (the Unique User Identifier / Name ID), change its source attribute from "user.userprincipalname" to "user.mail", and save. The platform identifies users by e-mail address, so every SSO user must have the Mail attribute populated in Azure AD; a user with an empty Mail attribute sends an empty Name ID and cannot sign in.

    • Delete the four existing rules under "Additional claims".

    • At the top of the page, click "+ Add new claim" and create the following claims, leaving the "Namespace" field empty each time so that the claim name is sent exactly as written:

      • First claim: Name "firstName", source attribute "user.givenname".

      • Second claim: Name "lastName", source attribute "user.surname".

      • Third claim: Name "phoneNumber", source attribute "user.mobilephone" or "user.telephonenumber", whichever your directory populates.

  • Under "SAML Certificates", click "Federation Metadata XML" to download the identity-provider metadata. This file carries the certificate Azure AD uses to sign its assertions; if that certificate is later rotated in Azure AD, this step and the next one must be repeated.

  • Return to the SAML settings tab on the platform and upload the XML file via the "Upload Metadata" button under "SAML Configuration For Keepnet Labs".

  • Still on the SAML settings page, enter a "Name" for this SAML configuration. In the "Allowed Domains" field, add your e-mail domain and click + Add. Only users whose e-mail domain is on this list are redirected to Azure AD at login.

  • Click Save at the bottom of the SAML settings page to create the SAML settings on the platform.

  • Go back to the enterprise application in Azure AD. Under "Users and groups", assign the admin user (or group) that will log in to the platform with single sign-on (SSO). New enterprise applications require assignment by default, so an unassigned user is refused by Azure AD even when the platform's SAML settings are correct.

How to Test SAML Configuration

Check that the configuration works by following the steps below.

  • Make sure the admin who will log in over SAML already exists in the platform under Company > System Users, with the same e-mail address as the user's Mail attribute in Azure AD.

  • Go to the platform login page.

  • Enter the e-mail address. Its domain must be on the "Allowed Domains" list in the SAML settings; otherwise the platform does not redirect to Azure AD.

  • The platform redirects you to the Azure AD sign-in page to authenticate.

  • After successful authentication, Azure AD posts the SAML response back to the platform, which signs the user in and completes the login.
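When a login fails after the steps above, the fastest way to see what Azure AD actually sent is to capture the SAMLResponse form field in the browser (a SAML tracer extension shows it) and inspect the claims. The script below is an added example written for this page, not code from Keepnet Labs or Microsoft. It decodes the base64 form field and checks the assertion against the claim layout configured above: Name ID in e-mail format with a domain on the Allowed Domains list, the platform's entity ID in the Audience, the firstName and lastName claims present, and no claim still carrying a namespace. The sample response, the entity ID "https://platform.example/saml/metadata" and the domain "test.com" are constructed for the example; the script does not verify the XML signature, which the platform itself must do before trusting any of these values.

```python
"""Sanity-check a SAML response from Azure AD against the claim layout above.

Added example, not code from the Keepnet page or from Microsoft. It assumes
the response was captured from the browser (the base64 SAMLResponse form
field) and checks only the claim layout: it does NOT verify the XML
signature, which the platform itself must do before trusting anything here.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Claim names exactly as configured under "Attributes & Claims" (no namespace).
REQUIRED_CLAIMS = ("firstName", "lastName")

# Constructed sample response for this example; a real one is longer and signed.
# Here phoneNumber was created WITH a namespace, the mistake the steps above warn about.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">william@test.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://platform.example/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>William</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/phoneNumber">
        <saml:AttributeValue>+15550100</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(b64_form_field):
    """Turn the base64 SAMLResponse form field back into XML text."""
    return base64.b64decode(b64_form_field).decode("utf-8")


def check_claims(xml_text, allowed_domains, expected_audience):
    """Return (claims, findings): the attribute map and a list of layout problems."""
    root = ET.fromstring(xml_text)
    findings = []

    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Name ID is missing or empty (is user.mail populated for this user?)")
    else:
        if name_id.get("Format") != EMAIL_NAMEID:
            findings.append(f"Name ID format is {name_id.get('Format')!r}, expected emailAddress")
        domain = name_id.text.strip().rsplit("@", 1)[-1].lower()
        if domain not in {d.lower() for d in allowed_domains}:
            findings.append(f"Name ID domain {domain!r} is not in Allowed Domains")

    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} does not include the platform entity ID")

    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        claims[name] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if "/" in name:
            # Namespace left filled in: the platform looks for the bare name, e.g. "phoneNumber".
            findings.append(f"claim {name!r} carries a namespace; the platform expects {name.rsplit('/', 1)[-1]!r}")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            findings.append(f"required claim {name!r} is missing or empty")
    return claims, findings


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_B64)
    claims, findings = check_claims(xml_text, ["test.com"], "https://platform.example/saml/metadata")
    for f in findings:
        print("FINDING:", f)
```

Run it against a real capture by replacing SAMPLE_B64 with the SAMLResponse value from the browser; each finding points at one of the configuration steps above (Name ID source attribute, Allowed Domains, the uploaded metadata, or a claim created with a namespace).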

How to Assign Different Roles to Users over SAML

Suppose three administrators will manage the platform, each with a different role and set of privileges. In the table below, Josh gets the default Company Admin role, which, unlike the Reseller role, cannot create sub-companies and lacks a number of other privileges.

User's Name    User's Permission
Josh           Company Admin
William        Reseller
Robert         Reseller
For this example, follow the steps below.

  • Log in to the platform, navigate to Company > Company Settings > SAML Settings, and edit your SAML settings.

    • At the bottom of the page, set the Default Role to "Company Admin". Users whose assertion carries no "spRole" claim receive this role when they authenticate over SAML.

  • Go to Azure AD and open the SAML application's settings.

  • Click Single sign-on in the left menu.

  • Open "Attributes & Claims" and click Edit.

  • Click "+ Add new claim" and configure it as follows:

    • Name: "spRole".

    • Source: "Transformation".

    • Transformation: select "Contains()" from the dropdown.

    • Parameter 1 (Input): Attribute, with the attribute name "user.userprincipalname".

    • Value: William's full e-mail address (William is a Reseller).

    • Parameter 2 (Output): Attribute, with the attribute name "Reseller". This is the literal string the platform receives in the spRole claim.

    • That completes William's rule. Now repeat the same steps for Robert:

    • Click the "+ Add transformation" button and select "Contains()" again.

    • Value: Robert's e-mail address, for example "robert@test.com".

    • Parameter 2 (Output): Attribute, with the attribute name "Reseller".

  • Click the "Add" button to save the additional claim.

  • Contains() is a substring match on the UPN, so always use the complete e-mail address as the value; a short value such as "rob" would also elevate every other UPN that contains it.

  • To test the settings, ask William, Robert, and Josh to log in to the platform and check their roles.

Now William and Robert, who log in over SAML, receive the Reseller role, while every other user who logs in over SAML receives the default role, Company Admin.
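Because each Contains() rule is a substring test on the UPN rather than an equality check, it is worth auditing the mapping against the directory before relying on it. The script below is an added example written for this page, not code from Keepnet Labs or Microsoft. It models the spRole claim built above as an ordered list of Contains() rules, resolves the role each UPN would receive (falling back to the platform's Default Role when no rule matches), and reports any UPN that is matched by a rule whose value is not its whole address. Assumptions, labelled in the code: Azure AD evaluates the transformations in the order they were added and the first match wins, matching is case-insensitive, and the directory entries (including the look-alike "mrobert@test.com") are constructed.

```python
"""Model of the spRole claim built from chained Contains() transformations.

Added example, not code from the Keepnet page or from Microsoft. It lets you
audit a mapping table before trusting it. Assumptions: the transformations are
evaluated in the order they were added and the first match wins, matching is
case-insensitive, and the UPNs and rules below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ContainsRule:
    """One Contains() transformation: the 'Value' to look for and 'Parameter 2 (Output)' to emit."""
    value: str
    output: str


def resolve_sp_role(upn, rules, default_role):
    """Return (role, matched_rule); matched_rule is None when the platform's Default Role applies."""
    upn_l = upn.lower()
    for rule in rules:  # assumed: rules are evaluated in order, first match wins
        if rule.value.lower() in upn_l:  # Contains() is a substring test, not equality
            return rule.output, rule
    return default_role, None


def audit_rules(directory_upns, rules, default_role):
    """List UPNs that pick up a role through a rule whose Value is not their whole UPN."""
    unintended = []
    for upn in directory_upns:
        role, rule = resolve_sp_role(upn, rules, default_role)
        if rule is not None and upn.lower() != rule.value.lower():
            unintended.append((upn, role, rule.value))
    return unintended


# The two rules from the walkthrough above.
RULES = [
    ContainsRule("william@test.com", "Reseller"),
    ContainsRule("robert@test.com", "Reseller"),
]
DEFAULT_ROLE = "Company Admin"
# Constructed directory; "mrobert@test.com" contains "robert@test.com" as a substring.
DIRECTORY = ["josh@test.com", "William@test.com", "robert@test.com", "mrobert@test.com"]

if __name__ == "__main__":
    for upn in DIRECTORY:
        role, rule = resolve_sp_role(upn, RULES, DEFAULT_ROLE)
        print(f"{upn:20} -> {role} ({'rule ' + rule.value if rule else 'default'})")
    for upn, role, value in audit_rules(DIRECTORY, RULES, DEFAULT_ROLE):
        print(f"WARNING: {upn} gets {role} via substring match on {value!r}")
```

The audit flags "mrobert@test.com", which would silently become a Reseller. Per-user rules like these are manageable for a handful of administrators; for anything larger, emitting an Azure AD group membership claim and mapping the group to the role avoids both the substring problem and editing the transformation every time an administrator changes.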

This works with any permission set, not just Reseller: create a custom role in the platform and use that custom role's name as the Contains() output instead of "Reseller"; users matched by the claim then log in with that custom role.

Video Tutorial

This video tutorial shows the documentation steps above for integrating the Azure AD identity provider with the platform over SAML, so that you can log in to the platform with your Azure AD account.