CybSafe can integrate with a variety of Single Sign-On (SSO) applications to create a seamless login experience for your users.
Setting up single sign-on also gives you the ability to provision users onto the platform via just-in-time (JIT) provisioning.
Here is a list of all the possible SSO integrations and how to set them up:
If you get stuck at all, you can contact the CybSafe team via [email protected]
If you would like to connect multiple SSOs or use a different provider to the three listed above, you will need to purchase our Custom SSO bolt-on.
CybSafe recommends
Every organisation's setup is different; however, below are a few tips for our recommended setup.
Make sure the attribute you map to Email in your SSO connection is the same attribute your provisioning integration sends as emails[type eq "work"].value. If they differ, just-in-time provisioning could create duplicate profiles.
If you are going to turn on user provisioning, it is typically your source of truth for user information. When using a provisioning integration, it's best to turn off "Update user details on login".
If you want to control who has access to CybSafe via SSO, turn off just-in-time provisioning in the login settings. Otherwise, CybSafe will create a profile on the platform for any user who does not already exist if they click on login with SSO.
If any users accessing CybSafe are not part of your tenancy, ensure you toggle on "Use passphrase or single sign-on" in the login settings so they can log in using a passphrase instead of SSO.
Enabling passphrase measurement is a great way to get more behaviour data on your users' password hygiene.
Azure Single Sign-On
Configure Microsoft Azure SSO (Entra) so your people can log in seamlessly.
Follow the steps below to configure how your users log in to CybSafe.
Setting up SSO using Microsoft Azure (SSO)
First, log in to CybSafe using your administrative credentials.
Navigate to the Identity management page and select the "Login" tab.
This page can be found under "Settings" in the admin navigation pane.
Click on the "Add connection" button and select ‘Azure AD’.
You’ll be redirected to a Microsoft login page. Sign in with your Microsoft admin credentials.
NB: If you encounter any issues, you may need to set up a new admin profile on CybSafe with the same email address as your Microsoft credentials.
Once signed in, accept CybSafe’s permission requests.
You’ll be returned to CybSafe and asked to sign in to your CybSafe account, just to confirm the link between your accounts.
The CybSafe app will now automatically appear in the Enterprise applications list of your Entra account, and you can assign it to the users you wish to have access.
Tip: When an account is set up using Single Sign-On, Azure is connected to CybSafe, so every user signed in within your tenant is then authorised to use CybSafe.
To ensure the best user experience, if the user has not been created or has not logged into CybSafe, they will be automatically created with just-in-time provisioning.
Configuring SSO in CybSafe
Once you have set up SSO, you will have a few settings to tailor the login experience for your people.
Define the login method. This is useful if you have users accessing CybSafe who are not part of your tenant.
Turn on passphrase measurement
Turn off just in time provisioning (JIT).
Read more in the configuring your SSO login settings section.
G Suite Single Sign-On
Configure SSO with Google Workspace so your people can log in seamlessly.
Follow the steps below to configure how your users log in to CybSafe.
Setting up SSO using G Suite
First, log in to CybSafe using your administrative credentials.
Navigate to the Identity management page and select the "Login" tab.
This page can be found under "Settings" in the admin navigation pane.
Click on the "Add connection" button and select ‘G Suite’.
You’ll be redirected to your G Suite login page. Sign in.
Once signed in, accept CybSafe’s permission requests.
You’ll be returned to CybSafe and asked to sign in to your CybSafe account, just to confirm the link between your accounts.
Once you’ve completed the above steps, your people can begin signing in to CybSafe using their Google Account!
Tip: When an account is set up using Single Sign-On, G Suite is connected to CybSafe, so every user signed in within your tenant is then authorised to use CybSafe.
To ensure the best user experience, if the user has not been created or has not logged into CybSafe, they will be automatically created with just-in-time provisioning.
Configuring SSO in CybSafe
Once you have set up SSO, you will have a few settings to tailor the login experience for your people.
Define the login method. This is useful if you have users accessing CybSafe who are not part of your tenant.
Turn on passphrase measurement
Turn off just in time provisioning (JIT).
Read more in the configuring your SSO login settings section.
Okta Single Sign-On
Setting up Okta single sign-on is possible using our SAML 2.0 connection option.
You will need to set up a new application within Okta and then add the relevant details to CybSafe.
If you do not have the option or capability to select SAML 2.0 under the add connection menu, please get in contact with us via [email protected]
Setup within Okta
The first step is to create a custom app integration within Okta.
Please see the Okta guide in their help centre or contact Okta for any assistance with this step.
The SAML settings to be configured within Okta are as follows:
Single sign on URL
Replace <custom-sso-slug> with your SSO URL; typically this is your organisation's name. You will need to ensure this matches the configuration within CybSafe.
Audience URI (SP Entity ID)
https://app.cybsafe.com/ - Please note: you must write this out manually in your Okta app setup. Copying and pasting the address will cause an error.
Default RelayState
Leave this empty
Name ID format
EmailAddress
Application username
Attribute Statements:
**Ensure you double-check your attributes and map accordingly. The above is the standard; however, your setup may vary.**
Once you have saved your new custom app, navigate to the sign-on page, click on “Identity Provider metadata” and then copy the URL.
It will look similar to:
https://<yourbusiness>.okta.com/app/exk3w3zpz8Ro44zJv356/sso/saml/metadata
You will need to add this URL to your SSO setup within CybSafe.
Remember to add users to the application once you have completed the next part of the setup.
Setup within CybSafe for Okta
First, log in to CybSafe using your administrative credentials.
Navigate to the Identity management page and select the "Login" tab.
This page can be found under "Settings" in the admin navigation pane.
Click on the "Add connection" button and select ‘SAML 2.0’.
You will then be presented with the "Connect SAML 2.0" configuration page.
Fill in the details as follows:
Provider: Select Okta.
SSO Slug: Enter the information you added as part of <custom-sso-slug> in the Single Sign on URL for Step 1 within Okta.
Access details SSO button: You can add a word to your SSO button should you wish to.
Access details SSO description: You can add a custom description to your login page to help users.
Access details for provider metadata url: Add the metadata URL you copied in Step 2 for the setup within Okta.
Update user details on login toggle: Toggle this on if you want to update user details when they log in. If you are managing user data through a provisioning integration, ensure this is turned off.
User attributes.
Add in your user attributes from Okta to match to our profile information.
'First name', 'Last name' and 'Email' are required. All other attributes are optional; they can also be managed by a provisioning integration.
Click on 'Save'.
Configuring SSO in CybSafe
Once you have set up SSO, you will have a few settings to tailor the login experience for your people.
Define the login method. This is useful if you have users accessing CybSafe who are not part of your tenant.
Turn on passphrase measurement
Turn off just in time provisioning (JIT).
Read more in the configuring your SSO login settings section.
Custom Single Sign-On setup
If you wish to use a different SSO provider to Azure, G Suite or Okta, you will need to purchase our Custom SSO bolt-on.
With this bolt-on you can build a custom connection with any provider using SAML or configure multiple connections to your account.
Configure your SAML app
You will need to configure your SAML app in your IDP admin console.
Use the below details to do so.
<sso-slug> should be replaced by whatever word you would like to be added to your unique SSO login URL for CybSafe. Typically, customers use their company name.
E.g. Acme is setting up their SSO; their URLs will look like this: https://app.cybsafe.com/sso-login/acme/
entity_id
https://app.cybsafe.com/
redirect_url (Assertion Consumer Service)
https://app.cybsafe.com/api/v1/sso/r1/signin/<sso-slug>/
SP initiation url
https://app.cybsafe.com/sso-login/<sso-slug>/
Once you have configured your own custom SAML app, make sure you copy your metadata URL from your IDP to add to CybSafe.
Configure custom SSO within CybSafe.
Now you need to configure your SSO connection in CybSafe.
First, log in to CybSafe using your administrative credentials.
Navigate to the Identity management page and select the "Login" tab.
This page can be found under "Settings" in the admin navigation pane.
Click on the "Add connection" button and select ‘SAML 2.0’.
You will then be presented with the "Connect SAML 2.0" configuration page.
Fill in the details as follows:
Provider: Select your provider.
SSO Slug: Enter your desired slug for your unique SSO login URL. This is the word you entered into the <sso-slug> section of the URLs above.
Access details SSO button: You can add a word to your SSO button should you wish to.
Access details SSO description: You can add a custom description to your login page to help users.
Access details for provider metadata url: Add the metadata URL from your IDP.
Update user details on login toggle: Toggle this on if you want to update user details when they log in. If you are managing user data through a provisioning integration, ensure this is turned off.
User attributes.
Add in your user attributes from your IDP to match to our profile information.
'First name', 'Last name' and 'Email' are required. All other attributes are optional; they can also be managed by a provisioning integration.
Click on 'Save'.
Configuring SSO in CybSafe
Once you have set up SSO, you will have a few settings to tailor the login experience for your people.
Define the login method. This is useful if you have users accessing CybSafe who are not part of your tenant.
Turn on passphrase measurement
Turn off just in time provisioning (JIT).
Read more in the configuring your SSO login settings section.
Configuring your SSO login settings
Once you have set up your Single Sign-On (SSO), you will have a few settings that can be turned on to tailor your users' login experience.
To access your SSO login settings, navigate to the Identity management page and select the "Login" tab.
The Login settings will show under the table with all of your connections.
Login method
Use single sign-on only.
Selecting this setting will only present SSO as a login option if a user navigates using your unique SSO login URL or enters their email in our standard login page.
This setting should only be used if everyone on the CybSafe platform can use your SSO setup.
Don't forget to click "Save" once you toggle on the setting.
Use passphrase or single sign-on.
Selecting this setting will provide an option for your users to log in using either SSO or their passphrase.
This is useful if you have users accessing CybSafe who cannot use SSO within your organisation.
Passphrase measurement.
Selecting this setting will prompt your people to set up a back-up passphrase for their account. Your people will still use SSO to log in to the CybSafe platform; however, they have a back-up option.
This then gives CybSafe the ability to measure the entropy of this passphrase and offer your people the opportunity to improve their behaviour.
Users will also be informed if their passphrase has been identified in a data breach.
Don't forget to click "Save" once you toggle on the setting.
You can then view information on these improved behaviours within our reporting.
Just-in-time user provisioning
Select this to automatically add people to CybSafe when they first click login with SSO, if they don't already have an account.
To ensure the best user experience, users will be automatically created with just-in-time provisioning if they are authenticated by your SSO integration.
If you are controlling access to CybSafe or tightly managing your licence usage, you may want to turn off this setting.
Don't forget to click "Save" once you select the setting.
Editing your SSO connections
Within the table you have options to edit, deactivate and delete any connections you have made.
Clicking the three dots to the right-hand side of any connection gives you the following options:
Edit: Enables you to tweak any settings for the connection, such as updating user details upon login or changing any user attribute mapping.
Deactivate: Will turn off that particular connection.
Delete: Will permanently delete the connection from CybSafe.
The table also contains your unique Single Sign-On link, which can be shared with employees for a seamless login experience.
You can also use this URL to create direct links to the CybSafe platform where users will have a seamless login experience. More info can be found in "How to make links to the CybSafe platform".
Troubleshooting
Follow the steps below for any common issues encountered with SSO.
Duplicate profiles
Typically this is caused by a mismatch between the email attribute synced to CybSafe for your users via a provisioning integration and the one configured in the SSO details.
You should first identify which field is being sent to our email attribute via your SCIM connection:
emails[type eq "work"].value
You should then ensure this same attribute is mapping to Email within the SSO configuration.
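A pre-flight check for this mismatch, covering both the recommendation earlier on this page and this troubleshooting step. This is an added example, not CybSafe code: the attribute names `mail` and `upn`, the record layout and the sample users are constructed assumptions standing in for an export from your own IdP and SCIM integration.

```python
# Added example: constructed data, hypothetical attribute names.
SCIM_USERS = [  # what the provisioning integration sends (constructed)
    {"userName": "a.khan", "emails": [
        {"type": "home", "value": "amir@example.net"},
        {"type": "work", "value": "a.khan@example.com"}]},
    {"userName": "b.osei", "emails": [{"type": "work", "value": "B.Osei@example.com"}]},
    {"userName": "c.ruiz", "emails": [{"type": "home", "value": "c.ruiz@example.net"}]},
]
SSO_ATTRS = {  # attributes the IdP releases at login (constructed)
    "a.khan": {"mail": "a.khan@example.com", "upn": "akhan@corp.example.com"},
    "b.osei": {"mail": "b.osei@example.com", "upn": "bosei@corp.example.com"},
    "c.ruiz": {"mail": "c.ruiz@example.com", "upn": "cruiz@corp.example.com"},
}

def scim_work_email(user):
    """Value selected by emails[type eq "work"].value, or None if absent."""
    for entry in user.get("emails", []):
        if str(entry.get("type", "")).lower() == "work":
            return entry.get("value")
    return None

def classify(scim_email, sso_email):
    """Compare the provisioned work email with the SSO-mapped email value."""
    if not scim_email:
        return "no-scim-work-email"
    if not sso_email:
        return "no-sso-attribute"
    if scim_email == sso_email:
        return "match"
    # Whether the platform compares case-insensitively is not stated, so
    # case-only differences are reported separately instead of assumed safe.
    if scim_email.strip().lower() == sso_email.strip().lower():
        return "case-or-whitespace-only"
    return "mismatch"

def audit(scim_users, sso_attrs, mapped_attr):
    """Return {userName: status} for the attribute mapped to Email in SSO."""
    report = {}
    for user in scim_users:
        name = user["userName"]
        sso_email = sso_attrs.get(name, {}).get(mapped_attr)
        report[name] = classify(scim_work_email(user), sso_email)
    return report

if __name__ == "__main__":
    for attr in ("mail", "upn"):
        print(attr, audit(SCIM_USERS, SSO_ATTRS, attr))
```

Any status other than "match" marks a user for whom the SSO login and the provisioned profile may not line up on email, which is the condition this section describes.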
Incorrect groups
If you notice your users being aligned to groups that do not match what you are configuring via your provisioning integration, you may need to turn off "Update user details on login".
If you are not using a provisioning integration and are relying on SSO to update your user profiles, you may have the mapping incorrect. Edit the connection and check if it is accurate.
Users unable to login
If you find users are not able to log in, check the following:
Attribute mapping is correct.
Your correct connection is active within CybSafe.
Ensure the user does not have any duplicate profile in either an active or a deactivated state.
Check you have available licences for the number of users required.
Still have questions?
If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!