NOTE: Azure AD Single sign-on can now be configured with Hoxhunt Azure AD Gallery App.
Please use following instructions in new implementations: https://docs.microsoft.com/fi-fi/azure/active-directory/saas-apps/hoxhunt-tutorial
Overview
Configure Azure AD Single Sign-On for Hoxhunt App
Assign users and groups to Azure SSO application
How to renew a certificate
You can make it easier for your employees to access Hoxhunt App (https://app.hoxhunt.com/) by setting up Single Sign-On (SSO) that utilizes your Identity Provider (IdP). If you don't wish to configure SSO, employees can log in to Hoxhunt App via Magic Links.
NOTE: Setting up SSO is optional. It doesn't affect the core functionality of Hoxhunt phishing awareness training and reporting suspicious emails. If SSO is not set up, users can still use Magic Link (one-time) authentication instead to access Hoxhunt Dashboard.
NOTE: SSO and Magic Link authentication methods are exclusive. When SSO is enabled, all users must authenticate via SSO and Magic Links cannot be used for authentication.
Configure Azure AD Single Sign-On for Hoxhunt App
Log in to the Azure Portal with your credentials. Go to Azure Active Directory.
Step 1. Select ”Enterprise Applications” and "New application"
Step 2. Select “Non-Gallery application”.
NOTE: If your view doesn't correspond to these instructions, please switch back to the old app gallery experience as shown below.
Step 3. Enter the name for the application (for example “Hoxhunt SSO”), and click Add.
Step 4. Under Manage select “Properties”. The default options for a new application are correct. Add the Hoxhunt logo attached from the end of this article, and click Save.
Step 5. Under "Manage", select “Single sign-on” and change the mode to “SAML”.
Step 6. Edit "Basic SAML Configuration"
- Enter the SAML Consumer URL (provided by Hoxhunt) to the Identifier (Entity ID) field.
- Enter the SAML Consumer URL (provided by Hoxhunt) to the Reply URL (Assertion Consumer Service URL) field.
Step 7. Edit "User Attributes & Claims"
- Change Source Attribute for Unique User Identifier (Name ID) to “user.mail” from the User Identifier drop-down menu.
- Delete the pre-set additional claims by clicking “…” and then selecting “Delete” for each pre-set token.
Step 8. Click "Add new claim" to add the following Claims (leave namespace blank):
Name | Value (depends on the naming) |
user.firstname | (user's firstname typically user.givenname) * |
user.lastname | (user's lastname typically user.surname) * |
user.department | (user's department) |
user.country | (user's working country) |
*=mandatory
Step 9. Download "Certificate (Base 64) and get the Login URL and send them to Hoxhunt.
Assign users and groups to Azure SSO application
After adding Hoxhunt application to AD tenant, you need to assign users to the Hoxhunt SSO application.
1. Go to Enterprise Applications and click on the Hoxhunt SSO application you just created.
2. Under Manage section select Users and Groups.
3. Select + Add user.
4. In the Add Assignment dialog, click on "Users and Groups: None Selected".
5. Add the users or user groups you wish to assign to Hoxhunt SSO application, and then click Select.
6. Selected users and groups are not listed under Users and Groups. Select Assign to complete the process.
(For more information, please refer to this article from Microsoft to assign users to the Hoxhunt SSO application.)
Congratulations! You are all done.
How to renew a certificate
You should renew the SSO certificate before it expires to avoid any downtime in the SSO service. Please follow the instructions from Microsoft:
When finished, please send the certificate to support@hoxhunt.com and ask for SSO certificate renewal.
Troubleshooting
If you have trouble logging in via SSO, please check this article.