How do I enable Single Sign-On (SSO) with Agari Phishing Defense?

Agari Phishing Defense now includes the ability for you to enable a Single Sign-On (SSO) mechanism for authenticating users in your organization, via the SAML 2.0 protocol.

With Single Sign-On, you can:

• Create a one-click login experience. You can bind your existing corporate login identities (accounts) to the Agari Phishing Defense username, which eliminates the need for a separate Agari Brand Protection password.
• Revoke user access centrally. When an employee leaves the company, you can remove Agari Phishing Defense access within the SSO provider rather than having to log directly into Agari Brand Protection portal.
• Provide optional secondary authentication. You can allow specific users (for example, contractors not available in your identity provider system) to authenticate exclusively with the credentials stored in Agari Phishing Defense (which effectively bypasses the single sign-on mechanism). You can also allow specific users to authenticate with the credentials stored in Agari Brand Protection only in the event when the SSO identity service fails (for example, during outages).

Step by step instructions to enable Single Sign-On for your organization:

1. Log in to Agari Phishing Defense and goto Manage > Organization.
2. Navigate to the User Account Settings configuration.
3. Select Enable.

You will then be taken to the Single Sign-On Configuration page:

4. Select the Name identifier Format from the dropdown box.
5. In the dialog box, enter the following information:

• SAML 2.0 Endpoint (HTTP) URL  (This is sometimes referred to as the “destination” or “SAML Recipient” in Identity Provider systems.)
• Public Certificate (X.509)

Both of these values should be provided to you from your Single Sign-On identity provider.

5. Click Test Settings to validate the Endpoint URL and certificate values provided by your identity provider. The Test Settings button calls the Identity Provider with the public certificate credential at the location you enter.

If the settings are correct, your browser will be redirected to Agari Phishing Defense with a success message displayed.

7. Click Save Settings at the bottom of the page to save all settings for your organization and enable Single Sign-On for user accounts.

Warning: At this point, Single Sign-On will be enabled and:

• All existing users will receive an email that instructs them how to perform the one time binding of their Agari username to their SSO account to use their Single Sign-On identity provider credentials when accessing Agari Phishing Defense.
• Users currently logged into the system will continue their sessions without interruption; however, they will be directed to the Identity Provider on subsequent login attempts

Logging In

Your user’s login process with SSO enabled will depend on how you implement SSO.  

For identity provider initiated  SSO, your users will not need to enter a credential or go to the Agari login page.  They will initiate their connection to Agari through your organization’s identity service provider and be logged in.

For service provider initiated SSO, your users will come to the Agari login page at ep.agari.com and enter their email address. They will not be presented with a password field on the Agari Brand Protection login page, unless you enable secondary authentication. Instead, they will be redirected to your identity provider. If users are not already authenticated with the identity provider, they will be prompted to authenticate. (Your identity provider may present authentication in several screens.) Once users have authenticated with the identity provider, they are redirected once again to the Phishing Defense Overview page.