Disclaimer: Most of these steps are performed inside Azure AD and are subject to change at Microsoft's discretion. The screenshots and links may change as Microsoft updates its systems. Agari and HelpSystems Technical Support may not be able to assist with this process and may direct you to Microsoft Azure Support for further help.
Below is an example of how to configure SAML single sign-on between Agari Phishing Defense and Azure AD.
- Log in to the Azure portal.
- Navigate to Enterprise applications > All applications.
- Choose + New application.
- Choose Non-gallery application.
- Choose a Name for the application.
- OPTIONAL: Choose Properties, upload a logo, and click Save.
- Select Single sign-on and select SAML as the sign-on method.
- Populate the Identifier (Entity ID) as illustrated in step 11 (ep.agari.com).
- Populate the Reply URL (Assertion Consumer Service URL) as illustrated in step 11.
- Populate the Sign-on URL (optional) as illustrated in step 11. This is the sign-in page for the application that starts service-provider-initiated single sign-on; leave it blank if you only need identity-provider-initiated single sign-on.
- Click Save and close the Basic SAML Configuration window.
- Download the Certificate (Base64) and copy the Login URL. Note the certificate's expiration date: Agari validates the SAML assertions against this certificate, so when Azure AD rotates it or it expires, the new certificate must be pasted into Agari before the old one stops being used, or SSO logins will fail.
- Navigate to Users and Groups and select Add user.
- Choose your relevant Agari user(s) and then click Select.
- Then choose Assign.
- Log in to Agari Phishing Defense.
- Navigate to Manage > Organizations.
- Scroll down to the User Account Settings section and click Enable next to Single Sign-On.
- Paste the Azure Login URL copied from the Azure portal.
- Open the downloaded Certificate (Base64) file in a plain-text editor such as Notepad and select its entire contents as-is, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Copy and paste those contents, unchanged and in their entirety, into the Azure Certificate (Base64) field.
- Click the Test Settings button.
- If prompted, select the Azure AD account you wish to test with.
- If the test is successful, click Save Settings.
- Click OK to confirm the switch over to Single Sign-on.
- NOTE: Existing Agari users are notified by email that they need to reactivate against Azure AD. A sample email is shown below:
- Sample of an APD user selecting Authenticate with Identity Provider via their emailed reactivation link.
- Test logging in to Agari Phishing Defense via Azure AD SSO.
- Configure at least one user with fail-over or local-only authentication, so that an administrator can still sign in if Azure AD or the SAML configuration breaks. A common practice is to use a shared break-glass account, such as a help desk account or a mail-enabled team distribution list; for audit-trail purposes, reserve such an account for disaster recovery only.
- Navigate to Manage > Users (https://<domain>.ep.agari.com/users).
- Select at least one user, select the Secondary Authentication checkbox, choose the fail-over option you prefer, enter the password and record it in your organization's password vault, and then click Update.
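The Azure AD portion of the procedure above (create the non-gallery application, switch it to SAML, set the Entity ID and Reply URL, create the signing certificate, copy the Login URL, assign a user) can be scripted so the configuration is repeatable and reviewable. The following is an added example written for this page, not Agari's or Microsoft's own tooling; it uses the Microsoft Graph PowerShell SDK. The Entity ID, Reply URL, display name and first user are script parameters (take the first two from the Agari Single Sign-On settings page); the non-gallery application template ID, the three-year certificate lifetime, the shape of the returned certificate key and the "User" app-role lookup are assumptions noted in the code. The script writes the signing certificate as a PEM file ready to paste into Agari and returns the Login URL, thumbprints and expiry so they can be recorded for the rotation reminder.

```powershell
# Added example for this page (not Agari's or Microsoft's own script).
# Requires the Microsoft.Graph PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
param(
    [Parameter(Mandatory)][string]$EntityId,            # Identifier (Entity ID) shown on the Agari SSO settings page
    [Parameter(Mandatory)][string]$ReplyUrl,            # Reply URL (ACS URL) shown on the Agari SSO settings page
    [Parameter(Mandatory)][string]$UserPrincipalName,   # first Agari user to assign, e.g. alice@contoso.com (placeholder)
    [string]$DisplayName = 'Agari Phishing Defense',
    [string]$CertOutPath = (Join-Path (Get-Location) 'agari-azure-saml.cer')
)

$ErrorActionPreference = 'Stop'

# Least privilege: request only the scopes the steps below need.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

# Step "Non-gallery application": instantiate the custom application template.
# Assumption: this well-known template ID is Azure AD's "Custom" (non-gallery) application template.
$nonGalleryTemplateId = '8adf8e6e-67b2-4cf2-a259-e3dc5476c621'
$created = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $nonGalleryTemplateId `
    -BodyParameter @{ displayName = $DisplayName }
$appId = $created.Application.Id
$spId  = $created.ServicePrincipal.Id

# Step "Single sign-on > SAML".
Update-MgServicePrincipal -ServicePrincipalId $spId -BodyParameter @{ preferredSingleSignOnMode = 'saml' }

# Steps "Identifier (Entity ID)" and "Reply URL". The Sign-on URL is left unset (IdP-initiated SSO).
Update-MgApplication -ApplicationId $appId -BodyParameter @{
    identifierUris = @($EntityId)
    web            = @{ redirectUris = @($ReplyUrl) }
}

# Step "Download the Certificate (Base64)": the portal creates a signing certificate automatically,
# via Graph it must be requested explicitly. Assumption: a 3-year lifetime, matching the portal default.
$signingCert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $spId -BodyParameter @{
    displayName = "CN=$DisplayName SAML signing"
    endDateTime = (Get-Date).ToUniversalTime().AddYears(3)
}
# Assumption: the returned key is the DER certificate, either as bytes or base64 text; normalise to bytes.
$der = if ($signingCert.Key -is [string]) { [Convert]::FromBase64String($signingCert.Key) } else { [byte[]]$signingCert.Key }

# Write a PEM file with the BEGIN/END lines, which is what Agari expects when the contents are pasted "as-is".
$b64 = [Convert]::ToBase64String($der) -replace '(.{64})', "`$1`n"
$pem = "-----BEGIN CERTIFICATE-----`n$($b64.TrimEnd())`n-----END CERTIFICATE-----`n"
Set-Content -Path $CertOutPath -Value $pem -Encoding ascii

# Record what you will need later: thumbprints to compare against the portal, and the expiry to schedule rotation.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($x509.RawData) |
    ForEach-Object { $_.ToString('x2') }) -join ''

# Step "Users and Groups > Add user": assign the user to the application's default role.
# Assumption: the non-gallery template exposes one app role named 'User'; fall back to the default (empty) role id.
$sp     = Get-MgServicePrincipal -ServicePrincipalId $spId
$role   = $sp.AppRoles | Where-Object { $_.DisplayName -eq 'User' } | Select-Object -First 1
$roleId = if ($role) { $role.Id } else { [Guid]::Empty }
$user   = Get-MgUser -UserId $UserPrincipalName
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -BodyParameter @{
    principalId = $user.Id
    resourceId  = $spId
    appRoleId   = $roleId
} | Out-Null

# Step "Copy the Login URL": Azure AD's tenant-scoped SAML sign-in endpoint.
$loginUrl = "https://login.microsoftonline.com/$((Get-MgContext).TenantId)/saml2"

[pscustomobject]@{
    ApplicationId      = $appId
    ServicePrincipalId = $spId
    LoginUrl           = $loginUrl     # paste into Agari as the Azure Login URL
    CertificatePem     = $CertOutPath  # paste its full contents into Agari as the Certificate (Base64)
    ThumbprintSha1     = $x509.Thumbprint
    FingerprintSha256  = $sha256
    CertificateExpires = $x509.NotAfter.ToUniversalTime()
}
```

Run it as `.\Configure-AgariSaml.ps1 -EntityId '<from Agari>' -ReplyUrl '<from Agari>' -UserPrincipalName 'alice@contoso.com'` (names are placeholders). Before pasting the PEM into Agari, compare the printed SHA-1 thumbprint with the one shown under the application's SAML Signing Certificate in the portal, and put the printed expiry date in your rotation calendar; the Agari Test Settings and Save Settings steps remain manual in the Agari UI.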
BEST PRACTICE RECOMMENDATIONS
- Retire/remove any APD users that are no longer needed.
- Prior to the SSO switchover, notify your remaining users to expect the Agari/Azure activation email.
- After your SSO implementation is validated, establish an Organization Administrator user that uses local authentication.