The OutThink Command Centre is a secure on-line portal for managing your end-users, training campaigns, attack simulations, and interacting with analytics results and reporting. Only named and trusted administrators should be granted the rights to access the application.
This article describes how to set up federation with your identity provider (IdP) supporting the SAML 2.0 protocol. When you set up the federation, new administrative users of the OutThink platform can use your own IdP-managed organizational account to sign in to the OutThink Command Centre.
1. Provide IdP Metadata to OutThink
Please supply your IdP’s XML metadata file to OutThink. Your IdP MUST support the HTTP-POST
binding for the SingleSignOnService.
If you don’t have such a file, please supply the following values for your IdP:
entityID
SingleSignOnService
location URL (HTTP-POST binding)- X509Certificate (public key of your signing certificate).
2. Determine list of domains to the federated
Provide OutThink with a full list of all domains to be federated via your Identity Provider.
For instance: example.com
, auth.example.com
, example-partner.net
.
IMPORTANT: If the domains to be federated do not match the Identity Provider’s authentication domain, or a host within the domain, a DNS TXT record will need to be added to all such domains which point to the Identity Provider’s SingleSignOnService
location URL. As an example:example.com. IN TXT DirectFedAuthUrl=https://auth-for-example.com/adfs
For more details, see Microsoft’s documentation at:
https://learn.microsoft.com/en-gb/entra/external-id/direct-federation#step-1-determine-if-the-partner-needs-to-update-their-dns-text-records
3. Configure your Identity Provider
The OutThink Platform is supported by Microsoft Entra ID, which acts as the SAML Service Provider (SP).
SAML SP entityID (Pre-Production) = Contact your OutThink Customer Success representative
SAML SP entityID (Production) = Contact your OutThink Customer Success representative
SAML SP AssertionConsumerService (ACS) = https://login.microsoftonline.com/login.srf
In the SAML response’s assertion:
- The subject’s
NameID
SHOULD be in theurn:oasis:names:tc:SAML:2.0:nameid-format:persistent
format and SHOULD be set to the email address of the authenticated user. - The email address of the authenticated user MUST also be included as an
emailaddress
claim attribute (format:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
).
4. Notes
- The POSTed
authn
request will be accompanied by aRelayState
(to be echoed back in the POSTed response) and aUserName
(the email address of the user to be authenticated by your IdP) - Even if your IdP’s metadata indicates that it wants signed
authn
requests, a current limitation of the Microsoft Entra ID SAML SP is that it doesn’t sign authn requests; this is why the public key of Microsoft’s signing certificate is not supplied in this document - IdP-initiated SSO is not supported.
Was this helpful?
3 / 4