SafeTitan Onboarding Demo
Portal to use during the demo:
https://demoportal-cus.safetitan.com
Introduction.
SafeTitan is a behaviour-driven security awareness solution that delivers security training in real time. It allows you to strengthen your human firewall through the use of phishing simulation and cyber security training.
Today I will be demonstrating the full onboarding cycle with Azure Active Directory. We will integrate SafeTitan with Azure Active Directory to import users, set up Direct Mail Injection (which is how we deliver phishing simulations) and configure SSO.
Let's start with all the steps to be completed on our Azure Active Directory portal.
Azure AD Configuration
1. Register the App on Azure.
To complete all the steps on your Azure Active Directory, you must have admin-level access to the AD. If this is not the case, please seek access or assistance from someone who has admin-level access to your Azure Active Directory.
Log in to your Office 365 admin centre. Once logged in, let's go to the Identity centre under the list of admin centres.
Once you are in the Azure AD centre, browse to App Registrations and click on New Registration. We are going to fill in these details; let's call this app SafeTitan. We are going to keep these settings at default. Under the Redirect URIs, I am going to select the platform Web, and for the redirect URI I am going to enter the SafeTitan portal URL that I received in my welcome email.
Once this is filled in, I am going to click Register. Once it's created, I am going to go to Authentication on the middle column of the screen. Under this section I am going to add a second URI. Under the Web URI section, I am going to click Add URI, and here I am going to enter my SafeTitan portal URL with /auth/osignedin appended to the end. This URL is used by the SSO part of the setup. Once added, I am going to click Save. On the overview window that appears, I am going to take note of the Client ID and the Directory ID in my notepad, labelling them accordingly. I will need these later on in my SafeTitan portal.
2. Create an Application Secret.
Next I am going to go to Certificates and Secrets. Here I am going to generate a client secret for my SafeTitan app to connect to my SafeTitan portal. I am going to click on New Client Secret. I am going to call this secret SafeTitan and set the expiry to 24 months. Click on Save and, once created, I am going to copy the secret's Value into my notepad as well. It is important to take note of this before moving away from this screen, as the value is hidden once you leave this page and cannot be retrieved later.
3. Set Application Permissions.
Next I am going to set the permissions for this app. I am going to select API permissions on the middle column of the page. Then I am going to click Add a Permission. On the side window that appears, I am going to select Microsoft Graph API, and here I am going to choose both Delegated and Application permissions. Under Delegated permissions, I need to select OpenID, Email and Profile. Under Application permissions, I am going to use the search bar to search for User. I am going to find the User folder and open that up; under here I am going to select the permission User.ReadWrite. I am going to again use the search bar to search for Mail. I am going to find the Mail folder and open that up; under here I am going to select the permissions Mail.ReadWriteAll and Mail.Read. Finally, I am going to use the search bar to find Directory. Open up the Directory folder; under here I am going to select the permission Directory.ReadAll.
Once all the permissions have been selected, let's click Add permissions. You can see the permissions have not yet been granted admin consent, so I am going to click the button here that says Grant admin consent for..., and it will grant consent for all of these permissions.
SafeTitan Portal Configurations.
4. Active Directory Sync
We have now completed all the steps necessary on our Azure admin portal; it's time to move to the SafeTitan portal configuration. Let's log into our portal using our welcome email. This will walk us through resetting your password. I have already reset my password, so I am just going to log in.
Once logged in, I am going to first do an Active Directory sync. This will import all of my users from Active Directory into the user list on the SafeTitan portal.
To do this, I am going to go to Configuration > AD Sync. Here I am going to go to the Azure AD tab, since the Active Directory I am using is Azure. Under this tab there is a check box; I am going to check the box to enable the Azure AD sync and start filling in the details in the form that appears.
The main areas to focus on in this form are the top three text fields. Here is where I need the notepad in which I took note of all my IDs from Azure. In the top field, I am going to enter my Client/Application ID. In the next field I am going to enter the secret Value I took note of, and the third field will be the Tenant or Directory ID.
After filling in all these necessary fields, I can come further down the list to look at who I will be importing from my Active Directory. If I want to import everyone, I do not need to interact with any other fields. However, if I want to import a group or selection of groups from my Azure AD, I can click on this box here, called Restrict to groups. Then I can specify which groups from my Active Directory I want to import into my SafeTitan account. I am going to type in my group name here. Once I have done that, I am going to click "Save Settings". This will save all the information I have added here. Once saved, I am going to trigger a test sync, just to ensure the SafeTitan account can connect to my Azure AD. I can see here that it connected successfully, so now I am going to trigger the sync by clicking this blue button. Now that it has been triggered, my users will start being imported into the SafeTitan portal. We will check in on that later on.
5. Set up SSO
The next step is to set up SSO, or Single Sign-On. This will allow your users to log in with their Microsoft credentials when they need to access their account to sit their assigned training. This is both a security measure and saves your end users time creating passwords. Let's go to Settings > Authentication. Here you will see a drop-down menu which is by default set to Identity. We are going to change this to OpenID Connect. This will open more fields to enter details into.
For the Post Logout Redirect URI and the Redirect URI we are going to use the same URL, and this URL will be the one we added as a redirect URI in our Azure AD SafeTitan app settings: our SafeTitan URL with /auth/osignedin appended to the end of it.
For IDP we are going to keep the default value, which is AzureAD.
For Authority we are going to add the URL https://login.microsoftonline.com/tenantID which I have on my notepad.
For the Client ID we are going to add the Client ID from my notepad also.
For the Client Secret, this should already be redacted coming from the Azure AD sync settings we have saved.
Domain hint, just simply use your domain in here.
Username Claim, we are going to keep this empty.
Once these have been filled in, let's click Save, and SSO is set up. This will take 24 hours to propagate and start taking effect.
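Because the OpenID Connect form in step 5 reuses the values collected from Azure in steps 1 to 3, a mismatch between them (a redirect URI without the /auth/osignedin path, a trailing slash, the wrong tenant in the authority URL, an unrecorded secret) is the usual reason SSO fails. The following consistency check is an added example, not code from the demo or from SafeTitan; the GUIDs, expiry date and secret value in the sample configs are constructed placeholders.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Path the demo appends to the portal URL for the second (SSO) redirect URI.
SSO_CALLBACK_PATH = "/auth/osignedin"
AUTHORITY_BASE = "https://login.microsoftonline.com/"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def check_sso_config(cfg: dict) -> list[str]:
    """Return inconsistencies between the Azure notes and the SSO form; empty means OK."""
    problems = []
    portal = cfg.get("portal_url", "").rstrip("/")
    if urlsplit(portal).scheme != "https":
        problems.append("portal_url must use https")
    expected = portal + SSO_CALLBACK_PATH
    # Azure matches redirect URIs exactly: no trailing slash, no missing path.
    for key in ("redirect_uri", "post_logout_redirect_uri"):
        if cfg.get(key) != expected:
            problems.append(f"{key} must be exactly {expected}")
    for key in ("client_id", "tenant_id"):
        if not GUID_RE.match(cfg.get(key, "")):
            problems.append(f"{key} is not a GUID copied from the app overview")
    if cfg.get("authority") != AUTHORITY_BASE + cfg.get("tenant_id", ""):
        problems.append("authority must be " + AUTHORITY_BASE + "<tenant ID>")
    if not cfg.get("client_secret"):
        problems.append("client_secret is empty; Azure shows the value only once")
    exp = cfg.get("secret_expires", "")
    if not exp or date.fromisoformat(exp) <= date.today():
        problems.append("client secret has no expiry recorded or has already expired")
    return problems


# Constructed sample values (placeholder GUIDs, date and secret, not real tenant data).
GOOD_CONFIG = {
    "portal_url": "https://demoportal-cus.safetitan.com",
    "redirect_uri": "https://demoportal-cus.safetitan.com/auth/osignedin",
    "post_logout_redirect_uri": "https://demoportal-cus.safetitan.com/auth/osignedin",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "authority": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "<secret value copied from Azure>",
    "secret_expires": "2099-01-01",
}
# Typical slips: missing /auth/osignedin, trailing slash, wrong authority, expired secret.
BAD_CONFIG = dict(GOOD_CONFIG, redirect_uri=GOOD_CONFIG["portal_url"],
                  post_logout_redirect_uri=GOOD_CONFIG["redirect_uri"] + "/",
                  tenant_id="not-a-guid", authority="https://login.microsoftonline.com/common",
                  client_secret="", secret_expires="2000-01-01")
```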
6. Direct Mail Injection.
Now let's move to the next step, which is setting up DMI. Since we are syncing with Azure AD, we have the benefit of using DMI, or Direct Mail Injection. Instead of sending simulated phishing emails as regular mail, we place the message directly into the user's inbox. This prevents the campaigns we send from being blocked by your mail defences before they reach the end user. To set this up I am going to go to Phishing Settings under the Settings tab I am already in. Here I am going to click on the Microsoft API Delivery tab. I am going to check this box to enable the feature, enter the Tenant ID from my notepad and click Save.
After this has saved, I am going to go back into the Microsoft API settings, and you will see two new tabs have appeared. I am going to open up the manual settings here and enter the Client ID from my notepad; the client secret should already be populated for you. Click Save and DMI is now set up.
We have one final thing to do, and that is to add the SafeTitan IPs to your Office 365 allow list. We do this because DMI is only used for phishing campaigns; the training campaigns are sent like regular emails. To prevent these from being blocked by your email defences, we are going to add the sending IPs to your allow list.
So let's go to our general admin centre in Microsoft. Find the Security tab to go into your security admin centre. From here scroll down to Email and Collaboration and click on Policies and Rules. Under here click Threat Policies and then Anti-Spam. In this section I am going to edit the Connection Filter Policy (Default). Here you will see a box for the allowed IPs. I am going to enter the two SafeTitan IPs into this list and click Save.
168.245.104.162
192.254.120.51
This was the last thing left to do. Now we are officially set up, so let's go back to SafeTitan and check that our users are available to see. As you can see, my users have been imported, and I am now officially ready to start creating campaigns to send to my users.