KnowBe4 Hardening Guide
Security awareness training platform hardening for KnowBe4 including SAML SSO, admin access, and campaign security
Overview
KnowBe4 is a leading security awareness training platform providing phishing simulations and training. Because the platform holds employee training data and runs simulated attacks against staff, its security configuration directly affects training integrity and data protection.
Intended Audience
- Security engineers managing awareness programs
- IT administrators configuring KnowBe4
- Security awareness managers
- GRC professionals assessing training programs
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers KnowBe4 console security including SAML SSO, admin access, campaign configuration, and audit logging.
1. Authentication & SSO
1.1 Configure SAML Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML SSO for KnowBe4 console access.
Prerequisites
- KnowBe4 admin access
- Platinum or Diamond subscription
- SAML 2.0 compatible IdP
ClickOps Implementation
Step 1: Access SSO Settings
- Navigate to: Account Settings → Account Integrations → SAML
- Enable SAML authentication
Step 2: Configure SAML
- Configure IdP settings:
  - Entity ID
  - SSO URL
  - Certificate
- Download KnowBe4 metadata for IdP
Step 3: Test and Enforce
- Test SSO authentication
- Enable SSO enforcement
- Configure admin fallback
Time to Complete: ~1-2 hours
1.2 Enforce Multi-Factor Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |
Description
Require MFA for all KnowBe4 admin users.
ClickOps Implementation
Step 1: Enable Console MFA
- Navigate to: Account Settings → Security Settings
- Enable MFA requirement
- Configure MFA methods
Step 2: Configure via IdP
- Enable MFA in identity provider
- Use phishing-resistant methods
2. Access Controls
2.1 Configure Admin Roles
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Implement least privilege for admin access.
ClickOps Implementation
Step 1: Review Admin Types
- Navigate to: Account Settings → Admins
- Review admin roles:
  - Account Owner
  - Full Admin
  - Reports Only
  - Sub-Account Admin
- Assign minimum necessary role
Step 2: Apply Least Privilege
- Use Reports Only for viewers
- Limit Full Admin access
- Review access regularly
2.2 Limit Admin Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Minimize and protect admin accounts.
ClickOps Implementation
Step 1: Inventory Admins
- Review all admin accounts
- Document admin access
Step 2: Apply Restrictions
- Limit owners to 2-3 users
- Require MFA for all admins
- Monitor admin activity
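The inventory and restrictions in sections 2.1 and 2.2 reduce to a few checks that are easy to run on every access review. The following is an added example, not KnowBe4 code: it evaluates an admin inventory (a list of records assembled from Account Settings → Admins; the field names email, role, mfa_enabled and last_login are this example's assumption, not a KnowBe4 export format) against the guide's rules, namely at most three Account Owners, MFA on every admin, known role names only, and no accounts idle beyond a review window. The sample accounts are constructed, and the review date is passed in so results are reproducible.

```python
"""Review a KnowBe4 admin inventory against the access rules in sections 2.1 and 2.2.

Added example, not KnowBe4 code. The record layout is an assumption; build it
from the Admins page. SAMPLE_ADMINS is constructed, fictional data.
"""
from datetime import date

# Role names as listed in the console (section 2.1, Step 1).
KNOWN_ROLES = {"Account Owner", "Full Admin", "Reports Only", "Sub-Account Admin"}

SAMPLE_ADMINS = [
    {"email": "ciso@example.com", "role": "Account Owner", "mfa_enabled": True, "last_login": "2025-01-30"},
    {"email": "it-lead@example.com", "role": "Account Owner", "mfa_enabled": True, "last_login": "2025-01-28"},
    {"email": "helpdesk@example.com", "role": "Account Owner", "mfa_enabled": False, "last_login": "2024-09-01"},
    {"email": "ops@example.com", "role": "Account Owner", "mfa_enabled": True, "last_login": "2025-02-01"},
    {"email": "analyst@example.com", "role": "Full Admin", "mfa_enabled": True, "last_login": "2025-02-03"},
    {"email": "auditor@example.com", "role": "Reports Only", "mfa_enabled": True, "last_login": "2025-01-15"},
    {"email": "contractor@example.com", "role": "Super User", "mfa_enabled": True, "last_login": "2025-02-02"},
]


def review_admins(admins, as_of, max_owners=3, stale_days=90):
    """Return (role_counts, findings); findings are strings a reviewer acts on."""
    review_date = date.fromisoformat(as_of)
    counts = {}
    findings = []
    for a in admins:
        role = a["role"]
        counts[role] = counts.get(role, 0) + 1
        if role not in KNOWN_ROLES:
            findings.append(f"{a['email']}: unrecognised role '{role}', verify in console")
        if not a["mfa_enabled"]:
            findings.append(f"{a['email']}: MFA not enabled ({role})")
        idle = (review_date - date.fromisoformat(a["last_login"])).days
        if idle > stale_days:
            findings.append(f"{a['email']}: no login for {idle} days, review or remove")
    owners = counts.get("Account Owner", 0)
    if owners > max_owners:
        findings.append(f"{owners} Account Owners exceeds limit of {max_owners}")
    return counts, findings


if __name__ == "__main__":
    counts, findings = review_admins(SAMPLE_ADMINS, as_of="2025-02-05")
    print("roles:", counts)
    for f in findings:
        print("finding:", f)
```

Keep the output with the access-review record; the role counts are the evidence for the least-privilege control and the findings list is the remediation queue.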
3. Campaign Security
3.1 Configure Phishing Campaign Security
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 17.3 |
| NIST 800-53 | AT-2 |
Description
Secure phishing simulation campaigns.
ClickOps Implementation
Step 1: Configure Campaign Notifications
- Notify IT/security of campaigns
- Allowlist simulation domains
- Configure landing pages securely
Step 2: Protect Campaign Data
- Limit access to results
- Configure data retention
- Protect employee privacy
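"Limit access to results" and "protect employee privacy" are easiest to honour when the per-user click data never leaves the campaign owners: stakeholders get department-level rates, and any row-level tracking uses a keyed pseudonym instead of the address. The following is an added example, not KnowBe4 code; the result records (email, department, clicked, reported) are a constructed sample, and the minimum group size of five below which a department is suppressed is this example's design choice, not a KnowBe4 setting.

```python
"""Share phishing-campaign results without exposing per-employee outcomes.

Added example, not KnowBe4 code. SAMPLE_RESULTS is constructed, fictional data;
the record layout and the min_group threshold are this example's assumptions.
"""
import hashlib
import hmac


def _rows(dept, n, clicked, reported):
    # Helper to build constructed sample rows: first `clicked` users clicked,
    # first `reported` users reported the simulation.
    return [{"email": f"{dept.lower()}{i}@example.com", "department": dept,
             "clicked": i < clicked, "reported": i < reported} for i in range(n)]


SAMPLE_RESULTS = _rows("Engineering", 6, 2, 3) + _rows("Finance", 5, 1, 2) + _rows("Legal", 2, 1, 0)


def pseudonymize(email, key):
    """Keyed, truncated HMAC: stable across campaigns for trend tracking,
    but only reversible by whoever holds the key (the campaign owners)."""
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymized_rows(results, key):
    """Row-level data suitable for analysts who do not need identities."""
    return [{"user": pseudonymize(r["email"], key), "department": r["department"],
             "clicked": r["clicked"], "reported": r["reported"]} for r in results]


def aggregate_by_department(results, min_group=5):
    """Department-level rates; departments smaller than min_group are suppressed
    because a rate over two or three people identifies individuals."""
    per_dept = {}
    for r in results:
        d = per_dept.setdefault(r["department"], {"users": 0, "clicked": 0, "reported": 0})
        d["users"] += 1
        d["clicked"] += int(r["clicked"])
        d["reported"] += int(r["reported"])
    report = {"departments": {}, "suppressed": []}
    for name, d in sorted(per_dept.items()):
        if d["users"] < min_group:
            report["suppressed"].append(name)
            continue
        report["departments"][name] = {
            **d,
            "click_rate": round(d["clicked"] / d["users"], 3),
            "report_rate": round(d["reported"] / d["users"], 3),
        }
    return report


if __name__ == "__main__":
    key = b"campaign-owner-secret"  # constructed; store the real key with the campaign owners
    print(aggregate_by_department(SAMPLE_RESULTS))
    print(pseudonymized_rows(SAMPLE_RESULTS, key)[:2])
```

The aggregate report is what goes to management and the awareness program; the pseudonymized rows are for analysts tracking repeat clickers across campaigns, and the key is retained only by the people already allowed to see names.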
3.2 Configure API Security
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Secure API access.
ClickOps Implementation
Step 1: Review API Keys
- Navigate to: Account Settings → API
- Review API access
- Document key purposes
Step 2: Secure Keys
- Store keys securely
- Rotate regularly
- Monitor usage
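Rotation and monitoring only work if someone checks key age and looks at where the keys are used from. The following is an added example, not KnowBe4 code: it reviews a key inventory (key id, owner, creation date and the source ranges each integration is expected to call from; a layout this example assumes, not a KnowBe4 export) and a usage log, flagging keys past their rotation age, requests from outside the expected ranges, and bursts of authentication failures that suggest a revoked or leaked key. The log lines are constructed, and the record of where each key is used from would come from the integration or gateway that holds the key.

```python
"""API key hygiene for section 3.2: rotation age and usage anomalies.

Added example, not KnowBe4 code. SAMPLE_KEYS and SAMPLE_LOG are constructed
data; the inventory layout and log format are this example's assumptions.
"""
import ipaddress
from datetime import date, datetime

SAMPLE_KEYS = [
    {"key_id": "siem-export", "owner": "secops@example.com",
     "created": "2024-06-01", "allowed_cidrs": ["203.0.113.0/24"]},
    {"key_id": "hr-sync", "owner": "hr-it@example.com",
     "created": "2025-01-10", "allowed_cidrs": ["198.51.100.0/24"]},
]

# Constructed usage log: "<timestamp> <key_id> <source_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2025-02-04T09:00:01Z siem-export 203.0.113.10 GET /v1/users 200
2025-02-04T09:05:12Z siem-export 203.0.113.10 GET /v1/phishing/security_tests 200
2025-02-04T11:42:07Z siem-export 192.0.2.55 GET /v1/users 200
2025-02-04T12:00:00Z hr-sync 198.51.100.7 GET /v1/users 200
2025-02-04T12:00:02Z hr-sync 198.51.100.7 GET /v1/users 401
2025-02-04T12:00:04Z hr-sync 198.51.100.7 GET /v1/users 401
2025-02-04T12:00:06Z hr-sync 198.51.100.7 GET /v1/users 401
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key_id, ip, method, path, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "key_id": key_id,
            "ip": ipaddress.ip_address(ip),
            "method": method,
            "path": path,
            "status": int(status),
        })
    return events


def review_api_keys(keys, events, as_of, max_age_days=90, auth_fail_threshold=3):
    """Return findings: stale keys, out-of-range callers, auth-failure bursts, unknown keys."""
    review_date = date.fromisoformat(as_of)
    by_key = {k["key_id"]: k for k in keys}
    findings = []
    for k in keys:
        age = (review_date - date.fromisoformat(k["created"])).days
        if age > max_age_days:
            findings.append(f"{k['key_id']}: {age} days old, rotate (limit {max_age_days})")
    failures = {}
    for e in events:
        k = by_key.get(e["key_id"])
        if k is None:
            findings.append(f"{e['key_id']}: used but not in inventory")
            continue
        nets = [ipaddress.ip_network(c) for c in k["allowed_cidrs"]]
        if not any(e["ip"] in n for n in nets):
            findings.append(f"{e['key_id']}: request from {e['ip']} outside allowed ranges "
                            f"at {e['ts'].isoformat()}")
        if e["status"] in (401, 403):
            failures[e["key_id"]] = failures.get(e["key_id"], 0) + 1
    for key_id, n in failures.items():
        if n >= auth_fail_threshold:
            findings.append(f"{key_id}: {n} authentication failures, check for revoked or leaked key")
    return findings


if __name__ == "__main__":
    for f in review_api_keys(SAMPLE_KEYS, parse_log(SAMPLE_LOG), as_of="2025-02-05"):
        print("finding:", f)
```

A key that is both old and called from an unexpected range is the case to treat as a possible leak: rotate it first, then investigate, since rotation also confirms whether the unexpected caller keeps trying with the old credential.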
4. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | KnowBe4 Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/MFA | 1.1 |
| CC6.2 | Admin roles | 2.1 |
NIST 800-53 Rev 5 Mapping
| Control | KnowBe4 Control | Guide Section |
|---|---|---|
| IA-2 | SSO | 1.1 |
| AC-6 | Admin roles | 2.1 |
| AT-2 | Training | 3.1 |
Appendix B: References
Official KnowBe4 Documentation:
- Trust Center (SafeBase)
- Security Statement
- Knowledge Base
- SAML Integration Overview
- SCIM Configuration Guide
API Documentation:
Compliance Frameworks:
- SOC 2 Type 2, ISO 27001:2022, ISO 27701, ISO 27017, ISO 27018, FedRAMP Moderate, CSA STAR — via Security Statement
- FedRAMP Moderate Authorization Announcement
Security Incidents:
- How a North Korean Fake IT Worker Tried to Infiltrate Us (July 2024)
- North Korean Fake IT Worker FAQ
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO and campaign security | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag content-outdated
- Propose new controls: Open an issue with tag new-control
- Submit improvements: See Contributing Guide