Training Quarters
Enable quarters and set date ranges (Years are managed in Training Configuration)
Module Deadlines
Set completion deadlines for each training module per quarter
Progress Thresholds
Define status levels for employee progress
At-Risk
Users below this % are flagged as at-risk
%
Passing
Required % to be marked complete
%
Reminder Schedule
When to send email reminders
Friendly Reminder
Initial reminder before quarter ends
days
Escalation Notice
Escalated reminder for incomplete training
days
SMTP Configuration
Email server settings for sending reminders
Predefined
Custom SMTP
Configure your own SMTP server settings below
Email Templates
Customize reminder email content
Available Variables (click to copy)
Identity Provider
Connect your organization's identity provider for SSO
Not configured
Redirect URI — copy this into your IdP app
Azure AD Setup Guide
1
Go to Azure Portal → Microsoft Entra ID → App registrations → New registration
Name: TrustStrike Training, Supported account types: Single tenant
2
Select Platform → Web → paste the Redirect URI from above → Register
3
Go to Overview → copy Application (Client) ID and Directory (Tenant) ID
4
Go to Certificates & secrets → New client secret → Add description (truststrikelabs) and Expires (12 months) → Add → copy the Value
Azure shows two fields: Secret ID (a GUID — ignore this) and Value (the actual secret). Copy the Value — it's only shown once. Using the Secret ID causes AADSTS7000215.
5
Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions → add openid, profile, email
6
Go to Token configuration → Add groups claim → select Security groups → Add
This enables group-based role mapping for admin/employee assignment.
Credentials
Okta Setup Guide
1
Go to Admin → Applications → Create App Integration → OIDC - OpenID Connect → Web Application
2
Set Sign-in redirect URI to the Redirect URI above
3
Copy Client ID and Client Secret from the General tab
4
Note your Okta Domain (e.g., yourcompany.okta.com)
Credentials
Google Workspace Setup Guide
1
Go to Google Cloud Console → APIs & Services → Credentials → Create OAuth Client ID
Application type: Web application
2
Add the Redirect URI above to Authorized redirect URIs
3
Copy Client ID and Client Secret
Credentials
Generic OIDC Setup Guide
1
Create an OIDC / OAuth 2.0 application in your identity provider
2
Set the Redirect URI to the value above
3
Get your Client ID, Client Secret, and Discovery URL
Discovery URL usually ends with /.well-known/openid-configuration
Credentials
Azure AD SAML Setup Guide
1
Go to Entra admin center → Enterprise applications → New application → Create your own → name: TrustStrike Training → Integrate any other application you don't find in the gallery (Non-gallery) → Create
2
Single sign-on → select SAML → Section 1 Basic SAML Configuration → Edit:
3
Section 2 Attributes & Claims → Click Unique User Identifier (Name ID) → change source to user.mail, format to Email address
4
Section 3 SAML Certificates → copy the App Federation Metadata Url and paste it below
5
Copy your Azure Tenant ID
6
Go to Enterprise applications → TrustStrike Training → Properties (left sidebar) → Set Assignment required? to No → Save
Okta SAML Setup Guide
1
Go to Applications → Create New App Integration → SAML 2.0 → Next
2
Set Single sign-on URL and Audience URI (SP Entity ID) — provided after setup
Name ID format: EmailAddress, Application username: Email
3
Add attribute statements:
email → user.email, firstName → user.firstName, lastName → user.lastName
4
Copy the Metadata URL from the Sign On tab
Credentials
ADFS Setup Guide
1
Open AD FS Management → Relying Party Trusts → Add Relying Party Trust
Choose Claims aware
2
Add claim rules: Rule 1: Send LDAP Attributes → E-Mail Address. Rule 2: Transform → E-Mail → Name ID → Email format
Credentials
The federation metadata URL is auto-constructed as https://{hostname}/FederationMetadata/2007-06/FederationMetadata.xml
Google Workspace SAML Setup Guide
1
Go to Google Admin Console → Apps → Web and mobile apps → Add App → Add custom SAML app
2
Copy the SSO URL, Entity ID, and Certificate from Google's IdP details page
3
In Service Provider Details, enter the ACS URL and Entity ID (provided after setup)
Name ID format: EMAIL, Name ID: Basic Information > Primary email
Credentials (manual entry)
Generic SAML Setup Guide
1
Create a SAML 2.0 application in your identity provider
2
Set ACS URL and SP Entity ID (provided after setup)
Name ID format: Email
3
Get your Federation Metadata URL (or SSO URL + Entity ID + Certificate)
Credentials
or enter manually
Group Mapping
Map identity provider groups to TrustStrike admin and employee roles
Not configured
Azure AD Setup
1
Go to entra.microsoft.com → Groups → New group → create two Security groups:
truststrike-admin — add your admin users
truststrike-employees — add all employee users
Group type: Security, Membership type: Assigned
2
Go to App registrations → your SSO app → Token configuration → Add groups claim → select Security groups → Add
3
Go to Groups → click each group → copy the Object ID and paste below
Group Object IDs
Okta Setup
1
Go to Directory → Groups → create two groups:
truststrike-admin — add your admin users
truststrike-employees — add all employee users
2
Go to Applications → your SSO app → Sign On tab → OpenID Connect ID Token → set Groups claim filter to Matches regex .*
3
Go to Directory → Groups → click each group → copy the Group ID from the URL and paste below
Group IDs
Google Workspace Setup
1
Go to admin.google.com → Directory → Groups → create two groups:
truststrike-admin@yourdomain.com — add your admin users
truststrike-employees@yourdomain.com — add all employee users
2
Google Workspace sends group membership in the groups claim automatically when configured via Admin SDK → Groups
3
Copy each group's email address and paste below
Group Identifiers
Generic OIDC Setup
1
Create two groups in your identity provider:
truststrike-admin — add your admin users
truststrike-employees — add all employee users
2
Configure your IdP to include a groups claim in the ID token containing group names or IDs
3
Copy each group's ID or name (whatever appears in the groups claim) and paste below
Group Identifiers
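The role lookup that this group mapping implies, as an added example (not TrustStrike's code). It assumes the ID token's signature, issuer, audience and expiry have already been validated; the group IDs are constructed and `resolve_role` is a hypothetical name. It compares identifiers exactly and denies when Entra ID sends an overage marker in place of the `groups` claim.

```python
# Added example: map the `groups` claim of a validated ID token to a role.
# Constructed identifiers; use the Object IDs / Group IDs / emails pasted above.
ADMIN_GROUP = "11111111-1111-1111-1111-111111111111"
EMPLOYEE_GROUP = "22222222-2222-2222-2222-222222222222"


def resolve_role(claims, admin_group=ADMIN_GROUP, employee_group=EMPLOYEE_GROUP):
    """Return 'admin', 'employee', or None (deny) for a validated claim set."""
    # Entra ID drops `groups` when a user is in too many groups to fit in the
    # token and emits an overage marker instead. Membership is then unknown
    # from the token alone, so fail closed rather than default to a role.
    overage = claims.get("_claim_names") or {}
    if "groups" in overage or claims.get("hasgroups"):
        return None

    groups = claims.get("groups")
    if isinstance(groups, str):          # some IdPs send a single value
        groups = [groups]
    if not isinstance(groups, list):     # claim missing or malformed
        return None

    # Exact, case-sensitive comparison: with a permissive claim filter the
    # token carries every group, so substring or prefix matching would let an
    # unrelated group with a similar name grant a role.
    members = {g for g in groups if isinstance(g, str)}
    if admin_group in members:           # admin wins when both are present
        return "admin"
    if employee_group in members:
        return "employee"
    return None


if __name__ == "__main__":
    print(resolve_role({"groups": [EMPLOYEE_GROUP, ADMIN_GROUP]}))
    print(resolve_role({"_claim_names": {"groups": "src1"}}))
```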
SCIM Provisioning
Automatically sync users and groups from your identity provider
SCIM Provisioning Endpoint
Azure SCIM Setup
1
Go to entra.microsoft.com → Enterprise applications → New application → Create your own application
Name: TrustStrike SCIM, select Integrate any other application (non-gallery)
2
Open the app → Provisioning → New configuration → select Bearer Token
Paste the SCIM Endpoint from above as Tenant URL. Leave Secret Token empty → click Test Connection → then Create
3
Go to Attribute Mapping → open Provision Microsoft Entra ID Users → keep only these mappings, delete all others:
Delete all other mappings (title, addresses, phone numbers, etc.) — unsupported attributes cause provisioning to fail for all users.
4
Go to Attribute Mapping → open Provision Microsoft Entra ID Groups → set Enabled to No
The /Groups endpoint is not supported — leaving it enabled causes Azure to quarantine provisioning and sync zero users.
5
Assign Azure groups to the SCIM app — Azure only provisions users/groups explicitly assigned to the app. Without this, provisioning syncs zero users.
- In Azure Portal, go to Enterprise Applications → select your SCIM app (e.g. TrustStrike SCIM)
- Click Users and groups (left sidebar)
- Click + Add user/group
- Under Users and groups → click None selected
- Search and select:
- Search and select: truststrike-admin and truststrike-employees
- Click Select → Assign
If you skip this step, provisioning logs will show “0 users in scope” even though provisioning is enabled.
6
Set Provisioning Status to On → Save → click Start provisioning
Azure syncs users every ~40 minutes. First sync may take a few minutes.
Okta SCIM Setup
1
Go to Applications → your SSO app → General tab → change Provisioning to SCIM
2
Go to the Provisioning tab → Integration → set:
SCIM connector base URL: paste the SCIM Endpoint from above
Unique identifier: userName
Authentication Mode: HTTP Header (leave token empty)
3
Under Provisioning → To App, enable Create Users, Update User Attributes, and Deactivate Users
4
Go to Push Groups tab → Push Groups → Find groups by name → push truststrike-admin and truststrike-employees
5
Go to Assignments tab → assign the groups truststrike-admin and truststrike-employees to the app
Okta only provisions users who are assigned to the application.
Google Workspace SCIM Setup
Google Workspace does not natively support SCIM outbound provisioning to third-party apps. Users will be created on first SSO login instead. You can use the Sync Users button in the Users tab to bulk-import users from Keycloak.
SCIM Setup
1
In your identity provider, find the SCIM / Provisioning settings
2
Set the SCIM Base URL to the endpoint above. Leave the bearer token empty.
3
Map the required attributes:
userName, active, emails, externalId, name.givenName, name.familyName
Remove any unsupported attributes (title, addresses, phone numbers, etc.)
4
Assign your truststrike-admin and truststrike-employees groups for provisioning
5
Enable provisioning and trigger an initial sync
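A pre-flight check for the attribute mapping in step 3, as an added example (not part of TrustStrike): it flattens a SCIM User payload into attribute paths and reports which required attributes are missing and which extra ones would be sent. The sample payload is constructed, the function names are hypothetical, and ignoring the `schemas`, `id` and `meta` envelope keys is an assumption.

```python
import json

# Attribute paths this page lists as required for provisioning.
REQUIRED = {"userName", "active", "emails", "externalId",
            "name.givenName", "name.familyName"}
# Assumption: SCIM envelope keys are not attribute mappings and are ignored.
ENVELOPE = {"schemas", "id", "meta"}


def attribute_paths(resource):
    """Flatten a SCIM User into attribute paths (sub-attributes one level deep)."""
    paths = set()
    for key, value in resource.items():
        if key in ENVELOPE:
            continue
        if isinstance(value, dict) and not key.startswith("urn:"):
            # Complex attribute such as `name`: report each sub-attribute.
            paths.update(f"{key}.{sub}" for sub in value)
        else:
            # Scalars, multi-valued lists and extension schemas count once.
            paths.add(key)
    return paths


def check_user(resource):
    """Return (missing, unsupported) attribute paths, each sorted."""
    present = attribute_paths(resource)
    return sorted(REQUIRED - present), sorted(present - REQUIRED)


# Constructed sample: an IdP payload with two default mappings left in place
# and the family name mapping deleted by mistake.
SAMPLE = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@example.com",
  "active": true,
  "externalId": "a1b2c3",
  "name": {"givenName": "Alice"},
  "emails": [{"value": "alice@example.com", "primary": true}],
  "title": "Analyst",
  "phoneNumbers": [{"value": "555-0100", "type": "work"}]
}""")

if __name__ == "__main__":
    missing, unsupported = check_user(SAMPLE)
    print("missing:", missing)
    print("unsupported:", unsupported)
```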