# Frequently Asked Questions

### Okta SSO

**Is Herd available as a pre-built app in the Okta marketplace?**

No. The Herd application is not available in the Okta marketplace, so you'll need to set up Herd as a custom app integration directly in your Okta admin console.

***

**Which sign-in method and application type should I use for Herd in Okta?**

When creating the app integration, select **OIDC – OpenID Connect** as the sign-in method and choose **Web Application** as the application type. Name it something like "Herd" or "Herd Security" so it's easy for admins to recognize later.

***

**Who should be assigned to the Herd Okta application?**

Only users who need access to the Herd admin console should be assigned to the Okta app. General end users should not be added to this application, because it is intended only for admin access to Herd.

***

**What information do I need to share with Herd to complete Okta SSO setup?**

After you create the app integration, Okta will generate a **Client ID** and **Client Secret** in the Client Credentials section. Securely share both values with the Herd team (for example, on a live call or via a password vault) so our engineers can complete the backend configuration.

***

**What redirect URLs should I configure in Okta for Herd?**

Once Herd confirms the backend configuration is complete, update the app's Login settings:

* Set the **Sign-In Redirect URI** to your organization's Cognito login URL, for example: `https://ORGANIZATIONID.auth.us-west-2.amazoncognito.com/oauth2/idpresponse` (Replace `ORGANIZATIONID` with the value provided by Herd.)
* Set the **Sign-Out Redirect URI** to `https://app.herdsecurity.io`.

***

### Okta Group & App Sync

**What does Okta group sync do in Herd?**

Okta group sync pulls your existing groups from your Okta tenant into Herd and automatically attaches those groups to their respective users. This lets you assign trainings, campaigns, events, and stacks to groups instead of managing assignments at the individual-user level.

***

**What permissions are required on the Okta API token for group and app sync?**

You'll need an Okta API token with the following scopes:

* **Group Sync:** `okta.users.read`, `okta.groups.read`, and `okta.roles.read`
* **App Sync:** `okta.apps.read`

These permissions allow Herd to read users, groups, roles, and apps from your Okta tenant.

***

**How do I find and share my Okta domain with Herd?**

Your Okta domain is visible in the browser URL when you're logged into the Okta admin console and is typically formatted as `company-url.okta.com`. Copy that domain and enter it into the Okta domain field in the Herd Okta Configuration Settings, along with your Okta API token.

***

**Where do I enter my Okta domain and API token in Herd?**

In the Herd admin console, go to **Setup** (in the left-hand toolbar), then under **Okta Integration**, open **Okta Configuration Settings**. Enter your Okta domain in the first box and your Okta API token in the second box, then click **Save Configuration**.

***

**How do I start syncing Okta groups and apps into Herd?**

Once your Okta domain and API token are saved in Herd, click **Sync groups** to pull group information from Okta into Herd. Groups will automatically be attached to the corresponding users. To enable the Security Advisor feature, you should also sync apps so Herd can see which applications users are assigned to in Okta.

***

### Azure AD SSO

**How does Herd's Azure AD SSO architecture work?**

Herd uses AWS Cognito as the identity broker, which federates to Azure AD for authentication. The flow is:

> User → Herd App → AWS Cognito → Azure AD → User Authenticated

This lets users sign in with their existing Azure AD credentials while Herd delegates authentication to Azure AD through Cognito.

***

**Do I need a separate app registration for Azure AD SSO and Azure AD User Sync?**

Yes. The SSO app registration is separate from the User Sync app registration. SSO requires different redirect URIs, token configuration, and delegated permissions than the read-only app used for syncing users and groups.

***

**Which IDs and secrets do I need from Azure AD for SSO?**

From your Azure AD SSO app registration, you must capture:

* **Application (client) ID**
* **Directory (tenant) ID**
* A **Client Secret** (the secret *Value*, not the Secret ID)

Copy the secret value immediately after creating it, because Azure AD will not show it again.

***

**Why might I see "Invalid client secret provided" during SSO setup?**

This error typically occurs when the **Secret ID** was copied instead of the secret **Value** when you created the client secret. To fix it, create a new client secret in Azure AD, copy the **Value** column, and update the secret in AWS Cognito under your Azure AD identity provider settings.

***

**What should I check if users can't sign in via Azure AD SSO or are not being created in Herd?**

If users see "User not found / Cannot create user," it usually means the user doesn't exist in Herd and couldn't be auto-created. Make sure you:

* Run **Azure AD User Sync** first to import users into Herd, or
* Verify that Azure AD is configured to include the **email claim** in ID tokens so Herd can create and match users based on their email address.

***

### Azure AD User & Group Sync

**What does Azure AD user and group sync do in Herd?**

Azure AD sync connects Herd to your Azure Active Directory so Herd can automatically pull in users and groups from your tenant. This keeps your Herd roster aligned with your directory, reduces manual user management, and helps you keep onboarding and off-boarding clean and consistent.

***

**Which Microsoft Graph permissions does the Azure AD sync app need?**

In the Azure AD app registration used for sync, you must add the following **Application** permissions for Microsoft Graph:

* `Directory.Read.All` – Read directory data
* `User.Read.All` – Read all users
* `Group.Read.All` – Read all groups
* `GroupMember.Read.All` – Read group memberships

After adding them, you must click **Grant admin consent** for your organization.

***

**What values do I need to configure Azure AD sync in Herd?**

From the Azure AD app registration you created for sync, you'll need:

* **Tenant ID** (Directory tenant ID)
* **Client ID** (Application client ID)
* **Client Secret** (the secret Value you created)

In Herd, go to **Settings → Azure AD Sync**, enter these values, click **Test Connection**, and if successful, click **Save**.

***

**What does a 403 Forbidden error mean when testing the Azure AD sync connection?**

A 403 Forbidden error usually means that required permissions are missing or admin consent has not been granted. Check that all four Microsoft Graph Application permissions are present, confirm they show a green checkmark after **Grant admin consent**, wait 5–10 minutes for changes to propagate, and then retry the connection test.

***

**Can the Azure AD sync app modify or delete anything in my directory?**

No. The app registration for Azure AD sync is configured with read-only permissions (`Directory.Read.All`, `User.Read.All`, `Group.Read.All`, `GroupMember.Read.All`). It can read users, groups, and memberships to sync them into Herd, but it cannot modify or delete objects in your Azure AD tenant.

***

### Training Tracks

**Can a user be on multiple tracks at the same time?**

Yes. A user can be assigned to as many tracks as needed. Each track runs its cadence independently.

***

**What happens if I change the cadence after assigning users?**

The cadence is snapshotted at assignment time. Existing assignments are unaffected. To change the cadence for existing users, remove them from the track and re-assign with the new settings.

***

**Can I reorder trainings after users have started?**

Yes. Reordering only affects trainings the user hasn't received yet. Their current in-progress training is not changed.

***

**What if a user completes a training before the next cadence window?**

Herd queues the next training at the scheduled time regardless. Completing early doesn't move the next delivery date up — unless Catch-Up is enabled and the threshold is exceeded.

***

**Can I export completion data?**

Yes. From the **Assignment** tab, use **Export** to download a CSV of user progress for the track.

### Whitelisting email domains – Google Workspace <a href="#whitelisting-email-domains--top-5-faqs-google-work" id="whitelisting-email-domains--top-5-faqs-google-work"></a>

**1. Who should use this whitelisting method in Google Workspace?**\
This method is for **Google Workspace administrators** who have permission to manage Gmail settings at the admin console level. It’s intended for org-wide configuration, not for individual end users changing their own Gmail settings.

**2. Which Herd-related domains should I whitelist?**\
You should whitelist any emails you create that use the domains `@x7k2m.net` or `@okta-auth-verify.com`. The username portion can vary; as long as the **domain** is allowlisted, messages from those domains will not be marked as spam for your users.

**3. Where do I go in the Admin console to find the email allowlist?**\
From `https://admin.google.com`, sign in with your admin account, then go to:\
Apps → Google Workspace → Gmail → **Spam, phishing and malware** (or **Security**, depending on your UI).\
There you’ll find the **Email allowlist / Approved senders**-type setting where you can add trusted domains and addresses.

**4. Should I add a full domain or specific email addresses to the allowlist?**\
You can add either:

* A full domain (for example, `herdsecurity.io`) to allow all senders from that domain, or
* A specific address (for example, `notifications@service.com`) if you only want to trust one sender.

The page recommends adding the **domains** you use for simulations so that all emails from those domains bypass spam filtering.

**5. How long do allowlist changes take to apply to my users?**\
After you save your changes in the Gmail allowlist settings and confirm the organizational units they apply to, it can take **several minutes** for the new policy to propagate across all user accounts. You may need to wait a short time before testing delivery with real messages.

<details>

<summary><strong>Whitelisting email domains – Google Workspace</strong></summary>

**1. Who should use this whitelisting method in Google Workspace?**\
This method is for **Google Workspace administrators** who have permission to manage Gmail settings at the admin console level. It’s intended for org-wide configuration, not for individual end users changing their own Gmail settings.

**2. Which Herd-related domains should I whitelist?**\
You should whitelist any emails you create that use the domains `@x7k2m.net` or `@okta-auth-verify.com`. The username portion can vary; as long as the **domain** is allowlisted, messages from those domains will not be marked as spam for your users.

**3. Where do I go in the Admin console to find the email allowlist?**\
From `https://admin.google.com`, sign in with your admin account, then go to:\
Apps → Google Workspace → Gmail → **Spam, phishing and malware** (or **Security**, depending on your UI).\
There you’ll find the **Email allowlist / Approved senders**-type setting where you can add trusted domains and addresses.

**4. Should I add a full domain or specific email addresses to the allowlist?**\
You can add either:

* A full domain (for example, `herdsecurity.io`) to allow all senders from that domain, or
* A specific address (for example, `notifications@service.com`) if you only want to trust one sender.

The page recommends adding the **domains** you use for simulations so that all emails from those domains bypass spam filtering.

**5. How long do allowlist changes take to apply to my users?**\
After you save your changes in the Gmail allowlist settings and confirm the organizational units they apply to, it can take **several minutes** for the new policy to propagate across all user accounts. You may need to wait a short time before testing delivery with real messages.

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://herd-security.gitbook.io/herd-security-docs/frequently-asked-questions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.