Authentik
In this example our authentik instance is hosted at https://auth.example.com/ and is running version 2026.2.1
Our Knocknoc instance is a cloud instance with URL https://authentiktest.knoc.cloud. If you are using a cloud server, replace with your own URL, or if you are using an on-premises server, this is the base URL to your Knocknoc server. Note: The Group Name in Knocknoc needs to match the Group Name provided by authentik.
Authentik have a guide on Knocknoc integration here: https://integrations.goauthentik.io/security/knocknoc/
Authentik config
- Create SAML property mappings
- Go to Customization -> Property Mappings
- Click on Create to create your first mapping
- Type: SAML Provider Property Mapping
- Name: SAML to Knocknoc realName
- SAML Attribute Name: realName
- Expression: return user.name
- Click Finish
- Click on Create to create your second mapping
- Type: SAML Provider Property Mapping
- Name: SAML to Knocknoc groups
- SAML Attribute Name: groups
- Expression: for group in user.ak_groups.all(): yield group.name
- Click Finish
- Click on Create to create your third mapping
- Type: SAML Provider Property Mapping
- Name: SAML to Knocknoc duration
- SAML Attribute Name: sessionDuration
- Expression: return 540
(Change 540 to the number of minutes required for sessions) - Click Finish
- Go to Customization -> Property Mappings
- Create Knocknoc provider
- Go to Applications -> Providers
- Click on create to create the Knocknoc provider
- Select SAML Provider
- Name: Knocknoc Provider
- Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
- Protocol setttings ->
- Advanced flow setttings ->
- Authentication flow: default-authentication-flow (Welcome to authentik!)
- Invalidation Flow: default-provider-invalidation-flow (Logged out of application)
- Authentication flow: default-authentication-flow (Welcome to authentik!)
- Advanced protocol settings ->
- Signing Certificate: authentic Self-signed Certificate
- Sign assertions: Enabled
- Sign responses: Disabled
- Sign logout requests: Disabled
- Verification Certificate: leave unchanged on default
- Encryption Certificate: leave unchanged on default
- Property mappings: Selected User Property Mappings ->
- SAML to Knocknoc realName
- SAML to Knocknoc groups
- SAML to Knocknoc duration
- authentik default SAML Mapping: Username
- NameID Property Mapping: authentik default SAML Mapping: Username
- Assertion valid not before: minutes=-5
- Assertion valid not on or after: minutes=5
- Session valid not on or after: minutes=86400
- Service Provider Binding: Post
- Defaule NameID Policy: Persistent
- Digest algorithm: SHA256
- Signature algorithm:SHA256
- Click Finish
- Create Knocknoc application
- Go to Applications -> Applications
- Click on create to create the Knocknoc Application
- Name: Knocknoc
- Slug: knocknoc
- Group: Knocknoc
- Provider: Knocknoc Provider
- Policy engine mode: any
- Click Create to finish
- Click on the newly created Knocknoc application
- Select the Policy / Group / User Bindings tab
- Click on Bind existing Group / User / Policy
- Select the Groups / Users that are to be allowed access to Knocknoc and create
- Get Knocknoc Provider Metadata URL
- Go to Applications -> Providers
- Click on Knocknoc Provider
- Under Metadata, click on Copy download URL (You will need this for the next step)
Knocknoc SAML config
- Log into Knocknoc admin and go to Settings
- Public URL: https://authentiktest.knoc.cloud
- Metadata URL: Paste the download URL copied in the previous step
Authentik have a guide on Knocknoc integration here: https://integrations.goauthentik.io/security/knocknoc/