SAML with ADFS

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Wherever you see that, please substitute it for your own instance URL.

Setting Up the IdP (ADFS)

CreateDefine anthe ApplicationClaim Description

Log in to the Windows Server running ADFS
In Server Manager, select Tools, and then select AD FS Management.

Expand

~~Go to Identity~~Service and select ~~Applications~~Claim ~~than~~Descriptions

~~Enterprise~~

Select ~~Applications~~Add Claim Description on the right hand panel

Set Display name to something meaningful, eg: Knocknoc Persistent Identifier

Set Short Name to Knocknoc

Set the Claim type to: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Tick both boxes underneath, Publish this claim ...

Once saved it should look like the below:

Define the Relying Party Trust

Navigate to Relying Party Trusts underneath the AD FS section (within the AD FS Management MMC)

Select Add Relying Party Trust from the right hand panel

Select Claims aware and Start to step through the wizard

Select Import data about the relying party published online

Enter the URL of your server, eg: https://demo.knocknoc.io/api/saml/metadata

Select Next

If you receive a TLS error, you must enable TLS/1.2 via the registry (see https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#configure-for-strong-cryptography) and note below [1]

Enter a Display name, eg: Knocknoc and click Next

Select an appropriate access control policy and consider MFA, this can be changed later
Click ~~New~~Next ~~Application~~

A summary is now shown, click Next

Select Configure claims issuance policy for this application, click Close

Define the Relying Party Trust

Once on the Edit Claim Issuance Policy section
Click ~~Create~~Add ~~your own application.~~Rule
~~Type~~Select aTransform and Incoming Claim, click Next

Name the rule, eg: Knocknoc

Incoming claim type should be set to Windows account name

Outgoing claim type: Name ID

Outgoing name ~~for~~ID ~~your~~format: ~~application~~Persistent ~~(e.g knocknoc)~~

~~Check "Integrate any other application you don't find in the gallery (Non-gallery)"~~Identifer
Click ~~Create.~~Finish and Apply

It should appear similar to the below

TLS errors and enabling TLS/1.2

If you receive TLS/SSL errors trying to validate the metadata file, you may need to enable TLS/1.2 via your registry.

Registry configuration to enable TLS/1.2:

Assign Groups

Click "Assign users and groups"
Click "None Selected" under groups.
Add the user groups you wish to access Knocknoc protected services.

Note: Knocknoc and EntraID group names need to match for automatic user assignment. Best practice is to have at least one group per Knocknoc protected service.

SAML Configuration

Click Set up single sign on.
Click SAML.
In the Basic SAML section, add the links to your Knocknoc instance.
1. Set the Indentifier (Entity ID) to https://demo.knoc.cloud/api/saml/metadata
2. Set the Reply URL (Assertion Consumer Service URL) to https://demo.knoc.cloud/api/saml/acs
3. Leave the Optional Basic SAML Configuration options blank at this stage and click Save.
In the Attributes & Claims section
1. Update the Required Claim, changing the Name Identifier Format to Persistent
2. Remove all other Claims.
3. Add a group Claim.
  1. Select Security Groups
  2. Select Group ID for the Source Attribute.
  3. Check "Customize the name of the group claim" Under Advanced Options
  4. Add the Name as, groups.
  5. Click save when done.
4. Add in a New Claim
  1. Set the Name as "realName".
  2. Leave Source as Attribute.
  3. Set Source Attribute to "user.displayname".
5. Add another New Claim
  1. Set the Name as "sessionDuration"
  2. Leave Source as Attribute.
  3. Set Source Attribute to the default login duration in seconds for users logging in to Knocknoc. You can manually override this with a user attribute later for specific users.
6. Add a third New Claim
  1. Set the Name as "username"
  2. Leave Source as Attribute.
  3. Set Source Attribute "user.userprincipalname"
Go to SAML Certificates section
1. Generate a new certificate and key, this can be done on a Linux host using the below command.
  openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key
2. Convert the certificate to pfx using the following command.
  openssl pkcs12 -export -out user-demo-knoc-cloud.pfx -inkey user-demo-knoc-cloud.key -in user-demo-knoc-cloud.crt
3. Enter a password and note it down.
4. Import Certificate, select the pfx certificate you just created and enter the password.
5. Then make the new certificate Active by clicking the dots on the right and choosing Make Certificate Active.
6. Download the federation Metadata XML.
Set Up Knocknoc
1. Copy the Login URL, this will be required for the Knocknoc SAML config.

Knocknoc SAML Config

Login In the Knocknoc admin interface.
Click on Settings on the left.
Under Public URL enter you knocknoc url. Note: do not add a / at the end of the URL.
For the SAMLMetaDataFile, upload the xml file you downloaded from EntraID.
For the SAMLCertFile, upload the certificate (.crt) file you created in during the SAML Configuration.
For the SAMLKeyFile, upload the key (.key) file you created in during the SAML Configuration.
For the SAMLMetadataUrl, paste the Login URL copied in Step 6 of the previous section.
Click Save.

Final Testing

Assuming you granted your own user permission to one or more Knocknoc groups in EntraID, you should now be able to login to Knocknoc using SSO.

Browse to https://demo.knoc.cloud
There should now be an "SSO Login" button.
Click this, if you are not already authenticated to your IdP you should now be directed to the IdP login page. Note: If you are already authenticated you'll simply be redirected to an authenticated Knocknoc session.
If ACLs have already been added you should also see these now say Granted.

If this all works, congratulations! You've successfully run the SAML gauntlet.