
SAML with ADFS

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Wherever you see that, please substitute it for your own instance URL.


Create certificates

Create a key/certificate pair on your local machine

  1. Generate a new certificate and key. On a Linux host this can be done with the command below.
    openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key
  2. Enter a password and note it down.
  3. It will be required on both sides of the connection, Windows AD FS and Knocknoc.

Knocknoc SAML Config

  1. Log in to the Knocknoc admin interface (e.g. https://your-knocknoc.cloud/admin/)
  2. Click on Settings on the left.
  3. Under Public URL enter your Knocknoc URL. Note: do not add a trailing / to the URL.
  4. For the SamlMetadataUrl enter your ADFS host, adding /FederationMetadata/2007-06/federationmetadata.xml
    1. eg: https://your-adfs-site/FederationMetadata/2007-06/federationmetadata.xml
  5. For the SAMLCertFile, upload the certificate (.crt) file you created during certificate creation.
  6. For the SAMLKeyFile, upload the key (.key) file you created during certificate creation.
  7. Click Save.
  8. You can verify this worked correctly by visiting https://your-knocknoc.cloud/api/saml/metadata and observing the downloaded metadata file.

Setting Up the IdP (ADFS)

Define the Claim Description

  1. Log in to the Windows Server running ADFS

  2. In Server Manager, select Tools, and then select AD FS Management.

  3. Expand Service and select Claim Descriptions
  4. Select Add Claim Description on the right hand panel
  5. Set Display name to something meaningful, eg: Knocknoc Persistent Identifier
  6. Set Short Name to Knocknoc
  7. Set the Claim type to: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  8. Tick both boxes underneath, Publish this claim ...
  9. Once saved it should look like the below:

[Screenshot: the saved Knocknoc claim description]

Define the Relying Party Trust

  1. Navigate to Relying Party Trusts underneath the AD FS section (within the AD FS Management MMC)

  2. Select Add Relying Party Trust from the right hand panel

  3. Select Claims aware and Start to step through the wizard
  4. Select Import data about the relying party published online
  5. Enter the URL of your server, eg: https://demo.knocknoc.io/api/saml/metadata
  6. Select Next
  7. If you receive a TLS error, you must enable TLS/1.2 via the registry (see https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#configure-for-strong-cryptography and the note below [1])
  8. Enter a Display name, eg: Knocknoc and click Next
  9. Select an appropriate access control policy and consider MFA (this can be changed later)
  10. Click Next
  11. A summary is now shown, click Next
  12. Select Configure claims issuance policy for this application, click Close

Define the Claim Issuance Policy

  1. On the Edit Claim Issuance Policy screen

  2. Click Add Rule
  3. Select Transform and Incoming Claim, click Next
  4. Name the rule, eg: Knocknoc
  5. Incoming claim type should be set to Windows account name
  6. Outgoing claim type: Name ID
  7. Outgoing name ID format: Persistent Identifier
  8. Click Finish and Apply
  9. It should appear similar to the below

[Screenshot: the completed claim rule]


TLS errors and enabling TLS/1.2

If you receive TLS/SSL errors trying to validate the metadata file, you may need to enable TLS/1.2 via your registry.

[Screenshot: TLS error when validating the metadata file]

Registry configuration to enable TLS/1.2:

[Screenshots: registry configuration enabling TLS/1.2]
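One way to apply that registry configuration, as an added PowerShell example that is not part of the Knocknoc documentation. It assumes an elevated PowerShell session on the AD FS server and uses the .NET Framework and Schannel keys from the Microsoft guidance linked above; the Knocknoc URL in the final check is the demo URL from this article and should be replaced with your own.

```powershell
# Added example (not from the Knocknoc docs): enable TLS 1.2 for .NET Framework
# and the Schannel client on the AD FS server. Run elevated; reboot afterwards.

$dotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $dotNetKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # SystemDefaultTlsVersions makes .NET follow the OS Schannel protocol defaults;
    # SchUseStrongCrypto stops .NET from falling back to SSL 3.0 / TLS 1.0.
    New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWord -Force | Out-Null
}

# Schannel: explicitly enable the TLS 1.2 client protocol.
$tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
if (-not (Test-Path $tls12Client)) { New-Item -Path $tls12Client -Force | Out-Null }
New-ItemProperty -Path $tls12Client -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $tls12Client -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null

# Verify the resulting values before rebooting.
foreach ($key in ($dotNetKeys + $tls12Client)) {
    Get-ItemProperty -Path $key |
        Select-Object PSPath, SystemDefaultTlsVersions, SchUseStrongCrypto, Enabled, DisabledByDefault
}

# After the reboot, confirm the AD FS host can fetch the Knocknoc metadata over TLS
# (substitute your own instance URL for the demo one):
Invoke-WebRequest -Uri 'https://demo.knoc.cloud/api/saml/metadata' -UseBasicParsing |
    Select-Object StatusCode
```

If the final request still fails, the error message will now reflect certificate or network problems rather than a protocol mismatch, which narrows what to check next.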


Final Testing

Assuming you granted your own user permission to one or more Knocknoc groups in EntraID, you should now be able to log in to Knocknoc using SSO.

  1. Browse to https://demo.knoc.cloud
  2. There should now be an "SSO Login" button.
  3. Click it. If you are not already authenticated to your IdP you should now be directed to the IdP login page. Note: if you are already authenticated you'll simply be redirected to an authenticated Knocknoc session.
  4. If ACLs have already been added you should also see these now say Granted.

If this all works, congratulations! You've successfully run the SAML gauntlet.