Skip to main content

Ping Identity

Ping Identity SSO

Configure 1KosmosPingOne as a SAML identity provider (IdP) for Knocknoc. Once connected, your usersUsers authenticate against 1Kosmos — including its biometric and passwordless factors —Ping, and Knocknoc maps their group membership to access entitlements.

This example assumes your Knocknoc instance is at https://<tenant>.knoc.cloud. Substitute your own instance URL throughout (e.g. https://demo.knoc.cloud).

In this integration:

  • Knocknoc is the Service Provider (SP) — it consumes the SAML assertion.
  • 1KosmosPingOne is the Identity Provider (IdP) — it authenticates the user and issues the assertion.
┌──────────┐

These 1.steps Accesscover request ┌──────────┐ │ User │ ─────────────────────▶ │ Knocknoc │ └──────────┘ │PingOne (SP)cloud). PingOne for └────┬─────┘Enterprise and PingFederate 2.expose the same building blocks — a SAML AuthnRequestapplication, attribute 5.mapping, Assertionand returnedan IdP metadata +URL group claimsso ┌───────────────┐the └──────────────────────────Knocknoc-side values 1Kosmosare identical 4.and Authenticatedthe flow (IdP)transfers with └───────────────┘minor 3.menu Userdifferences.

authenticates (biometric / passwordless)

User vs Admin SAML. Knocknoc supports SAML for the user portal and, separately, for the admin interface.interface, The two useusing different endpoint paths (/api/saml/... vs /api/admin/saml/...). Configure Users first; once confirmed working, extend to Admins while keeping a local break-glass admin account.

Before you begin

You will need:

  • Community administratorAdministrator access to your 1Kosmos AdminXPingOne tenant.environment.
  • Administrator access to your Knocknoc instance.
  • AnThe identityKnocknoc provider already configured in AdminX (Settings > IdP Configuration). 1Kosmos allows one IdP per tenant.
A directory integration (AD / LDAP) connected in AdminX ifgroups you intend to passgate groupaccess membershipwith already seecreated Passing(or grouptheir membershipnames to hand).

A note on metadata. Unlike Entra ID — which publishes a hosted App Federation Metadata URL you paste straight into Knocknoc — 1Kosmos, when acting as the IdP, provides only a downloadable metadata XML file plus individual endpoint values. Before rollout, confirm how your Knocknoc build accepts IdP metadata (hosted URL, uploaded file, or manual endpoint entry); this determines which method you use in Step 3.

Step 11: — Gather IdP details from 1Kosmos

In AdminX, go to Settings > IdP Configuration and open your identity provider.

Value Where to find it IdP Entity ID Generated fromCreate the Name field under Core Configuration SSO URL Service URL Endpoints → Single SignOn Service SLO URL (optional) Service URL Endpoints → Single Logout Service Signing certificate Signing Certificate → Options > View & Download Certificate (X.509 .pem) Metadata XML SAML Metadata → Download

Set Authentication Request to Signed (recommended). Keep these to hand — you will use them in Step 3.

Step 2: Add Knocknoc as a SAML app in 1KosmosPingOne

    In AdminX,the PingOne admin console, go to ApplicationsConnections > Applications. Click the + (Add ApplicationApplication). UnderEnter Customa Appname (e.g. Knocknoc), select SAML 2.0 GenericApplication, and click Add IntegrationConfigure.

    2.1 Application details

    Field Value Application name Knocknoc Application access URL https://<tenant>.knoc.cloud/

    ClickIn NextProvide App Metadata.

    ,

    2.2 SAML settings

    Field Value NameID Format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent NameID Value username (the user's UPN / login identifier)

    2.3 Claims mapping

    Knocknoc readschoose fourManually Enter specific claims. The claim names must match exactly — username, realName, sessionDuration and groups. In the Claims Mapping section, click Add new for each:set:

    Claim name (required) 1Kosmos source Notes username User.Username The user's login identifier. realName display-name attribute 1Kosmos has no displayname by default — map to a full-name attribute, or create one mapped to the directory displayName. sessionDuration integer, e.g. 480 Login duration in minutes, whole number, no quotes. Confirm whether your 1Kosmos build can emit a fixed value or requires a session/per-user attribute. groups mapped group attribute See Step 4. Customise the claim name to exactly groups.

    Click Next.

    2.4 Advanced options

    Field Value (Users) Value (Admin)
    ACS URLs https://<tenant>.knoc.cloud/api/saml/acs https://<tenant>.knoc.cloud/api/admin/saml/acs Entity ID https://<tenant>.knoc.cloud/api/saml/metadata https://<tenant>.knoc.cloud/api/admin/saml/metadata

    Click ACSSave.

    Shortcut: instead of manual entry you can select Import From URL

    and point PingOne at the Knocknoc SP metadata endpoint (https://<tenant>.knoc.cloud/api/saml/acsmetadata) to populate ACS and Entity ID automatically. Generate the Knocknoc keypair first (Step 4) so the SP certificate is present in the metadata.

    Step 2: Set the NameID format

    In the application's Configuration > SAML settings, set:

    Field Value Subject NameID Format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    Map the subject (SAML_SUBJECT) to the user's Username.

    Step 3: Configure attribute mapping

    Knocknoc reads four specific claims. The claim names must match exactly. On the Attribute Mapping page, add each pair (claim name on the left, PingOne attribute on the right) and tick Required where noted:

    Claim name (required) PingOne attribute Notes username https://<tenant>.knoc.cloud/api/admin/saml/acsUsername Required. The user's login identifier. ACS Method POSTrealName POSTFormatted (full name) If unavailable, use a display-name attribute, or combine Given Name + Family Name. Signing certificate (optional)sessionDuration Uploadliteral Knocknoc'svalue, public-keye.g. .pem480 if Knocknoc signs its requests sameLogin duration in minutes (whole number). Enter as a literal/expression value, not a directory attribute. groups Group Names Emits the names of every group the user belongs to.

    Click Save.

    AlwaysThe confirmsessionDuration claim controls the exactKnocknoc Entitylogin IDsession length and ACSis URLindependent againstof yourPingOne's KnocknocAssertion Validity Duration (the lifetime of the SAML configurationassertion screen before going live.itself).

    Step 3:4: Configure Knocknoc (SP)

      In PingOne, open the application's Configuration tab and copy the IdP Metadata URL. Toggle the application on to enable it. In Knocknoc, log in to the admin interface and open Settings.
        ProvideIn the 1KosmosMetadata IdPURL metadatafield, usingpaste the methodPingOne yourIdP build supports (hosted metadata URL, uploaded metadata XML from Step 1, or manual entry of Entity ID + SSOMetadata URL + signing certificate). Click Generate new keypair, andthen save.Save. (Optionally, supply your own keys/certificate manually.) Click Save.

        Manual-entryBecause referencePingOne (ifserves youra buildlive, supportshosted it):

        metadata
        URL, Knocknoc fieldstays Pastein fromsync 1Kosmoswith (Step 1) IdP Entity ID Entity ID IdP SSO URL Single SignOn Service IdP SLO URL (optional) Single Logout Service IdPPing's signing certificate Signingautomatically — no manual certificate (.pem)handling required.

        Step 4: Passing group membership

        Knocknoc maps the groups claim to its access entitlements (ACLs). 1Kosmos does not emit a groups attribute by default — the standard session attributes are only firstname, lastname, status, username, email and phone. You must create and map it.

        1. Create a session attribute Go to Settings > 1Kosmos Attributes > Add new. Name it groups.

        2.5: Map it to your directory In your AD / LDAP directory integration, map the new attribute to the directory's group field (for example, Active Directory memberOf). Without this mapping the claim ships empty.

        3. Expose it as a claim Confirm groups is present in the Knocknoc app's Claims Mapping (Step 2.3), with the claim name set to exactly groups.

        Matching groups in Knocknoc.Knocknoc

        PingOne's Group Names attribute sends human-readable group names, so use Knocknoc's by-name matching: set each Knocknoc matches the group values it receives against thegroup's Group Name field on each Knocknoc group. Decide your scheme up front:

          By name —to the claimexact carries human-readablePingOne group namesname (e.g. US-Admin-SSH); use those strings as the Group Name in Knocknoc. By GUID/Object ID — the claim carries directory object IDs (e.g. 6a696eec-482f-4b40-97c8-9ea3dba8ac3a); use those IDs as the Group Name in Knocknoc. .

          Multi-value check. Verify on a test user that 1KosmosPingOne emits multiple groups as repeated <AttributeValue> elements rather than a single delimited string. Knocknoc expects discrete values; a delimited string is the most common cause of group-mapping failures.

          Step 5:6 — Test

          1. Browse to https://<tenant>.knoc.cloud/. An SSO Login button should be present.
          2. Click it. If not already authenticated to 1Kosmos,Ping, you are redirected to the 1KosmosPingOne sign-in page.
          3. Authenticate (scan the QR code with the 1Kosmos mobile app, or enter username, password and OTP).Authenticate.
          4. Confirm you are returned to Knocknoc and that any ACLs tied to your groups now show Granted.

          Once Users work, repeat for the Admin interface using the /api/admin/saml/... endpoints — and keep a local break-glass admin in case SAML breaks.

          Troubleshooting

          Symptom Likely cause
          Redirect loop / "invalid issuer" Entity ID mismatch — checkconfirm it ends in /api/saml/metadata (or /api/admin/saml/metadata)
          Assertion rejected WrongKnocknoc keypair not generated, or expired signing certificate; re-download from Step 1, or regenerate the KnocknocIdP keypairMetadata URL is wrong/unreachable
          User authenticates but lands with no access groups claim empty (check directorythe Group Names mapping) or the Knocknoc Group Name in Knocknoc doesn't match the claimPingOne valuegroup (name vs GUID)
          All users land in one group Groups arriving as a delimited string, not repeated <AttributeValue> elements
          Session ends too soon / too late sessionDuration claim missing or wrong; it is whole minutes (e.g. 480)
          "NameID format" error Subject NameID format mismatch — confirm Persistent on both sides

          Reference — value exchange

          Direction Values
          1KosmosPingOne → Knocknoc EntityIdP ID,Metadata URL (carries SSO URL, SLOEntity URLID (optional),and signing certificate, metadata XMLcertificate)
          Knocknoc → 1KosmosPingOne Application access URL, SP Entity ID (/api/saml/metadata), ACS URL (/api/saml/acs, POST), SP signingEntity certID (optional)/api/saml/metadata)

          Need help? Contact Knocknoc support or your solutions engineer.

          Back to top