SAML
SAML is an in-depth topic, but it is the best option for securing user logins and for centralized user management. There are many SAML providers and no single convention for configuration and implementation. Knocknoc is tried and tested with several of them, and its configuration is customizable enough to be adapted to any standards-compliant SAML 2.0 IdP.
SAML is the preferred authentication provider for Knocknoc. If you are unfamiliar with SAML, here is an overview of the general principles and terms.
SAML and Knocknoc
Knocknoc supports two IdPs (or integrations): one for user logins and one for the Admin interface login. This lets an MSP or security team manage users and ACLs without itself being granted access to the services being protected.
In single-IdP environments Knocknoc supports users and admins from one authentication source. Admin access can then be authorized using groups or other attributes carried in the IdP's SAML response.
Implementing SAML in Knocknoc
When configuring SAML in Knocknoc:
- Identify the IdP and SP: Knocknoc is the SP (Service Provider); your identity provider (e.g. OKTA, EntraID, Jumpcloud) is the IdP.
- Configure Assertions: Customize the assertions to include the user information Knocknoc needs. This can include group membership and/or static attribute values.
- Select Bindings and Profiles: Choose bindings and profiles appropriate to your use case; for browser logins this is normally the Web Browser SSO profile, with the IdP posting the response to the ACS URL over the HTTP-POST binding.
- Test the SAML Flow: Confirm that the authentication flow works as expected and is secure. Capture the SAML response with a browser extension such as SAML-tracer and check that it is signed, that Destination and Recipient match the ACS URL, that the Audience matches the SP, and that the expected group attribute is present.
- Monitor and Update: Regularly review the SAML setup and update it as necessary, taking new security patches and compliance requirements into account.
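To make the "Test the SAML Flow" step concrete, the following is an added example written for this page; it is not Knocknoc's own code. It decodes a SAMLResponse value copied from SAML-tracer and reports the checks an SP must make before trusting it (Status, Destination and Recipient against the ACS URL, Audience against the SP entity ID, Issuer, validity window, presence of a signature), and it extracts the NameID and group attribute that Knocknoc later matches against its Group/Knoc definitions. The ACS URL is taken from this page; treating the metadata URL as the SP entity ID, the IdP entity ID, the attribute name `groups` and the embedded sample response are all assumptions or constructed test data. The script only checks that a signature element exists; cryptographic verification against the IdP's metadata certificate needs an xmlsec-backed library such as python3-saml.

```python
"""Decode a SAMLResponse (as captured with SAML-tracer) and check what an SP must validate.
Added example, not Knocknoc code. Signature presence only; real verification needs xmlsec."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml in production to resist XML bombs
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# ACS URL is from the Knocknoc docs. Using the metadata URL as SP entity ID is an assumption:
# read the real entityID from /api/saml/metadata. The IdP entity ID is hypothetical.
EXPECTED_ACS = "https://demo.knoc.cloud/api/saml/acs"
EXPECTED_AUDIENCE = "https://demo.knoc.cloud/api/saml/metadata"
EXPECTED_ISSUER = "https://idp.example.com/saml"
FIXED_NOW = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)   # inside the sample's window
LATE_NOW = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)   # after the sample expired


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:10:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(b64_response, now=None, group_attr="groups"):
    """Return {'ok', 'problems', 'name_id', 'attributes', 'groups'} for a base64 SAMLResponse."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        problems.append("root element is not samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != EXPECTED_ACS:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
        return {"ok": False, "problems": problems, "name_id": None, "attributes": {}, "groups": []}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        problems.append(f"Issuer {issuer!r} is not the configured IdP")
    # The Response or the Assertion must be signed; only presence is checked here.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_ACS:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if EXPECTED_AUDIENCE not in audiences:
            problems.append(f"Audience {audiences} does not include the SP entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {"ok": not problems, "problems": problems, "name_id": name_id and name_id.strip(),
            "attributes": attributes, "groups": attributes.get(group_attr, [])}


# Constructed, unsigned sample: the empty ds:Signature satisfies only the presence check.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:04:00Z" Destination="{EXPECTED_ACS}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:04:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <ds:Signature/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}" NotOnOrAfter="2024-05-01T10:10:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>knocknoc-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def tampered_sample():
    """The same response redirected at the Admin ACS, as a user assertion replayed there would be."""
    moved = SAMPLE_RESPONSE_XML.replace(EXPECTED_ACS, "https://demo.knoc.cloud/api/admin/saml/acs")
    return base64.b64encode(moved.encode()).decode()


if __name__ == "__main__":
    for label, b64, now in (("good", SAMPLE_RESPONSE_B64, FIXED_NOW),
                            ("wrong ACS", tampered_sample(), FIXED_NOW),
                            ("expired", SAMPLE_RESPONSE_B64, LATE_NOW)):
        print(label, check_saml_response(b64, now=now))
```

To use it against a live flow, paste the raw SAMLResponse form value from SAML-tracer in place of SAMPLE_RESPONSE_B64 and call check_saml_response with no `now` argument. The tampered case shows why the Destination and Recipient checks matter: an assertion the IdP issued for the user endpoint must not be accepted at the Admin ACS, since the two integrations are separate trust domains.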
SAML URLs
If you already know SAML and want to skip ahead, the following should get you going quickly:
- Metadata URL: https://demo.knoc.cloud/api/saml/metadata (use /api/admin/saml/metadata for Admin SAML)
- ACS URL: https://demo.knoc.cloud/api/saml/acs (use /api/admin/saml/acs for Admin SAML)
- Login URL: https://demo.knoc.cloud/api/login/saml (use /api/admin/login/saml for Admin SAML)
Note that for the Admin SAML integration the URLs include 'admin', as shown above.
User versus Admin SAML
SAML users are created automatically when they log in to Knocknoc; however, a group in their assertion must match an existing Group/Knoc definition before any onward access is granted.
For Admins, the Admin user must first be created in the Knocknoc Admin portal before a SAML-based login can occur.
Note that the User and Admin SAML domains are separate, allowing you to use one IdP for Users and another entirely different one for Admins.
SAML-only mode, disabling local users
You can disable local users, forcing SAML-only login, on the Admin -> Settings page; re-enable local users at any time if they are required.
When SAML-only mode is enabled, Knocknoc forwards users straight to your IdP, streamlining access and avoiding confusion during major rollouts. It can be combined with the "Instant referrer redirect (no countdown)" option, which sends users directly to the service they were trying to access. Together the two give a fast but secure redirect experience, granting just-in-time network access without friction.
