SAML with Authentik

In this example, our Authentik instance is hosted at https://auth.example.com/ and is running version 2024.12.2.

Our Knocknoc instance is a cloud instance with URL https://authentiktest.knoc.cloud. If you are using a cloud server, replace this with your own URL; if you are using an on-premise server, use the base URL of your Knocknoc server.

Note: The Group Name in Knocknoc needs to match the Group Name provided by Authentik.

Authentik config

  • Create SAML property mappings
    • Go to Customization -> Property Mappings
    • Click on Create to create your first mapping
    • Type: SAML Provider Property Mapping
    • Name: SAML to Knocknoc realName
    • SAML Attribute Name: realName
    • Expression: return user.name
    • Click Finish
    • Click on Create to create your second mapping
    • Type: SAML Provider Property Mapping
    • Name: SAML to Knocknoc groups
    • SAML Attribute Name: groups
    • Expression: for group in user.ak_groups.all(): yield group.name
    • Click Finish
    • Click on Create to create your third mapping
    • Type: SAML Provider Property Mapping
    • Name: SAML to Knocknoc duration
    • SAML Attribute Name: sessionDuration
    • Expression: return 540
      (Change 540 to the number of minutes required for sessions)
    • Click Finish
  • Create Knocknoc provider
    • Go to Applications -> Providers
    • Click on Create to create the Knocknoc provider
    • Type: SAML Provider
    • Name: Knocknoc Provider
    • Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
    • ACS URL: https://authentiktest.knoc.cloud/api/saml/acs
    • Issuer URL: https://auth.example.com
    • Service Provider Binding: Post
    • Audience: https://authentiktest.knoc.cloud/api/saml/metadata
    • Authentication flow: default-authentication-flow (Welcome to authentik!)
    • Invalidation Flow: default-provider-invalidation-flow (Logged out of application)
    • Signing Certificate: authentik Self-signed Certificate
    • Sign assertions: Enabled
    • Sign responses: Disabled
    • Verification Certificate: leave unchanged on default
    • Encryption Certificate: leave unchanged on default
    • Property mappings: Selected User Property Mappings
      • SAML to Knocknoc realName
      • SAML to Knocknoc groups
      • SAML to Knocknoc duration
      • authentik default SAML Mapping: Username
    • NameID Property Mapping: authentik default SAML Mapping: Username
    • Assertion valid not before: minutes=-5
    • Assertion valid not on or after: minutes=5
    • Session valid not on or after: minutes=86400
    • Digest algorithm: SHA256
    • Signature algorithm: RSA-SHA256
    • Click Finish
  • Create Knocknoc application
    • Go to Applications -> Applications
    • Click on Create to create the Knocknoc Application
    • Name: Knocknoc
    • Slug: knocknoc
    • Group: Knocknoc
    • Provider: Knocknoc Provider
    • Policy engine mode: any
    • Click Create to finish
    • Click on the newly created Knocknoc application
    • Select the Policy / Group / User Bindings tab
    • Click on Bind existing Group / User / Policy
    • Select the Groups / Users that are to be allowed access to Knocknoc and click Create
  • Get Knocknoc Provider Metadata URL
    • Go to Applications -> Providers
    • Click on Knocknoc Provider
    • Click on Copy download URL (you will need this in the next step)
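The three property mappings above produce the realName, groups and sessionDuration attributes that Knocknoc reads from the assertion, and the note at the top says the group names must match. The following added example (not part of this page or of either product) parses a constructed SAML AttributeStatement shaped like that output and reports missing attributes and which groups would match a given list of Knocknoc group names; it assumes the assertion's signature has already been verified by the service provider.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment, shaped like the attributes the three
# mappings above emit. It was not captured from a real Authentik instance.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="realName">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Knocknoc</saml:AttributeValue>
      <saml:AttributeValue>Developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="sessionDuration">
      <saml:AttributeValue>540</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attribute names Knocknoc expects, as set in the property mappings above.
REQUIRED = ("realName", "groups", "sessionDuration")

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def check_knocknoc_attributes(assertion_xml, knocknoc_groups):
    """Return (problems, matched_groups) for the assertion.

    knocknoc_groups is the list of group names configured in Knocknoc (assumed
    input). Matching is exact and case-sensitive, which is why the group name
    in Knocknoc must be spelled exactly as Authentik sends it.
    """
    attrs = parse_attributes(assertion_xml)
    problems = [f"missing attribute {n}" for n in REQUIRED if not attrs.get(n)]
    duration = attrs.get("sessionDuration", [""])[0]
    if not duration.isdigit() or int(duration) <= 0:
        problems.append("sessionDuration is not a positive integer of minutes")
    matched = sorted(set(attrs.get("groups", [])) & set(knocknoc_groups))
    if not matched:
        problems.append("no group in the assertion matches a Knocknoc group")
    return problems, matched
```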

Knocknoc SAML config

SAML Key file and SAML Cert file are currently required fields in Knocknoc.
You can generate a certificate and key on a Linux host with the following command:
openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key