SAML with Authentik
In this example our Authentik instance is hosted at https://auth.example.com/ and is running version 2024.12.2.
Our Knocknoc instance is a cloud instance with the URL https://authentiktest.knoc.cloud. If you are using a cloud server, replace this with your own URL; if you are using an on-premise server, use the base URL of your Knocknoc server.
Note: The Group Name in Knocknoc needs to match the Group Name provided by Authentik.
Authentik config
- Create SAML property mappings
  - Go to Customization -> Property Mappings
  - Click on Create to create your first mapping
    - Type: SAML Provider Property Mapping
    - Name: SAML to Knocknoc realName
    - SAML Attribute Name: realName
    - Expression: return user.name
    - Click Finish
  - Click on Create to create your second mapping
    - Type: SAML Provider Property Mapping
    - Name: SAML to Knocknoc groups
    - SAML Attribute Name: groups
    - Expression: for group in user.ak_groups.all(): yield group.name
    - Click Finish
  - Click on Create to create your third mapping
    - Type: SAML Provider Property Mapping
    - Name: SAML to Knocknoc duration
    - SAML Attribute Name: sessionDuration
    - Expression: return 540 (change 540 to the number of minutes required for sessions)
    - Click Finish
- Create Knocknoc provider
  - Go to Applications -> Providers
  - Click on Create to create the Knocknoc provider
    - Type: SAML Provider
    - Name: Knocknoc Provider
    - Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
    - ACS URL: https://authentiktest.knoc.cloud/api/saml/acs
    - Issuer URL: https://auth.example.com
    - Service Provider Binding: Post
    - Audience: https://authentiktest.knoc.cloud/api/saml/metadata
    - Authentication flow: default-authentication-flow (Welcome to authentik!)
    - Invalidation Flow: default-provider-invalidation-flow (Logged out of application)
    - Signing Certificate: authentik Self-signed Certificate
    - Sign assertions: Enabled
    - Sign responses: Disabled
    - Verification Certificate: leave unchanged on default
    - Encryption Certificate: leave unchanged on default
    - Property mappings: Selected User Property Mappings
      - SAML to Knocknoc realName
      - SAML to Knocknoc groups
      - SAML to Knocknoc duration
      - authentik default SAML Mapping: Username
    - NameID Property Mapping: authentik default SAML Mapping: Username
    - Assertion valid not before: minutes=-5
    - Assertion valid not on or after: minutes=5
    - Session valid not on or after: minutes=86400
    - Digest algorithm: SHA256
    - Signature algorithm: RSA-SHA256
    - Click Finish
- Create Knocknoc application
  - Go to Applications -> Applications
  - Click on Create to create the Knocknoc Application
    - Name: Knocknoc
    - Slug: knocknoc
    - Group: Knocknoc
    - Provider: Knocknoc Provider
    - Policy engine mode: any
    - Click Create to finish
  - Click on the newly created Knocknoc application
  - Select the Policy / Group / User Bindings tab
  - Click on Bind existing Group / User / Policy
  - Select the Groups / Users that are to be allowed access to Knocknoc and create
- Get Knocknoc Provider Metadata URL
  - Go to Applications -> Providers
  - Click on Knocknoc Provider
  - Click on Copy download URL (you will need this for the next step)
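To see what the three property mappings and the provider settings above actually put in front of Knocknoc, the following added example (not code from the Knocknoc or Authentik documentation) parses a constructed SAML response shaped like the one Authentik would send and checks the points this guide depends on: the assertion element carries a signature (Sign assertions: Enabled), the audience matches the Audience setting, the NameID is present, the realName, groups and sessionDuration attributes exist, sessionDuration is a positive number of minutes, and at least one group name matches a Knocknoc group exactly (the note at the top of the page). The XML, the user "alice" and the group "authentik Admins" are constructed sample data, and the signature value is a placeholder that is not cryptographically verified; a real deployment leaves signature verification to Knocknoc's SAML library.

```python
"""Inspect a SAML assertion against the Knocknoc/Authentik settings in this guide.

Added example; the response below is a constructed sample (placeholder signature,
made-up user and groups), not real Authentik output.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample; URLs and attribute names mirror the guide's settings.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://authentiktest.knoc.cloud/api/saml/acs">
  <saml:Issuer>https://auth.example.com</saml:Issuer>
  <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1">
    <saml:Issuer>https://auth.example.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://authentiktest.knoc.cloud/api/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="realName">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Knocknoc</saml:AttributeValue>
        <saml:AttributeValue>authentik Admins</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sessionDuration">
        <saml:AttributeValue>540</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_bytes):
    """Return NameID, audiences, attribute map and whether the Assertion
    element itself carries a ds:Signature (presence only, not verified)."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        # Multi-valued attributes (groups) become a list, one entry per value.
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    audiences = [
        (a.text or "").strip()
        for a in assertion.iterfind(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    return {
        "name_id": assertion.findtext(
            "saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "audiences": audiences,
        "attributes": attrs,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }


def check_assertion(parsed, expected_audience, knocknoc_groups):
    """Return a list of problems; an empty list means the assertion matches
    what the Knocknoc configuration in this guide expects."""
    problems = []
    attrs = parsed["attributes"]
    if not parsed["assertion_signed"]:
        problems.append("assertion is not signed (guide enables 'Sign assertions')")
    if expected_audience not in parsed["audiences"]:
        problems.append("audience mismatch: %r" % parsed["audiences"])
    if not parsed["name_id"]:
        problems.append("empty NameID")
    for required in ("realName", "groups", "sessionDuration"):
        if required not in attrs:
            problems.append("missing attribute %s" % required)
    duration = (attrs.get("sessionDuration") or [""])[0]
    if not duration.isdigit() or int(duration) <= 0:
        problems.append("sessionDuration is not a positive number of minutes: %r" % duration)
    # Group names must match Knocknoc's group names exactly (case included).
    groups = attrs.get("groups", [])
    if not set(groups) & set(knocknoc_groups):
        problems.append("no group in %r matches a Knocknoc group" % groups)
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_RESPONSE)
    print(parsed)
    print(check_assertion(parsed,
                          "https://authentiktest.knoc.cloud/api/saml/metadata",
                          ["Knocknoc"]))
```

When a real login fails, the response can be captured from the browser's SAML trace (base64-decoded POST to /api/saml/acs) and fed to parse_assertion; a mismatch reported by check_assertion usually points at a typo in a group name, a wrong Audience value, or assertion signing left disabled on the provider.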
Knocknoc SAML config
- Log into Knocknoc admin and go to Settings
  - Public URL: https://authentiktest.knoc.cloud
  - Metadata URL: Paste the download URL copied in the previous step
SAML Key file and SAML Cert file are currently required fields in Knocknoc.
You can generate a self-signed certificate and key on a Linux host with the command:
openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key