
SAML with Authentik

In this example our authentik instance is hosted at https://auth.example.com/ and is running version 2026.2.1

Our Knocknoc instance is a cloud instance with URL https://authentiktest.knoc.cloud. If you are using a cloud server, replace this with your own URL; if you are using an on-premise server, this is the base URL of your Knocknoc server. Note: the Group Name in Knocknoc needs to match the Group Name provided by authentik.

authentik has a guide on Knocknoc integration here: https://integrations.goauthentik.io/security/knocknoc/

authentik config

  • Create SAML property mappings
    • Go to Customization -> Property Mappings
    • Click on Create to create your first mapping
    • Type: SAML Provider Property Mapping
    • Name: SAML to Knocknoc realName
    • SAML Attribute Name: realName
    • Expression: return user.name
    • Click Finish
    • Click on Create to create your second mapping
    • Type: SAML Provider Property Mapping
    • Name: SAML to Knocknoc groups
    • SAML Attribute Name: groups
    • Expression: for group in user.ak_groups.all(): yield group.name
    • Click Finish
    • Click on Create to create your third mapping
    • Type: SAML Provider Property Mapping
    • Name: SAML to Knocknoc duration
    • SAML Attribute Name: sessionDuration
    • Expression: return 540
      (Change 540 to the number of minutes required for sessions)
    • Click Finish
    Advanced flow settings ->
    • Authentication flow: default-authentication-flow (Welcome to authentik!)
    • Invalidation Flow: default-provider-invalidation-flow (Logged out of application)
    Advanced protocol settings ->
    • Signing Certificate: authentik Self-signed Certificate
    • Sign assertions: Enabled
    • Sign responses: Disabled
    • Sign logout requests: Disabled
    • Verification Certificate: leave unchanged on default
    • Encryption Certificate: leave unchanged on default
    • Property mappings: Selected User Property Mappings ->
      • SAML to Knocknoc realName
      • SAML to Knocknoc groups
      • SAML to Knocknoc duration
      • authentik default SAML Mapping: Username
    • NameID Property Mapping: authentik default SAML Mapping: Username
    • Assertion valid not before: minutes=-5
    • Assertion valid not on or after: minutes=5
    • Session valid not on or after: minutes=86400
    • Service Provider Binding: Post
    • Default NameID Policy: Persistent
    • Digest algorithm: SHA256
    • Signature algorithm: RSA-SHA256
    • Click Finish
  • Create Knocknoc application
    • Go to Applications -> Applications
    • Click on Create to create the Knocknoc application
    • Name: Knocknoc
    • Slug: knocknoc
    • Group: Knocknoc
    • Provider: Knocknoc Provider
    • Policy engine mode: any
    • Click Create to finish
    • Click on the newly created Knocknoc application
    • Select the Policy / Group / User Bindings tab
    • Click on Bind existing Group / User / Policy
    • Select the Groups / Users that are to be allowed access to Knocknoc and create
  • Get Knocknoc Provider Metadata URL
    • Go to Applications -> Providers
    • Click on Knocknoc Provider
    • Under Metadata, click on Copy download URL (you will need this for the next step)
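
The following is an added example, not code from the Knocknoc or authentik documentation. It builds the SAML assertion that the three property mappings and provider settings above produce (realName, groups, sessionDuration, a persistent NameID, and a validity window of not before -5 minutes / not on or after +5 minutes), then applies the checks the service-provider side needs before acting on it: the time window, the NameID format, the three required attributes, and that at least one group name matches a Knocknoc group. The user, group names and the issuer URL are constructed from the page's examples; an exact-string group match is an assumption (the page only says the names must match); and signature verification is assumed to have been done before validate_assertion is called, so it is not shown.

```python
"""Added example (not from the Knocknoc or authentik documentation):
constructed SAML assertion for the Knocknoc attributes, plus SP-side checks.
Signature verification is assumed to have already happened."""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET  # use defusedxml for untrusted XML
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime(TS_FORMAT)


def _parse_ts(text):
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def build_assertion(username, real_name, groups, now, session_minutes=540):
    """IdP side: what the page's mappings and provider settings emit.
    The issuer is the page's example authentik host (constructed value)."""
    group_values = "".join(
        f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups
    )
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0" IssueInstant="{_ts(now)}">
  <saml:Issuer>https://auth.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">{escape(username)}</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="{_ts(now - timedelta(minutes=5))}" NotOnOrAfter="{_ts(now + timedelta(minutes=5))}"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="realName"><saml:AttributeValue>{escape(real_name)}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">{group_values}</saml:Attribute>
    <saml:Attribute Name="sessionDuration"><saml:AttributeValue>{session_minutes}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def validate_assertion(xml_text, now, knocknoc_groups):
    """SP side: return the values Knocknoc would act on, or raise ValueError."""
    root = ET.fromstring(xml_text)

    # Validity window from the provider's "Assertion valid" settings.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    if now < not_before or now >= not_on_or_after:
        raise ValueError("assertion is outside its validity window")

    # Default NameID Policy: Persistent.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("NameID missing or not in persistent format")

    # The three attributes the property mappings add.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)
        ]
    for required in ("realName", "groups", "sessionDuration"):
        if required not in attrs:
            raise ValueError(f"required attribute {required!r} is missing")

    # Exact-string match assumed: the page only says the names must match.
    matched = sorted(set(attrs["groups"]) & set(knocknoc_groups))
    if not matched:
        raise ValueError("no group in the assertion matches a Knocknoc group")

    return {
        "username": name_id.text,
        "real_name": attrs["realName"][0],
        "groups": matched,
        "session_minutes": int(attrs["sessionDuration"][0]),
    }


def demo():
    """Constructed run: a fresh assertion is accepted, a stale one rejected."""
    now = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    xml = build_assertion("jdoe", "Jane Doe", ["Knocknoc", "staff"], now)
    accepted = validate_assertion(xml, now, ["Knocknoc"])
    try:
        validate_assertion(xml, now + timedelta(minutes=6), ["Knocknoc"])
        stale_error = ""
    except ValueError as exc:
        stale_error = str(exc)
    return accepted, stale_error


if __name__ == "__main__":
    print(demo())
```

Running the block shows the accepted attribute set (the 540-minute session duration from the third mapping and only the group that exists on the Knocknoc side) and the rejection of the same assertion once the five-minute window has passed; a group named differently in authentik and Knocknoc never reaches the returned set, which is the mismatch the note at the top of the page warns about.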

Knocknoc SAML config

SAML Key file and SAML Cert file are currently required fields in Knocknoc.
You can automatically generate a certificate and key pair from within the Knocknoc Admin UI, or manually generate one on a Linux host with the command
openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key
