Skip to main content

SAML with EntraID (Azure AD)

Create Application

Navigate to the Microsoft Entra admin center, then go to Identity -> Applications -> Enterprise Applications
Click New Application, and then Create your own application, type a name for your application, like 'knocknoc-dev'. and choose "Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

The following assumes your knocknoc instance is located at https://demo.knoc.cloud. Wherever you see that, please substitute it for your own instance URL.

Assign Groups

Go to Step 1 and Assign a User or group. Ideally you should use a group, as Knocknoc maps Groups to Acls, and the names have to match.

Then go to Step 2, Single Sign-on and select SAML.

Here is where the fun begins!
In the Basic SAML section, set the Indentifier (Entity ID) to your knocknoc instance URL: https://demo.knoc.cloud

Reply URL (Assertion Consumer Service URL) (ACS)
Set this to https://demo.knoc.cloud/api/saml/acs

Leave the Optional Basic SAML Configuration options blank at this stage and click Save.

Claims and Attributes

Edit the Attributes and Claims section now.
In the Requires Claim section, edit the Unique User Identifier by clicking it.
For the Name Identified Format choose: Persistent
and the Attribute for Source, and the Source Attribute is user.userprinipcalname, select Save when done.

Add a group Claim, select Security Groups and Select Group ID for the Source Attribute. Select Save when done.

SAML Certificates

Now go back to the SAML based Signon section, and in section 3 - SAML Certificates, download the Certificate Raw

Then download the federation Metadata XML.

Knocknoc Config


In the admin section go to Settings, eg https://demo.knoc.cloud/admin/settings

Type in your PublicURL eg https://demo.knoc.cloud/

For the SAMLMetaDataFile, upload the xml file you downloaded from the previous step.
For the SAMLCertFile, upload the Certificate you downloaded in the previous step.

Copy the Login URL from section 4 in the Entra Samp Sign section and paste it into SAMLMetadataUrl

Make a new cert and key:
openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key

Then convert the cert to pfx:
openssl pkcs12 -export -out user-demo-knoc-cloud.pfx -inkey user-demo-knoc-cloud.key -in user-demo-knoc-cloud.crt
Enter a password and note it down.

Upload SAML Certificate

Back into Entra ID -> SAML Certificates - Edit. Import Certificate, select the pfx certificate you just created, and enter the password.
Click Add
Then make the new certificate Active, but clicking the dots menu on the right and choosing Make Certificate Active.