
SAML with EntraID (Azure AD)

The following assumes your Knocknoc instance is located at https://demo.knoc.cloud. Wherever you see that URL, substitute your own instance URL.

Setting Up the IdP

Create Application

  1. Navigate to the Microsoft Entra admin center and log in with administrator credentials.
  2. Go to Identity and select Applications, then Enterprise Applications.
    (Screenshot: Enterprise Application menu)
  3. Click New Application.
  4. Click Create your own application.
  5. Type a name for your application (e.g. knocknoc).
  6. Check "Integrate any other application you don't find in the gallery (Non-gallery)".
  7. Click Create.

(Screenshot: Create Application)

Assign Groups

  1. Click "Assign users and groups".
  2. Click "None Selected" under groups.
  3. Add the user groups you wish to have access to Knocknoc protected services.

Note: Knocknoc and EntraID usernames need to match for automatic user assignment. Ideally you should assign a group rather than individual users, as Knocknoc maps groups to ACLs and the group names have to match. Best practice is to have at least one group per Knocknoc protected service, so you will need an Entra group for each Knocknoc group, and that Knocknoc group needs to contain the ACLs you want its members to have.

SAML Configuration

  1. Click Set up single sign on.
  2. On the application overview page this is Step 2, Single Sign-on.
  3. Select SAML as the single sign-on method.
  4. Here is where the fun begins! The remaining steps configure the SAML settings for Knocknoc.

    (Screenshot: Basic SAML Configuration)


  5. In the Basic SAML Configuration section, add the links to your Knocknoc instance.
    1. Set the Identifier (Entity ID) to the metadata URL of your Knocknoc instance: https://demo.knoc.cloud/api/saml/metadata
    2. Set the Reply URL (Assertion Consumer Service URL, ACS) to https://demo.knoc.cloud/api/saml/acs
    3. Leave the optional Basic SAML Configuration fields blank at this stage and click Save.

  6. In the Attributes & Claims section:
    1. Update the Required Claim, changing the Name Identifier Format to Persistent.
    2. Remove all other claims. Knocknoc only needs the claims added below; anything else is extra user data sent to the service provider for no benefit.
    3. Add a group claim:
      1. Select Security Groups.
      2. Select Group ID for the Source Attribute.
      3. Under Advanced options, check "Customize the name of the group claim".
      4. Set the Name to groups.
      5. Click Save when done.
      Note that with Group ID as the source attribute, each value in the groups claim is the group's object ID (a GUID), not its display name, so make sure the Knocknoc side matches on the value actually sent.
      (Screenshot: Group Claim)
    4. Add a New Claim:
      1. Set the Name as "realName".
      2. Leave Source as Attribute.
      3. Set Source Attribute to "user.displayname".
    5. Add another New Claim:
      1. Set the Name as "SessionDuration".
      2. Leave Source as Attribute.
      3. Set Source Attribute to the default login duration in seconds for users logging in to Knocknoc (a constant value such as "3600" for one hour). You can override this later with a user attribute for specific users.
    6. Add a third New Claim:
      1. Set the Name as "username".
      2. Leave Source as Attribute.
      3. Set Source Attribute to "user.userprincipalname".



  7. SAML Certificates

    Upload your own certificate, created as follows on your own PC or a Linux host.

    1. Generate a new certificate and key:
      openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key
    2. Convert the certificate and key to a PFX (PKCS#12) bundle:
      openssl pkcs12 -export -out user-demo-knoc-cloud.pfx -inkey user-demo-knoc-cloud.key -in user-demo-knoc-cloud.crt
    3. Enter an export password when prompted and note it down.
    4. In Entra, under SAML Certificates, click Edit, then Import Certificate; select the pfx you just created and enter the password.
    5. Make the new certificate active by clicking the dots on the right and choosing Make Certificate Active.
    6. Download the Federation Metadata XML.

    Keep user-demo-knoc-cloud.key private: -nodes writes it to disk unencrypted, and once the certificate is active it is the key Entra uses to sign assertions for Knocknoc, so anyone holding it can forge logins. The certificate is valid for ten years (-days 3650); plan to rotate it before it expires.

  8. Set Up Knocknoc
    1. Copy the Login URL; this will be required for the Knocknoc SAML config.
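The claim layout configured above (persistent NameID, realName, SessionDuration, username and groups) is easy to get subtly wrong in the Entra UI, and the only feedback Knocknoc gives is a failed login. The script below is an added example, not Knocknoc's or Microsoft's code: it parses a downloaded Federation Metadata XML and a decoded SAML assertion and checks that they match what this guide configures. The metadata, assertion, group IDs, ACL names and the group-to-ACL table are constructed sample data, and XML signatures are not verified; the point is to check claim shape and values before uploading the metadata to Knocknoc.

```python
"""Check Entra federation metadata and a SAML assertion against the claim layout
this guide configures.  Added example, not Knocknoc or Microsoft code; the XML,
group IDs and ACL names are constructed.  XML signatures are not verified here."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Exactly the claims the guide adds; anything else should have been removed.
REQUIRED_CLAIMS = {"realName", "SessionDuration", "username", "groups"}

# Constructed stand-in for the Federation Metadata XML downloaded from Entra.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-constructed-placeholder</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed stand-in for a decoded assertion Entra would POST to /api/saml/acs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="realName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="SessionDuration"><saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Knocknoc-side mapping: the guide sends Group ID, so the keys are
# Entra group object IDs rather than display names.
GROUP_ACLS = {
    "11111111-1111-1111-1111-111111111111": ["ssh-bastion"],
    "22222222-2222-2222-2222-222222222222": ["intranet-web"],
}


def parse_metadata(xml_text):
    """Return the IdP entityID, SSO endpoint per binding and signing certificates."""
    root = ET.fromstring(xml_text)
    sso = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        sso[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    certs = [c.text.strip() for c in root.iter(f"{{{NS['ds']}}}X509Certificate")]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_assertion(xml_text, expected_issuer):
    """Return (problems, attributes); an empty problem list means the layout matches."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match metadata entityID")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in sorted(REQUIRED_CLAIMS - attrs.keys()):
        problems.append(f"missing claim {name}")
    for name in sorted(attrs.keys() - REQUIRED_CLAIMS):
        problems.append(f"unexpected claim {name} (remove it in Attributes & Claims)")
    duration = attrs.get("SessionDuration", [""])[0] or ""
    if not (duration.isdigit() and int(duration) > 0):
        problems.append("SessionDuration must be a positive integer number of seconds")
    if not attrs.get("groups"):
        problems.append("groups claim is empty; the user would map to no ACLs")
    return problems, attrs


def acls_for(groups, group_acls):
    """Resolve the ACLs a user gets; group values that are not mapped grant nothing."""
    acls = set()
    for group in groups:
        acls.update(group_acls.get(group, ()))
    return sorted(acls)


if __name__ == "__main__":
    md = parse_metadata(SAMPLE_METADATA)
    problems, attrs = check_assertion(SAMPLE_ASSERTION, md["entity_id"])
    print("IdP:", md["entity_id"], "| problems:", problems or "none")
    print("ACLs:", acls_for(attrs["groups"], GROUP_ACLS))
```

To use it against real data, replace SAMPLE_METADATA with the contents of the downloaded Federation Metadata XML and SAMPLE_ASSERTION with the Assertion element from a base64-decoded SAMLResponse captured during a test login (for example from the browser's network tab). A non-empty problem list points at the Entra claim or NameID setting to fix; an empty list with the expected ACLs means the IdP side is sending what Knocknoc is configured to consume.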

Knocknoc SAML Config


  1. Log in to the Knocknoc admin interface.
  2. Click on Settings on the left, e.g. https://demo.knoc.cloud/admin/settings.
  3. Under Public URL enter your Knocknoc URL, e.g. https://demo.knoc.cloud. Note: do not add a / at the end of the URL.
  4. For the SAMLMetaDataFile, upload the Federation Metadata XML file you downloaded from EntraID in the previous section.
  5. For the SAMLCertFile, upload the certificate (.crt) file you created during the SAML Certificates step.
  6. For the SAMLKeyFile, upload the key (.key) file you created during the SAML Certificates step.
  7. For the SAMLMetadataUrl, paste the Login URL you copied in the Set Up Knocknoc step of the Entra section.
  8. Click Save.