SAML with OKTA

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Wherever you see that URL, substitute your own instance URL.

Setting Up the IdP

Create an Application

  1. Click Create App Integration
  2. Select SAML 2.0
  3. Set an App name (e.g. Knocknoc).
  4. Optional: Upload a logo.
  5. Click Next.
  6. Click OK
  7. Enter the Single sign-on URL (e.g. https://demo.knoc.cloud/api/saml/acs)
  8. Leave Use this for Recipient URL and Destination URL ticked.
  9. Enter the Audience URL (SP Entity ID URL, e.g. https://demo.knoc.cloud/api/saml/metadata)
  10. Leave Default Relay State blank
  11. Set Name ID Format as Persistent
  12. Set Application user as Okta Username
  13. Click Show advanced settings
  14. Upload your own certificate. One can be created on a Linux machine with the following command, which writes both the certificate (.crt) and the private key (.key) used later in the Knocknoc SAML Config section:
    openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key
  15. Leave other options default
  16. Add an Attribute statement with the following settings

[Screenshot: Attribute statement settings]

SAML Signing Certificates

  1. Delete the original certificate; it is likely SHA-1, whereas the newly generated one is SHA-2.
  2. View the IDP metadata and save it as an XML file.

Assignments

  1. Assign the Application to your users.
  2. Enable the option to send Groups, to allow the users to be automatically assigned to the correct ACLs.

Knocknoc SAML Config

  1. Log in to the Knocknoc admin interface.
  2. Click on Settings on the left.
  3. Under Public URL, enter your Knocknoc URL. Note: do not add a / at the end of the URL.
  4. For the SAMLMetaDataFile, upload the IdP metadata XML file you saved from Okta.
  5. For the SAMLCertFile, upload the certificate (.crt) file created in the previous section.
  6. For the SAMLKeyFile, upload the key (.key) file created in the previous section.
  7. For the SAMLMetadataUrl, paste the Metadata URL shown under Metadata Details in the Okta control panel.
  8. Click Save.
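Before uploading anything, it is worth checking that the certificate generated in step 14, the Public URL entered above, and the IdP metadata saved from Okta are all what Knocknoc and Okta expect. The script below is an added example, not part of the Knocknoc or Okta documentation: it wraps the guide's openssl command, confirms the resulting certificate is SHA-256 signed and that the key matches it, enforces the no-trailing-slash rule for the Public URL, and reads the IdP signing certificate out of the metadata XML to report its signature algorithm (the "likely SHA-1" certificate the SAML Signing Certificates section tells you to delete). The file names follow the guide; the script name saml-sp-check.sh, its run argument, and the PUBLIC_URL variable are assumptions of this example. It needs openssl and standard POSIX tools.

```shell
#!/bin/sh
# Added example, not part of the Knocknoc or Okta documentation. Wraps the
# guide's openssl command and adds pre-upload checks. File names follow the
# guide; substitute your own instance hostname.
set -eu

CERT="${CERT:-user-demo-knoc-cloud.crt}"
KEY="${KEY:-user-demo-knoc-cloud.key}"

# Same command as the guide: self-signed, ten-year validity, unencrypted key
# (Knocknoc needs the raw .key file, hence -nodes).
generate_sp_cert() {
  openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ \
    -out "$CERT" -keyout "$KEY" 2>/dev/null
}

# Print the signature algorithm of a PEM certificate read from stdin,
# e.g. sha256WithRSAEncryption. Anything containing "sha1" should be rejected.
pem_sig_alg() {
  openssl x509 -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

cert_sig_alg() { pem_sig_alg < "$1"; }

# Succeed only if the private key's public half equals the certificate's,
# i.e. the .crt and .key uploaded to Knocknoc really belong together.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The Knocknoc settings rule: Public URL without a trailing slash. Prints the
# two URLs that must match what was typed into Okta (ACS and SP Entity ID).
sp_urls_from_public_url() {
  case "$1" in
    */) echo "Public URL must not end with '/': $1" >&2; return 1 ;;
  esac
  echo "ACS URL:          $1/api/saml/acs"
  echo "SP Entity ID URL: $1/api/saml/metadata"
}

# Pull the IdP signing certificate out of saved SAML metadata (the
# <ds:X509Certificate> element, base64 DER, possibly wrapped over several
# lines) and report its signature algorithm.
idp_cert_sig_alg() {
  b64=$(tr -d '\n\r\t ' < "$1" \
        | sed -n 's/.*<\(ds:\)\{0,1\}X509Certificate>\([^<]*\)<.*/\2/p')
  [ -n "$b64" ] || { echo "no X509Certificate element in $1" >&2; return 1; }
  {
    echo '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    echo '-----END CERTIFICATE-----'
  } | pem_sig_alg
}

# Run everything when invoked as: sh saml-sp-check.sh run [idp-metadata.xml]
if [ "${1:-}" = "run" ]; then
  generate_sp_cert
  echo "SP cert signature: $(cert_sig_alg "$CERT")"
  if key_matches_cert "$CERT" "$KEY"; then echo "key matches certificate"; fi
  sp_urls_from_public_url "${PUBLIC_URL:-https://demo.knoc.cloud}"
  if [ -n "${2:-}" ]; then
    echo "IdP cert signature: $(idp_cert_sig_alg "$2")"
  fi
fi
```

Run it as `sh saml-sp-check.sh run metadata.xml` after saving the IdP metadata from Okta; a SHA-1 algorithm in either line means the wrong certificate is still active on the Okta side, and a Public URL with a trailing slash is rejected before it can produce mismatched ACS and Audience values.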

Final Testing

Assuming you granted your own user permission to one or more Knocknoc groups in Okta, you should now be able to log in to Knocknoc using SSO.

  1. Browse to https://demo.knoc.cloud
  2. There should now be an "SSO Login" button.
  3. Click it. If you are not already authenticated to your IdP, you should now be directed to the IdP login page. Note: if you are already authenticated, you'll simply be redirected to an authenticated Knocknoc session.
  4. If ACLs have already been added, you should also see them now show as Granted.

If this all works, congratulations! You've successfully run the SAML gauntlet.