
SAML

SAML is an in-depth topic, but it is the best option for securing user access and providing centralized user management. There are many SAML providers and no single convention for configuration and implementation. Knocknoc has been tried and tested with a few of them, and its configuration is customizable enough to be adapted to any standards-compliant SAML 2.0 implementation.

SAML is the preferred authentication provider for Knocknoc. If you are unfamiliar with SAML, the following is an overview of the general principles and terms.

SAML and Knocknoc

Knocknoc can support two IdPs: one for user logins and one for the admin interface login. This lets an MSP or security team manage users without being granted ACLs to the services being protected.

In single-IdP environments Knocknoc supports users and admins from one authentication source. Admin access is then authorized using groups or other keys in the IdP response.

Implementing SAML in Knocknoc

When configuring SAML in Knocknoc:

  1. Identify the IdP and SP: Knocknoc is the SP (service provider) and your identity provider is the IdP (e.g. Okta, Entra ID, JumpCloud).
  2. Configure Assertions: Customize the assertions to include the user information Knocknoc needs. This can include sending group information and/or static assertions.
  3. Select Bindings and Profiles: Choose the bindings and profiles (for example the HTTP-POST or HTTP-Redirect binding) appropriate to your use case.
  4. Test the SAML Flow: Ensure that the authentication flow works as expected and is secure. SAML responses can be captured and inspected with a browser extension such as SAML-tracer; check that the assertion is signed, names Knocknoc as the audience and carries the attributes you configured, and confirm that a response with a modified or missing signature is rejected, not just that a valid login succeeds.
  5. Monitor and Update: Regularly monitor the SAML setup and update it as necessary, taking into account new security patches or compliance requirements.
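
The following is an added example, not part of Knocknoc's documentation or product, showing the kind of check step 4 calls for: it decodes a SAMLResponse as captured by SAML-tracer, confirms the assertion is signed, scoped to the expected SP entity ID and time-limited, and lists the attributes and group values the IdP actually sent (the inputs to step 2). The SP entity ID, the attribute names and the sample response itself are constructed assumptions. It does not verify the signature; that is the SP's job.

```shell
#!/bin/sh
# Added example, not part of Knocknoc's documentation or product: decode a
# SAMLResponse captured with SAML-tracer and check the assertion before
# calling the flow "tested". The entity IDs, attribute names and the sample
# response below are assumptions constructed for this script.
set -eu

# Assumed SP entity ID (the Audience the IdP must name for Knocknoc)
SP_ENTITY_ID="https://user-demo.knoc.cloud/saml/metadata"

# Constructed, minimal IdP response; a real one carries digests, an Issuer,
# a Subject and a real signature. Only the structure matters here.
SAMPLE_XML=$(cat <<'EOF'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://user-demo.knoc.cloud/saml/acs">
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://user-demo.knoc.cloud/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>knocknoc-admins</saml:AttributeValue>
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
EOF
)
# What the browser actually posts (and what SAML-tracer shows you): base64
SAMPLE_B64=$(printf '%s' "$SAMPLE_XML" | base64 | tr -d '\n')

# Decode the posted value back to XML, flattened to one line for grep/sed
decode_response() {
  printf '%s' "$1" | base64 -d | tr -d '\n'
}

# Names of every attribute the IdP sent (what step 2 configures)
attribute_names() {
  decode_response "$1" | grep -o 'Attribute Name="[^"]*"' | sed 's/.*="//; s/"$//'
}

# All values of one attribute, e.g. the group list used for admin authorization
attribute_values() {
  decode_response "$1" \
    | sed "s/.*<saml:Attribute Name=\"$2\">//; s/<\/saml:Attribute>.*//" \
    | grep -o '<saml:AttributeValue>[^<]*' | sed 's/<saml:AttributeValue>//'
}

# Structural checks a response must pass; returns non-zero with a reason.
# This does not verify the signature (the SP does that); it shows whether
# the IdP is sending what you configured.
check_response() {
  xml=$(decode_response "$1")
  printf '%s' "$xml" | grep -q '<ds:Signature' \
    || { echo "FAIL: response is unsigned"; return 1; }
  printf '%s' "$xml" | grep -q "<saml:Audience>$2</saml:Audience>" \
    || { echo "FAIL: Audience is not $2 (assertion meant for another SP)"; return 1; }
  printf '%s' "$xml" | grep -q 'NotOnOrAfter="' \
    || { echo "FAIL: no NotOnOrAfter, assertion would never expire"; return 1; }
  printf '%s' "$xml" | grep -q 'Attribute Name="groups"' \
    || { echo "FAIL: no groups attribute, group-based admin access will not work"; return 1; }
  echo "OK: signed, audience $2, expiry and groups present"
}

check_response "$SAMPLE_B64" "$SP_ENTITY_ID"
echo "attributes: $(attribute_names "$SAMPLE_B64" | tr '\n' ' ')"
echo "groups:     $(attribute_values "$SAMPLE_B64" groups | tr '\n' ' ')"
```

To use it against a real capture, replace SAMPLE_B64 with the SAMLResponse value from SAML-tracer and SP_ENTITY_ID with the entity ID from your Knocknoc SP metadata. The audience check is the one most often skipped: an assertion the IdP issued for a different application must fail here, which the script demonstrates when given any other entity ID.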

Keys and certificates

If your SAML integration requires a key/certificate to be created, the OpenSSL commands below generate a suitable self-signed keypair.

  1. Generate a new self-signed certificate and key. On a Linux host use the command below; it creates a 2048-bit RSA key and a certificate valid for ten years. The -nodes option leaves the private key unencrypted on disk, so restrict the file's permissions and keep it out of version control.
    openssl req -new -x509 -newkey rsa:2048 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key

If the PKCS12 (.PFX) format is required:

  1. Convert the certificate and key to a .pfx bundle using the following command.
    openssl pkcs12 -export -out user-demo-knoc-cloud.pfx -inkey user-demo-knoc-cloud.key -in user-demo-knoc-cloud.crt
  2. Enter an export password when prompted and note it down; it is needed again at import.
  3. Import the certificate: select the .pfx file you just created and enter the password.
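
The script below is an added example, not Knocknoc's own tooling, that runs the whole procedure above end to end and then verifies the result before you import it: it generates the self-signed keypair, bundles it as PKCS#12 non-interactively, confirms the private key matches the certificate, and confirms the .pfx really contains the certificate you just generated by comparing SHA-256 fingerprints. The file names follow the page; the password and the working directory are assumptions.

```shell
#!/bin/sh
# Added example (not Knocknoc's own tooling): generate the self-signed SAML
# keypair, bundle it as PKCS#12, and verify the bundle before importing it.
# File names follow the page; password and directory are assumptions.
set -eu

make_saml_keypair() {
  # $1 = base file name, $2 = PFX export password, $3 = working directory
  base="$1"; pass="$2"; dir="$3"
  mkdir -p "$dir"
  # Self-signed X.509 certificate, 2048-bit RSA, ten-year validity, key unencrypted (-nodes)
  openssl req -new -x509 -newkey rsa:2048 -days 3650 -nodes \
    -subj "/CN=Knocknoc/" \
    -out "$dir/$base.crt" -keyout "$dir/$base.key" 2>/dev/null
  # Bundle key + certificate as PKCS#12; -passout avoids the interactive prompt
  openssl pkcs12 -export -passout "pass:$pass" \
    -out "$dir/$base.pfx" -inkey "$dir/$base.key" -in "$dir/$base.crt"
  # Both files contain the private key: owner-only permissions
  chmod 600 "$dir/$base.key" "$dir/$base.pfx"
}

# SHA-256 fingerprint of a PEM certificate (what the IdP shows after import)
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate inside the .pfx, extracted with the password
pfx_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Does the private key belong to the certificate? Compare public-key digests.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= *//')
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= *//')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

verify_bundle() {
  # $1 = path prefix without extension, $2 = PFX password
  key_matches_cert "$1.key" "$1.crt" \
    || { echo "FAIL: private key does not match certificate"; return 1; }
  [ "$(cert_fingerprint "$1.crt")" = "$(pfx_fingerprint "$1.pfx" "$2")" ] \
    || { echo "FAIL: .pfx does not contain the generated certificate"; return 1; }
  return 0
}

# Demonstration with the file names used on this page (password and directory assumed)
workdir=$(mktemp -d)
make_saml_keypair user-demo-knoc-cloud 'change-me' "$workdir"
if verify_bundle "$workdir/user-demo-knoc-cloud" 'change-me'; then
  echo "bundle OK, certificate SHA-256: $(cert_fingerprint "$workdir/user-demo-knoc-cloud.crt")"
else
  exit 1
fi
```

The fingerprint printed at the end is the value to compare against what the IdP displays after you upload the certificate or .pfx, which catches the common mistake of importing a stale or wrong file. Use a real password in place of change-me and delete the unencrypted .key once the .pfx has been imported, if the integration no longer needs it.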