Configuring SAML SSO with Microsoft Entra ID (formerly Azure AD)

If you need help setting up Entra ID SSO, the information below walks you through the process.

Disclaimer: Advanced SSO is currently unsupported by Knack; however, the following information can help guide you through the basic configuration of SAML SSO with Microsoft Entra ID. For additional details, refer to Knack's SSO Overview.

 

1. Getting Set Up in Knack

To begin, follow these steps to create your SAML-based SSO configuration in Knack:

  • Navigate to your Knack login page and select the Login view's settings.
  • Select the "Add Provider" button and select "SAML 1.1 or 2.0". This will open the configuration form where you can customize your SSO login button.
  • The configuration form presents the fields required to set up your Azure SSO instance. At the top of the form, you will find options to customize the login button that will be added to your login page.

Note: Settings like button text, color, and font are customizable. However, there is currently an issue with uploading an image. Please reach out to our support team if you have any questions: Create Support Ticket


 

2. Knack SAML Provider Settings

To configure Microsoft Entra ID with Knack, you'll need specific information for the Provider Settings.

Before entering information in these fields, retrieve the Assertion Consumer Service (ACS) URL from Knack's SSO XML configuration. You will use this ACS URL in a later step to configure Entra ID.

Retrieving the Assertion Consumer Service URL (ACS)

To save the SAML configuration form in Knack, you must fill in all required fields. Begin by entering a placeholder URL (e.g., URL.com) in the Provider Entry Point field, and populate the Issuer and the four ID property fields with any placeholder characters. This is a temporary measure that lets you save the SAML SSO configuration.

Once the required fields are saved, download the XML metadata file from the configuration form. The ACS URL will be visible in the downloaded XML.

This opens the XML file in your browser, where you can view the Assertion Consumer Service URL. It takes one of the following forms:

  • Europe-based apps: https://eu-api.knack.com/v1/applications/YOUR_APP_ID/auth/Azure/return
  • US-based apps: https://us-api.knack.com/v1/applications/YOUR_APP_ID/auth/Azure/return
  • HIPAA/GovCloud apps: https://usgc-api.knack.com/v1/applications/YOUR_APP_ID/auth/Azure/return

Note: Each ACS URL is unique to the app and region.
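
The check below is an added example, not Knack's own code: it reads the downloaded metadata, extracts the ACS URL and confirms it is an https URL on one of the regional hosts listed above before you use it as the Reply URL in Entra ID. It assumes the file follows the standard SAML 2.0 metadata schema; the path pattern is generalized from the three URLs above, extract_acs is a hypothetical helper name, and the sample metadata is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Regional API hosts listed in this article.
KNACK_HOSTS = {
    "eu-api.knack.com": "Europe",
    "us-api.knack.com": "US",
    "usgc-api.knack.com": "HIPAA/GovCloud",
}
# Assumed path shape, generalized from the three URLs in the article.
ACS_PATH = re.compile(r"^/v1/applications/([^/]+)/auth/[^/]+/return$")

def extract_acs(metadata_xml: str) -> dict:
    """Return the ACS URL, region and app ID, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(".//md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if acs is None or not acs.get("Location"):
        raise ValueError("no AssertionConsumerService Location in metadata")
    url = acs.get("Location").strip()
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"ACS URL is not https: {url}")
    region = KNACK_HOSTS.get(parts.hostname or "")
    if region is None:
        raise ValueError(f"unexpected ACS host: {parts.hostname}")
    match = ACS_PATH.match(parts.path)
    if not match or parts.query or parts.fragment:
        raise ValueError(f"unexpected ACS path: {parts.path}")
    return {"acs_url": url, "region": region, "app_id": match.group(1)}

# Constructed sample metadata; the entityID and app ID are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://example.knack.com/your-app">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://us-api.knack.com/v1/applications/YOUR_APP_ID/auth/Azure/return"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(extract_acs(SAMPLE_METADATA))
```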


 

3. Basic Configuration in Microsoft Entra ID

With the ACS URL retrieved from your Knack app's SSO XML configuration file, you can now proceed to configure SAML SSO on the Entra ID side.

During this process, you'll also gather necessary data from Entra ID to input into the Provider Settings within the Knack configuration form.

Using the ACS URL retrieved above, configure the basic SSO settings in Entra ID:

  • Identifier (Entity ID): This should be the base URL of your Knack live app (e.g., https://example.knack.com/your-app).
  • Reply URL (Assertion Consumer Service URL): Use the ACS URL you retrieved in the prior step.

Notes:

  • The fields mentioned above are essential for your setup, while the remaining fields on the Basic SAML configuration page are optional. You can leave those unfilled until your SSO configuration is fully connected.
  • You may create a Logout URL in Entra ID, which can be added to the Logout URL field setting in the Provider Settings in Knack at a later stage. Please note that this step is optional and not necessary for the core configuration.

 

4. Attributes and Claims in Entra ID

The next step is to collect the Attributes and Claims from Entra ID.

An example of the structure that should be entered into the four property fields in Knack is as follows:

  • ID: http://schemas.microsoft.com/identity/claims/objectidentifier
  • First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Note: The properties mentioned above can be customized within the Entra ID portal, providing you with flexibility in your configuration. However, it is essential to ensure that the values you use match the exact capitalization found in your Knack app.

When transferring these values to Knack, even minor discrepancies in case can lead to errors. Therefore, please pay close attention to maintain uniformity between Entra ID and Knack to avoid any potential issues.
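
As an added example (not part of Knack's or Microsoft's tooling), the script below compares the claim names typed into Knack's four property fields with the Attribute names in a decoded SAML assertion from a test login, and separates case-only differences from claims that are absent. The field values and the assertion fragment are constructed samples, and check_claims is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values as typed into Knack's four property fields (constructed sample).
# The Email entry carries a deliberate capitalization slip.
KNACK_FIELDS = {
    "ID": "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "First Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Last Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/EmailAddress",
}

def check_claims(assertion_xml: str, fields: dict) -> dict:
    """Classify each Knack field as 'ok', 'case-mismatch' or 'missing'."""
    root = ET.fromstring(assertion_xml)
    sent = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", SAML_NS)]
    by_lower = {name.lower(): name for name in sent}
    report = {}
    for field, configured in fields.items():
        if configured in sent:
            report[field] = "ok"             # exact, case-sensitive match
        elif configured.lower() in by_lower:
            report[field] = "case-mismatch"  # same claim, different capitalization
        else:
            report[field] = "missing"        # the IdP did not send this claim
    return report

# Constructed assertion fragment; the surname claim is left out on purpose.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>test.user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for field, status in check_claims(SAMPLE_ASSERTION, KNACK_FIELDS).items():
        print(f"{field}: {status}")
```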



 

5. SAML Certificates Additional Settings

The SAML Certificates page provides you with the option to download the Certificate (Base 64). Once downloaded, you will need to copy and paste this certificate into the Identity Provider's Certificate field in Knack's SAML SSO configuration form.

The format of the downloaded text will appear as follows:

-----BEGIN CERTIFICATE-----
MIID... (Base64 content) ...
(More Base64 content)
-----END CERTIFICATE-----

Please ensure you copy the entire text from beginning to end, including the lines marked "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
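
A truncated or damaged paste is easy to miss by eye. The following added example (not Knack's code) checks that the copied block has both marker lines and an intact Base64 body, then prints fingerprints you can compare with the thumbprint your identity provider shows for the signing certificate. check_pem is a hypothetical helper name, and the sample is a constructed five-byte stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----\Z"
)

def check_pem(text: str) -> dict:
    """Validate a pasted certificate block and fingerprint its DER bytes."""
    match = PEM_RE.match(text.strip())
    if not match:
        raise ValueError("missing or malformed BEGIN/END CERTIFICATE lines")
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Base64 body is damaged: {exc}") from exc
    # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like a DER certificate")
    return {
        "der_bytes": len(der),
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }

# Constructed stand-in: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(check_pem(SAMPLE_PEM))
```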

Then, paste this complete text into the Identity Provider's Certificate field in Knack.

You will also need to obtain the Login URL, which should be entered in the Provider Entry Point field within Knack.

In summary, the values to copy from Entra ID into Knack are:
  • SAML Certificates: Download and copy the Certificate (Base 64) from Entra ID and paste it into Knack’s Identity Provider’s Certificate field.
  • Login URL: Add to Knack’s Provider Entry Point field.
  • Issuer: Use the Application ID from Entra ID’s Overview and paste it into Knack’s Issuer field.

Note: To successfully complete the configuration, you will need two key pieces of information from Knack: the Assertion Consumer Service URL (ACS) and the base URL of your Live App. These details are essential for populating the settings outlined in the SAML configuration page section.

 



 

Troubleshooting Tips

  • Login Permissions: Ensure new user registration is enabled if you want new users to log in via SSO without pre-existing Knack accounts.
    • If this setting is set to "Yes", any user who signs in through the SSO instance can access the app and create a new account.
  • Case Sensitivity: Matching case is crucial for attributes.

Reminder: As Knack does not officially support advanced SSO, please refer to external tutorials or Microsoft Entra documentation for in-depth guidance.