SAML-based single sign-on (SSO) gives members of your organization access to Knowi through an identity provider (IdP) of your choice.
The following Identity Providers (IdPs) have been integrated:
To use SAML, you must have a cloud identity provider (IdP) or federation service in place that supports authentication via SAML 2.0. For more information about SAML 2.0, see http://en.m.wikipedia.org/wiki/SAML_2.0
You must have an "Admin" default security role or a custom role with "user:settings:saml" enabled to set up SAML. For more information about default roles, see Default Security Role Reference. For more information about custom roles, see Managing Custom Roles.
Getting Started
SAML authentication needs to first be enabled by Knowi. To update your license for this feature, contact your account manager or open a support request in Knowi's Help Center by clicking Contact Us.
Once your license is updated, navigate to the SAML tab in the Settings section of Knowi, then click the Add button to see the following configuration options. Note that any changes to configuration options do not take effect until you click the Save button at the bottom of the page.
SAML Auth Settings
Knowi requires the IdP URL, IdP Issuer, and IdP Certificate to authenticate your IdP.
Note: Dynamic configuration with IdP Metadata is not supported at this time.
IdP URL: The URL where Knowi will go to authenticate users.
IdP Issuer: The unique identifier of the IdP.
IdP Certificate: The public key to let Knowi verify the signature of IdP responses.
Default Groups and Roles
You can set a default role and groups for new SAML users. In the User Roles and Groups section, enter the names of any Knowi roles or groups to which you want to assign new Knowi users when they first log in to Knowi.
These groups and roles are applied to new users at their initial login. The groups and roles are not applied to pre-existing users, and they are not reapplied if they are removed from users after the users’ initial login.
User Attributes Setting
In the following fields, specify the attribute name in your IdP’s SAML configuration that contains the corresponding information for each field. The SAML attribute names tell Knowi how to map those fields and extract their information at login time. Knowi isn’t particular about how this information is constructed; it’s just important that the names you enter in Knowi match the way the attributes are defined in your IdP.
Name      | Value
--------- | ----------
userId    | user.id
userEmail | user.email
userLogin | user.login
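To make the mapping concrete, here is an added example (not Knowi's code) of what the settings above mean at login time: the IdP Issuer is checked against the assertion, and each Knowi field is filled from the SAML attribute whose Name matches the configured value. The settings, the response XML and the attribute values are constructed for the example; signature verification with the IdP Certificate is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical settings mirroring the page's SAML Auth Settings and
# User Attributes Setting; every value here is constructed.
SETTINGS = {
    "idp_issuer": "https://idp.example.com/metadata",
    "attributes": {"userId": "user.id", "userEmail": "user.email", "userLogin": "user.login"},
}

# Constructed SAML response, not real IdP output. The XML signature that
# must be verified with the IdP Certificate before trusting it is omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.id"><saml:AttributeValue>1042</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def map_user_attributes(response_xml, settings):
    """Return {knowi_field: value}; fail closed on issuer mismatch or missing attribute."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    # The assertion's Issuer must equal the configured IdP Issuer.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != settings["idp_issuer"]:
        raise ValueError(f"unexpected issuer {issuer!r}")
    # Index the AttributeStatement by attribute Name (first value wins).
    present = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        present.setdefault(attr.get("Name"), value.strip())
    # Resolve each Knowi field through the configured attribute name; a name
    # that is absent or empty is an error rather than a blank user field.
    mapped = {}
    for field, idp_name in settings["attributes"].items():
        if not present.get(idp_name):
            raise ValueError(f"{field}: attribute {idp_name!r} missing from assertion")
        mapped[field] = present[idp_name]
    return mapped
```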
Signing out of Knowi when using Single Sign-On
To completely sign out, you must sign out of Knowi and close the browser.
- Click the Logout button on the bottom-left menu of the navigation bar
- Close the Web browser
Using Knowi with Single Sign-On
When using Knowi with Single Sign-On, you cannot:
- be sent a forgotten password email
- change your password in your profile
FAQ
- Q: Can I use an alternate login with SAML?
- A: Knowi email/password logins are available for Admin users. This option is useful as a fallback during SAML Auth setup, should SAML config problems occur later, or if you need to support some users who do not have accounts in your SAML directory.
- Q: Can I merge an existing Knowi user to SAML or vice versa?
- A: You can merge or transfer a user between authentication types (Knowi email/password, LDAP, SAML, SSO). This can be done using the Management API or from the UI.