SAML-based single sign-on (SSO) gives members of your organization access to Knowi through an identity provider (IdP) of your choice.
The following Identity Providers (IdPs) have been integrated:
To use SAML, you must have a cloud identity provider (IdP) or federation service in place that supports authentication via SAML 2.0. For more information about SAML 2.0, see http://en.m.wikipedia.org/wiki/SAML_2.0
You must have an "Admin" default security role or a custom role with "user:settings:saml" enabled to set up SAML. For more information about default roles, see Default Security Role Reference. For more information about custom roles, see Managing Custom Roles.
Getting Started
SAML authentication needs to first be enabled by Knowi. To update your license for this feature, contact your account manager or open a support request in Knowi's Help Center by clicking Contact Us.
Once your license is updated, navigate to the SAML tab in the Settings section of Knowi, then click the Add button to see the following configuration options. Note that any changes to configuration options do not take effect until you click the Save button at the bottom of the page.
SAML Auth Settings
Knowi requires the IdP URL, IdP Issuer, and IdP Certificate to authenticate your IdP.
Note: Dynamic configuration with IdP Metadata is not supported at this time.
IdP URL: The URL where Knowi will go to authenticate users.
IdP Issuer: The unique identifier of the IdP.
IdP Certificate: The IdP's signing certificate (public key) that Knowi uses to verify the signature on IdP responses.
Default Groups and Roles
You can set a default role and groups for new SAML users. In the User Roles and Groups section, enter the names of any Knowi roles or groups to which you want to assign new Knowi users when they first log in to Knowi.
These groups and roles are applied to new users at their initial login. The groups and roles are not applied to pre-existing users, and they are not reapplied if they are removed from users after the users’ initial login.
User Attributes Settings
In the following fields, specify the attribute name in your IdP's SAML configuration that contains the corresponding information for each field. The SAML attribute names tell Knowi how to map those fields and extract their information at login time. Knowi isn't particular about how this information is constructed; it is only important that the names you enter in Knowi match the way the attributes are defined in your IdP.
Name | Value
--- | ---
userId | user.id
userEmail | user.email
userLogin | user.login
Additional SAML attributes supported by Knowi
- contentFilter: The contentFilter attribute lets you set content filters for your users. Like all other attributes, it can be set on groups or directly on a user within your IdP, and multiple values stack up like the 'group' attribute. Note that it might be necessary to enable attribute aggregation on your IdP for stackable attributes. If no contentFilter attribute is present, content filters for that user are left unset, meaning the user has access to the full, unfiltered data.
- dashboardUrl: sets the dashboard that a user sees after logging in. You can either paste the entire URL or just the dashboard ID part from a URL, both should work. If this attribute is not present, the most recently opened dashboard will be displayed for return logins and the playground will be launched for new users.
- role: sets the user role, only one role per user is supported at this time. If no role is provided from an attribute, the default role from the SAML configuration will be used.
- groups: The groups that the user will be part of in Knowi. Users can be put into multiple groups in Knowi by adding more than one 'group' attribute. If no groups attribute is present, the default groups from your SAML config will be used.
- logoutUrl: a full URL (for example, https://www.knowi.com) to which the user is redirected upon logout. If this attribute is not set, the Knowi home page is opened upon logout.
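The mapping rules above, as an added example that is not Knowi's own code: it reads the AttributeStatement of a (constructed) SAML assertion and applies the page's rules for required fields, a single role, stacked groups and content filters, and defaults that apply only when an attribute is absent. The IdP attribute names (user.id, user.email, user.login) and the default role and groups are assumptions; the code also assumes the assertion's signature was already verified against the configured IdP certificate.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# IdP attribute names entered under User Attributes Settings (hypothetical values).
ATTR_MAP = {"userId": "user.id", "userEmail": "user.email", "userLogin": "user.login"}

# Constructed assertion: the same attribute Name appears twice, as an IdP with
# attribute aggregation emits for a user in two groups. Signature assumed verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="user.id"><saml:AttributeValue>u-1001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.login"><saml:AttributeValue>ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="contentFilter"><saml:AttributeValue>region = EMEA</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Collect {Name: [values]} from the AttributeStatement; repeated Names stack."""
    attrs = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_user(attrs, default_role="User", default_groups=()):
    """Apply the page's rules: required identity fields, at most one role,
    stacked groups and content filters, defaults only when an attribute is absent."""
    user = {}
    for field, idp_name in ATTR_MAP.items():
        if not attrs.get(idp_name):
            raise ValueError(f"assertion lacks required attribute {idp_name!r}")
        user[field] = attrs[idp_name][0]
    roles = attrs.get("role", [])
    if len(roles) > 1:
        raise ValueError("only one role per user is supported")
    user["role"] = roles[0] if roles else default_role
    groups = attrs.get("groups") or attrs.get("group")  # the page names it both ways
    user["groups"] = groups if groups else list(default_groups)
    # Absent contentFilter means unset: the user sees the full data.
    user["contentFilter"] = attrs.get("contentFilter", [])
    user["dashboardUrl"] = attrs.get("dashboardUrl", [None])[0]  # None: last opened / playground
    user["logoutUrl"] = attrs.get("logoutUrl", [None])[0]  # None: Knowi home page
    return user
```

Because an absent contentFilter grants access to the full data, a practitioner should confirm that the IdP actually emits the attribute (and aggregates it across groups) for every user who is meant to be restricted.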
Signing out of Knowi when using Single Sign-On
To completely sign out, you must sign out of Knowi and close the browser.
- Click the Logout button on the bottom-left menu of the navigation bar
- Close the Web browser
Using Knowi with Single Sign-On
When using Knowi with Single Sign-On, you cannot:
- be sent a forgotten password email
- change your password in your profile
FAQ
- Q: Can I use an alternate login with SAML?
  A: Knowi email/password logins remain available for Admin users. This is useful as a fallback while you set up SAML Auth, should SAML configuration problems occur later, or if you need to support some users who do not have accounts in your SAML directory.
- Q: Can I merge an existing Knowi user to SAML or vice versa?
  A: You can merge or transfer a user between authentication types (Knowi email/password, LDAP, SAML, SSO). This can be done using the Management API or from the UI.