Service Provider (SP) initiated SAML authentication allows users to start the login process directly from Knowi's login page, rather than requiring login to begin from your identity provider (IdP). This streamlines the user experience by letting users access Knowi directly and get redirected to their configured identity provider for authentication.
Prerequisites
Before enabling SP-initiated SAML, you must have:
- Existing SAML configuration: SP-initiated login uses the same SAML configuration as IdP-initiated login. If you haven't set up SAML yet, complete the basic SAML configuration first using our External Authentication using SAML guide.
- Admin privileges: You must have an "Admin" default security role or a custom role with "user:settings:saml" enabled.
- Enterprise license: SAML authentication must be enabled on your Knowi license. Contact your account manager if this feature isn't available.
- IdP configuration: SP-initiated SAML may need to be enabled on your Identity Provider side if required by your IdP settings.
How SP-Initiated SAML Works
With SP-initiated SAML:
- User visits Knowi: Users can go directly to your Knowi login page
- User provides organization identifier: Users enter their organization name to identify their SAML configuration
- Knowi initiates authentication: Knowi redirects users to the configured identity provider for that organization
- IdP authenticates: Your identity provider handles user authentication
- Return to Knowi: After successful authentication, users are redirected back to Knowi with access granted
This differs from the IdP-initiated flow, where users must start from your identity provider's portal.
Setting Up SP-Initiated SAML
SP-initiated SAML works automatically once your basic SAML configuration is valid. However, you must configure an organization name to enable the feature:
- Navigate to Settings → User settings → SAML in your Knowi workspace
- Open your existing SAML configuration (or create a new one if needed)
- In the SAML configuration form, locate the Organization name field
- Enter a unique organization identifier (this will be used in your login URL and by users during login)
- Complete any other required SAML settings
- Click Save to apply the changes
Important: Once your SAML settings are valid, both IdP-initiated and SP-initiated login methods will work simultaneously.
Organization Name Usage
The organization name you configure serves multiple purposes:
- Direct URL Access: Creates a direct login URL in the format: https://[your-knowi-domain]/saml/login/[organization-name]
- Login Identification: Users reference this name during the login process to identify which SAML configuration to use
- Multi-tenant Support: Allows multiple organizations with different SAML configurations on the same Knowi instance
How to Log In Using SP-Initiated SAML
Users have three methods to initiate SP-initiated SAML login:
Method 1: Direct URL Access
Users can navigate directly to: https://[your-knowi-domain]/saml/login/[organization-name]
This immediately redirects them to the configured identity provider for authentication.
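A check an administrator could run on the redirect that the direct login URL returns, as an added example that is not Knowi's code. It assumes the redirect uses the SAML HTTP-Redirect binding (a SAMLRequest query parameter); the function names, idp.example.com and the sample request are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def check_sp_redirect(location, expected_idp_host):
    """Return the problems found in a redirect Location; an empty list means it looks right."""
    problems = []
    url = urlsplit(location)
    if url.scheme != "https":
        problems.append("redirect is not HTTPS")
    if url.hostname != expected_idp_host:
        problems.append("redirect host is not the expected IdP")
    params = parse_qs(url.query)
    if "SAMLRequest" not in params:
        return problems + ["no SAMLRequest parameter"]
    try:
        # Assumed HTTP-Redirect binding: base64, then raw DEFLATE; output capped at 64 KiB
        packed = base64.b64decode(params["SAMLRequest"][0], validate=True)
        root = ET.fromstring(zlib.decompressobj(-15).decompress(packed, 65536))
    except (ValueError, zlib.error, ET.ParseError):
        return problems + ["SAMLRequest is not a decodable AuthnRequest"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        problems.append("payload is not an AuthnRequest")
    dest = root.get("Destination")
    if dest and urlsplit(dest).hostname != expected_idp_host:
        problems.append("AuthnRequest Destination is not the expected IdP")
    if root.find(f"{{{SAML}}}Issuer") is None:
        problems.append("AuthnRequest has no Issuer")
    return problems

def constructed_location(idp_host):
    """Build a sample redirect (constructed data, not captured from Knowi)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_x" '
           f'Version="2.0" Destination="https://{idp_host}/sso">'
           f'<saml:Issuer>https://sp.example/saml</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)
    packed = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    return f"https://{idp_host}/sso?" + urlencode({"SAMLRequest": packed})

if __name__ == "__main__":
    print(check_sp_redirect(constructed_location("idp.example.com"), "idp.example.com"))
```

Pass the Location header from a request to your organization's direct login URL as `location`, and the hostname of your IdP's sign-on endpoint as `expected_idp_host`.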
Method 2: Login Page with SAML Button
- Users visit your Knowi login page and click Login
- Click the Login with SAML button
- In the popup window, enter the organization name
- Get redirected to your identity provider for authentication
- Return to Knowi after successful authentication
Method 3: Email Field Shortcut
- Users visit your Knowi login page and click Login
- In the Email field, enter the organization name (instead of an email address)
- Click the Login button
- Knowi automatically detects this as an organization name and initiates the SAML flow
- Get redirected to your identity provider for authentication
- Return to Knowi after successful authentication
Note: Method 3 is a convenience feature that allows users to bypass the SAML popup by entering their organization name directly in the email field.