Configuring a new Knack App with certificates
How to setup SSO in Knack for the first time
Log into the City's ServiceNow Portal and create a request indicating that you want to create a Knack application in Microsoft Entra, assigned to the ESA (Enterprise Systems Administration) group. Make sure to list yourself and/or team members as Configuration Owners so you can set up SSO in Entra.
Create a login enabled Knack page if one has not yet been made.

Then, navigate to the login page Settings in the Knack builder by selecting the pencil icon on the login form.

Select the Add Provider button

An Add Credentials modal will appear. Select SAML 1.1 or 2.0 for the Provider Type.


Enter COACD as the Provider Name. We use custom buttons for our logins; if your app does not, the button and font colors below are the standard colors.

Provider Name: COACD
Button Color: #163f6e
Button Font Color: #ffffff
Next, enter the Provider Settings.
Provider Entry Point should remain the same for all apps unless something changes on the Microsoft Entra (formerly Azure Active Directory) side. The Provider Entry Point can be confirmed with CTM or found in the Entra metadata file in the Location attribute of the <SingleSignOnService> tag (the file lists one entry per binding; the Location is the same for each): https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/saml2
Issuer uniquely identifies your app and cannot change once set, because CTM uses it to name the app instance in Entra. If it ever has to change, the app instance must be recreated in Microsoft Entra. The Issuer is atd.knack.com/ followed by your app-name.

Leave the Private signing certificate box empty. The Identity Provider's certificate box used to be left empty at this stage too, but as of March 2025 Knack requires it, so you must paste a correctly formatted certificate there before Knack will let you save and download the metadata file. Do not use an existing app's IP Cert. Instead, temporarily enter the formatted Decryption Private Cert from 1Password as a placeholder, and replace it with the real IP Cert from Microsoft Entra later in this procedure. While the placeholder is in place Knack cannot validate Entra's signed responses, so do not enable SSO on any login page until the real Entra certificate has been pasted in.

Locate our self-signed SSL certificates in 1Password under Self-Signed x509 SSL Certificates for SAML/ADFS.
Our self-signed certs are listed under their valid date range and show Valid From and Valid To dates; confirm the pair you copy has not expired.
Select Copy for the Decryption Private Key and paste it into the Decryption private certificate box. Do the same for the Decryption Public Key, pasting it into the Decryption public certificate box. These have already been formatted with headers using the Private Key formatter and the X509 Formatter.


Logout URL can be left blank until needed, if applicable to your app.
Authentication Context: as of 2024 this no longer applies; leave it as None. (It was previously set to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport for all apps.)
ID Property and Email Property are the same value for all apps, because users sign in to our Knack apps with their email address as their identity: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name Property and Last Name Property are left blank since they are not necessary.

Select Save to save all changes.
Now that the Provider has been created and saved, download the metadata file for the SSO by selecting the download button.

This will open in a browser tab. We will want to save this as an XML file so we can upload to Microsoft Entra. Follow the Microsoft Entra documentation in the Apps Team Wiki for further guidance on setting up an app in Entra.
When the app configuration in Entra is complete, download the Federation Metadata XML file from the Microsoft Entra Admin Console.
In the app's properties in the Microsoft Entra Admin Console, set Assignment Required? to "No". Note that with this setting every account in the tenant can authenticate to the app through Entra, so who can actually use the app is controlled by the user accounts and roles in Knack, not by Entra assignment.


Navigate back to the custom SSO provider setup form in the Knack builder.
In the MS Entra metadata file, find the Identity Provider certificate in the metadata under the Signature tag, then the KeyInfo tag, then the X509Certificate tag. As a check, the same certificate should also appear under IDPSSODescriptor > KeyDescriptor use="signing" > KeyInfo > X509Certificate; that KeyDescriptor entry is the certificate Entra signs SAML responses with, so if the two differ, use the KeyDescriptor one.

Copy and paste the contents of the X509Certificate tag into the X509 Formatter.

Click the "Format X.509 Certificate" button, then copy the contents of the output box labeled "X.509 cert with header".
Go back to the login page Settings in the Knack builder application you are configuring. Paste the formatted certificate into the Identity Provider's certificate field in the Knack login config, removing any asterisks and additional spaces. The field should contain nothing but the BEGIN CERTIFICATE header, the base64 body, and the END CERTIFICATE footer.
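The following Python script is an added, constructed example and is not part of this wiki page, the Knack builder, or Microsoft's tooling. It does the metadata-reading and certificate-formatting steps above by hand so they can be checked: it pulls the Provider Entry Point from the <SingleSignOnService> Location, extracts the signing certificate from the Entra metadata (and cross-checks the Signature-tag certificate against the KeyDescriptor use="signing" one), wraps it in PEM headers at 64 columns the way the X509 Formatter does, rejects a paste that still contains asterisks or stray spaces, and prints the SHA-1 thumbprint so it can be compared with the Thumbprint shown for the SAML signing certificate in the Entra admin console. The embedded metadata document is constructed (placeholder bytes instead of a real certificate, stub signature elements); only the tenant ID in the Location is the one quoted above. All function names are my own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# XML namespaces used in an Entra Federation Metadata XML file.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the metadata file downloaded from the Entra admin console.
# Same shape as the real file, but the certificate payload is a placeholder byte string
# (NOT a real X.509 certificate) and the signature elements are stubs.
PLACEHOLDER_DER = b"constructed placeholder bytes standing in for a DER-encoded certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/>
    <SignatureValue>stub</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>CERT_B64</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          CERT_B64
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".replace("CERT_B64", PLACEHOLDER_B64)


def _b64_body(node):
    """Strip the whitespace the XML pretty-printer adds around base64 text."""
    return "".join(node.text.split())


def sso_entry_point(metadata_xml, binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"):
    """Provider Entry Point for Knack: the SingleSignOnService Location for the given binding."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def idp_signing_certificates(metadata_xml):
    """Base64 DER of every certificate Entra declares for signing SAML responses.
    A KeyDescriptor with no 'use' attribute counts for both signing and encryption.
    More than one entry means Entra is rolling its certificate over; pick the active one."""
    root = ET.fromstring(metadata_xml)
    return [
        _b64_body(c)
        for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for c in kd.iterfind(".//ds:X509Certificate", NS)
    ]


def matches_document_signature(metadata_xml):
    """Cross-check: the certificate under the top-level Signature tag (where the page above
    says to look) is one of the declared signing certificates. False means they differ and
    the KeyDescriptor certificate is the one Knack needs."""
    root = ET.fromstring(metadata_xml)
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return node is not None and _b64_body(node) in idp_signing_certificates(metadata_xml)


def to_pem(cert_b64):
    """Wrap the base64 body at 64 columns between PEM headers (what the X509 Formatter outputs)."""
    body = "".join(cert_b64.split())
    base64.b64decode(body, validate=True)  # raises on stray characters such as '*'
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def knack_field_is_clean(text):
    """True only if the text is exactly what belongs in the Identity Provider's certificate
    field: PEM headers plus base64-only lines of at most 64 characters, no asterisks or spaces."""
    lines = text.strip("\n").split("\n")
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return False
    body = lines[1:-1]
    if not all(re.fullmatch(r"[A-Za-z0-9+/=]{1,64}", ln) for ln in body):
        return False
    try:
        base64.b64decode("".join(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return True


def thumbprint(cert_b64, algorithm="sha1"):
    """Hex fingerprint of the DER certificate; SHA-1 is what the Entra admin console displays."""
    der = base64.b64decode("".join(cert_b64.split()), validate=True)
    return hashlib.new(algorithm, der).hexdigest().upper()


if __name__ == "__main__":
    print("Provider Entry Point:", sso_entry_point(SAMPLE_METADATA))
    certs = idp_signing_certificates(SAMPLE_METADATA)
    print("signing certificates in metadata:", len(certs))
    print("Signature-tag cert matches KeyDescriptor cert:", matches_document_signature(SAMPLE_METADATA))
    pem = to_pem(certs[0])
    print("SHA-1 thumbprint:", thumbprint(certs[0]))
    print(pem)
    print("clean paste:", knack_field_is_clean(pem), "| with asterisk:", knack_field_is_clean("*" + pem))
```

Run it against the real Federation Metadata XML by replacing SAMPLE_METADATA with the file's contents; the thumbprint check is the one worth doing every time, since a certificate copied from the wrong tag or the wrong app formats just as cleanly as the right one.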

Be sure to Save changes.
You are nearly finished! You must enable SSO on each login page (point of entry) by selecting the checkbox.

You may also want to confirm you have the JS & CSS necessary to render the SSO buttons properly; see 1st Time App Setup with Login Buttons.
The final step is to save the Identity Provider's Certificate (formatted X.509 with headers) in 1Password on the Knack ADFS X.509 Identity Provider Certificates record.

Locate the document in 1Password in the Knack Shared folder. Select Edit and make a new entry for the new Knack app: enter the app name, set the field type as a password, paste the certificate, and add the IP Cert label. Lastly, Save.
