Configuring new certificates for all Knack Apps - When certs expire!

How to setup SSO in Knack for Azure ADFS

This scenario comes up every two years when our SSL certificates expire, during the summer season (June-July). We have an Outlook calendar event notification to remind us when to do this.

If you need to generate a new certificate (because the current cert has expired, for example), see our SSL Certificate Management article for instructions. Note that as a best practice we use the same certificate across all Knack apps, so if you do need to generate a new certificate, you should do this for every Knack application. Consult the application team before embarking on this.

  1. Generate new certificates according to our SSL Certificate Management article

  2. Make sure to save those new certificates in One Password with proper formatting

  3. Schedule a meeting with CTM so they can update Azure Active Directory as you update app certificates (this limits or negates any downtime users will have signing into apps)

  4. During the meeting, navigate to a Knack login page with SSO enabled in the builder

  5. Replace the Decryption private certificate and the Decryption public certificates with the new certificates that we just created

  6. Save and test an SSO login page. If you get a Public Key error, CTM will need to recreate the app instance in Azure. Otherwise, update and test each app accordingly until complete

If testing does result in a Public Key error, continue with the following steps:

  1. As CTM is recreating the new app instance in Azure, remove the Identity Provider's certificate in Knack and then provide CTM the updated metadata file or link with only the Decryption private and public certificates filled in. All other Provider Settings should remain and stay the same

  2. CTM will add the metadata info to Azure, allowing them to provide you a new metadata file or link with the x509 certificate in it

  3. Verify with CTM that the x509 certificate in the file you received matches the Identity Provider certificate in Azure (by matching the last few characters of the cert)

  4. Copy that x509 certificate from the metadata file or link

  5. Use the X509 Formatter to format the x509 certificate with headers

  6. Add to the Knack Identity Provider's certificate box and save the updated credentials

  7. Test an SSO login page to ensure its working correctly

  8. Add the new, app-specific Identity Provider (IP) certificate to One Password, and repeat these steps for each Knack app
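Steps 3 to 5 above (verify the x509 certificate in the metadata against what CTM sees in Azure, copy it out, and format it with PEM headers) can be done by hand, but comparing only the last few characters of a base64 blob is a weak check. The script below is an added example, not part of the original runbook or anything Knack provides: it pulls every X509Certificate out of a SAML metadata file, wraps it in the same headers the X509 Formatter produces, and prints a SHA-256 fingerprint that CTM can compare against the thumbprint shown in the Azure portal. The metadata document and the certificate bytes inside it are constructed placeholders (the "DER" is not a real certificate), so replace SAMPLE_METADATA with the file or link CTM actually sends you.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholder bytes standing in for DER; NOT a real X.509 certificate.
PLACEHOLDER_DER = bytes(range(256)) * 2
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

# Constructed sample metadata shaped like an IdP metadata document (the entityID and
# tenant id are placeholders, not values from any real Azure tenant).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_certificates(metadata_xml: str) -> list:
    """Return the base64 body of every <ds:X509Certificate>, with whitespace removed."""
    root = ET.fromstring(metadata_xml)
    return ["".join(el.text.split())
            for el in root.iter(DS_NS + "X509Certificate") if el.text]


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 body in PEM headers, 64 characters per line
    (the same output the X509 Formatter step produces for the Knack IdP box)."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the decoded certificate bytes, colon separated,
    in the same layout as `openssl x509 -fingerprint -sha256`."""
    der = base64.b64decode(cert_b64, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(cert_a_b64: str, cert_b_b64: str) -> bool:
    """Compare whole fingerprints rather than the trailing characters of the base64."""
    return fingerprint(cert_a_b64) == fingerprint(cert_b_b64)


if __name__ == "__main__":
    for cert in extract_certificates(SAMPLE_METADATA):
        print(to_pem(cert))
        print("SHA256 fingerprint:", fingerprint(cert))
```

Paste the PEM output into the Knack Identity Provider's certificate box (step 6) and read the fingerprint to CTM over the call; if it does not match the certificate on the Azure app instance, the metadata you received is for a different instance and step 2 needs to be repeated.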

Possible Errors

If you get the Public Key error in your browser, a new app instance must be created in Azure by CTM where the existing IP Cert must be removed and replaced with the new certificate CTM provides. Refer to the Configuring new certificates for all Knack apps above for the steps to take.

If you see an error similar to this: (AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'atd.knack.com/'), contact CTM and ask them to update the Azure instance's ACS URL so that US is included in the URL.
