
Add a custom SAML connection

Last updated January 15th, 2025

You can add a custom SAML (Security Assertion Markup Language) connection for user authentication as follows:

  1. Go to Setting > Identity & Directory > Connection in the Knox Manage console.

  2. On the Connection page, click Add.

  3. On the Add Connection page, enter basic information about a connection.

    • Connection Type — Select Custom SAML.

    • Connection Name — Enter a connection name, with a maximum length of 25 characters and consisting of letters, numbers, and special characters ("-" or "_" only). The connection name is used to distinguish each connection, and is also used when selecting connections elsewhere in the console.

  4. On the Server tab, do the following:

    • Knox Manage Entity ID (read-only) — Shows the auto-generated unique identifier for your Knox Manage entity.

    • Assertion Consumer Service URL (read-only) — Shows the URL where the SAML assertion will be sent after authentication.

    • Signed Request — Specify whether to use signed requests. Signed requests add an extra layer of security by verifying the authenticity of the request. Options are Use (default) and Do Not Use.

    • Signing Algorithm — Select the algorithm to be used for signing requests. Options are SHA-1 and SHA-256 (default).

    • Signing Certificate — Lets you download the signing certificate.

    • Metadata File — Lets you download the metadata file, which contains information about your IdP and its configuration.

    • Sign-In Hint Attribute — Lets you specify an attribute that provides a hint for sign-in. Choices are:

      • Distinguished Name (DN)

      • Department

      • Display Name

      • Email

      • Email Domain

      • Email User Name

      • Employee No.

      • First Name

      • Globally Unique Identifier (GUID)

      • Group Name

      • User Tags

      • Last Name

      • Administrator DN

      • Middle Name

      • Mobile No.

      • Organization Name

      • Organization Code

      • Phone No.

      • Position

      • Position Code

      • User-Defined 1

      • User-Defined 2

      • User-Defined 3

      • Security Level Name

      • Security Level Code

      • Work Location

      • Work Location Code

      • Tenant ID

      • User Principal Name (UPN)

      • User Certification (Base64)

      • User ID

      • User Name

    • Metadata URL — Lets you add a URL for the metadata file. You can verify the URL using the Verify button.

    • Verified Metadata URL (read-only) — Shows the verified metadata URL.

    • IdP Entity ID (required) — Provide the entity ID of your Identity Provider (IdP).

    • IdP Single Sign-On URL (required) — Provide the URL where the user will be redirected for SSO. You can test the URL using the Test button.

    • Additional SSO Parameters — Lets you specify one or more login parameters that you can additionally use to customize the SAML request, such as Email, Tenant ID, or User Name. You can enter values manually, or click Lookup and select from a list of valid entries.

    • SSO Binding (required) — Specify the binding method that will be used for SSO. Options are HTTP POST (default) and HTTP REDIRECT.

    • External Certificate — Specify whether to use an external certificate for SSO. Options are Use (default) and Do Not Use.

    • IdP Signature Certificate (required) — Indicates if there is a valid signature certificate from the IdP, along with when it's going to expire. If the field says "There is no valid certificate", you will need to upload or configure one.

    • Response Signature Verification (required) — Specify which parts of the SAML response should be verified. Options are:

      • Response — Verifies only the SAML response.

      • Assertion — Verifies only the SAML assertion within the response.

      • Response and Assertion (default) — Verifies both the SAML response and the assertion.

    • Response Signature Algorithm (required) — Select the algorithm for verifying the signature of the SAML response. Options are SHA-1 and SHA-256 (default).

    • IdP User Name (required) — Specify the SAML claim that will be used to map the user name from the IdP to Knox Manage. You can use the claim that is pre-filled for you, or select a different one using the Claim button.

    • Knox Manage User Attribute (required) — Select a Knox Manage user attribute to map the IdP user name. The list of available options is identical to Sign-In Hint Attribute. Defaults to Email.

    • Assign to Users or Groups — Specifies whether the connection can be used for user or group assignments. Options are Use (default) and Do Not Use.

  5. Click Save to save the connection, or Save & Assign to save and assign the connection to users or groups.
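The following Python script is an added example, not part of Knox Manage or of this guide, showing what the Server tab fields correspond to on the wire. It reads a constructed IdP metadata document to pull out the IdP Entity ID, the Single Sign-On URL for each binding (HTTP POST and HTTP REDIRECT) and the signing certificate, decodes a SAMLResponse form field of the kind posted to the Assertion Consumer Service URL, and then reports which parts of the response (Response, Assertion) carry a signature and which algorithm (SHA-1 or SHA-256) each uses, so you can confirm that the Response Signature Verification and Response Signature Algorithm settings match what your IdP actually sends. It inspects signature structure only; it does not perform XML-DSig verification, which Knox Manage does against the uploaded IdP Signature Certificate. All hostnames, IDs and certificate text in it are placeholders.

```python
"""Sanity checks for the IdP side of a custom SAML connection (standard library only)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Map protocol URIs to the labels the console uses.
BINDING_NAMES = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP REDIRECT",
}
SIGALG_NAMES = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}

# Constructed IdP metadata: idp.example.com and the certificate text are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.com/saml/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response: the Response is signed with SHA-256, the Assertion with SHA-1.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2025-01-15T00:00:00Z" Destination="https://km.example.com/acs">
 <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_r1"/></ds:SignedInfo><ds:SignatureValue>cmVzcA==</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-15T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>YXNzbg==</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 </saml:Assertion>
</samlp:Response>"""
# What a browser posts in the SAMLResponse form field under the HTTP POST binding.
SAMPLE_POST_FIELD = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def idp_settings_from_metadata(metadata_xml):
    """Extract the values you would enter as IdP Entity ID, IdP Single Sign-On URL
    (one per SSO Binding) and IdP Signature Certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        label = BINDING_NAMES.get(svc.get("Binding"))
        if label:
            sso_urls[label] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls, "signing_certs": certs}


def decode_post_response(saml_response_field):
    """Decode the base64 SAMLResponse form field into the XML document."""
    return base64.b64decode(saml_response_field).decode()


def _direct_signature_alg(element):
    """SignatureMethod Algorithm of a ds:Signature that is a direct child of element,
    or None if there is none. Only direct children count, so the Assertion's
    signature is never mistaken for a signature over the whole Response."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else ""


def signature_coverage(response_xml):
    """Report which parts of the response are signed and with which algorithm URI."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    return {
        "Response": _direct_signature_alg(root),
        "Assertion": _direct_signature_alg(assertion) if assertion is not None else None,
    }


def check_signature_policy(coverage, verify="Response and Assertion", algorithm="SHA-256"):
    """Mirror the Response Signature Verification and Response Signature Algorithm
    settings: every required part must be signed, using the configured algorithm."""
    required = ["Response", "Assertion"] if verify == "Response and Assertion" else [verify]
    problems = []
    for part in required:
        alg = coverage.get(part)
        if alg is None:
            problems.append(f"{part} is not signed")
            continue
        name = SIGALG_NAMES.get(alg, alg or "unknown algorithm")
        if name != algorithm:
            problems.append(f"{part} signed with {name}, expected {algorithm}")
    return problems


if __name__ == "__main__":
    print(idp_settings_from_metadata(SAMPLE_IDP_METADATA))
    coverage = signature_coverage(decode_post_response(SAMPLE_POST_FIELD))
    print(coverage)
    print(check_signature_policy(coverage, "Response and Assertion", "SHA-256"))
```

Run against a real SAMLResponse captured from your browser's developer tools, the script shows whether choosing Response and Assertion with SHA-256 would reject what the IdP sends (here it reports that the Assertion is signed with SHA-1), which is the usual cause of a connection that tests fine but fails at sign-in. Treat the XML it parses as untrusted input: for anything beyond a local check, parse with a hardened library rather than the plain standard-library parser.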
