While specific individual steps vary based on your flavor of SAML Single Sign-On (SSO), at a high level, the overall process includes these steps:
- Add the KnowledgeOwl SP info to your SAML SSO provider: SP entity ID, SP Login URL, and SP Logout URL, all found in Settings > SSO.
- Add your IdP info to KnowledgeOwl in Settings > SSO: IdP entity ID, IdP Login URL, and IdP Logout URL.
- Upload the IdP certificate from your SAML SSO provider to KnowledgeOwl in Settings > SSO.
- Check the Enable SAML SSO box in KnowledgeOwl in Settings > SSO.
- Add the KnowledgeOwl x509 certificate (in View KnowledgeOwl SP Metadata in Settings > SSO) to your IdP.
- Map SAML attributes to fields in KnowledgeOwl so that reader accounts are created properly. SSO ID is required: you'll see an error if you skip this step. See Missing SSO ID mapping warning for more details.
  - For existing attributes that directly map to KnowledgeOwl fields, use Direct Reader Attribute Mappings.
  - To transform attribute values coming from your SSO provider (such as setting all readers to automatically be a member of one group in KnowledgeOwl), use Custom Attribute Map Rules.
- To help with troubleshooting or to see the attribute values being passed, check the Enable debug mode option in Settings > SSO. Then try logging in with an account through your SAML SSO provider. Instead of logging you in to the knowledge base, KnowledgeOwl will display the information being passed over from SSO, so you can confirm that a) info is being passed over, and b) you have chosen the correct attributes for your mappings.
- Optional: If you're using SAML SSO as your only or primary reader authentication mechanism, set the Default Login Page in Settings > Security to SAML Login URL.
- Optional: To make it so that SAML SSO is the only access method for your knowledge base, check the Restrict Access to SSO box in Settings > SSO.
For more detailed, step-by-step instructions, see: