New Settings > SSO, now with Custom SAML mapping rules!

Reason for the change

It's not often we rearrange things within KnowledgeOwl, but when we do, it's because we see a real need. Or, in this case, several real needs:

The Settings > Security page was getting quite lengthy. If you were setting up SAML SSO, it wasn't easy to figure out which fields were required, and several important steps were only accessible by clicking a hyperlink and viewing a pop-up.

We've also had many customers struggle with the direct mapping setup we've always used for SAML SSO, often because their SAML SSO didn't use groups, or didn't use the same groups they used in KnowledgeOwl. This made the setup process a lot more involved and sometimes required far more technical resources or infrastructure changes on their side or in their knowledge base setup.

So really, we had three issues:

  • Clutter
  • Unclear functionality/steps
  • Missing useful functionality that would make customers' lives easier

We wanted to solve all these problems, and perhaps against our better judgment, we decided to do it all at once. Go big or go home, huh?

Change 1: New Settings > SSO menu

We moved the entire SAML SSO, remote authentication, and Salesforce SSO setup out of Settings > Security and created a new top-level Settings section dedicated to SSO:

The new SSO Settings menu is located in Settings, beneath Security

We've added a tabbed layout here, so you can get at SAML Settings, the SAML Attribute Map (which was previously only accessible by clicking a link to open a pop-up), the Remote Authentication setup, and Salesforce SSO easily, without having to scroll past sections of the page that aren't relevant to you.

Change 2: Custom Rules for SSO Mappings

This isn't just a set of layout changes. Most importantly, we've added a brand-new feature: the ability to create Custom Attribute Map Rules (CAMR for short) for SAML SSO integration.

These rules greatly expand what you can do with SAML SSO.

Previously, you could only do "Direct" reader attribute mappings--passing a field directly as it exists in your IdP into KnowledgeOwl.

The new custom rules allow you to define logic to match certain conditions and set fields in KnowledgeOwl as a result of those conditions.

We created them to handle some of the common questions/use cases we get from customers trying to set up SAML/SSO, including things like:

  • We want to assign all users coming from our SAML IdP to a single reader group or a set of reader groups.
  • We want to "translate" multiple groups coming from our SAML IdP into one or two reader groups in KnowledgeOwl.

Rule to set any reader with an incoming group containing "EXT_" to the External users reader group

Direct mappings will always override CAMRs, so customers with existing SAML SSO setups should experiment with these with care--you may need to remove some existing direct reader attribute mappings to see the custom rules work.
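
To make the precedence concrete, here is a simplified model of the behavior described above, added as an illustration and not KnowledgeOwl's own code. The rule format, the operator names, the `memberOf` attribute, the "All SSO readers" group, and the assumption that a configured direct mapping for a field wins outright are all hypothetical.

```python
# Simplified model of the mapping behaviour described above. Not KnowledgeOwl's
# code: rule format, operator names and attribute names are assumptions.

def rule_matches(rule, attributes):
    """True if the rule's condition holds for the incoming IdP attributes."""
    values = attributes.get(rule["attribute"], [])
    if rule["operator"] == "any":        # match every reader from this IdP
        return True
    if rule["operator"] == "contains":
        return any(rule["value"] in v for v in values)
    if rule["operator"] == "equals":
        return any(rule["value"] == v for v in values)
    raise ValueError(f"unknown operator: {rule['operator']}")


def resolve_reader_groups(attributes, direct_map, rules):
    """Return (groups, source) for one login.

    direct_map: reader field -> IdP attribute name (a direct mapping).
    Assumption: a configured direct mapping for "groups" wins outright,
    so custom rules are never consulted for that field.
    """
    if "groups" in direct_map:
        return sorted(set(attributes.get(direct_map["groups"], []))), "direct"
    groups = {g for r in rules if rule_matches(r, attributes)
              for g in r["set_groups"]}
    return sorted(groups), "custom_rules"


# Constructed sample assertion attributes (not real data).
ASSERTION = {"memberOf": ["EXT_Contractors", "EXT_Partners", "VPN-Users"]}

RULES = [
    # The rule from the page: incoming group containing "EXT_" -> External users
    {"attribute": "memberOf", "operator": "contains", "value": "EXT_",
     "set_groups": ["External users"]},
    # Assign every reader from the IdP to one group (hypothetical group name)
    {"attribute": "memberOf", "operator": "any", "value": None,
     "set_groups": ["All SSO readers"]},
]

if __name__ == "__main__":
    # Existing setup: the direct mapping is still present and masks the rules.
    print(resolve_reader_groups(ASSERTION, {"groups": "memberOf"}, RULES))
    # After removing the direct mapping, the custom rules take effect.
    print(resolve_reader_groups(ASSERTION, {}, RULES))
```

Comparing the two results for the same test login shows whether a leftover direct mapping is still deciding which reader groups, and therefore which content, a reader gets.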

See the Direct Reader Attribute Map and Custom Attribute Map Rules documentation for more information!

Change 3: Other layout changes

Moving SSO into its own Settings menu and adding the tabs wasn't the only layout change we made.

In the SAML SSO Settings section, we've added an explicit section for the IdP Certificate, which makes it easier to figure out where to upload/how to update that certificate, and will display some details about the certificate that's being used. This should make it easier to tell when a certificate has expired, too:

In the SAML Attribute Map tab, we directly show all of the direct reader attribute map options instead of hiding them behind a hyperlink. We also added some messaging at the top to better describe what happens with the mappings.

We've updated all of our SSO documentation to match these changes.

If you've struggled with your SAML SSO setup, or you've been considering it but couldn't use it due to some mapping challenges, please take a look through this new functionality. (And even if none of those situations apply to you, you're welcome to take a look at the new layout and tell us what you think!)