OK, I have managed to get SSO working using SAML (not OAuth2) against a MS365 tenancy, so here is what you need to do to achieve that. I suspect I am also close with OAuth2 but haven’t got time or energy to troubleshoot it further - if you do work it out please post here how you achieved that so others will benefit.
INSTRUCTIONS FOR ESTABLISHING SSO using SAML with a M365 tenancy
You will need at least a Knack PRO license WITH THE EXTRA SSO OPTION, or any higher Knack license such as Corporate or Enterprise.
First, you (or your Microsoft Administrator) need to set up the MICROSOFT side of the equation. You achieve this through the Azure portal (Microsoft Azure). On that page, go into the “Manage Microsoft Entra ID” section (Azure AD has been renamed to Entra ID).
You should see an overview of your tenancy.
Under the MANAGE menu on the left, go into APP REGISTRATIONS. Add a NEW REGISTRATION. Call it something that makes sense to you, such as the name of your Knack app. Under Supported Account Types, choose the option that makes sense for you. In my case, I’m trying to lock down SSO access to users in my organisation, so I chose “Accounts in this organizational directory only (Berrell Network only - Single tenant)”. You also need to provide a Redirect URI. Select WEB as the platform, and enter the short URL to your app’s login page as the redirect URI - for example https://berrell.knack.com/TESTAPP. (Don't include the #home/ that normally follows this.)
Now you should be directed to a page that shows an overview of that App Registration. At this stage you will capture all the information you need to fill out the Knack side. I suggest you open a Notepad or Word doc to save this info into, as in some cases you only get 1 chance to capture it.
At the top of the page you will see a globe icon labelled ENDPOINTS. Click this. Capture the following URL strings - use the copy to clipboard icons at the right of the strings.
SAML-P sign-on endpoint → this is used in Knack as the “Provider Entry Point”
SAML-P sign-out endpoint → this is used in Knack as the “Logout URL”
Close the endpoints popup.
On the overview page, copy and paste the long hex-string labelled “Application (client) ID”. This is used in Knack as the ISSUER.
Now you turn your attention to KNACK. In the builder, open the main LOGIN PAGE. Click on the Home Login Form, then choose SETTINGS on Left hand side menu. You should see Single Sign On on the Settings Menu. Click the + Add Provider button.
Call the Provider Name whatever makes sense to your users - it will show up on the login page in a button labelled “Sign in with XXXXX”. So make it meaningful, for example COMPANY_LOGIN. Note it cannot contain spaces.
Leave button colour and font colour as they are - play with them later. Same with icon - add later if you want.
Enter the PROVIDER ENTRY POINT url that you captured earlier.
Enter the ISSUER hex string that you captured earlier.
Leave the 4 certificate fields BLANK.
Enter the LOGOUT URL that you captured earlier. It's the same as the provider entry point.
Set Authentication Context to NONE.
Now, the various properties fields have to be entered EXACTLY as below - they are actually URLs (weird I know).
First Name Property*
Last Name Property*
Email Address Property*
Now SAVE that setup, and you should see it as an entry under Single Sign On. Make sure it's TICKED (the entry has a checkbox).
Now go to the login page on live app, F5, and you should see the SSO button which should now be working.
You may see a Microsoft message asking you to confirm on behalf of your organisation the first time you use the button.
That should be it - SAML should be working for you now.
You will likely see a Microsoft error message come up when trying to log in saying something like:
AADSTS50011: The reply URL ‘https://ap-southeast-2-api.knack.com/v1/applications/(long hex string)/auth/Company_Login/return’ specified in the request does not match the reply URLs configured for the application blah blah blah
If/when you see this, copy the whole URL from https:// to /return. Then go back into the Azure admin screen, go back into the App Registration, click on the “Redirect URIs” link, then ADD URI and paste in that whole URL string. You will now have 2 URL strings in there - your app home URL and this Knack API URL. The error message will then no longer appear and you are back in action. Unfortunately, I don't know how to preempt this error message - you need to wait till it happens to grab the URL …
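A small helper for the AADSTS50011 step above, added here as an example and not part of the original post or of Knack's or Microsoft's own tooling. It pulls the reply URL out of the error text and explains why it does not match the redirect URIs on the app registration. Entra ID matches redirect URIs exactly (scheme, host and a case-sensitive path), so besides "never added" the usual culprits are a path that differs only by case, a trailing slash, or http instead of https. The error text, the application ID and the configured URI list below are constructed placeholders; the return-URL shape is taken from the message quoted in the post.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: an AADSTS50011 message in the shape the post describes.
# The 32-hex application ID and the GUID are placeholders, not real values.
SAMPLE_ERROR = (
    "AADSTS50011: The reply URL 'https://ap-southeast-2-api.knack.com/v1/applications/"
    "0123456789abcdef0123456789abcdef/auth/Company_Login/return' specified in the "
    "request does not match the reply URLs configured for the application "
    "'00000000-0000-0000-0000-000000000000'."
)

# Constructed sample: redirect URIs as they might look on the app registration.
# The second entry deliberately differs from the reply URL only in case.
SAMPLE_CONFIGURED = [
    "https://berrell.knack.com/TESTAPP",
    "https://ap-southeast-2-api.knack.com/v1/applications/"
    "0123456789abcdef0123456789abcdef/auth/company_login/return",
]

_REPLY_URL = re.compile(r"reply URL '([^']+)'")


def extract_reply_url(error_text: str) -> Optional[str]:
    """Return the reply URL quoted in an AADSTS50011 message, or None."""
    m = _REPLY_URL.search(error_text)
    return m.group(1) if m else None


def diagnose(reply_url: str, configured: List[str]) -> str:
    """Explain why reply_url was rejected against the configured redirect URIs.

    Entra ID requires an exact match, so no normalisation is applied when
    checking for success; the looser comparisons below only label near-misses.
    """
    if reply_url in configured:
        return "ok: exact match"
    if urlsplit(reply_url).scheme != "https":
        return "reply URL is not https"
    for cand in configured:
        if cand.lower().rstrip("/") == reply_url.lower().rstrip("/"):
            if cand.lower() == reply_url.lower():
                return f"case mismatch with configured URI: {cand}"
            return f"trailing-slash mismatch with configured URI: {cand}"
    return f"missing: add {reply_url} as a Web redirect URI"


if __name__ == "__main__":
    url = extract_reply_url(SAMPLE_ERROR)
    print(url)
    print(diagnose(url, SAMPLE_CONFIGURED))
```

Paste the real error text in place of SAMPLE_ERROR and the registration's current Web redirect URIs in place of SAMPLE_CONFIGURED; a "missing" result means the URL should be added exactly as printed, and a "case mismatch" result means the existing entry will never match and should be corrected rather than duplicated.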