Help with Microsoft Azure SSO using oAuth2

Hi folks, I’ve searched through this forum and found lots of unanswered and incomplete posts about Microsoft Azure SSO, but nothing much in the past year or two, so thought I’d post here again to see if anyone out there actually knows how to make Microsoft oAuth2 SSO work with Knack?

By the way, Microsoft now calls Azure Ad → “Microsoft Entra ID”.

I’ve set up the appropriate Knack app registration in Entra the way I think it should be set up (after referencing about 20 different incomplete references on this forum and elsewhere). It seems to have been accepted by Microsoft. If, for example, I don’t have the right redirect URI configured then Microsoft will throw up an error page when I try to log in, so I know things are “working” to some extent.

I have configured SSO in the Builder and it shows up as an oauth2 provider which I called Msoft. I see the Msoft login button on the login page. Every time I click it, after a few seconds I get the error message “An error occurred when looking up your Msoft account”. But I don’t know where to look for more detail of what Knack is complaining about.

If I look in the Azure sign-in logs I see a string of SUCCESSFUL user sign-ins from my Knack app using my account credentials (which do match those configured in Knack). So it seems Microsoft is seeing the login attempt as successful.

I’m therefore assuming Knack doesn’t like something about the returned information from Microsoft, rather than that Knack isn’t passing the right info to Microsoft. I have no idea how to proceed with troubleshooting this further.

Is there anyone out there who can offer some advice that might get me to the next step?

Hi there,

Please don’t hesitate to reach out to our support team to have them troubleshoot this issue for you. If you choose to, they will ask for a screenshot of how you have your configuration properties set up under the Single Sign-On section.

Sorry to hear you’re having so much trouble with this; I hope you get the resolution you need!

Have a great rest of your week :slight_smile:

OK, I have managed to get SSO working using SAML (not oAuth2) against a MS365 tenancy, so here is what you need to do to achieve that. I suspect I am also close with oAuth2 but haven’t got time or energy to troubleshoot it further - if you do work it out please post here how you achieved that so others will benefit.

INSTRUCTIONS FOR ESTABLISHING SSO using SAML with a M365 tenancy

You will need at least a Knack PRO license WITH THE EXTRA SSO OPTION, or any higher Knack license such as Corporate or Enterprise.

First, you (or your Microsoft Administrator) need to set up the MICROSOFT side of the equation. You achieve this through the Azure portal (Microsoft Azure). On that page, go into the “Manage Microsoft Entra ID” section (Azure AD has been renamed to Entra ID).

You should see an overview of your tenancy.

Under the MANAGE menu on the left, go into APP REGISTRATIONS. Add a NEW REGISTRATION. Call it something that makes sense to you, such as the name of your Knack app. Under Supported Account Types, choose the option that makes sense for you. In my case, I’m trying to lock down SSO access to users in my organisation, so I chose “Accounts in this organizational directory only (Berrell Network only - Single tenant)”. You also need to provide a Redirect URI. Select WEB as the platform, and enter the short URL to your app’s login page as the redirect URI - for example https://berrell.knack.com/TESTAPP. (Don’t include the #home/ that normally follows this).

Now you should be directed to a page that shows an overview of that App Registration. At this stage you will capture all the information you need to fill out the Knack side. I suggest you open a Notepad or Word doc to save this info into, as in some cases you only get 1 chance to capture it.

At the top of the page you will see a globe icon labelled ENDPOINTS. Click this. Capture the following URL strings - use the copy to clipboard icons at the right of the strings.

SAML-P sign-on endpoint → this is used in Knack as the “Provider Entry Point”
SAML-P sign-out endpoint → this is used in Knack as the “Logout URL”

Close the endpoints popup.

On the overview page, copy and paste the long hex string labelled “Application (client) ID”. This is used in Knack as the ISSUER.

Now you turn your attention to KNACK. In the builder, open the main LOGIN PAGE. Click on the Home Login Form, then choose SETTINGS on the left-hand side menu. You should see Single Sign On on the Settings Menu. Click the + Add Provider button.

Call the Provider Name whatever makes sense to your users - it will show up on the login page in a button labelled “Sign in with XXXXX”. So make it meaningful, for example COMPANY_LOGIN. Note it cannot contain spaces.

Leave button colour and font colour as they are - play with them later. Same with icon - add later if you want.

Enter the PROVIDER ENTRY POINT url that you captured earlier.
Enter the ISSUER hex string that you captured earlier.
Leave the 4 certificate fields BLANK.
Enter the LOGOUT URL that you captured earlier. It’s the same as the provider entry point.
Set Authentication Context to NONE.

Now, the various properties fields have to be entered EXACTLY as below - they are actually URLs (weird I know).

ID Property
http://schemas.microsoft.com/identity/claims/displayname

First Name Property*
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name Property*
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Email Address Property*
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Now SAVE that setup, and you should see it as an entry under Single Sign On. Make sure it’s TICKED (the entry has a checkbox).

Now go to the login page on the live app, press F5, and you should see the SSO button, which should now be working.

You may see a Microsoft message asking you to confirm on behalf of your organisation the first time you use the button.

That should be it - SAML should be working for you now.

ADDENDUM.
You will likely see a Microsoft error message come up when trying to log in saying something like:
AADSTS50011: The reply URL ‘https://ap-southeast-2-api.knack.com/v1/applications/(long hex string)/auth/Company_Login/return’ specified in the request does not match the reply URLs configured for the application blah blah blah

If/when you see this, copy the whole URL from https:// to /return. Then go back into the Azure admin screen, go back into the App Registration, click on the “Redirect URIs” link, then ADD URI and paste in that whole URL string. You will now have 2 URL strings in there - your app home URL and this Knack API URL. The error message will then no longer appear and you are back in action. Unfortunately, I don’t know how to pre-empt this error message - you need to wait till it happens to grab the URL …
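As an added example (not code from the original post, from Knack, or from Microsoft), here is a small Python script that checks the two places the instructions above say things go wrong: the four claim URIs that must be entered exactly as the ID / First Name / Last Name / Email Address properties, and the reply URL buried in the AADSTS50011 message that has to be copied into the app registration. The SAML response below is hand-constructed with the claim names Entra ID uses in the post, the tenant ID and application ID are placeholders, and the error message follows the shape quoted in the addendum. Running the checker against a response that is missing one of the four claims shows which Knack property will be empty, which is the kind of mismatch that surfaces in the Builder only as a generic “error looking up your account”.

```python
"""Check a SAML response for the claims a Knack SAML provider expects, and
pull the reply URL out of an AADSTS50011 error message.

Constructed example. The sample response and error text are hand-written;
the tenant and application IDs are placeholders, not real values.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Knack property field -> claim URI, exactly as entered in the Builder
# (these four URIs are the ones listed in the post above).
KNACK_CLAIM_MAP = {
    "ID Property": "http://schemas.microsoft.com/identity/claims/displayname",
    "First Name Property": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Last Name Property": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Email Address Property": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}

# Constructed SAML response; TENANT_ID_PLACEHOLDER is not a real tenant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT_ID_PLACEHOLDER/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>Jane Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed error text in the shape quoted in the addendum; APP_ID_PLACEHOLDER
# stands in for the long hex application ID.
SAMPLE_AADSTS50011 = (
    "AADSTS50011: The reply URL ‘https://ap-southeast-2-api.knack.com/v1/applications/"
    "APP_ID_PLACEHOLDER/auth/Company_Login/return’ specified in the request does not "
    "match the reply URLs configured for the application"
)


def extract_attributes(saml_response_xml):
    """Return {claim_uri: [values]} for every Attribute in the response."""
    root = ET.fromstring(saml_response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_response(saml_response_xml, claim_map=KNACK_CLAIM_MAP):
    """Map claim URIs onto Knack properties.

    Returns (mapped, missing): mapped is {knack_property: first_value},
    missing lists the Knack properties whose configured claim URI is absent
    or empty in the assertion (an exact, case-sensitive match is required).
    """
    attrs = extract_attributes(saml_response_xml)
    mapped, missing = {}, []
    for prop, uri in claim_map.items():
        values = attrs.get(uri, [])
        if values and values[0]:
            mapped[prop] = values[0]
        else:
            missing.append(prop)
    return mapped, missing


# Accepts straight or curly quotes around the URL, as the portal renders them.
REPLY_URL_RE = re.compile(r"reply URL\s*['‘\"](https://[^'’\"]+?/return)['’\"]")


def reply_url_from_aadsts50011(message):
    """Return the reply URL (https:// ... /return) from an AADSTS50011 message, or None."""
    m = REPLY_URL_RE.search(message)
    return m.group(1) if m else None


if __name__ == "__main__":
    mapped, missing = check_response(SAMPLE_RESPONSE)
    print("mapped:", mapped)
    print("missing:", missing or "none")
    print("reply URL to register:", reply_url_from_aadsts50011(SAMPLE_AADSTS50011))
```

To simulate a mis-typed property, change one claim URI in KNACK_CLAIM_MAP (or remove the matching Attribute from the sample) and re-run: the corresponding Knack property shows up in the missing list, which is what the exact-URI requirement in the post is about. The reply URL the regex extracts is the string the addendum says to paste into the app registration’s Redirect URIs.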