Using Advanced SSO to authenticate from Azure AD

Hi all

Has anyone successfully used the Knack Advanced SSO to use Azure Active Directory as the authentication for their Knack App?

I've been piecing together the requirements at each end but so far haven't been able to get it to work. I get the following error on the Microsoft login page:

Sorry, but we’re having trouble with signing you in.

AADSTS900144: The request body must contain the following parameter: 'scope'.

If anyone can help, I'd be extremely appreciative.

Kind regards

 

Chris

 

After some additional experimenting I noticed that prior to showing the message above (Invalid signature) the URL string shows the following:

I also checked the AzureAD logs and see that my SSO request for login is being granted, and is successful.  I assume I am missing something on the Knack side as far as value for this "signature" situation but cannot seem to find anything in the SSO documentation about signatures.

The invalid signature message URL string it redirects AFTER the above string is:

https://customer.knack.com/app-name#home/?klem=Invalid%20signature

I am attempting to set up SSO using SAML 2.0 and have done much of the above (with some slight tweaks).  I think I am 90% there, but am getting an error from Knack now after seeing it start to authenticate:

3jgB2VZduW_s7RnVskVC7Q

This is after encountering a smattering of other errors where AzureAD was throwing up issues, but now I seem to be past all that and getting this from Knack.  Anyone have any idea what signature it is talking about? 

There is no entry in the configuration for a signature, or even a client secret (from Azure).  I did generate and enter an initial Identity Provider Certificate that was also uploaded to Azure properly.  

Glad it’s been helpful so far. Here’s some stuff you can try:

Email or password incorrect is an error returned by Knack, not Azure. Make sure you have the login page set to open or approval if you don’t have users manually provisioned in Knack. If set to closed, you will have to manually add the users under accounts in the data tab with the correct email. The password can be whatever since users will never use it. I personally use a 256 character hex string (I think this is what your issue is).
uogAWRt8cPq40iA_iTo2aw

You should be able to see this login attempt in your Azure sign-in logs either org-wide or in the enterprise application entry. You’ll get way more details on what went wrong in that entry compared to what Knack gives back if the issue was on the Azure side.

Make sure you have the right Graph permissions under your app registration > API Permissions and admin consent is granted

Hi Chandler
Thanks loads for your insights, you and another community member has been super helpful.
I have got to the point of authenticating which I think has been successful because I got this security email from Microsoft:

However, the app page I was attempting to access via the SSO wouldn’t login and I got this message.

Do you have any clue as to where I am going wrong?

Hi Dan,

Unfortunately you aren't going to find any straightforward docs from Microsoft on integrating with Knack. I personally did not use SAML, so I can't speak much to that exact setup. I used OAuth 2.0. I figure the process is probably relatively similar just different endpoint URLs and certs instead of secrets. This is how I did it for OAuth.

In the Azure AD Portal:

Create a new app registration. Under Authentication, set the redirect URI to the base URL of your application. I have two, one without the closing slash and one with, to handle however the user types it.

Also enable implicit grant:

Go to Certificates and Secrets. Generate a new client secret. This is the one you will use in Knack.

Go to API Permissions and add https://graph.microsoft.com/User.Read as a delegated permission. Go ahead and grant admin consent for your organization as well.

You can also go ahead and modify the enterprise application entry as well if you want to restrict the login to certain users in your org.

Hope this helps!

Hi Chandler,

Can you share any more details on how you setup the Azure side to work with Knack.

I've come across this Microsoft page, hoping to find knack listed with the setup. I'm looking at SAML setup and see "Bamboo" with some config settings in Azure AD.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bamboo-tutorial
 
Thanks
Dan

Thanks for the advice, Chandler. I'll see if Knack can turn Advanced SSO back on and try your suggestion.

Kind regards

 

Chris

My apps have working Azure AD Auth.
I had the same error : "AADSTS900144: The request body must contain the following parameter: ‘scope’. Resolved it by simply adding ?scope=openid to the end of the authorization URL.

So the Auth URL will be like: https://login.microsoftonline.com/<YOUR TENANT ID>/oauth2/v2.0/authorize?scope=openid

Token URL is the same. In case you also need the profile information:
INy38R-WxFQBs1paXp2MZQ

Hope this helps someone. I was stuck trying to figure this out for hours too. I wish there was a way to get Microsoft creds to also automatically apply when you embed into SharePoint.

Thanks Tony - we currently use Google SSO and already hide the Knack logon to avoid confusion for our internal Google App users.

I'm more interested in how we can get users to logon to Sharepoint with their Microsoft ID and then step into Knack up already authenticated against the MS user mapped to the Knack user.

Knack already has out-of-box SSO for facebook, twitter and Google. However, I'm not sure how we can achieve this with Microsoft. I'm looking to move to Microsoft, but it may mean our users that can currently get on to Knack with their Google User will now have an additional logon to knack each time which would be a bit of a pain.

Thanks for suggestion though. I'm sure there must be a solution for this somewhere - it's just not documented yet.

This recent SSO post might help with Azure. https://support.knack.com/hc/en-us/community/posts/360057818832-Here-are-some-learnings-on-Google-SSO-set-Up

Many thanks Chris

I'll let you know if we have any luck.

Regards

Adrian

Hi Adrian

No, not really. In effect, I was told that it was to do with a setting at the Microsoft side and was pointed to Microsoft documentation I had already reviewed. 

After five or six hours of investigation, I wasn't able to find a solution. In the end, my client cancelled their Advanced SSO add-on and I placed the Knack App login page as a tab within Teams. That way the App appears to be embedded (if using the desktop Teams App at least) but users still have to sign in with their separate credentials. Not ideal

It was a real shame that I couldn't get this to work, and I'd encourage Knack to consider if there is some way for them to write a "How To" guide for this as I think many people would like to integrate Knack and Azure. A bit like the guides Integromat writes for all the services they integrate with.

If you do have any luck, please let me know.

Kind regards

 

Chris

Hi Chris

Did you receive any pointers on this? I can't find anything in the help.

We are looking to move off Google Apps over to Microsoft 365 Business and am hope I embed our Knack Apps into sharepoint and have it sign on to the Knack App through Microsoft SSO.

Regards

Adrian