Overview
Managing separate credentials for every application creates real risk. Users choose weak passwords, reuse them across systems, and forget to revoke access when roles change. Enterprise SSO eliminates that problem by centralising authentication through your existing identity infrastructure, so access policy changes propagate everywhere simultaneously and users authenticate once to reach all their applications.
The module supports SAML 2.0, OAuth 2.0, OIDC, Zitadel IAM, and Keycloak, covering the full range of identity stacks found in enterprise and government environments.
Diagram

```mermaid
flowchart LR
    A[User] --> B[SSO Login]
    B --> C{Identity Provider}
    C -->|SAML 2.0| D[Attribute Assertion]
    C -->|OIDC / OAuth 2.0| D
    D --> E[Platform Session]
    E --> F[Directory Sync]
    F --> G[User Provisioned / Updated]
    F --> H[Group to Role Mapping]
    H --> E
```

Key Features
- SAML 2.0 Federation: Full support for Service Provider and Identity Provider modes with metadata management, automatic certificate rotation, and attribute mapping. Compatible with Okta, Azure AD, Google Workspace, OneLogin, PingFederate, Auth0, JumpCloud, Zitadel, Keycloak, and custom SAML providers.
- OAuth 2.0 and OpenID Connect: Modern authentication flows including Authorization Code with PKCE, Client Credentials, Device Authorization, and Refresh Token flows. Supports standard and custom scopes, claims, and dynamic client registration.
- Directory Synchronisation: Real-time bidirectional sync with LDAP, Active Directory, Azure AD, Google Workspace, and SCIM-compatible systems. Automatic user provisioning, attribute updates, and deprovisioning based on directory changes keep access current without manual intervention.
- Just-in-Time Provisioning: User accounts are created automatically on first SSO login with configurable attribute mapping, default role assignment, and welcome workflows, removing the need to pre-provision every user.
- Multi-IdP Support: Connect multiple identity providers simultaneously with routing by domain or user group. Automatic failover to backup identity providers ensures continuous access during outages.
- Adaptive Authentication: Risk-based step-up authentication for sensitive operations, with configurable policies based on user context, device trust, and access patterns.
- Secure Session Management: Configurable session policies including duration limits, concurrent session controls, cross-domain synchronisation, and federated single logout.
- Certificate Management: Automated certificate lifecycle management with expiration monitoring, rotation without downtime, and support for multiple signing certificates during transition periods.
- FIDO2 / Passkey Support: Phishing-resistant authentication with hardware security keys and platform passkeys, satisfying the highest assurance level requirements for government and defence deployments.
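The Authorization Code with PKCE flow listed above is the one public and native clients should use. The following is an added illustration of what PKCE actually binds together; it is not the module's own code. It models both sides of the exchange in memory (the client generating the verifier/challenge pair and building the authorization request, and the authorization server checking the verifier at the token endpoint), and shows why a code redeemed without the matching verifier, or redeemed twice, is refused. The endpoint URLs, `client_id` and `redirect_uri` are constructed placeholders; the test vector in the comments is the one from RFC 7636 Appendix B.

```python
"""Authorization Code flow with PKCE (RFC 7636), S256 method only.

Added illustration, not the module's implementation. Endpoint URLs,
client_id and redirect_uri are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: code_verifier is 43..128 characters drawn from
# the unreserved set [A-Z] [a-z] [0-9] "-" "." "_" "~".
_VERIFIER_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as the RFC requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """32 random bytes encode to 43 characters, the minimum allowed length."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_for(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).

    RFC 7636 Appendix B: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    gives challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.
    """
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def is_valid_verifier(verifier: str) -> bool:
    return 43 <= len(verifier) <= 128 and set(verifier) <= _VERIFIER_ALPHABET


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, scope: str, state: str,
                            challenge: str) -> str:
    """Client's first leg: the URL the browser is sent to at the IdP."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # binds the callback to this browser session (CSRF)
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """In-memory model of the IdP side; real servers also expire codes."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def issue_code(self, client_id: str, redirect_uri: str,
                   challenge: str, method: str) -> str:
        # 'plain' sends the verifier itself in the authorization request,
        # so it gives no protection; accept S256 only.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, challenge)
        return code

    def exchange(self, code: str, client_id: str, redirect_uri: str,
                 verifier: str) -> bool:
        # Pop first so the code is single-use whether or not the check passes.
        record = self._codes.pop(code, None)
        if record is None:
            return False
        stored_client, stored_redirect, challenge = record
        if stored_client != client_id or stored_redirect != redirect_uri:
            return False
        if not is_valid_verifier(verifier):
            return False
        # Recompute the challenge and compare in constant time.
        return hmac.compare_digest(code_challenge_for(verifier), challenge)


def demo() -> dict[str, bool]:
    """One honest exchange, one without the verifier, one replay."""
    idp = AuthorizationServer()
    client_id = "platform-web"                              # constructed
    redirect_uri = "https://platform.example/sso/callback"  # constructed
    verifier = generate_code_verifier()
    challenge = code_challenge_for(verifier)
    build_authorization_url("https://idp.example/authorize", client_id,
                            redirect_uri, "openid profile",
                            secrets.token_urlsafe(16), challenge)
    code = idp.issue_code(client_id, redirect_uri, challenge, "S256")
    honest = idp.exchange(code, client_id, redirect_uri, verifier)
    # A code presented without the verifier that produced its challenge fails.
    code2 = idp.issue_code(client_id, redirect_uri, challenge, "S256")
    no_verifier = idp.exchange(code2, client_id, redirect_uri,
                               generate_code_verifier())
    # The already-redeemed honest code cannot be used a second time.
    replay = idp.exchange(code, client_id, redirect_uri, verifier)
    return {"honest": honest, "wrong_verifier": no_verifier, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The point for operators: PKCE only helps if the IdP enforces the challenge at the token endpoint and refuses the `plain` method, which is why the model above rejects it at issuance rather than treating it as a lesser option.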
Supported Identity Providers
- Okta (SAML, OIDC, SCIM)
- Azure AD / Entra ID (SAML, OIDC, Graph API)
- Google Workspace (SAML, OIDC, Directory API)
- OneLogin (SAML, OIDC, SCIM)
- Auth0 (OIDC, SCIM)
- PingFederate (SAML, OIDC)
- JumpCloud (LDAP, SAML, SCIM)
- Zitadel IAM (OIDC, SCIM)
- Keycloak (SAML, OIDC, SCIM)
- Custom SAML and OIDC providers
Directory Integration
- Active Directory: LDAP and Kerberos support for on-premises directories
- Azure AD: Microsoft Graph API integration with delta sync for near-real-time updates
- Google Workspace: Directory API with organisational unit mapping
- SCIM 2.0: Standard provisioning protocol for any compatible system
- Bidirectional Sync: Configurable sync direction per attribute with conflict resolution
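The directory sync, just-in-time provisioning and group-to-role mapping described on this page all come down to one reconciliation step: compare a directory snapshot against the local user store and emit provision, update, reactivate or deprovision actions. The following is an added illustration of that logic, not the module's own implementation. Group names, role names, users and the `GROUP_TO_ROLE` table are constructed; the directory records stand in for what a SCIM, Graph API or LDAP query would return.

```python
"""Directory-to-platform reconciliation with group-to-role mapping.

Added illustration of the lifecycle logic described on the page; not the
module's own code. Groups, roles and users below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed mapping from directory group names to platform roles.
GROUP_TO_ROLE = {
    "sec-admins": "admin",
    "sec-analysts": "analyst",
    "staff": "viewer",
}
DEFAULT_ROLE = "viewer"  # what a JIT-provisioned user gets when no group maps


@dataclass(frozen=True)
class DirectoryUser:
    external_id: str      # stable IdP identifier (SCIM id, AD objectGUID, ...)
    email: str
    active: bool
    groups: frozenset


@dataclass
class LocalUser:
    external_id: str
    email: str
    roles: frozenset
    disabled: bool = False


def roles_for(groups: frozenset) -> frozenset:
    """Map directory groups to platform roles; fall back to the default role."""
    mapped = frozenset(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)
    return mapped or frozenset({DEFAULT_ROLE})


def reconcile(directory: list[DirectoryUser],
              local: dict[str, LocalUser]) -> list[tuple[str, str, Optional[dict]]]:
    """Return (action, external_id, detail) triples that bring the local
    store in line with the directory snapshot.

    Users are joined on external_id, never on email: addresses change on
    rename or domain migration and would orphan or duplicate accounts.
    Deprovisioning disables rather than deletes so audit history survives.
    """
    actions: list[tuple[str, str, Optional[dict]]] = []
    seen: set[str] = set()
    for du in directory:
        seen.add(du.external_id)
        lu = local.get(du.external_id)
        if not du.active:
            # Deactivated upstream: disable locally if still enabled.
            if lu is not None and not lu.disabled:
                actions.append(("deprovision", du.external_id, None))
            continue
        wanted = roles_for(du.groups)
        if lu is None:
            actions.append(("provision", du.external_id,
                            {"email": du.email, "roles": wanted}))
        elif lu.disabled:
            actions.append(("reactivate", du.external_id,
                            {"email": du.email, "roles": wanted}))
        else:
            changes = {}
            if lu.email != du.email:
                changes["email"] = du.email
            if lu.roles != wanted:
                changes["roles"] = wanted
            if changes:
                actions.append(("update", du.external_id, changes))
    # Still enabled locally but gone from the directory: the user has left.
    for ext_id, lu in local.items():
        if ext_id not in seen and not lu.disabled:
            actions.append(("deprovision", ext_id, None))
    return actions


def demo() -> list:
    """Constructed snapshot: one unchanged user, one rename plus role change,
    one upstream deactivation, one new joiner, one returning user, one leaver."""
    directory = [
        DirectoryUser("u-alice", "alice@example.test", True, frozenset({"sec-admins"})),
        DirectoryUser("u-bob", "bob.smith@example.test", True,
                      frozenset({"sec-analysts", "staff"})),
        DirectoryUser("u-carol", "carol@example.test", False, frozenset({"sec-analysts"})),
        DirectoryUser("u-dave", "dave@example.test", True, frozenset({"contractors"})),
        DirectoryUser("u-frank", "frank@example.test", True, frozenset({"staff"})),
    ]
    local = {
        "u-alice": LocalUser("u-alice", "alice@example.test", frozenset({"admin"})),
        "u-bob": LocalUser("u-bob", "bob@example.test", frozenset({"viewer"})),
        "u-carol": LocalUser("u-carol", "carol@example.test", frozenset({"analyst"})),
        "u-erin": LocalUser("u-erin", "erin@example.test", frozenset({"viewer"})),
        "u-frank": LocalUser("u-frank", "frank@example.test", frozenset({"viewer"}),
                             disabled=True),
    }
    return reconcile(directory, local)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Two choices in this sketch matter operationally: the join key is the directory's stable identifier rather than the email address, and a user missing from the snapshot is disabled, not deleted, so that the audit trail the Use Cases section relies on stays attached to the account. A production sync would additionally guard against an empty or partial snapshot (for example a failed LDAP page fetch) before deprovisioning anyone.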
Use Cases
- Government departments centralising authentication across dozens of internal systems while maintaining audit trails that satisfy national security requirements.
- Law enforcement agencies eliminating password sprawl across case management, evidence, and communications platforms with a single federated identity.
- Financial institutions meeting PSD2 strong authentication requirements while keeping the user experience manageable for staff working under time pressure.
- Healthcare providers automating user lifecycle management so that when a clinician changes role, access updates across all systems within minutes, not days.
- Critical infrastructure operators supporting hybrid on-premises and cloud environments by bridging legacy LDAP directories with modern cloud identity providers.
Getting Started
- Configure your Identity Provider: Create a SAML application or OAuth client in your IdP and configure redirect URIs and attribute mappings.
- Set up SSO: Import your IdP metadata, map attributes to local user fields, configure session settings, and test the authentication flow.
- Enable Directory Sync: Connect your directory, set up the sync schedule, map groups to roles, and trigger the initial synchronisation.
- Validate and Go Live: Test with a pilot group, verify attribute mappings, confirm MFA enforcement, and roll out to all users.
Availability
- Enterprise Plan: Included (all protocols, multi-IdP, directory sync)
- Professional Plan: SAML and OIDC SSO included; directory sync and advanced features available as add-on
Last Reviewed: 2026-02-23
Last Updated: 2026-04-14