Overview#
Managing separate credentials for every application creates real risk. Users choose weak passwords, reuse them across systems, and forget to revoke access when roles change. Enterprise SSO eliminates that problem by centralising authentication through your existing identity infrastructure, so access policy changes propagate everywhere simultaneously and users authenticate once to reach all their applications.
The module supports SAML 2.0, OAuth 2.0, OIDC, Zitadel IAM, and Keycloak, covering the full range of identity stacks found in enterprise and government environments.
Key Features#
- SAML 2.0 Federation: Full support for Service Provider and Identity Provider modes with metadata management, automatic certificate rotation, and attribute mapping. Compatible with Okta, Azure AD, Google Workspace, OneLogin, PingFederate, Auth0, JumpCloud, Zitadel, Keycloak, and custom SAML providers.
- OAuth 2.0 and OpenID Connect: Modern authentication flows including Authorization Code with PKCE, Client Credentials, Device Authorization, and Refresh Token flows. Supports standard and custom scopes, claims, and dynamic client registration.
- Directory Synchronisation: Real-time bidirectional sync with LDAP, Active Directory, Azure AD, Google Workspace, and SCIM-compatible systems. Automatic user provisioning, attribute updates, and deprovisioning based on directory changes keep access current without manual intervention.
- Just-in-Time Provisioning: User accounts are created automatically on first SSO login with configurable attribute mapping, default role assignment, and welcome workflows, removing the need to pre-provision every user.
- Multi-IdP Support: Connect multiple identity providers simultaneously with routing by domain or user group. Automatic failover to backup identity providers ensures continuous access during outages.
- Adaptive Authentication: Risk-based step-up authentication for sensitive operations, with configurable policies based on user context, device trust, and access patterns.
- Secure Session Management: Configurable session policies including duration limits, concurrent session controls, cross-domain synchronisation, and federated single logout.
- Certificate Management: Automated certificate lifecycle management with expiration monitoring, rotation without downtime, and support for multiple signing certificates during transition periods.
- FIDO2 / Passkey Support: Phishing-resistant authentication with hardware security keys and platform passkeys, satisfying the highest assurance level requirements for government and defence deployments.
Supported Identity Providers#
- Okta (SAML, OIDC, SCIM)
- Azure AD / Entra ID (SAML, OIDC, Graph API)
- Google Workspace (SAML, OIDC, Directory API)
- OneLogin (SAML, OIDC, SCIM)
- Auth0 (OIDC, SCIM)
- PingFederate (SAML, OIDC)
- JumpCloud (LDAP, SAML, SCIM)
- Zitadel IAM (OIDC, SCIM)
- Keycloak (SAML, OIDC, SCIM)
- Custom SAML and OIDC providers
Directory Integration#
- Active Directory: LDAP and Kerberos support for on-premises directories
- Azure AD: Microsoft Graph API integration with delta sync for near-real-time updates
- Google Workspace: Directory API with organisational unit mapping
- SCIM 2.0: Standard provisioning protocol for any compatible system
- Bidirectional Sync: Configurable sync direction per attribute with conflict resolution
Use Cases#
- Government departments centralising authentication across dozens of internal systems while maintaining audit trails that satisfy national security requirements.
- Law enforcement agencies eliminating password sprawl across case management, evidence, and communications platforms with a single federated identity.
- Financial institutions meeting PSD2 strong authentication requirements while keeping the user experience manageable for staff working under time pressure.
- Healthcare providers automating user lifecycle management so that when a clinician changes role, access updates across all systems within minutes, not days.
- Critical infrastructure operators supporting hybrid on-premises and cloud environments by bridging legacy LDAP directories with modern cloud identity providers.
Open Standards#
- SAML 2.0 (OASIS Security Assertion Markup Language): Service Provider and Identity Provider federation is implemented using the OASIS SAML 2.0 specification, including Web Browser SSO, Single Logout, and metadata exchange profiles. Attribute assertions and name identifier formats conform to the SAML 2.0 core and binding specifications.
- OAuth 2.0 (RFC 6749) and Bearer Token (RFC 6750): Token-based authorisation uses the OAuth 2.0 framework, supporting Authorization Code with PKCE, Client Credentials, Device Authorization, and Refresh Token grant types as defined in RFC 6749, with Bearer token transmission per RFC 6750.
- OpenID Connect 1.0 (OIDC): Identity layer built on OAuth 2.0 per the OpenID Foundation Core 1.0 specification, including ID token validation, UserInfo endpoint, and dynamic client registration (RFC 7591), providing interoperable authentication across all connected identity providers.
- SCIM 2.0 (RFC 7643 / RFC 7644): User and group lifecycle management, including provisioning, attribute updates, and deprovisioning across Azure AD, Google Workspace, Okta, and Keycloak, uses the System for Cross-domain Identity Management protocol as defined in RFC 7643 (schema) and RFC 7644 (protocol).
- FIDO2 / WebAuthn (W3C and FIDO Alliance): Phishing-resistant authentication with hardware security keys and platform passkeys is implemented against the W3C Web Authentication (WebAuthn) Level 2 specification and the FIDO2 CTAP2 protocol, satisfying authenticator assurance level AAL3 requirements for government and defence deployments.
- LDAP v3 (RFC 4511) and Kerberos v5 (RFC 4120): On-premises Active Directory integration uses LDAP v3 for directory queries and Kerberos v5 for Integrated Windows Authentication, allowing legacy directory infrastructure to participate in federated identity without protocol migration.
- X.509 PKI (RFC 5280): SAML signing certificates, TLS mutual authentication, and identity provider metadata are managed using X.509 v3 certificates conforming to RFC 5280, with automated lifecycle management covering issuance, rotation, and revocation without service interruption.
- JSON Web Token (RFC 7519): Session claims, group memberships, and role assignments are embedded as structured JWT claims exchanged across service boundaries, with signature validation enforcing issuer, audience, and expiry as defined in the RFC 7519 specification.
Getting Started#
- Configure your Identity Provider: Create a SAML application or OAuth client in your IdP and configure redirect URIs and attribute mappings.
- Set up SSO: Import your IdP metadata, map attributes to local user fields, configure session settings, and test the authentication flow.
- Enable Directory Sync: Connect your directory, set up the sync schedule, map groups to roles, and trigger the initial synchronisation.
- Validate and Go Live: Test with a pilot group, verify attribute mappings, confirm MFA enforcement, and roll out to all users.
Availability#
- Enterprise Plan: Included (all protocols, multi-IdP, directory sync)
- Professional Plan: SAML and OIDC SSO included; directory sync and advanced features available as an add-on
Last Reviewed: 2026-02-23 Last Updated: 2026-04-14