User Settings, Access, Permissions & Security

Knowi provides a variety of powerful options on user rights, access management and external authentication methods for both internal usage and embedded usage modes.

Please contact your account manager for any questions on mapping out the permissions model to your own enterprise level permissions model.

User Settings

Navigate to User Settings in Knowi to view, manage, or update your preferences for Account Settings, Plan Details, Usage, Team, Roles, and External Authentication from one central place.

Navigating to the User Settings

Click the user profile icon in the bottom-left corner of the interface and select User Settings to open the User Settings menu.

Managing Account Settings

Manage your account settings to view and manage the following:

  1. EMAIL/LOGIN: This is the email address linked to this account. While logging in to Knowi, this email address will work as the username. Please note that this field is not editable.

  2. NAME: Edit the name of the customer.

  3. PASSWORD: This is the password associated with this account. Click the Change Password button to add a new password.

  4. TIME ZONE: Select the time zone that will be used when this customer runs a query.

  5. DATE FORMAT: Change the default date format displayed to the user. There are three date formats available (MM/dd/yyyy, dd/MM/yyyy, yyyy/MM/dd). By default, dates are displayed in the US month-first format.

  6. LOCALE: This translates the user-interface language and model to the selected locale for the customer. Currently supported locales are en (English), de (German), and fr (French).

  7. API KEY: View the API key.

  8. ALWAYS SHARE TO GROUP: This automatically shares all assets, including any datasources, queries, widgets, and dashboards, to the selected groups. Click Edit to add, remove, or change the group.

  9. DEFAULT DASHBOARD: Click Edit to select the default dashboard that will appear upon login.

  10. MANAGEMENT API: Enable Management API to generate the client ID and client secret. This will allow the external services and apps to manage users and groups, datasources, queries, dashboards, and widgets programmatically.

  11. TWO FACTOR AUTHENTICATION: Enable Two Factor Authentication (2FA). This adds an extra security layer and the customer will be prompted to enter the verification code received via text message while logging in to the Knowi account.

Note: While the admin will have the access to view and manage all the aforesaid settings, the user will have access to view and manage only 1, 2, 3, 4, 5, 6, and 10 above. The viewer will have access to only view the set configurations for 1, 2, 3, 4, 5, and 10 above.

To learn more about the different user roles in Knowi (Viewer, User, and Admin), please refer to the documentation on User Roles.

On scrolling down further, the admin will be able to view and manage the following customer settings.

  1. GLOBAL HEADER: Define an HTML snippet to globally apply a custom header across all dashboards. Headers can also be set for a specific dashboard via the Dashboards settings.

  2. GLOBAL FOOTER: Define an HTML snippet to globally apply a custom footer across all dashboards. Footers can also be set for a specific dashboard via the Dashboards settings.

  3. PASSWORD EXPIRY: Set the password expiry in days. Set 0 for the password to never expire.

  4. DEFAULT TIME ZONE: Change the default time zone. If no default time zone is set, Knowi will default it to America/Los_Angeles.

  5. DEFAULT DATE FORMAT: Change the default account date format displayed to the user. By default, the date formats are displayed in the US month-first format.

  6. NLP SETTING: Provides different NLP settings across Knowi. The different settings available are:

    • NLP Across Datasets - Enables NLP interface across datasets

    • NLP Bot Integration - Enables NLP interface for Slack/Teams

    • NLP Favorites - Configure a list of NLP queries per category type displayed when a user types in /knowi. Typically, this would be the most commonly used questions.

    • NLP Synonyms - Configure a list of NLP synonyms. In the format: FieldName1=Synonym1,Synonym2,Synonym3

    • NLP Visualization first tab - On the dashboard, NLP search defaults to show the visualization first rather than the analyze grid.

  7. Instantsights: Provides automated text-based insights on widgets upon user clicks when turned on.

  8. Instantsights Icon Default: The default setting for Widget InstantSights Icon on each dashboard. Can be editable and overridden in dashboard settings.

  9. SSO Token: Generate an SSO token.

  10. TUNNEL INFORMATION: Enables the Tunnel key to be used with your datasources. Tunnel information can be used to connect to datasources that are inside your internal network. See Datasource Tunneling for more details.

  11. SESSION TIMEOUT: Set the session timeout in minutes. If left blank, the default session timeout of 30 minutes applies.

  12. CUSTOM LOGO: Set a link to your own logo image instead of the Knowi logo. The recommended size of the custom logo is 35px width and 36px height, transparent.

  13. CHART COLOR PALETTE: This will overwrite the default color palette for charts. Add up to 10 colors to the palette. These will be the default colors for chart legends unless you override them at the chart level.

  14. CUSTOM SMTP SERVER SETTINGS: Enable this to set up your custom mail SMTP server to send email reports, alerts, etc. from your mailbox.

  15. OpenAI Integration: OpenAI integration to generate queries using natural language.

  16. Force 2FA: Force Two-Factor Authentication for all users. A pop-up is displayed every time they log in.

Managing Current Plan

Navigate to the Plan Details tab to view the current plan and the features available within the same. Click on the Upgrade Plan button to send the Plan Upgrade request.

Account Usage Details

Navigate to the Usage tab to view the total number of widgets and rows running under the current account.

Managing Users & Groups

Navigate to the Team tab to perform actions like: Adding the users, Editing the users, Adding Groups, Removing the users, etc.

Custom Roles & Permissions

If the built-in roles don't meet the specific needs of your organization, you can add your own custom roles by navigating to the ROLES tab. Just like built-in roles, you can assign custom roles to users. See Custom Roles & Permissions for more information.

External Authentication Options

By default, Knowi authenticates users with an email address and password. However, you can also configure external authentication via SAML (including Okta) and LDAP. For an extra security layer, two-factor authentication can also be used.

To learn more about LDAP configuration, please refer to the documentation: External Authentication from LDAP.

To learn more about SAML configuration, please refer to the documentation: External Authentication from SAML.

User Roles

We offer three types of roles by default: viewer, user and admin.

If you have specific access management requirements, you can create your own custom role at any time.

Viewers

As a View only user, you are limited to consuming dashboards only. While you can download data associated with the widgets and run your own ad-hoc analysis on the data contained within the dashboards that you have access to, you will not be able to save or create any dashboards of your own. This role also cannot create any data assets, including datasources or queries. In addition, you will not be able to invite or manage other users or groups.

Notice the menu structure on the left is limited.

Dashboards

Upon logging into your account, you will be taken directly to your default dashboard. (Details on how to change your default dashboard can be found here).

Clicking on the Dashboard icon in the left sidebar will then reveal a dropdown list of all dashboards currently shared with you. Clicking on a Dashboard name will refresh the main page with the contents of the selected dashboard. You also have the ability to search for a specific dashboard by using the Search function within the Dashboard selector.

Dashboard PDF Export 

In the top right corner of the Dashboard, you will find an option to export the currently displayed dashboard as a PDF. If the dashboard contains one or more data grids, then these will appear as Appendices to the main Report.

Dashboard Filtering 

All data contained within the Dashboard can be filtered by various key fields present in the underlying data. The Filter icon can be found in the top right corner of the Dashboard.

Clicking on the filter icon will present you with a sliding Filter Window. Click the Add button here and select the Filter option to edit the filter.

All fields that have been made available to you for selection by the dashboard creator will appear in the Field to filter box. You simply select a field to filter on, followed by the condition (equals, not equals, etc) and then the required value.

You can create as many filters as you wish by clicking on the +Add button. To remove a filter, click on the delete icon.

For more information, please refer to the Filters section of our documentation.

Widgets

Each Dashboard will contain one or more Widgets. A Widget is simply another term for a visualization of the underlying data.

Widget Options

In the top right corner of each Widget, you will find a selection of icons that allow you to search, analyze, filter, and do more settings.

Statistical Information

Clicking on this icon will present you with a statistical overview of all the columns within the Widget, along with a pairwise scatterplot to visualize any data interaction.

Search

If the Widget type is a Data Grid, then the Search Icon will be available. Clicking on this icon will allow you to enter search criteria to find specific rows of interest.

Filters

Basic filtering can be applied to the data with the help of the filter icon. For more information, please refer to the Widget Filters section of our documentation.

Widget Settings

Clicking on the Settings icon will open up access to 4 further Widget functions. These are: Analyze, Data, Refresh & Maximize.

Analyze

Clicking on the Analyze option will take you to the Analyze Grid. From here you will be able to perform ad-hoc analysis of the data. 

The user can elect to drag and drop metrics from the left-hand side, into the metrics, grouping, sort, and filter areas to slice and dice the data.

On the Analyze Grid, you can perform specific functions by using the buttons and icons described below:

Add Function
Add Function button allows you to create new derived fields and manipulate data that is already on the grid. Add Function leverages the power of Cloud9QL. More details can be found here.

Add Step
Add Step button leverages the power of being able to perform sequential Cloud9QL operations upon the grid. For example, transforming data and then aggregating would be a 2 step process. 

Statistic
This icon will display statistical information for the grid as a whole, along with the option to display a pairwise scatterplot of data interactions.

Download
You can download all of your data to a CSV by clicking on the download icon.

Refresh
This icon resets to the original dataset and removes the current analysis.

Help
This help icon gives information about how to create your own analysis using the data of this section.

The Analyze section is divided into two parts: Data Transformation and Visualization.

Data Transformation: This section represents the widget data in a grid form.

Visualization: This section allows you to see the widget data as a visual.

Please refer to the Visualization section of our documentation for more information.

Data

The Data option will allow you to view the data for the selected widget, view the corresponding data types, and also to download the data if required.

Refresh

Refresh resets any widget filtering back to its default state.

Maximize

This will maximize the widget to fill the whole page.

User Settings

User settings can be found in the bottom left corner of the screen. From here, a user can change their password and their default timezone.

Users

User roles can:

  • Invite other users

  • Create and share dashboards, widgets, queries, datasources, agents

  • Create Email Reports

  • Create and manage Trigger Notifications

  • Create their own groups

  • Set Filters (dashboard or user level)

The example below illustrates the User Settings options available to a User.

Admin Users

Admins have all the rights of a user, plus the ability to edit/modify other users and their associated rights.

Team management for an Admin viewer:

Custom Roles & Permissions

If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users. Custom roles can be shared across all users within the customer. Custom roles can be created using the Roles tab in the User Settings dialog.

Custom Role Example

The following shows what a custom role looks like on the UI. This custom role can be used to restrict delete operations among queries/widgets/datasource and many other things.

When you create a custom role, it appears in the roles list with system flag as false.

Steps to create a custom role

  1. Determine the permissions you need

    When you create a custom role, you need to know which operations are available to define your permissions. To view the list of operations, use the list that appears as soon as you press the Add Role button. Each permission has a clarification message that explains what the role does; if you still have questions, contact your product partner and we'll change the message to be more explicit on the matter. To specify the permissions that you need, simply check them in the list. The Remove All & Select All buttons should help you to enable & disable all roles in the list.

  2. Create the custom role

    You can use the Add Role dialog to create the custom role. Typically, you start with an existing built-in role, copy it and then modify it for your needs. Then simply save it and preview the created role in the list.

  3. Test the custom role

    Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

For a step-by-step tutorial on how to create a custom role, see

Datasource

  • clone a datasource (datasource:clone): Allows the users to clone a Datasource. When disabled, the user cannot clone a Datasource, which removes the option to clone a Datasource.

  • create a datasource (datasource:create): Allows the users to create a Datasource. When disabled, the users cannot create a Datasource.

  • delete a datasource (datasource:delete): Allows the users to delete a Datasource. When disabled, the user cannot delete a Datasource and removes the option to delete a Datasource.

  • edit a datasource (datasource:edit): Allows the users to edit a Datasource. When disabled, the user cannot edit and save an existing Datasource.

  • see list of datasources (datasource:list): Allows the users to see the list of Datasources. When disabled, the user cannot see the Datasource list when the Datasources tab is selected.

  • share a datasource (datasource:share): Allows users to share a Datasource. When disabled, the users cannot see an option to share a Datasource.

Widget

  • clone a widget (widget:clone): Allows users to clone a widget. When disabled, the user cannot see an option to clone the widget.

  • create a widget (widget:create): Allows the users to create a new widget. When disabled, the user cannot see an option to create a new widget, which is not the same as cloning a widget.

  • delete a widget (widget:delete): Allows the users to delete a widget. When disabled, the users cannot see an option to delete a widget.

  • edit a widget (widget:edit): Allows the users to change widget settings (Visualization tab). When disabled, the user cannot make changes to the Visualization tab.

  • see list of widgets (widget:list): Allows the users to see the widgets list. When disabled, the users cannot see the widget button on the navigation pane, and the widgets list is empty.

  • manage widgets (widget:manage): Allows the users to select manage widgets from the widgets pane. When disabled, the manage widgets option is unavailable on the widgets pane.

  • share a widget (widget:share): Allows users to share widgets. When disabled, the users cannot share widgets.

  • manage widget secure share url (widget:share-secure-url): Allows users to share via secure URL. When disabled, the option to generate a secure share URL is unavailable.

  • manage widget share url (widget:share-url): Allows users to share via a share URL. When disabled, the option to generate a share URL is unavailable.

Users

  • create a user (user:create): Allows the users to create a user. When disabled, the users cannot create a user.

  • delete a user (user:delete): Allows the users to delete a user. When disabled, the option to delete a user is removed.

  • edit a user (user:edit): Allows the users to edit a user (user role, permissions, filters, etc). When disabled, the option to edit a user is removed.

  • invite new users (user:invite): Allows the users to invite new users. When disabled, the option to invite new users is removed.

  • see list of users (user:list): Allows the users to see a user list. When disabled, the user is unable to view the user list.

  • login as another user from user settings (user:login-as): Allows the users to login as another user. When disabled, the users cannot log in as another user through the team page.

  • allows user to see user-profile/logout section (user:profile): Allows the user to see the bottom left user icon. When disabled, the bottom left user icon is removed, and the user cannot log out or access user settings.

  • manage user account settings (user:settings:account): Allows the user to see the bottom left user icon - the ability to manage user account settings. When disabled, the user cannot see user settings but can log out.

  • manage 'always share to group' (user:settings:always-share-to-group): Allows the user to manage 'always share to group'. When disabled, the user cannot manage 'always share to group'.

  • manage API KEY (user:settings:api-key): Allows the users to manage the API key. When disabled, the user cannot manage the API key.

  • manage default dashboard (user:settings:default-dashboard): Allows the user to manage the default dashboard. When disabled, the user cannot view/select the default dashboard.

  • access 'ldap' tab on user settings page (user:settings:ldap): Allows the user to access the 'LDAP' tab under user settings. When disabled, the user cannot view the 'LDAP' tab under user settings.

  • manage management api (user:settings:management-api): Allows users to edit management API settings. When disabled, the user cannot edit management API settings.

  • access 'plans' tab on user settings page (user:settings:plan): Allows users to access the plans tab. When disabled, the users cannot access the plans tab.

  • see custom plan details (user:settings:plan-details): Allows users to access the custom plan details. When disabled, the users cannot access custom plan details.

  • access 'role' tab on user settings page (user:settings:role): Allows users to access the role tab on user settings page. When disabled, the users cannot access the role tab on the user settings page.

  • access 'saml' tab on user settings page (user:settings:saml): Allows users to access the 'saml' tab on the user settings page. When disabled, the users cannot access the 'saml' tab on the user settings page.

  • access 'team' tab on user settings page (user:settings:team): Allows users to access the 'team' tab on the user settings page. When disabled, the users cannot access the 'team' tab on the user settings page.

  • see detailed invitation settings (user:settings:team-invite-details): Allows the users to see team invitation details. When disabled, the users cannot see the team invitation details.

  • access 'usage' tab on user settings page (user:settings:usage): Allows the users to access the 'usage' tab on the user settings page. When disabled, the users cannot access the 'usage' tab.

Categories

  • create a category (category:create): Allows the users to create a category. When disabled, the users cannot create a category.

  • delete a category (category:delete): Allows the users to delete a category. When disabled, the users cannot delete a category.

  • edit a category (category:edit): Allows users to edit a category. When disabled, the users cannot edit a category.

  • see list of categories (category:list): Allows users to see a category list. When disabled, the users cannot see the list of categories.

  • share a category (category:share): Allows users to share a category. When disabled, the users cannot share categories.
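One way to carry out the "Test the custom role" step before assigning a role, as an added example (not Knowi code): it compares a custom role with the role it was copied from, using the permission identifiers listed above. Modelling a role as a set of identifier strings, the `SENSITIVE` selection, the `NEEDS_LIST` heuristic and the sample roles are assumptions of this example.

```python
# Added example, not Knowi code. Permission identifiers are the ones listed
# above; modelling a role as a set of identifier strings is an assumption.

CATALOGUE = {
    "datasource": "clone create delete edit list share",
    "widget": "clone create delete edit list manage share share-secure-url share-url",
    "user": ("create delete edit invite list login-as profile settings:account "
             "settings:always-share-to-group settings:api-key "
             "settings:default-dashboard settings:ldap settings:management-api "
             "settings:plan settings:plan-details settings:role settings:saml "
             "settings:team settings:team-invite-details settings:usage"),
    "category": "create delete edit list share",
}
KNOWN = {f"{res}:{act}" for res, acts in CATALOGUE.items() for act in acts.split()}

# Reviewer's own selection of grants worth a second look (an assumption of
# this example, not a Knowi classification).
SENSITIVE = {
    "user:login-as": "can log in as another user",
    "user:edit": "can edit users (role, permissions, filters)",
    "user:create": "can create users",
    "user:delete": "can delete users",
    "user:settings:api-key": "can manage the API key",
    "user:settings:management-api": "can edit Management API settings",
    "user:settings:ldap": "can open the LDAP tab",
    "user:settings:saml": "can open the SAML tab",
    "user:settings:role": "can open the role tab",
    "widget:share-url": "can generate a share URL",
    "widget:share-secure-url": "can generate a secure share URL",
}

# Heuristic (assumption): actions that are reached from the resource's list
# view. The page places the 'Login as this user' icon on the user list.
NEEDS_LIST = {"clone", "delete", "edit", "share", "manage", "login-as"}


def review_role(base, custom):
    """Compare a custom role with the role it was copied from."""
    base, custom = set(base), set(custom)
    valid = custom & KNOWN
    added = sorted(valid - base)
    warnings = []
    if "user:profile" not in custom:
        # Stated in the user:profile entry above.
        warnings.append("user:profile is off: users cannot log out or open user settings")
    for resource in CATALOGUE:
        if f"{resource}:list" in custom:
            continue
        stranded = sorted(p for p in valid
                          if p.startswith(resource + ":")
                          and p.split(":", 1)[1] in NEEDS_LIST)
        if stranded:
            warnings.append(f"{resource}:list is off but granted: {', '.join(stranded)}")
    return {
        "unknown": sorted(custom - KNOWN),      # typos or stale identifiers
        "added": added,                         # grants beyond the base role
        "removed": sorted(base - custom),       # grants taken away
        "sensitive_added": {p: SENSITIVE[p] for p in added if p in SENSITIVE},
        "warnings": warnings,
    }


# Constructed sample roles (not a dump of any built-in Knowi role).
BASE_ROLE = {"datasource:list", "datasource:create", "datasource:edit",
             "datasource:delete", "widget:list", "widget:create", "widget:edit",
             "widget:delete", "user:profile", "user:settings:account"}
CUSTOM_ROLE = (BASE_ROLE - {"datasource:delete", "widget:delete", "widget:list"}) | {
    "user:login-as", "widget:share-url", "datasource:remove"}

if __name__ == "__main__":
    for key, value in review_role(BASE_ROLE, CUSTOM_ROLE).items():
        print(f"{key}: {value}")
```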

User Groups

User groups are logical groupings of users that data related assets (dashboards, queries, datasources, agents) can be shared to. A user can belong to one or more groups.

Groups can be created and modified from the Team Management menu. Example:

Adding Users

Users can be added to an existing team to share assets and collaborate seamlessly across users. To add users, go to the Teams page within User Settings:

On the Team page, you can specify the user properties such as email address, roles and permissions, and any user-level specific attributes.

  1. Specify the email address, Role and associated Groups to the new user.

  2. Add any optional user filters. User filters enable row level security to filter out data. Read more about User Level Filters.

  3. If Two factor authentication is required, you can set it during the invite (or you can enable it later).

  4. Invite the user. Once the user has accepted the invite, they'll see all their data assets (dashboards, datasources, queries, agents) shared to them or their group.

For further information on User Access & Permissions, please click here.

Editing Users

Each user can customize their timezone and change passwords.

Admin users have more privileges like editing user roles, groups, timezones, user filters, and more for any other user. Admins can:

  1. Edit user name

  2. Edit user Timezone

  3. Enable 2FA, verifying the user's identity by sending a unique code to their cell phone.

  4. Edit user roles. To know the various user roles at Knowi, click here.

  5. Edit user groups and share permissions for other users. There are two permissions you can grant: View or Edit. Set to view if you want the user NOT to be able to share assets (dashboards, queries, datasources, etc.) to the selected group, but can only consume assets shared to this group by other users. Set to edit to allow them to share assets with the selected group. For example, "User Puja has edit access to the default group".

  6. Limit sharing to the selected groups. When checked, the user will only see other users within the same groups to be able to share assets and not others. For example, User Puja can see users only from the default group.

  7. Edit the default dashboard. The default dashboard is to be shown whenever the user logs in.

  8. Edit Always share to: Automatically share all assets created by the user to the selected groups. This is useful within a team setting to collaborate on assets created by one user to be shared with others automatically, without sharing individual assets explicitly. Shared assets include any datasources, queries, widgets, and dashboards.

  9. Apply/Edit filters.

Password Requirements

Knowi provides admins with additional control over password requirements for users on their instance.

To manage password requirements, select User Settings from the Settings panel. Changing the Password Expiry field to a number of days other than zero (0) prompts the user to reset their password.

Create a strong password for your Knowi account

Whether you're creating a password for the first time or resetting your password, Knowi will evaluate the strength of your password to make sure that it is secure and not easily guessed.

Passwords must be at least 8 characters long, and we don't restrict the use of numbers or special characters. As you create a new password, the system will provide feedback on password strength.

If you're having trouble coming up with a password that meets our requirements, use a long, random, and unique string of characters. You can use a passphrase, but it shouldn't be a common phrase from a book, movie, TV show, etc. as those are commonly used.

To choose and store a secure password, use a secure password manager like LastPass or 1Password to generate and auto-fill unique passwords for each site you visit, including Knowi.

Help, I've been locked out of my account!

If you fail five password attempts, your account will be locked. To unlock your account, reset your password or reach out to Knowi to assist you with resetting your password.

Login as (For Admin Users)

This option allows Admin users to log in to the application on behalf of any foreign user account that they have access to on the administration page. There are a number of restrictions that come with this feature.

1. user must be authenticated 
2. user must possess a role of ADMIN
3. user can use the feature only providing active customer account
4. user can NOT use the feature on behalf of a foreign account (in a chain)

The 'Login as this user' icon is supposed to be visible on the right hand action bar of the user list.

As soon as authentication is passed, an informational banner is attached to the top of the page with basic information about the selected user account.

At any point in time you can release the user account and get back to the original one by clicking on the 'Release user' button; you will then be redirected back to the user administration page.

Two Factor Authentication (2FA)

For an added security layer, an admin can enable Two-factor Authentication, which will send a unique verification code via SMS or email whenever the user logs in to Knowi.

SMS Verification

Upon enabling SMS verification, a one-time code will be sent to the provided phone number whenever the user attempts to log in.

Email Verification

Upon enabling email verification, a one-time code will be sent to the provided email address whenever the user attempts to log in.

Permissions

All data assets (dashboards, queries, datasources, agents) are private to the user by default, unless shared to other users or groups. Furthermore, each asset can be configured for granular read or edit access at a group or an individual user level.

Dashboard Sharing

Dashboards can be shared to a specific user or a group. In addition, you can specify whether the user has View or Edit access. View access restricts the user to a view mode where they can consume the dashboard, analyze the data, apply temporary filters (for their session), and download the data behind the visualizations, but cannot make any changes to the dashboard.

Datasource Sharing

A datasource, for example, a database connection can be shared to another user or group, with edit or consumption rights. With Edit, the user (or the group) will have access to modify the datasource (not common). With consumption only rights, the user can create new queries from the datasource, but will not be able to see or edit, or clone the datasource details.

You can add a query against the source.

Setting permissions:

Consume vs Edit: The first datasource in the following screenshot is consume only (note the actions that can be performed on the right) vs. full edit privileges on the other datasource.

Query Sharing

Queries can be shared with Edit or View only rights to groups and/or users. Edit rights enable collaboration on the same query by multiple users and includes edit, clone and delete rights for that query. A query shared with view only rights can be executed and cloned to create a user's own version of the query.

Enabling:

Consume vs. Edit rights: The first query in the screenshot below is consume only, the second has edit rights.

User Group Publish/Consume Permissions

A user can belong to one or more groups, and marked with either consumption or publish rights for the specific group. In consumption mode, the user has read access to assets shared, but cannot publish into the same group. This allows publishing of assets from one user into a group, but does not allow the consumer to publish it back into the parent group.

Example: Let's say an "engineering" group writes and publishes baseline queries to an analyst and wants to maintain the original queries and does not want that user to publish queries back to the engineering group. This can be done by setting the rights during the user invite. The analyst can publish it to their own groups, but cannot post back to the parent group.

Assigning user-group consume/edit rights:

Automatic Sharing

There may be cases when any asset that the user creates needs to be automatically shared to other groups, instead of sharing a specific asset explicitly (query etc.). In such cases, you can apply an 'Automatic Share to Group' setting that will automatically publish any assets created by the user to those groups, where they can be used by other users. This is available during user creation as well as within the edit menu.

User Level Filters & Security

User filters can be set that limit the data returned to the user across all their dashboards. There are two modes:

Query Parameters: Helps you define query parameters that can be passed all the way into direct queries against your datasource. These parameters can be set at the user level and replaced during query execution.

Filter on Query Results: This post-processes the data returned by any query to filter by the parameters set.

For an in-depth look at content filters, see section on Filters & Query Parameters.

External Authentication using LDAP

Overview

You can set up a connection with an LDAP server to allow your users to log in to Knowi using LDAP credentials. Please contact us to enable this feature. The LDAP server is used read-only: to log users in and to read information from the logged-in user object, which is mapped directly to Knowi fields contained within their user account.

LDAP configuration

Knowi supports transport/encryption via LDAP in the clear and LDAP over TLS. LDAP over TLS is strongly recommended. The LDAP tab can be found within User settings.

It is possible to create multiple different LDAP configurations. Click "Add" to add a new configuration. If you wish to edit an existing configuration, please select it from the drop-down list. After selecting the configuration, you can then edit or view the existing configuration or delete it by pressing the "Delete" button.

LDAP Configuration details

Connection

Enter a configuration name (any), your LDAP server host and port, and select the TLS checkbox if your LDAP server supports TLS encryption.

Lookup Authorization

This section is used to enter a "master" LDAP account which has access to read information about the LDAP user objects that you or your users want to log in with. After entering the credentials, you can click the small "Test" button to check that the credentials and Connection details are valid. This will connect to the LDAP server, "bind" with the entered master DN, and then unbind and disconnect from the server.

User mappings

Fill in the fields used to search for the user through LDAP:

Base search DN: this is the top root path from which the search for the user starts.

Login attributes: a comma-separated list of attribute names of user objects which will be used as the login field to log in to Knowi. E.g. this could be "uid", "cn", etc. The system will choose the first match on any of the provided attributes (an OR filter is used to search for users with these attributes).

Email attribute: this attribute will be read and assigned to the email field of the Knowi User.

User Name Attributes: this field is a list of attributes used to set the Knowi User Name; commonly this is First Name and User Name.

ID attribute: an important field, as this should uniquely identify your user in the LDAP server.

Filter (optional): an optional filter used to narrow the search through user objects for login. E.g. you can filter by groups, organizations, etc. Please refer to your LDAP server documentation for the filter syntax.
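The following added example (not Knowi's own code) shows how a login search filter of the kind described above can be composed safely: the Login attributes are ORed, and the value typed by the user is escaped per RFC 4515 so it can only match literally. Combining the optional Filter with AND, and the function names, are assumptions made for illustration.

```python
import re

# RFC 4515 requires these characters to be escaped inside a filter value.
_SPECIAL = "\\*()\x00"
# Attribute descriptions: a letter followed by letters, digits or hyphens.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape user input so it can only ever match as a literal value."""
    return "".join("\\%02x" % ord(c) if c in _SPECIAL else c for c in value)


def build_login_filter(login_attributes, login_value, extra_filter=""):
    """Compose the search filter for one login attempt.

    login_attributes: the comma-separated "Login attributes" setting.
    login_value:      what the user typed into the ID field (untrusted).
    extra_filter:     the optional "Filter" setting (admin-supplied).
    """
    names = [n.strip() for n in login_attributes.split(",") if n.strip()]
    if not names:
        raise ValueError("at least one login attribute is required")
    for name in names:
        if not _ATTR_NAME.match(name):
            raise ValueError("invalid attribute name: %r" % name)
    if not login_value:
        raise ValueError("empty login value")  # an empty ID identifies nobody

    value = escape_filter_value(login_value)
    terms = "".join("(%s=%s)" % (name, value) for name in names)
    login = terms if len(names) == 1 else "(|%s)" % terms
    if not extra_filter:
        return login
    # Assumption: the optional filter narrows the search, so it is ANDed in.
    extra = extra_filter if extra_filter.startswith("(") else "(%s)" % extra_filter
    return "(&%s%s)" % (login, extra)


if __name__ == "__main__":
    # Constructed sample values.
    print(build_login_filter("uid, cn", "jdoe"))
    print(build_login_filter("uid", "a*(b)", "memberOf=cn=bi,ou=groups,dc=example,dc=com"))
```

Without the escaping step, a wildcard typed into the ID field would match any user object under the Base search DN instead of one specific account.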

Roles and Groups management

Please choose which Knowi role will be mapped to the LDAP user when logging into Knowi. Optionally, you may select Default Groups which will then be sent to the user. If you change any of these settings, it will be applied to LDAP users upon their next login into Knowi.

After saving the newly created LDAP configuration, you will get an LDAP login URL. This is the URL that your LDAP users should then use to log in to Knowi.

LDAP login test

At the bottom of the LDAP configuration, you will find a "Test login" button. Selecting this will present a login dialog box. Enter the login attribute values to log in with an LDAP account and press Test. This will mimic all login sequences by searching for the user via the set attributes and binding it if possible. If the password is not entered (it is optional), the user will just be found using the master LDAP account and not bound with a password.

This section is useful if you wish to test whether all LDAP configuration fields are valid. After pressing the Test button, you will see log output showing the exact steps made by the system to connect to LDAP.

Login with LDAP

First, you will need to provide the LDAP login link to your users. This link is obtained above. This link is associated with your customer account and your exact LDAP configuration. When the user uses this link, they will be presented with a special login window. In the "ID" field, the user should enter a login attribute value (corresponding to a login attribute in your LDAP server). In the password field, the user should type their LDAP password. After login, the user will be granted access to Knowi.

If this is a first-time user with such an ID (the ID is set up in the LDAP configuration page), then this user will be automatically created as a new user in Knowi. If this is an existing user login, then they will be directed to their Knowi user account. In this case, all changed fields, roles, and groups will be updated from the LDAP server into the Knowi user account. E.g. if the user name in the LDAP server was changed, this will be updated in Knowi upon login.

External Authentication using SAML

SAML-based single sign-on (SSO) gives members of your organization access to Knowi through an identity provider (IdP) of your choice.

To use SAML, you must have a cloud identity provider (IDP) or federation service in place that supports authentication via SAML 2.0. For more information about SAML 2.0, see http://en.m.wikipedia.org/wiki/SAML_2.0

You must have an "Admin" default security role or a custom role with "user:settings:saml" enabled to set up SAML. For more information about default roles and custom roles, see User Roles.

Getting Started

SAML authentication needs to first be enabled by Knowi. To update your license for this feature, contact your account manager or open a support request in Knowi's Help Center by clicking Contact Us.

Once your license is updated, navigate to the SAML tab in the Settings section of Knowi, then click the Add button to see the following configuration options. Note that any changes to configuration options do not take effect until you click the Save button at the bottom of the page.

SAML Auth Settings

Knowi requires the IdP URL, IdP Issuer, and IdP Certificate to authenticate your IdP.

Note: Dynamic configuration with IdP Metadata is not supported at this time.

IdP URL: The URL where Knowi will go to authenticate users.

IdP Issuer: The unique identifier of the IdP.

IdP Certificate: The public key to let Knowi verify the signature of IdP responses.

Additional SAML attributes supported by Knowi

contentFilter: The contentFilter attribute lets you set content filters for your users. Like all other attributes, it can be on groups or directly on a user within your IDP and they stack up like the 'group' attribute. Please note that it might be necessary to enable attribute aggregation on your IDP for stackable attributes. If no contentFilter attribute is present, content filters for that user will be unset, meaning the user has access to the full data.

dashboardUrl: sets the dashboard that a user sees after logging in. You can either paste the entire URL or just the dashboard ID part from a URL, both should work. If this attribute is not present, the most recently opened dashboard will be displayed for return logins and the playground will be launched for new users.

role: sets the user role, only one role per user is supported at this time. If no role is provided from an attribute, the default role from the SAML configuration will be used.

groups: The groups that the user will be part of in Knowi. Users can be put into multiple groups in Knowi by adding more than one 'group' attribute. If no groups attribute is present, the default groups from your SAML config will be used.

logoutUrl: this attribute, a full URL (for example, https://www.knowi.com), will cause the user to be redirected to that URL upon logout. If this attribute is not set, the Knowi home page will be opened upon logout.
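Because a missing contentFilter leaves the user with access to the full data, it is worth checking what your IdP actually sends before rollout. The following added example (not part of Knowi) reads the AttributeStatement of a sample assertion you exported from your IdP and lists which of the fallbacks described above would apply; it does not verify signatures, and the sample XML, role names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AttributeStatement, not captured from a real IdP.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="role">
    <saml:AttributeValue>Viewer</saml:AttributeValue>
    <saml:AttributeValue>Editor</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="logoutUrl"><saml:AttributeValue>www.example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def read_attributes(xml_text):
    """Return {attribute name: [values]} from a SAML 2.0 AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter("{%s}Attribute" % SAML_NS):
        values = [v.text.strip() for v in attr.iter("{%s}AttributeValue" % SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def audit(attrs):
    """List the fallbacks that would apply for this user, per the rules above."""
    findings = []
    if not attrs.get("contentFilter"):
        findings.append("contentFilter missing: content filters unset, user sees the full data")
    roles = attrs.get("role", [])
    if len(roles) > 1:
        findings.append("role has %d values: only one role per user is supported" % len(roles))
    elif not roles:
        findings.append("role missing: default role from the SAML configuration is used")
    if not attrs.get("groups"):
        findings.append("groups missing: default groups from the SAML configuration are used")
    for url in attrs.get("logoutUrl", []):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append("logoutUrl %r is not a full URL" % url)
    return findings


if __name__ == "__main__":
    for finding in audit(read_attributes(SAMPLE)):
        print(finding)
```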

Default Groups and Roles

You can set a default role and groups for new SAML users. In the User Roles and Groups section, enter the names of any Knowi roles or groups to which you want to assign new Knowi users when they first log in to Knowi.

These groups and roles are applied to new users at their initial login. The groups and roles are not applied to pre-existing users, and they are not reapplied if they are removed from users after the users' initial login.

User Attributes Setting

In the following fields, specify the attribute name in your IdP's SAML configuration that contains the corresponding information for each field. The SAML attribute names tell Knowi how to map those fields and extract their information at login time. Knowi isn't particular about how this information is constructed; it's just important that the way you input it into Knowi matches the way that the attributes are defined in your IdP.

NAME VALUE
userId user.id
userEmail user.email
userLogin user.login

Signing out of Knowi when using Single Sign-On

To completely sign out, you must sign out of Knowi and close the browser.

  1. Click the Logout button on the bottom-left menu of the navigation bar
  2. Close the Web browser

Using Knowi with Single Sign-On

When using Knowi with Single Sign-On, you cannot

  • be sent a forgotten password email

  • change your password in your profile

FAQ

Q: Can I use an alternate login with SAML?

Knowi email/password logins are available for Admin users. This option is useful as a fallback during SAML Auth setup should SAML config problems occur later, or if you need to support some users who do not have accounts in your SAML directory.

Q: Can I merge an existing Knowi user to SAML or vice versa?

You can merge or transfer a user between authentication types (Knowi email/password, LDAP, SAML, SSO). This can be done using the Management API or from the UI.

How to self-configure SAML SSO with Okta

Knowi uses single sign-on (SSO) for Enterprise users to simplify the sign-in process and allow access to Knowi using several authentication sources, including Okta. Your Workspace must be subscribed to the Enterprise plan if you wish to set up SSO.

If you're the Admin of your company's Enterprise account, you can configure SSO using the following steps:

  1. Go to your SAML tab by clicking on Settings in the left navigation bar then User settings. Click on SAML then Add. Keep this tab open, as you'll be returning to your Knowi Workspace later.

  2. Open up your Okta admin portal and set up a new application using the Applications tab. Select SAML 2.0 as your sign-on method. Configure your new integration by naming it Knowi and adding a logo if you want.

  3. You'll now see Knowi's SAML Settings. Start with the General section below. You'll need to grab some information from Knowi and input it into Okta:

    • Paste the SSO URL from Knowi into the Single sign on URL field on Okta.

    • Paste the Audience URI from Knowi into the Audience URI (SP Entity ID) field on Okta.

    • For Name ID format, choose Unspecified.

    • For Application username, choose Okta username.

  4. Scroll down to Attribute Statements in Okta. You'll need to map your fields:

    • For userId, map to the value within your organization's Okta setup.

    • For userEmail, map to the value within your organization in Okta. Note: It's important to follow the same capitalization format in your organization when you add this name.

    • For userLogin, map to your organization's Okta value as well. Capitalization matters here, too.

    Knowi doesn't yet support group attribute statements, so you can leave that portion blank.

  5. Hit next and fill out the final Okta form according to your own preferences. This won't impact anything in your Knowi Workspace.

  6. Your application is ready! You'll now need to take some information from Okta and bring it back to your Knowi portal. Start by clicking View Setup Instructions in your Sign-on Methods settings.

    • Paste the IdP SSO URL, shown under Identity Provider Single Sign-On URL in Okta, into your Knowi SAML settings where it says IdP URL.

    • Paste the IdP Issuer, shown under Identity Provider Issuer in Okta, into your Knowi SAML settings where it says IdP Issuer.

    • Copy and paste your X.509 Certificate from your setup instructions in Okta to your Knowi SAML settings.

  7. You can now Test the configuration and Save the Knowi SAML settings.
