Single Sign-On (SSO) Overview
Single Sign-On (SSO) allows your app's users to authenticate using an existing identity provider, removing the need to manage separate usernames and passwords in Knack. This simplifies the login experience and gives your organization centralized control over access.
Available SSO Methods
Knack supports three SSO methods. The right choice depends on your identity provider and your organization's authentication requirements.
Version compatibility: Google SSO is available in both Classic and Next-Gen. If you've already configured Google SSO in one version, it works in the other without any additional setup. SAML and OAuth must be configured separately in each version. A SAML or OAuth setup completed in Classic will not carry over to Next-Gen, and vice versa.
| Method | Best for | Plan requirement |
|---|---|---|
| Google SSO | Apps where users sign in with Google accounts | All paid plans |
| SAML | Enterprise identity providers like Okta, Azure AD, or OneLogin | Corp and above, or Pro with SSO Add-on |
| OAuth | Custom or third-party OAuth 2.0 providers like GitHub | Corp and above, or Pro with SSO Add-on |
How SSO Works in Knack
When SSO is enabled on a Knack app, users who attempt to log in are redirected to your identity provider to authenticate. Once authenticated, they are redirected back to your app. Knack matches the returning user to an existing record in your Users table based on email address.
A few things to keep in mind:
- SSO is configured per app, not at the account level.
- If users do not already exist in your Knack Users table, they will be added automatically (if page registration allows).
- Multiple SSO methods can be configured and active at the same time.
SSO Authentication Flow — Role Assignment Behavior
All SSO providers (Google, OAuth, and SAML) follow a unified authentication flow with one key distinction based on whether the user already exists in the system:
- New users: The user is created first, then logged in. The appropriate role based on the page access setting is assigned at the time of account creation.
- Existing users: If an existing user attempts to sign up through a role-specific page for a role they haven't been granted, roles are not reassigned or granted; the user is simply logged in with their existing role intact.
Choosing the Right Method
Use Google SSO if your users sign in to other tools with Google and you want a fast, low-configuration setup. No identity provider account is required.
Use SAML if your organization uses a dedicated identity provider (IdP) like Okta, Microsoft Azure AD, or OneLogin. SAML gives IT and security teams centralized control over authentication, session policies, and user provisioning.
Use OAuth if you have a custom OAuth 2.0 provider or a provider not covered by the other methods. This option requires more technical configuration but offers flexibility for non-standard setups.
🚀 New: Single Sign-On (SSO) Authentication Options for Login Pages
When Advanced SSO is enabled, you can choose from three authentication modes for each Login page under the Access tab:
- Email/Password or SSO - Users see both options and can choose how to log in.
- SSO Only - Users can only log in through your SSO provider. Email and password fields are hidden.
- Email/Password Only - The traditional login experience with no SSO option displayed.
This setting is configured per Login page, so you can tailor the experience for different user groups across your app.
- Authentication mode options are only available when Advanced SSO is enabled for your app.
- SSO configuration supports both SAML and OAuth protocols on the same Login page.
- Settings are applied at the Login page level under the Access tab.
Setup Guides
Before You Begin
Regardless of which method you use, make sure you have:
- A Next-Gen app with at least one User Role table configured
- A page protected by a login
- The Live App URL
- Builder Admin access to the app where you're configuring SSO
- For SAML and OAuth: access to your organization's identity provider admin console
- For SAML and OAuth: a Corporate plan or higher or a Pro Plan with the Advanced SSO add-on
