Configure the SSO Integration on BlueCat Edge - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Once you have configured the SAML assertion attributes on the Identity Provider (IdP), you must configure BlueCat Edge to leverage the existing IdP to authenticate users within your organization.
Note: You must be a System Administrator to configure the SSO integration.

Configuring an SSO Integration on BlueCat Edge:

  1. In the top navigation bar, click and select SSO.
  2. Click Download to retrieve the metadata information and upload it to your IdP. If your IdP doesn't support uploading the metadata file, enter the information found within the metadata file into your IdP.
    If you are entering the metadata file into your IdP, the IdP might require the following service provider settings:
    • Audience—the entityId of the EntityDescriptor. For example, urn:auth0:<Tenant Name>:<Tenant ID>-SamlConnection
    • Customer URL—the field in the IdP that designates where to send the SAML assertions once the IdP has authenticated a user. This must be configured with the Location value in the AssertionConsumerService of the metadata file. For example, https://<Edge Cloud URL>/login/callback?connection=<Tenant ID>-SamlConnection
      Note: Some IdPs refer to this field as the Assertion Consumer Service URL, Application Callback URL, or SignIn/SSO Endpoint.
    • Login URL—the login URL of the instance. For example, https://<Edge Cloud URL>/login
    Attention: If you are manually entering the information from the metadata file, ensure that every value is entered exactly as it appears in the file; an incorrect value will cause the SSO integration to fail.
  3. Return to the BlueCat Edge UI and complete the following information:
    • Enter a name and description of the SSO integration.
    • Sign In URL: Enter the SAML SSO URL that you obtained from your IdP.
    • Request Protocol Binding: The protocol used by BlueCat Edge to send the SAML authentication request to your IdP. You can select HTTP-Redirect or HTTP-POST. The default binding value is HTTP-Redirect.
    • User ID Attribute (optional): The attribute in the SAML token that uniquely identifies a user. If this value isn't set, the user_id is taken from the first of the following attributes that is present, checked in the order listed:
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier or nameidentifier
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or upn
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name or name
      Note: BlueCat Edge accepts the URL or friendly name of the unique identifier.
    • Signing Certificate: Upload the IdP public key. This must be encoded in PEM or CER format.
  4. Click Test to test the new connection. A new tab opens where you will be asked to sign in to your IdP to test the authentication and connection.
    Note: If you are editing an active SSO integration, click Apply & Test to test the updated connection. Clicking the Apply & Test button immediately applies all modified settings to the active SSO integration.
  5. If the SSO test is successful, click the Active toggle to activate the SSO integration. If the test was unsuccessful, you can't activate the connection. If you are editing an active SSO integration, you can use the same toggle to deactivate it.
    Attention: Any API access key set created before activating or deactivating the SSO integration won't be valid in the new SSO state. You must create a new API access key set in the new SSO state to continue to use the BlueCat Edge API. If you deactivate or activate the SSO integration again, you can use the API access key set that was previously created.
  6. Click Save to apply the settings.
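The user_id fallback order described in step 3 is easy to get wrong when an IdP sends friendly names rather than full claim URIs. The following Python is an added illustration, not BlueCat's code: it pulls the attributes out of a constructed SAML 2.0 assertion and resolves the user_id exactly as the step describes (the configured attribute if one is set, otherwise nameidentifier, then upn, then name, each matched by full claim URI or friendly name). Signature verification against the uploaded IdP certificate is assumed to have already happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Fallback order from the guide when no User ID Attribute is configured.
FALLBACK_ORDER = ["nameidentifier", "upn", "name"]

# Constructed sample assertion: it carries upn (as a full claim URI), name
# (as a friendly name) and a custom employeeId, but no nameidentifier.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="name">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeId">
      <saml:AttributeValue>E-1042</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(assertion_xml):
    """Return {Attribute Name: first AttributeValue} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def resolve_user_id(attrs, user_id_attribute=None):
    """Pick the user_id: the configured attribute if set, else the first
    fallback claim present, accepting the full URI or the friendly name."""
    if user_id_attribute:
        return attrs.get(user_id_attribute)
    for friendly in FALLBACK_ORDER:
        for name in (CLAIMS + friendly, friendly):
            if attrs.get(name):
                return attrs[name]
    return None  # no usable identifier: the login must be rejected


if __name__ == "__main__":
    attrs = assertion_attributes(SAMPLE_ASSERTION)
    print(resolve_user_id(attrs))                # alice@example.com (upn wins, no nameidentifier)
    print(resolve_user_id(attrs, "employeeId"))  # E-1042 (configured attribute overrides fallback)
```

A `None` result means the assertion carried none of the expected identifiers, which is the situation the optional User ID Attribute setting exists to fix.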
The SSO integration is enabled immediately and you won't be able to connect to BlueCat Edge using locally created credentials.
Attention: BlueCat strongly recommends that the corporate system administrator users create a new API access key set after enabling the SSO integration.