Single Sign-On and OAuth - Platform - BlueCat Gateway - 24.2

Gateway Administration Guide

ft:locale
en-US
Product name
BlueCat Gateway
Version
24.2

BlueCat Gateway can be integrated with nearly any single sign-on (SSO) system that uses SAML 2.0. When you enable SSO in BlueCat Gateway, users access Gateway through your centralized company SSO authentication system instead of BlueCat Gateway account credentials.

Gateway supports web-based SSO integration using SAML and OAuth 2.0 for API authorization.

  • Web-based SSO integration (with SAML) lets Gateway be part of your organization's SSO environment. This lets users sign in to the Gateway UI using an external Identity Provider (IdP). Within the SSO environment, Gateway acts as a Service Provider (SP), with user authentication and management relegated to that IdP. Gateway supports both SP-initiated SSO and IdP-inititated SSO.

    For more information on how SAML works with BlueCat Gateway, see How the Gateway Single Sign-On process works.

  • OAuth 2.0 is an industry standard authorization solution. Gateway uses OAuth to secure access to the Gateway API. Gateway users access Address Manager's API endpoints with the Authorization Code Grant in the OAuth 2.0 specification.

    For more information on how OAuth works with BlueCat Gateway, see How OAuth API authorization works.

Note: SSO for BlueCat DNS Edge is not related to SSO for BlueCat Gateway. DNS Edge must be configured as a separate service provider on your IdP.

Logging in to BlueCat Gateway with Single Sign-On

After your SSO service provider, identity provider, and OAuth settings are configured (and SSO has been enabled), users will be presented with a Log in with SSO option at the Gateway Login page. Clicking that otpion will take users to the identity provider's login page, where they can enter their SSO credentials.

Supported IdPs

SSO on BlueCat Gateway has been tested on the following IdPs:
  • ADFS
  • OneLogin

If your organization uses a different IdP than those supported by BlueCat Gateway and Address Manager, you can still use it as long as it adheres to the SAML 2.0 specification. For more information, see your IdP's documentation on how to configure a service provider.

Note:

Currently, Gateway only supports a single IdP. Multiple IdPs are not supported.

SSO with Okta identity providers is supported only through SAML 2.0. Okta OAuth 2.0 (with OpenID Connect) is not supported at this time.