BlueConic enables site administrators to set up single sign-on (SSO) via Azure AD for BlueConic users at their site. This article describes how site admins can create and configure SSO using the BlueConic app in the Azure AD application gallery.
What is single sign-on (SSO)?
Single sign-on offers your BlueConic users the convenience of logging in to BlueConic via Azure AD. Once you enable SSO for BlueConic, BlueConic users at your site will no longer use the native BlueConic login page but will use your SSO provider to log in directly to BlueConic. When you add BlueConic to your SSO service, all BlueConic users for your tenant must log in via your SSO identity provider. You cannot enable SSO for only some BlueConic users.
Before you begin
Make sure you have appropriate authority and technical knowledge to complete this process. Once you set up SSO for BlueConic, all users at your site will have to log in to BlueConic via your SSO identity provider. They will no longer be able to access BlueConic using the BlueConic login screen.
Important: Open BlueConic twice
Before you begin, log in to your BlueConic account twice: once in a regular browser window and once in a different browser or incognito window. This way, you will still be logged in to BlueConic if you get locked out of your account in the other, original browser window.
Important: Once you turn on SSO in BlueConic and save your settings, you will no longer be able to use the standard BlueConic login process. So if you set up SSO in BlueConic, before closing the current session, make sure to test your setup to verify that users can log in using your identity provider. See instructions to test your SSO setup for BlueConic logins below.
How to set up SSO for Azure Active Directory
There are several dimensions to enabling SSO for BlueConic through Azure:
- Add the BlueConic app from the Azure AD gallery and gather information for the next step.
See the Microsoft Azure AD tutorial for BlueConic for details on creating the app.
- Open the BlueConic metadata URL for your tenant to find the SSO properties you can use in setting up SSO in BlueConic. You can find the metadata URL for your BlueConic tenant here: https://[your-tenant-name].blueconic.net/saml/metadata
- Create BlueConic user logins for your users. Also create a BlueConic user account specifically for testing your SSO setup.
- Configure SSO in your BlueConic tenant.
Download your BlueConic metadata URL
BlueConic provides a tenant-specific metadata URL containing SSO properties for your BlueConic SSO setup. When you set up the BlueConic app in Azure AD, you'll need information contained in the BlueConic metadata URL for your tenant.
- Open the metadata URL for your BlueConic tenant at this location:
- Download the metadata URL file and note the location. You'll need this file for the next procedure.
Add and configure a BlueConic app for Azure AD
- In Azure Active Directory admin center, open this page to add a new BlueConic application:
Follow the steps in the Azure AD tutorial for BlueConic to add and configure the app.
In the Azure portal's BlueConic app integration page, select Single sign-on in the Manage section.
On the Select a single sign-on method page, select SAML and edit the Basic SAML Configuration settings.
The BlueConic metadata URL for your tenant contains the SSO properties you can use in setting up SSO in BlueConic. You can find the metadata URL for your BlueConic tenant here: https://[your-tenant-name].blueconic.net/saml/metadata
- Download the BlueConic metadata URL file for your tenant. See instructions for downloading your metadata URL.
Upload the metadata file and the Basic SAML Configuration fields are automatically filled.
- Or, under Basic SAML Configuration, you can manually enter the following information for your environment:
Identifier (Entity ID): https://[your-tenant-name].blueconic.net/saml/metadata
Reply URL (ACS URL for Assertion Consumer Service):
- Save your changes and complete the Azure AD app setup process for Attributes & Claims and SAML Certificates, as outlined in Configure Azure AD SSO.
- In the Manage section, select Users and Groups, and then +Add user/group to the Azure AD BlueConic app. Add and assign a user to the app who has an account with Microsoft Azure AD and also a BlueConic user account, who can complete and test the single sign-on configuration in BlueConic.
Configure SSO in BlueConic
Make sure you've read the background information in the Before you begin section before completing the SSO setup process in BlueConic.
The information you enter here was gathered in the Azure AD app setup procedure above, How to set up SSO in Azure Active Directory for BlueConic
- In BlueConic, navigate to BlueConic Settings > Access Management and click the Single Sign-On (SSO) tab.
- Turn the Single Sign-On (SSO) feature On.
Note: Your BlueConic user role must have both “General” and “Users” permission in order to complete these steps.
- Enter the Service provider: Entity ID (the Azure AD Identifier) and the Service provider: ACS URL (the Login URL) by copying them from your Azure AD app setup.
- In the Azure AD SAML Certificates section, download your Certificate (Base64), open it in a Text Editor, and copy the Certificate itself.
- Enter the Identity provider X.509 Certificate in BlueConic by opening the certificate in a text editor and copying/pasting it into the field. Make sure you do not add trailing spaces or an empty line at the end.
- Select whether to use Force Authentication (on by default).
- Optional: Add an Email claim attribute for matching users between Azure AD and BlueConic instead of the NameID. An example of an email attribute name is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Save your settings, copy the login URL from the confirmation window, and close the confirmation window. Do not close the current browser session before testing your SSO setup. It is recommended that you open an incognito browser window for testing your SSO implementation.
Create new BlueConic user logins
Next you add user logins for all BlueConic users. Make sure you have logged in to BlueConic twice, in two browser sessions, to make sure you always stay logged in.
- Open the Users page via BlueConic Settings > Access management > Users.
- For each BlueConic user who needs to log in to BlueConic via your identity provider, create a user in BlueConic with the email from the identity provider as username. This is to ensure your users are provisioned in the identity provider.
- Save your settings but do not close the current browser session before testing your SSO setup.
Test SSO access in your identity provider for BlueConic logins
Make sure users can log in correctly via your SSO provider. If you encounter errors, you can turn the Single Sign-On setting Off via BlueConic Settings > Access management > Single Sign-On (SSO) and troubleshoot the setup without locking users out. Once you've turned on SSO, saved your settings, and closed the browser, all BlueConic users for your tenant must log in via your SSO identity provider.
Troubleshoot your SSO setup
If you need assistance with the Azure AD BlueConic app, contact Microsoft Azure AD support. For help with the BlueConic portion of this procedure, contact BlueConic Support.
Note: Existing BlueConic users who plan to migrate their SSO setup to use the Azure AD gallery app can contact BlueConic Support for assistance.