Using single sign-on (SSO) with BlueConic

This article explains how to set up SAML-based single sign-on (SSO) for users of your BlueConic tenant. Depending on which SSO identity provider you use, the steps may vary, but the basic process remains the same.

Note: This article describes the SSO configuration process for OKTA, OneLogin, or Google Workspace. For customers using Microsoft Azure, see: Configuring Single Sign-On (SSO) for Azure Active Directory.

What is single sign-on (SSO)?

Single sign-on offers your BlueConic users the convenience of logging in to BlueConic via the identity provider that controls access to other apps at your site. SSO identity providers such as OKTA, OneLogin, or Google Workspace (formerly G Suite) let end users log in once and gain access to multiple applications.

Once you enable SSO for BlueConic, BlueConic users at your site will no longer use the native BlueConic login page but will use your SSO provider to log in directly to BlueConic. When you add BlueConic to your SSO service, all BlueConic users for your tenant must log in via your SSO identity provider. You cannot enable SSO for only some BlueConic users. 

Definitions: SSO identity providers

Identity providers: The SSO platform you use to manage identity and authentication at your site, for example OKTA, OneLogin, or Google Workspace (G Suite). Steps below use Google Workspace to illustrate the setup procedure, but you can substitute your identity provider's details. To use SSO for BlueConic with Microsoft Azure Active Directory, see Configuring SSO via the Microsoft Azure AD gallery application.

Service provider: BlueConic

Supported identity providers: Setting up SSO for BlueConic has been tested for OKTA, OneLogin, Google Workspace (G Suite), and Azure Active Directory. Setting up SSO with other SAML-based SSO identity providers is not tested or guaranteed; it depends on how the other system has implemented SAML. 

SAML: Security Assertion Markup Language for exchanging authentication and authorization credentials between identity providers and service providers. BlueConic's SSO implementation uses the authentication feature of SAML 2.0. Authorization for roles within BlueConic has not been changed and is still set up and managed inside BlueConic.

Before you begin

Make sure you have appropriate authority and technical knowledge to complete this process. Once you set up SSO for BlueConic, all users at your site will have to log in to BlueConic via your SSO identity provider. They will no longer be able to access BlueConic using the BlueConic login screen.

Important: Open BlueConic twice

Before you begin, log in to your BlueConic account twice: once in a regular browser window and once in a different browser or incognito window. This way, you will still be logged in to BlueConic if you get locked out of your account in the other browser window.

Important: Once you turn on SSO in BlueConic and save your settings, you will no longer be able to use the standard BlueConic login process. So if you set up SSO in BlueConic, before closing the current session, make sure to test your setup to verify that users can log in using your identity provider. See Testing your SSO setup for BlueConic logins below.

Set up SAML-based SSO for BlueConic users

BlueConic users who have access to the General Settings window, and the privileges to manage users in BlueConic, are able to update the SSO settings in BlueConic using the steps described below.

Setting up SSO for BlueConic users involves these procedures:

  • Turn on SSO in BlueConic settings and retrieve information needed in the next step.
  • In your identity provider, add BlueConic as an SSO app.
  • Gather information in your identity provider that BlueConic requires.
  • In BlueConic, create new BlueConic users with the identity provider email as username.
  • Enter the required identity provider information in BlueConic.
  • Test your setup.

Information you need to provide

Setting up SAML-based SSO for BlueConic essentially involves a handshake between BlueConic and your SSO identity provider.

Here is a list of the BlueConic information that you'll need to provide to your identity provider (#1 and 2), as well as information from your identity provider you will need to set up SSO for BlueConic (#3, 4, 5, and 6).

| BlueConic field | OKTA | OneLogin | Google Workspace |
|---|---|---|---|
| 1. Entity ID (from BlueConic) | Audience URL (Service provider entity ID) | Audience | Entity ID |
| 2. ACS / SSO URL (from BlueConic) | Single sign-on URL | ACS (Consumer) URL | ACS URL |
| 3. Issuer URL / Entity ID | Identity provider issuer | Issuer URL | Entity ID |
| 4. SSO Endpoint URL | Identity provider single sign-on URL | SAML 2.0 endpoint (HTTP) | SSO URL |
| 5. ForceAuthn | Force Authentication | Force Authentication | *Not supported |
| 6. X.509 certificate | X.509 certificate | X.509 certificate | Certificate |

See also: Configuring Single Sign-On via the Microsoft Azure AD gallery app.

Turn on SSO in BlueConic Settings

  1. In BlueConic, choose BlueConic Settings > Access Management and then click the Single Sign-On (SSO) tab. (Your BlueConic user role must have both “General” and “Users” permission.)
  2. Turn on Single Sign-On.
  3. A set of fields and values appear. This is where you receive two pieces of information from BlueConic to provide to your identity provider. Copy the values for Entity ID and ACS URL. You will need to provide these URLs to your Single Sign-On provider.
  4. The setting Force Authentication is optional and is enabled by default. When selected, the SSO provider forces the user to re-authenticate rather than relying on previous authentication settings. 
    Note: Google Workspace (formerly G Suite) does not support this setting and therefore does not force authentication for previously authenticated users.
  5. Next, you gather the URLs and X.509 certificate from your identity provider.
    Once you have configured your identity provider for SSO with BlueConic, you complete the setup in BlueConic, described below in Completing the SSO setup in BlueConic.

Configure your SSO identity provider for BlueConic

Each identity provider platform has a procedure for adding an application such as BlueConic to its list of application service providers.

Setting up your identity provider for SSO with BlueConic

The example below uses Google Workspace as the identity provider, but you can use any SSO provider that supports SAML 2.0 (for example, OKTA or OneLogin).

  1. Open https://workspace.google.com and click Sign in.
  2. Log in using your admin credentials.
  3. Select Apps in the Google Workspace Admin console.
  4. Select SAML apps.
  5. Select Add a service/App to your domain or click the Plus icon "+" in the lower right-hand corner.
  6. Click Setup my own custom app at the bottom of Step 1.
  7. Copy the values for SSO URL and Entity ID to a text file, and download the Certificate -- you will need this information to configure the BlueConic SSO settings.
  8. Add information about the BlueConic app, including Application Name, an optional Description, and a logo.
  9. In the Service Provider Details screen, enter the details for your BlueConic tenant.
    ACS URL: https://yourserver.blueconic.net/saml/acs
    Entity ID: https://yourserver.blueconic.net/saml/metadata
    Activate the Signed Response checkbox.
    Choose Email for the Name ID Format.
  10. Click Finish in the Attribute Mapping step.
  11. Click OK in the Setting up SSO for BlueConic window.
  12. Click Edit Service in the Settings for BlueConic page.
  13. In the Service Status settings, select On for everyone and then Save.

View, change, or update SSO service provider settings

After you set up SSO for BlueConic, you can review or update the service provider settings in Google Workspace in the Google Admin window.

  1. Click Home, then Apps, then SAML apps, and then BlueConic.
  2. Click Service Provider Details to view or update your BlueConic service provider details.

Gather your identity provider settings 

In the previous procedures, you added BlueConic service provider information to your identity provider. Next you collect several pieces of information from your identity provider to add to the BlueConic setup screen. The example shown below uses Google Workspace as identity provider. Steps for other identity providers are similar.

  1. To find the Google Workspace details that BlueConic needs, go to the identity provider homepage (Google Admin, in this case).
  2. Click Home, then Security in the Google Admin Console.
  3. Select Set up single sign-on (SSO), and you will see the SSO URL, Entity ID, and Certificate you need to enter in BlueConic.
    Here's an example showing the identity provider details you would need to set up SSO with BlueConic.
  4. Copy the SSO URL and Entity ID to a text file, and download the Certificate. (Alternatively, you can download the IDP metadata, which contains all the information you need to provide in BlueConic.)

Complete the SSO setup in BlueConic

The information you enter here was gathered in Step 4 above and in Step 7 of Setting up your identity provider for SSO with BlueConic.

  1. In BlueConic, open the BlueConic Settings > Access management page.
  2. Turn the Single Sign-On (SSO) feature On.
  3. Enter the Issuer URL / Entity ID from your identity provider (for example, Google Workspace, OKTA, or OneLogin).
  4. Enter the SSO Endpoint URL from your identity provider.
  5. Select whether to enable Force Authentication (not supported in Google Workspace).
  6. Enter the X.509 Certificate by opening the certificate in a text editor and copying/pasting it into the field. Make sure you do not add trailing spaces or an empty line at the end.
  7. Save your settings and close the confirmation lightbox. Do not close the current browser session before testing your SSO setup.
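
If you downloaded the IDP metadata instead of copying the values by hand, the three identity provider fields can be pulled out of it with a short script. The following is an added example, not BlueConic code: it extracts the Issuer URL / Entity ID, the SSO Endpoint URL and the certificate, rejects a non-HTTPS endpoint, and emits the certificate with no trailing spaces or final empty line. The sample metadata is constructed, and it assumes the certificate field takes the PEM text as found in the downloaded certificate file.

```python
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: host, idpid and certificate body are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJDREVGR0hJSktM
        TU5PUFFSU1RVVldYWVo=
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def blueconic_sso_fields(metadata_xml):
    """Return the issuer, SSO endpoint and PEM certificate, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    endpoint = sso.get("Location", "") if sso is not None else ""
    if not endpoint.startswith("https://"):
        raise ValueError("SSO endpoint missing or not HTTPS: %r" % endpoint)
    # Prefer the signing key; metadata may also list an encryption key.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS)
            if k.get("use") != "encryption"]
    cert = keys[0].find(".//ds:X509Certificate", NS) if keys else None
    body = "".join((cert.text or "").split()) if cert is not None else ""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate missing or not clean base64")
    # Re-wrap as PEM with no trailing spaces and no final empty line.
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(body, 64),
                     "-----END CERTIFICATE-----"])
    return {"issuer": root.get("entityID"), "sso_endpoint": endpoint,
            "certificate": pem}
```

Run it only on metadata downloaded from your own identity provider's admin console; for XML from any other source, parse with a hardened library such as defusedxml.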

Create new BlueConic user logins

Next you add user logins for all BlueConic users. Make sure you have logged in to BlueConic twice, in two browser sessions, to make sure you always stay logged in.

  1. Open the BlueConic Users window. 
  2. For each BlueConic user who needs to log in to BlueConic via your identity provider, create a user in BlueConic with the email from the identity provider as username. 
    This is to ensure your users are provisioned in the identity provider.
  3. Save your settings but do not close the current browser session before testing your SSO setup.

Test SSO access in your identity provider for BlueConic logins

In your SSO provider, open the app window. In Google Workspace Admin, for example, you open Apps and click Launch in the upper right-hand corner.

Make sure users can log in correctly via your SSO provider. If you encounter errors, you can turn the Single Sign-On setting Off in the BlueConic Settings > Access management > Single Sign-On page and troubleshoot the setup without locking users out. Once you've turned on SSO, saved your settings, and closed the browser, all BlueConic users for your tenant must log in via your SSO identity provider.
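
When a test login fails, a structural check of the response your identity provider sends can narrow down which step 9 setting is wrong. The following is an added example, not BlueConic code: it decodes a base64 SAMLResponse value (assumed to be captured from the browser's POST to the ACS URL) and compares it with the ACS URL, Entity ID, Signed Response and Email Name ID settings. The sample response is constructed, and the signature is not verified cryptographically.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Step 9 values; "yourserver" is the article's placeholder tenant host.
ACS_URL = "https://yourserver.blueconic.net/saml/acs"
ENTITY_ID = "https://yourserver.blueconic.net/saml/metadata"

TEMPLATE = (
    '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" Destination="{dest}">'
    '{sig}<saml:Assertion><saml:Subject><saml:NameID Format="{fmt}">{name}'
    '</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>'
    '</saml:Conditions></saml:Assertion></samlp:Response>')

def sample_response(dest=ACS_URL, aud=ENTITY_ID, name="jane.doe@example.com",
                    signed=True):
    """Constructed response; the Signature element is an empty stand-in."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    xml = TEMPLATE.format(samlp=NS["samlp"], saml=NS["saml"], dest=dest,
                          sig=sig, fmt=EMAIL_FORMAT, name=name, aud=aud)
    return base64.b64encode(xml.encode()).decode()

def check_response(b64_response, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """List mismatches with the step 9 settings. Structure only: the
    signature itself is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed; check Signed Response")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        problems.append("NameID is not an email address")
    return problems
```

An empty list means the response matches the configured settings structurally; it does not prove the signature is valid or that the user exists in BlueConic.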

BlueConic SAML-based SSO implementation details

| SAML details | BlueConic implementation |
|---|---|
| SAML version supported | SAML 2.0 |
| SAML profile supported | Web Browser SSO Profile. Learn more about SAML metadata. |
| NameID field | NameID must hold the username as email address. |
| HTTP standard | Must be HTTPS |

 

Turning off the SSO feature

To turn off SSO and have BlueConic users at your site return to the BlueConic login instead of logging in via your SSO identity provider, open the BlueConic Settings > Access management > Single Sign-On page and turn the SSO feature Off.

Troubleshooting your SSO setup

If you need help with the BlueConic portion of this procedure, contact BlueConic Support.
