SSO with Federated Identities (SAML)


Overview


BGL allows users to sign in through enterprise identity providers such as Azure Active Directory via SAML.

What is SAML and why do you need it?

Security Assertion Markup Language (SAML) 2.0 is an open standard for exchanging authentication and identity information between an identity provider and an application or service provider. BGL's support for SAML lets you sign in with your corporate directory credentials, such as your user name and password from Azure Active Directory, instead of a separate BGL password. With SAML you can use single sign-on (SSO) to sign in to all of your BGL applications with a single set of credentials.

What will be the cost of using SAML?

BGL will charge your firm a fee of $2,500.00 (including GST), per annum.

Which identity providers are supported? 

BGL currently supports:

What happens to User Management when I enable SAML?

BGL enables SAML for an email domain. Every user whose account is under that domain is then required to log in via your enterprise identity provider.

For existing BGL users, the BGL360 password will no longer be used. Users invited after SAML is enabled will not be issued a BGL360 password. The identity provider cannot add users: users must still be added via either Simple Fund 360 or CAS360.

Will I be prompted for MFA when using an identity provider? 

Not by BGL. When you use a federated identity, BGL trusts an external identity system such as Practice Protect to authenticate the federated user, and likewise trusts that external system to perform any multi-factor authentication (MFA). If you want MFA on BGL sign-ins, it must be enforced by the identity provider.

Instructions - Practice Protect

Please contact Practice Protect directly; they can set this up for you. If you are not a current Practice Protect client, request a Cyber Security Consultation here.

Instructions - Azure AD

1. In Azure, create an Azure AD Enterprise Application (requires Azure AD Premium): from the Azure AD blade go to Enterprise Applications -> New Application.

2. Pick "Non-gallery application" as the application type, type a name such as "BGL360" and press "Add".

3. In your Azure AD enterprise application choose the "Single sign-on" section and, in the drop-down list, choose "SAML-based Sign-on".

4. Enter the two values BGL will provide to you. Copy them exactly: the Identifier must match the Audience in every assertion, and the Reply URL is where Azure posts the SAML response.

  • Identifier (Entity ID): provided by BGL
  • Reply URL (Assertion Consumer Service URL): provided by BGL

5. After the application is created, assign the users and groups who should be able to sign in under Users and groups.

6. Finally, download the SAML metadata XML (Azure's Federation Metadata XML download). You should now be set up on the Azure side. Send the XML file to BGL: it carries your tenant's entity ID, login URL and public signing certificate, which BGL uses to verify the assertions your tenant issues.

Instructions - Okta

  1.  On the Okta website, choose Dashboard to go to the Admin dashboard.

  2. On the Admin dashboard, under Shortcuts, choose Add Applications.

  3. On the Add Application page, choose Create New App.

  4. In the Create a New Application Integration dialog, for Platform, choose Web

  5. For Sign on method, choose SAML 2.0.

  6. Choose Create.

  7. On the Create SAML Integration page, under General Settings, enter a name for your application.

  8. Choose Next.

  9.  Under SAML Settings, for Single sign-on URL, enter the URL provided by BGL.

  10. For Audience URI (SP Entity ID), enter the value provided by BGL.

  11. Leave Default RelayState blank.

  12. Under Attribute Statements, add a statement with the following information:

    • For Name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
    • For Value, enter user.email.

  13. For all other SAML settings on the page, leave them as their default value or set them according to your preferences.

  14. Choose Next then choose Finish

  15. On the Assignments tab for your Okta application, for Assign, choose Assign to People.

  16. Next to the user you want to assign, choose Assign.

  17. Choose Save and Go Back. Your user is assigned.

  18. Choose Done.

  19. On the Sign On tab for your Okta application, find the Identity Provider metadata link. Right-click the link, copy the URL and send it to BGL.

 Instructions - Auth0

1.    On the Auth0 website dashboard, choose + New Application.

2.    In the Create Application dialog, enter a name for your application. For example, My App.

3.    Under Choose an application type, choose Single Page Web Applications.

4.    Choose Create

5. On the left navigation bar, choose Applications.

6.     Choose the name of the application you created.

7.    On the Addons tab, turn on SAML2 Web App.

8.    In the Addon: SAML2 Web App dialog, on the Settings tab, for Application Callback URL enter the URL provided by BGL (this is the URL the SAML response is posted to).

9.    Under Settings, do the following:

  • For audience, delete the comment delimiter (//) and replace the default value (urn:foo) with the value provided by BGL.
  • For mappings and email, delete the comment delimiters (//).
  • For nameIdentifierFormat, delete the comment delimiters (//). Replace the default value (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified) with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

10.    Choose Save.

11. In the Addon: SAML2 Web App dialog, on the Usage tab, find Identity Provider Metadata. Then do either of the following:

  • Right-click download and copy the URL.
  • Choose download to save the .xml metadata file.

Send the URL or the XML file to BGL.
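To make concrete what the Azure AD, Okta and Auth0 steps above are configuring, the following Python is an added example written for this article; it is not BGL's code and not part of any provider's documentation. It parses identity-provider metadata of the shape those consoles export, then checks a SAML Response the way a service provider such as BGL360 must: the Issuer has to be the IdP named in the metadata, the Audience has to equal the Identifier / Audience URI, the Recipient has to equal the Reply URL / Application Callback URL, the validity window has to contain the current time, and the sign-in email is read from the emailaddress claim the Okta step maps to user.email. Every hostname, the firm-specific values, the certificate and the signature are invented placeholders. XML-DSig signature verification, which must precede all of these checks, is left to a proper library; only the presence of the Signature element is checked here.

```python
"""SP-side SAML 2.0 checks. Added illustration, not BGL's code.
Assumed (not from the article): every hostname, the firm-specific
Identifier / Reply URL values and the placeholder certificate below."""
import datetime as dt
import xml.etree.ElementTree as ET  # stdlib for portability; use defusedxml for untrusted input

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # Okta step 12

# The two values BGL issues per firm (assumed hostnames): Identifier / Audience URI and Reply / ACS URL.
SP = {"entity_id": "https://sso.bgl360.test/sp/firm-42", "acs_url": "https://sso.bgl360.test/saml/acs/firm-42"}

# Constructed IdP metadata in the shape Azure AD, Okta, Auth0 and Google export; the cert is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example-firm.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QkdMIEVYQU1QTEUgQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example-firm.test/saml/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed SAML Response; {issuer}/{audience}/{recipient} are filled in so mismatches can be shown.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T09:00:00Z"><saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T09:00:00Z"><saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-8f3a</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2024-05-01T09:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T08:59:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example-firm.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

def parse_idp_metadata(xml_text):
    """What BGL reads from the metadata you send: IdP entity ID, SSO URL and signing certificate(s)."""
    root = ET.fromstring(xml_text)
    certs = [c.text.strip() for kd in root.findall(".//md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no use= means the key serves signing too
             for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),
            "sso_url": root.find(".//md:SingleSignOnService", NS).get("Location"), "signing_certs": certs}

def _t(stamp):  # SAML timestamps are UTC, e.g. 2024-05-01T09:00:00Z
    return dt.datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def validate_response(xml_text, sp, idp, now):
    """Return (accepted, reasons). Runs after XML-DSig verification, which this example omits."""
    root, reasons = ET.fromstring(xml_text), []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        reasons.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, reasons + ["no assertion"]
    issuers = [e.text for e in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)) if e is not None]
    if issuers != [idp["entity_id"]] * 2:  # both Response and Assertion must name the configured IdP
        reasons.append("issuer is not the configured IdP")
    if assertion.find("ds:Signature", NS) is None:
        reasons.append("assertion is unsigned")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        reasons.append("Recipient is not our Reply / ACS URL")
    if scd is not None and _t(scd.get("NotOnOrAfter")) <= now:
        reasons.append("subject confirmation expired")
    cond = assertion.find("saml:Conditions", NS)  # both bounds are required in this example
    if cond is None or not (_t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter"))):
        reasons.append("outside validity window")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        reasons.append("Audience is not our Identifier / Entity ID")
    return not reasons, reasons

def subject_email(xml_text):
    """The sign-in email, taken from the emailaddress claim the Okta step maps to user.email."""
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            return attr.find("saml:AttributeValue", NS).text
    return None

def demo():
    """Accept a good response; reject the same IdP's assertion minted for another firm, and a late replay."""
    idp = parse_idp_metadata(IDP_METADATA)
    now = dt.datetime(2024, 5, 1, 9, 1, tzinfo=dt.timezone.utc)
    good = RESPONSE_TEMPLATE.format(issuer=idp["entity_id"], audience=SP["entity_id"], recipient=SP["acs_url"])
    other = RESPONSE_TEMPLATE.format(issuer=idp["entity_id"], audience="https://sso.bgl360.test/sp/firm-7",
                                     recipient=SP["acs_url"])
    return {"good": validate_response(good, SP, idp, now), "email": subject_email(good),
            "wrong_audience": validate_response(other, SP, idp, now),
            "replayed_late": validate_response(good, SP, idp, now + dt.timedelta(minutes=10))}

if __name__ == "__main__":
    print(demo())
```

The well-formed response is accepted and its email extracted; the second response comes from the same trusted identity provider but was minted for a different firm's Identifier and is refused, which is why BGL issues firm-specific values and why they must be copied exactly into the provider console; the third run shows a response replayed after its NotOnOrAfter being refused on both the subject confirmation and the conditions window.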

Instructions - GSuite

In the Google Admin console, you will need to set up your own custom SAML app. 

  1. From the Admin console Home page, go to Apps and then SAML Apps. To see Apps on the Home page, you might have to click More controls at the bottom.
  2. Click Add (the plus icon) at bottom right.
  3. Click Set up my own custom app.
  4. The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.
  5. Download the IDP metadata.

  6. Enter the Service Provider details provided by BGL:

  • ACS URL: This will be provided by BGL
  • Entity ID: This will be provided by BGL using one of these methods:

