SAML Overview

Document created by Ike Bennion (Administrator) on May 25, 2016. Last modified by Bo Harris on Jul 26, 2016.

Security Assertion Markup Language (SAML) is an authentication protocol that can be used to log into Bridge. SAML services span a spectrum from "out-of-box" services that are very user friendly to home-built solutions. This documentation serves as a central point for the baseline information needed to configure any service, and also links to well-known SAML services. If your service is not included in the documentation, notify your implementation consultant (IC) for help and so that it can be included here.

Overview

The Security Assertion Markup Language (SAML) is an XML-based security protocol. Its basic concept is the exchange of security assertions about a user who is requesting access to a secure domain. An assertion is generated by the SAML service, commonly referred to as the Identity Provider (IdP), and passed to Bridge, commonly referred to as the Service Provider (SP). Bridge consumes the assertion, identifies the user named in it, and logs the user into the appropriate account.

Bridge also allows "just-in-time provisioning" or "auto-provisioning", which can be toggled on or off. If toggled on, and a user has been created in the IdP but not yet in Bridge, Bridge will create the new user, populated with the attributes passed in the assertion.

Bridge can also use either Single Log Out or a Log Out Redirect. Single Log Out, if configured, logs the user out of the IdP, which logs the user out of all other services configured with the IdP. Log Out Redirect logs the user out of Bridge only.

Terminology

X.509 Certificate
    The IdP's certificate, a string of characters unique to the IdP that functions as the key securing assertions. Bridge is configured with a fingerprint of this certificate so that it can consume the assertions.

Identity Provider (IdP) Metadata
    An XML file generated by the IdP that contains the Entity ID, the X.509 certificate of the IdP and other essential attributes needed to complete the SAML configuration. It may also be hosted at a URL; in that case save the file to your desktop and provide it to your IC.

Service Provider Metadata
    An XML file that contains the Login URL, the Bridge Account URL, the Start URL and other important elements needed to complete the configuration of the IdP with Bridge.

Requirements

To configure SAML successfully you will need:

    • A SAML service
    • The URL of your Bridge account, <domain>.bridgeapp.com. This is also referred to in configuration as the App URL.
    • Bridge's Assertion Consumer Service URL, <domain>.bridgeapp.com/auth/saml/callback. This is also referred to in configuration as the ACS URL.
    • A start URL (https://{client_domain}.bridgeapp.com).
    • The Bridge SP Entity Id: http://bridgeapp.com

For your Bridge IC to finish the configuration you will need to provide them with:

    • An IdP Metadata file, or:
      • SAML IdP Entity ID
      • SAML Certificate Fingerprint
      • SAML Single Sign On URL
      • SAML Logout Redirect URL
      • SAML NameId Format

Configuration

    1. Determine whether your Identity Provider is included in the table in the next section, "Common SAML Services and Documentation". If it is listed, follow the directions linked in the IdP-specific documentation. If you are unable to find directions for your service, please contact your IC or comment on this article with the service you'd like to configure.
    2. Export the metadata file for your configuration and send it to your IC. The far right column of the table summarizes how to export metadata from popular SAML services. Alternatively, provide your implementation consultant with the following:
      • SAML IdP Entity ID
      • SAML X.509 Certificate
      • SAML Single Sign On URL
      • SAML Single Log Out URL or SAML Logout Redirect URL
      • SAML NameId Format

 

Common SAML Services and Documentation

Each entry lists the service, its setup documentation, and how to export its metadata file.

Azure
    Exporting metadata: Setup documentation includes export.

ADFS
    Setup documentation: Configuring ADFS 2.0 with Bridge Using SAML
    Exporting metadata: Setup documentation includes export.

Bitium
    May require Bitium to add Bridge LMS as an app. Contact Bitium and your IC to begin adding Bridge as a Bitium app.

CA Technologies
    Setup documentation: Setting Up SAML 2.0

Centrify
    Setup documentation: SAML Application Management

Certivox
    Setup documentation: Configuring a SAML 2.0 Service Provider (This documentation may only be for encrypted assertions.)

Clearlogin
    Setup documentation: SAML App Connection

Google
    Setup documentation: Integrating Google SAML with Bridge
    Exporting metadata: Setup documentation includes export.

Identacor
    Requires Identacor to add Bridge LMS as an app. Contact Identacor and your IC to begin adding Bridge as an Identacor app.

miniOrange
    Setup documentation: SAML Configuration

Okta

OneLogin
    Setup documentation: Configuring Apps

Testing

Ask five to ten users to access Bridge both from the URL of the Bridge domain, [client_domain].bridgeapp.com, and from any dashboards where Bridge is represented.

Troubleshooting

What you're experiencing:
    When I navigate to my Bridge URL, I see two spinning black dots and then am forwarded to a white screen, or I get a 404 not found.
What's happening:
    Likely, the SAML Logon URL is incorrect.
How to resolve:
    Confirm the Logon URL with your implementation consultant.

What you're experiencing:
    After a user logs into my SAML service and tries to navigate to Bridge, the user receives a 404 not found.
What's happening:
    Either the application within your SAML service is unauthorized for the intended user, or the SAML settings are incorrect for the application, or the SAML settings have been entered incorrectly on the Bridge side.
How to resolve:
    • Confirm in your SAML service that the user has been authorized to access Bridge in the app configuration settings.
    • Confirm in your SAML service that the general configuration of the Bridge app is correct.
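
When a login fails the way the table describes, a quick defender-side check is to decode the SAMLResponse the browser posts to the ACS URL and compare its Destination, Issuer, Audience, NameID format and validity window against the values configured on the Bridge side (the ACS URL and SP Entity Id from Requirements, the IdP Entity ID and NameId Format from the IdP metadata). The Python script below is an added example, not Bridge's code: it does not verify the XML signature (Bridge performs that check) and only reports configuration mismatches; the response, the IdP entity ID and the "acme" account domain are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values Bridge would be configured with for a hypothetical account "acme" (placeholder domain).
EXPECTED = {
    "acs_url": "https://acme.bridgeapp.com/auth/saml/callback",
    "sp_entity_id": "http://bridgeapp.com",
    "idp_entity_id": "https://idp.example.test/metadata",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed, unsigned SAML Response, base64-encoded as it would appear in the SAMLResponse form field.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2016-07-26T12:00:00Z"
    Destination="https://acme.bridgeapp.com/auth/saml/callback">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-07-26T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-07-26T11:59:00Z" NotOnOrAfter="2016-07-26T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>http://bridgeapp.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 values ending in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(saml_response_b64, expected, now=None):
    """Compare a decoded SAMLResponse with the expected SP/IdP settings.

    Returns a list of human-readable mismatches; an empty list means every check passed.
    Signature verification is deliberately out of scope here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    now = now or datetime.now(timezone.utc)
    problems = []

    # 1. The IdP must report success; otherwise the user is often not assigned to the app.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("IdP status is not Success (check that the user is authorized for the Bridge app)")

    # 2. Destination must be Bridge's ACS URL, or the POST lands on the wrong path.
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {expected['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertion or malformed response)")
        return problems

    # 3. Issuer must be the IdP Entity ID configured on the Bridge side.
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} != configured IdP Entity ID {expected['idp_entity_id']!r}")

    # 4. Audience must name Bridge's SP Entity Id.
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected["sp_entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include SP Entity ID {expected['sp_entity_id']!r}")

    # 5. NameID is how Bridge identifies (or auto-provisions) the user; its Format must match.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID: Bridge cannot identify the user")
    elif name_id.get("Format") != expected["nameid_format"]:
        problems.append(f"NameID Format {name_id.get('Format')!r} != configured {expected['nameid_format']!r}")

    # 6. Validity window: clock skew between IdP and SP shows up here.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (not_before and now < parse_saml_time(not_before)) or (
                not_on_or_after and now >= parse_saml_time(not_on_or_after)):
            problems.append(f"assertion outside its validity window at {now.isoformat()} (check clock skew)")

    return problems


if __name__ == "__main__":
    report = check_response(SAMPLE_RESPONSE_B64, EXPECTED, now=parse_saml_time("2016-07-26T12:00:30Z"))
    for line in report or ["all checks passed"]:
        print(line)
```

To use it on a real failure, copy the SAMLResponse value from the browser's network tools into SAMPLE_RESPONSE_B64 and fill EXPECTED from your Bridge configuration; each reported mismatch maps directly onto one of the causes in the troubleshooting table above.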

 

 

Additional Reading

Configuring ADFS 2.0 with Bridge Using SAML

Configuring Okta SSO with Bridge

Google SAML Guide

Implementation Overview

What is Single Sign On?