SAML Overview

Security Assertion Markup Language (SAML) is an XML-based single sign-on standard that can be used to log into Bridge. SAML services span a spectrum from hosted, "out-of-the-box" identity providers that are very user-friendly all the way to home-built solutions. This documentation serves as a central point for the baseline information needed to configure any service, and also links to well-known SAML services. If your service is not included here, notify your Implementation Consultant (IC) for help and so that it can be added to this page.

Overview

The Security Assertion Markup Language (SAML) is an XML-based security protocol. The basic concept is the exchange of security assertions about a user who is requesting access to a secure domain. An assertion is generated and signed by the SAML service, commonly referred to as the Identity Provider (IdP), and passed (through the user's browser) to Bridge, commonly referred to as the Service Provider (SP). Bridge consumes the assertion, checks it against the IdP certificate it was configured with, identifies the user named in the assertion and logs that user into the appropriate account.

Bridge also supports "just-in-time provisioning" (also called "auto-provisioning"), which can be toggled on or off. If it is on and a user who exists in the IdP has not yet been created in Bridge, Bridge creates the user, populated with the attributes passed in the assertion. For more information see How do I Create Users with SAML SSO?
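The consumption step described above, as an added example that is not Bridge's code and does not show how Bridge is implemented. It lists the checks a service provider runs on a SAML 2.0 Response once the XML signature has been verified: Destination and Recipient match the SP's assertion consumer URL, Issuer matches the configured IdP Entity ID, Audience matches the SP Entity ID, the validity window holds, and exactly one assertion is present. The sample Response, the URLs and the user attributes are all constructed for the example; the ds:Signature element is a placeholder that satisfies only the presence check, and real signature verification must be done with an XML-DSig library such as xmlsec before any of these checks mean anything.

```python
"""Checks an SP runs on a SAML 2.0 Response AFTER verifying its XML signature.
Illustrative, not Bridge's implementation.  Signature verification needs an
XML-DSig library (e.g. xmlsec) and is deliberately not done here."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _utc(value):  # SAML timestamps are ISO-8601 in UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(response_b64, *, idp_entity_id, sp_entity_id, acs_url, now, skew_seconds=60):
    """Return (problems, user): an empty problems list means accept; user feeds JIT provisioning."""
    problems = []
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"], None
    # A Response addressed to some other SP's ACS URL must not be accepted here.
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not our ACS URL" % root.get("Destination"))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        # Extra assertions are the classic signature-wrapping setup: refuse outright.
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)], None
    a = assertions[0]
    # Presence check only; the signature itself must already be verified with xmlsec.
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on Response or Assertion")
    issuer = (a.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        problems.append("Issuer %r is not the configured IdP Entity ID" % issuer)
    skew = timedelta(seconds=skew_seconds)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")) - skew:
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _utc(cond.get("NotOnOrAfter")) + skew:
            problems.append("assertion expired")
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Audience %r does not include our SP Entity ID" % audiences)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return problems + ["Assertion has no NameID"], None
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return problems, {"name_id": name_id.text.strip(), "name_id_format": name_id.get("Format"), "attributes": attrs}


# Constructed sample (not captured from a real IdP); every URL is hypothetical.
# The ds:Signature is a placeholder that satisfies the presence check only.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:01:00Z" Destination="https://example.bridgeapp.com/saml/consume">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:01:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="https://example.bridgeapp.com/saml/consume" NotOnOrAfter="2024-05-01T12:06:00Z"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://example.bridgeapp.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
EXPECTED = {"idp_entity_id": "https://idp.example.com/metadata", "sp_entity_id": "https://example.bridgeapp.com",
            "acs_url": "https://example.bridgeapp.com/saml/consume"}
SAMPLE_NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)  # inside the validity window
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=10)                # past NotOnOrAfter plus skew

if __name__ == "__main__":
    print(validate_response(SAMPLE_B64, now=SAMPLE_NOW, **EXPECTED))
    print(validate_response(SAMPLE_B64, now=SAMPLE_LATER, **EXPECTED))
```

Run as-is: the first call returns an empty problem list plus the NameID and attributes a just-in-time provisioning step would consume, the second reports the assertion as expired. A production SP additionally remembers assertion IDs for the length of the validity window so a captured Response cannot be replayed, and for SP-initiated logins checks that InResponseTo matches a request it actually sent.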

Terminology

X.509 Certificate: The IdP's public signing certificate, which is used to verify the signature on the assertions it issues. Bridge is configured with a fingerprint (hash) of this certificate so that it can verify and consume the assertions.
Service Provider (SP) Metadata: An XML file that contains the Login URL, the Bridge Account URL, the Start URL and the other elements needed to complete the configuration of the IdP with Bridge.
Identity Provider (IdP) Metadata: An XML file generated by the IdP that contains the Entity ID, the X.509 certificate of the IdP and the other attributes needed to complete the SAML configuration. It may also be published as a hosted file; in that case save it to your desktop and provide it to your IC.

Requirements

To configure SAML successfully you will need:

  • A SAML service (the IdP)
  • The URL of your Bridge metadata

For your Bridge IC to finish the configuration you will need to provide them with:

  • An IdP metadata file, or the following values:
    • SAML IdP Entity ID
    • SAML Certificate Fingerprint or X.509 Certificate
    • SAML Single Sign On URL
    • SAML NameID Format
    • SAML Authentication Context (optional)

Configuration

  1. Determine whether your Identity Provider is included in the table in the next section, "Common SAML Services and Documentation". If it is listed, follow the directions linked in the IdP-specific documentation. If you cannot find directions for your service, contact your IC or comment on this article with the service you would like to configure.
  2. Export the IdP metadata file for your configuration and send it to your IC. The Notes column of the table summarizes where the export step is covered for popular SAML services. Alternatively, provide your implementation consultant with the following:
    • SAML IdP Entity ID
    • SAML X.509 Certificate
    • SAML Single Sign On URL
    • SAML Single Log Out URL or SAML Logout Redirect URL
    • SAML NameID Format

Common SAML Services and Documentation

Azure
  Bridge documentation: Configure Azure AD SSO using SAML 2.0
  Vendor documentation: SAML authentication with Azure Active Directory
  Notes: Setup documentation includes export.

ADFS
  Bridge documentation: Using ADFS as an Identity Provider
  Vendor documentation: Configure a SAML 2.0 provider for portals with AD FS - Power Apps
  Notes: Setup documentation includes export.

Bitium
  Bridge documentation: May require Bitium to add Bridge LMS as an app. Contact Bitium and your IC to begin adding Bridge as a Bitium app.
  Notes: No additional notes

Duo
  Bridge documentation: No Bridge documentation; please contact your Implementation Consultant.
  Vendor documentation: Duo Single Sign-On

Google
  Bridge documentation: Integrating Google SAML with Bridge
  Vendor documentation: Set up your own custom SAML application - Google Workspace Admin Help

miniOrange
  Bridge documentation: No Bridge documentation; please contact your Implementation Consultant.
  Vendor documentation: What is Single Sign-On (SSO) Solution | How does it work?

Okta
  Bridge documentation: Configuring Okta SSO with Bridge
  Vendor documentation: SAML app integrations | Okta

OneLogin
  Bridge documentation: Configuring OneLogin with Bridge
  Vendor documentation: Overview of SAML

SalesForce
  Bridge documentation: Salesforce as an IdP
  Vendor documentation: Help and Training Community

* Providers listed with "No Bridge documentation" have nevertheless been set up with Bridge previously; only the vendor's own documentation is available for them.

General Testing

Ask five to ten users to sign in both from the URL of the Bridge domain, [client_domain].bridgeapp.com, and from any dashboard where Bridge is represented (for example the application dashboard of your IdP). The first exercises the SP-initiated login flow, the second the IdP-initiated flow, and a misconfiguration can affect one without the other.

Quick-testing tips:

  1. If you receive an error on a Bridge URL, it is generally (though not always) a Bridge-side configuration issue.
  2. If you receive an error on a different URL, it is generally (though not always) an IdP-side configuration issue.

Troubleshooting

Symptom: When I navigate to my Bridge URL, I see two spinning black dots and am then forwarded to a white screen, or I get a 404 Not Found.
What's happening: The SAML Logon (Single Sign On) URL configured for Bridge is most likely incorrect.
How to resolve: Confirm the Logon URL with your implementation consultant.

Symptom: After a user logs into my SAML service and tries to navigate to Bridge, the user receives a 404 Not Found.
What's happening: Either the Bridge application within your SAML service is not authorized for that user, or the SAML settings for the application are incorrect, or the SAML settings have been entered incorrectly on the Bridge side.
How to resolve:
  • Confirm in your SAML service that the user has been authorized to access Bridge in the app configuration settings.
  • Confirm in your SAML service that the general configuration of the Bridge app is correct.
  • If both check out, ask your IC to verify the values entered on the Bridge side.
