SAML 2.0 Setup Guide

Overview

Bigtincan supports SAML 2.0 authentication and is able to act as a Service Provider, allowing companies to leverage their own authentication systems. 

Bigtincan has one endpoint, used for all Bigtincan interfaces.

When users attempt to log onto the Bigtincan instance, they will be automatically redirected to the specified Identity Provider (IdP) and will return to where they left off.

Bigtincan is a Just-in-Time (JIT) Provisioning platform. If a user who has access to the application on the IdP is sent to Bigtincan and does not yet exist there, the user account will be created.


Setting up the DNS Alias

Your company must have a DNS alias configured so that the authentication pages can reach the application and authenticate correctly using SAML.

  • Navigate to Platform Configuration > Security 


  • Choose DNS tab and click "Add DNS Alias" to create a new alias


  • Enter the name of the DNS (lower-case) and click save


  • This will create four entries with the DNS alias defined


NOTES:

  • [dns_alias] is used in this guide when the newly defined DNS alias is to be used
  • For companies in the EU cloud, you will have .co.uk instead of .com.
  • For companies in the APAC cloud, you will have .com.au instead of .com.

 

Setting up the Identity Provider

The IdP setup process varies depending on the vendor software being used. An IdP will generally require the following details:

 

Endpoint Settings

Entity ID   <bigtincan domain>/saml/metadata
SSO URL     <bigtincan domain>/www/index.php?url=/saml/acs

<bigtincan domain>

The domain / DNS name that the Bigtincan instance is reachable on.

e.g. 

https://[dns_alias].push.bigtincan.com (for a company on the Bigtincan USA cloud systems)

https://[dns_alias].push.bigtincan.com.au (for a company on the Bigtincan APAC cloud systems)

https://[dns_alias].push.bigtincan.co.uk (for a company on the Bigtincan EU cloud systems)

 

General Settings

Name ID Format                       EmailAddress
Responses                            Signed
Assertions                           Signed
Authentication Context Class         X.509 Certificate
Service Provider Public Certificate  Retrieved from the Bigtincan hub instance while logged in as a Superuser via SAML Config > Download SP Public Certificate link.

 

Required Attribute Statement Settings

Please note that all field key names support the following formats:

  • snake_case
  • PascalCase
  • camelCase

Field          Claim/Attribute names                        Name format   Value
First name     first_name, firstname, FirstName, firstName  Unspecified   User's first name
Last name      last_name, lastname, LastName, lastName      Unspecified   User's last name
Email address  email, Email                                 Unspecified   User's email address

 

Optional Attribute Statement Settings

Field                 Claim/Attribute names                                           Name format   Value
Configuration bundle  configuration_bundle, ConfigurationBundle, configurationBundle  Unspecified   Configuration bundle ID (see note 1)
Groups                groups, Groups                                                  Unspecified   Group names (see note 2)
Metadata              metadata, Metadata                                              Unspecified   JSON metadata string (see note 3)

NOTES:

  1. Configuration bundle: the configuration bundle ID retrieved from the Bigtincan instance via Company Details > Configuration Bundles list. Configuration Bundles are processed every time a user logs in via SSO, not just at initial creation.
  2. Groups: supported formats are an array of group names, or a semicolon-separated list of group names. These groups must be created on Bigtincan before they can be assigned to a user. Group assignments are only processed when a user is first created via their initial login; once the user exists, this attribute has no effect.
  3. Metadata: a JSON metadata string, used to link SAML users to metadata in Bigtincan. Example input:

     '{"Brand":["ABCMart","ON"],"Region":["North","Inner West"],"Suburb":["Cronulla","Parramatta"]}'


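As an added example (not Bigtincan's own code), the following Python applies the attribute rules from the required and optional tables above to an assertion's AttributeStatement, given as a dict of attribute name to list of values: the accepted claim-name variants, the three required fields, groups as either an array or a semicolon-separated list, and metadata as a JSON string. The sample attributes are constructed, and treating the metadata JSON as an object (as in the example input above) is an assumption.

```python
# Added example, not Bigtincan's own code. Input: the assertion's AttributeStatement
# as {attribute name: [values]}, the shape most SAML libraries hand back.
import json
# Accepted claim/attribute names per field, as listed in this guide's tables.
REQUIRED = {
    "first_name": ("first_name", "firstname", "FirstName", "firstName"),
    "last_name": ("last_name", "lastname", "LastName", "lastName"),
    "email": ("email", "Email"),
}
OPTIONAL = {
    "configuration_bundle": ("configuration_bundle", "ConfigurationBundle", "configurationBundle"),
    "groups": ("groups", "Groups"),
    "metadata": ("metadata", "Metadata"),
}

def _lookup(attrs, names):
    """Return the value list for the first accepted claim name present, else None."""
    for name in names:
        if attrs.get(name):
            return attrs[name]
    return None

def map_attribute_statement(attrs: dict) -> dict:
    """Build the JIT provisioning profile; raise ValueError if a required field is absent."""
    profile = {}
    for field, names in REQUIRED.items():
        values = _lookup(attrs, names)
        if values is None:
            raise ValueError(f"required attribute missing: expected one of {names}")
        profile[field] = values[0]
    bundle = _lookup(attrs, OPTIONAL["configuration_bundle"])
    profile["configuration_bundle"] = bundle[0] if bundle else None
    # Groups arrive as several attribute values (an array) or one semicolon-separated value.
    groups = _lookup(attrs, OPTIONAL["groups"]) or []
    profile["groups"] = [g.strip() for v in groups for g in v.split(";") if g.strip()]
    # Metadata is a JSON string; assumed (from the guide's example) to be a JSON object.
    meta = _lookup(attrs, OPTIONAL["metadata"])
    parsed = json.loads(meta[0]) if meta else {}
    if not isinstance(parsed, dict):
        raise ValueError("metadata attribute must be a JSON object")
    profile["metadata"] = parsed
    return profile

# Constructed sample: camelCase claim names, groups as a semicolon-separated list.
SAMPLE_ATTRS = {
    "firstName": ["Ada"], "lastName": ["Lovelace"], "Email": ["ada@example.com"],
    "Groups": ["Sales;Marketing"],
    "Metadata": ['{"Brand":["ABCMart","ON"],"Region":["North","Inner West"]}'],
}
```

Note that the guide states group assignments only take effect at the user's first login; this mapping does not model that, so apply it only on creation.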

 

Setting up the Service Provider

  • Once the IdP has been set up, its metadata will be available, which provides the details for setting up the Bigtincan instance
  • Navigate to Platform Configuration > Security > Authentication > SAML
  • Select the DNS Alias created in Setting up the DNS Alias section of this guide


You will need to complete the configuration as defined below.  

Enable SAML

Tick this to enable SAML as a login option.

Note that valid IdP details must be made available before this option will function correctly.

SP Base URL

The URI for the bigtincan API server. 

For cloud tenants this will be in the format:

https://[dns_alias].push.bigtincan.com

or

https://[dns_alias].push.bigtincan.co.uk

or

https://[dns_alias].push.bigtincan.com.au



SP Public Certificate

This will be required by your IdP when entering SP details.

SP Metadata

This provides details regarding the Bigtincan SP instance.

Single sign-on binding

Usually provided as an XML attribute: Binding on the XML element <SingleSignOnService>.

Single log-off binding

Usually provided as an XML attribute: Binding on the XML element <SingleLogoutService>.

Metadata file

Import your IdP's XML metadata file to automatically fill in the fields: Entity ID, Single sign-on URL, Single log-off URL (if applicable) and X.509 Public Certificate.

Entity ID

Usually provided as an XML attribute: entityID on the XML element <EntityDescriptor>.

Single sign-on URL

Usually provided as an XML attribute: Location on the XML element <SingleSignOnService>.

Single log-off URL

Usually provided as an XML attribute: Location on the XML element <SingleLogoutService>.

X.509 Public Certificate

Usually provided as the value of the XML element <X509Certificate>.

Sign Messages

If set to yes then responses received by Bigtincan must be signed by the IdP.

Sign Assertions

If set to yes then assertions received by Bigtincan must be signed by the IdP.

Encrypt NameID

If set to yes then the NameID provided to Bigtincan must be encrypted by the IdP.

 

The Download Links on the SAML tab will not work unless the Entity ID, Single sign-on URL and X.509 Public Certificate have values and have been saved.

If the IdP setup requires the SP details before the IdP details can be provided to the SP, placeholder URLs and a placeholder certificate can be entered and saved on the SAML page before downloading the metadata. Once the IdP is set up, go back and update the IdP details on the SP.

 

Terminology

Term   Meaning
IdP    Identity Provider
SP     Service Provider (the Bigtincan API server)

<hub domain> (written <bigtincan domain> in the Endpoint Settings above): the domain / DNS name that the Bigtincan instance is reachable on, e.g.

https://[dns_alias].push.bigtincan.com (for a company on the Bigtincan USA cloud systems)

https://[dns_alias].push.bigtincan.com.au (for a company on the Bigtincan APAC cloud systems)

https://[dns_alias].push.bigtincan.co.uk (for a company on the Bigtincan EU cloud systems)

Note: this must be exactly the same as the server's configured _APP_URL (set at server configuration time; it should be a fully qualified domain name).

SSO    Single sign-on
SLO    Single log-out
ACS    Assertion Consumer Service

 
