Overview
The bigtincan hub appliance supports SAML 2.0 authentication and is able to act as a Service Provider, allowing customers to leverage their own authentication systems.
Bigtincan hub has one endpoint, used for all hub interfaces.
When users attempt to log on to the bigtincan hub instance they are automatically redirected to the configured Identity Provider (IdP) and, after authenticating, returned to where they left off.
Terminology
| Term | Meaning |
| --- | --- |
| IdP | Identity Provider |
| SP | Service Provider (the bigtincan hub API server) |
| <hub domain> | The domain / DNS name that the bigtincan hub instance is reachable on, e.g. https://[dns_alias].push.bigtincan.com (for a company on the bigtincan USA cloud systems), https://[dns_alias].push.bigtincan.com.au (for a company on the bigtincan APAC cloud systems) or https://[dns_alias].push.bigtincan.co.uk (for a company on the bigtincan EU cloud systems). Note: this must be exactly the same as the server's configured _APP_URL (set at server configuration time; it should be a fully qualified domain name). |
| SSO | Single sign-on |
| SLO | Single log-out |
| ACS | Assertion Consumer Service |
Setting up the Identity Provider
The IdP setup process varies depending on the vendor software being used. An IdP will generally require the following details:
Endpoint settings
| Setting | Value |
| --- | --- |
| Entity ID | <hub domain>/saml/metadata |
| SSO URL | <hub domain>/www/index.php?url=/saml/acs |
General settings
| Setting | Value |
| --- | --- |
| Name ID Format | EmailAddress |
| Responses | Signed |
| Assertions | Signed |
| Authentication Context Class | |
| X.509 Certificate | Service Provider Public Certificate. This can be retrieved from the bigtincan hub instance while logged in as a Superuser via: SAML Config > Download public certificate link. If "Certificate Status" is not set, generate a certificate using the "Generate Certificate" button, or upload your own set. |
Required attribute statement settings
Please note that all field key names support the following formats:
- snake_case
- PascalCase
- camelCase
| Field | Example field names | Name format | Value |
| --- | --- | --- | --- |
| First name | first_name, FirstName, firstName | Unspecified | User's first name |
| Last name | last_name, LastName, lastName | Unspecified | User's last name |
| Email address | | Unspecified | User's email address |
Optional attribute statement settings
| Field | Example field names | Name format | Value |
| --- | --- | --- | --- |
| Configuration bundle | configuration_bundle, ConfigurationBundle, configurationBundle | Unspecified | Configuration bundle ID retrieved from the bigtincan hub instance via: Company Details > Configuration Bundles list |
| Groups | groups, Groups | Unspecified | Formats supported: These groups must be created on bigtincan hub before they can be assigned to a user. Group assignments are only processed when a user is first created via their initial login; once the user exists, this attribute has no effect. |
| Metadata | metadata, Metadata | Unspecified | JSON metadata string used to link SAML users to metadata in bigtincan hub. Example input: '{"Brand":["ABCMart","ON"],"Region":["North","Inner West"],"Suburb":["Cronulla","Parramatta"]}' |
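To show how the attribute statement rules above fit together, here is an added Python example (not bigtincan code) that normalises the three accepted key spellings to snake_case, checks the required attributes and the Unspecified name format, and validates the metadata JSON shape. The sample statement and the email_address key name are constructed assumptions; the page lists no example field name for the email attribute.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
# Canonical (snake_case) names; "email_address" is an assumed key, the page lists none.
REQUIRED = {"first_name", "last_name", "email_address"}

def to_snake(name):
    """Normalise snake_case, PascalCase or camelCase keys to snake_case."""
    out = []
    for i, ch in enumerate(name):
        if ch.isupper() and i > 0 and name[i - 1] != "_":
            out.append("_")
        out.append(ch.lower())
    return "".join(out)

def parse_attribute_statement(xml_text):
    """Return ({snake_case_name: [values]}, [problems]) from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs, problems = {}, []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat")
        if fmt and fmt != UNSPECIFIED:  # the tables ask for the Unspecified name format
            problems.append(f"{name}: unexpected NameFormat {fmt}")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[to_snake(name)] = values
    for key in sorted(REQUIRED - attrs.keys()):
        problems.append(f"missing required attribute: {key}")
    if "metadata" in attrs:
        try:  # must be a JSON object whose values are lists, as in the page's example
            md = json.loads(attrs["metadata"][0])
            ok = isinstance(md, dict) and all(isinstance(v, list) for v in md.values())
        except (ValueError, IndexError):
            ok = False
        if not ok:
            problems.append("metadata is not a JSON object of string lists")
    return attrs, problems

# Constructed sample: mixed key spellings, two group values, no email attribute.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>Sales</saml:AttributeValue>
    <saml:AttributeValue>APAC</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="metadata"><saml:AttributeValue>{"Region":["North","Inner West"]}</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(parse_attribute_statement(SAMPLE_STATEMENT))
```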
Setting up the Service Provider
Once the IdP has been set up, its metadata will be available and will provide the details needed to configure the bigtincan hub instance.
Navigate to Platform Configuration > Security.
First, the company must have two DNS alias entries configured so that the authentication pages can complete the login flow against the new SAML IdP.
Navigate to Platform Configuration > Security > DNS and enter DNS aliases in the form:
<company>.app.bigtincan.com
<company>.push.bigtincan.com
Once the DNS alias entries are created, configure the SP settings located at:
Platform Configuration > Security > Authentication > SAML
Complete the configuration as defined below.
| Setting | Description |
| --- | --- |
| Enable SAML | Tick this to enable SAML as a login option. Note that valid IdP details must be entered before this option will function correctly. |
| SP Base URL | The URI of the bigtincan API server. For cloud tenants this will be in the format https://[dns_alias].push.bigtincan.com; for private server tenants it will be in the format https://[domain]. |
| SP Public Certificate | Required by your IdP when entering SP details. |
| SP Metadata | Provides details regarding the bigtincan SP instance. |
| Single sign-on binding | Usually provided as the XML attribute Binding on the XML element <SingleSignOnService>. |
| Single log-off binding | Usually provided as the XML attribute Binding on the XML element <SingleLogoutService>. |
| Metadata file | Import your IdP's XML metadata file to automatically fill in the fields Entity ID, Single sign-on URL, Single log-off URL (if applicable) and X.509 public certificate. |
| Entity ID | Usually provided as the XML attribute entityID on the XML element <EntityDescriptor>. |
| Single sign-on URL | Usually provided as the XML attribute Location on the XML element <SingleSignOnService>. |
| Single log-off URL | Usually provided as the XML attribute Location on the XML element <SingleLogoutService>. |
| X.509 Public Certificate | Usually provided as the value of the XML element <X509Certificate>. |
| Sign Messages | If set to yes, responses received by the hub must be signed by the IdP. |
| Sign Assertions | If set to yes, assertions received by the hub must be signed by the IdP. |
| Encrypt NameID | If set to yes, the NameID provided to the hub must be signed by the IdP. |