SAML 2.0 Setup Guide

Overview

The bigtincan hub appliance supports SAML 2.0 authentication and is able to act as a Service Provider (SP), allowing customers to authenticate hub users against their own Identity Provider (IdP).

Bigtincan hub exposes a single SAML endpoint, which is used for all hub interfaces.

When users attempt to log on to the bigtincan hub instance they are automatically redirected to the configured IdP and, after authenticating there, are returned to where they left off.

Terminology

Term            Meaning
IdP             Identity Provider
SP              Service Provider (the bigtincan hub API server)
<hub domain>    The domain / DNS name that the bigtincan hub instance is reachable on, e.g.
                https://[dns_alias].push.bigtincan.com (for a company on the bigtincan USA cloud systems)
                https://[dns_alias].push.bigtincan.com.au (for a company on the bigtincan APAC cloud systems)
                https://[dns_alias].push.bigtincan.co.uk (for a company on the bigtincan EU cloud systems)
                Note: this must be exactly the same as the server's configured _APP_URL (set at server
                configuration time; it should be a fully qualified domain name).
SSO             Single sign-on
SLO             Single log-out
ACS             Assertion Consumer Service

Setting up the Identity Provider

The IdP setup process varies depending on the vendor software being used. An IdP will generally require the following details:

Endpoint settings

  Entity ID:  <hub domain>/saml/metadata
  SSO URL:    <hub domain>/www/index.php?url=/saml/acs
              (this is the hub's Assertion Consumer Service; some IdPs label this field ACS URL or Reply URL)

General settings

  Name ID Format:                EmailAddress
  Responses:                     Signed
  Assertions:                    Signed
  Authentication Context Class:

X.509 Certificate

  Service Provider public certificate. This can be retrieved from the bigtincan hub instance while logged in as a Superuser via SAML Config > Download public certificate.

  If "Certificate Status" shows no certificate, generate one with the "Generate Certificate" button, or upload your own certificate and private key.

Required attribute statement settings

Attribute names are accepted in any of the following formats:

  • snake_case
  • PascalCase
  • camelCase

Field: First name
  Example field names: first_name, FirstName, firstName
  Name format: Unspecified
  Value: User's first name

Field: Last name
  Example field names: last_name, LastName, lastName
  Name format: Unspecified
  Value: User's last name

Field: Email address
  Example field names: email, Email
  Name format: Unspecified
  Value: User's email address

Optional attribute statement settings

Field: Configuration bundle
  Example field names: configuration_bundle, ConfigurationBundle, configurationBundle
  Name format: Unspecified
  Value: Configuration bundle ID, retrieved from the bigtincan hub instance via Company Details > Configuration Bundles list

Field: Groups
  Example field names: groups, Groups
  Name format: Unspecified
  Value: group names, in either of the supported formats:
    1. An array of group names (one AttributeValue per group)
    2. A semicolon-separated list of group names in a single value
  These groups must be created on bigtincan hub before they can be assigned to a user.
  Group assignments are only processed when a user is first created via their initial login. Once the user exists, this attribute has no effect, so later changes to a user's groups at the IdP are not picked up by the hub.

Field: Metadata
  Example field names: metadata, Metadata
  Name format: Unspecified
  Value: JSON metadata string, used to link SAML users to metadata in bigtincan hub. Example input:
    '{"Brand":["ABCMart","ON"],"Region":["North","Inner West"],"Suburb":["Cronulla","Parramatta"]}'
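The following is an added example, not code from the bigtincan guide or product, showing how the two attribute tables above are applied to an incoming assertion: attribute names are matched regardless of snake_case, PascalCase or camelCase; the three required attributes must be present; groups are accepted either as several AttributeValue elements or as one semicolon-separated value, and only groups that already exist on the hub are assigned; the metadata value is parsed as a JSON object. The assertion fragment, the HUB_GROUPS stand-in for the hub's group list and all function names are constructed for this example.

```python
"""Map a SAML AttributeStatement onto the hub's required and optional user fields.

Added example, not bigtincan's code. The assertion below is constructed (and
unsigned: attribute mapping happens only after signature checks have passed).
"""
import json
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: mixed naming styles on purpose, groups as multiple values,
# metadata using the example JSON from the guide.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="configurationBundle"><saml:AttributeValue>42</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Marketing</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="metadata">
      <saml:AttributeValue>{"Brand":["ABCMart","ON"],"Region":["North","Inner West"],"Suburb":["Cronulla","Parramatta"]}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Stand-in (hypothetical) for the groups that already exist on the hub.
HUB_GROUPS = {"Sales", "Marketing"}

# canonical attribute key -> hub field name
REQUIRED = {"firstname": "first_name", "lastname": "last_name", "email": "email"}


def canonical(name: str) -> str:
    """Collapse first_name / FirstName / firstName to the same key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_assertion(xml_text: str):
    """Return (NameID format, NameID value, {canonical attribute name: [values]})."""
    root = ET.fromstring(xml_text)  # use defusedxml for documents from untrusted parties
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(canonical(attr.get("Name", "")), []).extend(values)
    if name_id is None:
        return None, None, attrs
    return name_id.get("Format"), (name_id.text or "").strip(), attrs


def parse_groups(values):
    """Accept either one value per group or a single 'a;b;c' value."""
    if len(values) == 1:
        values = values[0].split(";")
    return [g.strip() for g in values if g.strip()]


def missing_required(attrs):
    return [field for key, field in REQUIRED.items() if not attrs.get(key)]


def build_user(xml_text, hub_groups=HUB_GROUPS):
    fmt, name_id, attrs = parse_assertion(xml_text)
    if fmt != EMAIL_FORMAT:
        raise ValueError(f"NameID format must be emailAddress, got {fmt!r}")
    missing = missing_required(attrs)
    if missing:
        raise ValueError(f"assertion lacks required attributes: {missing}")
    user = {field: attrs[key][0] for key, field in REQUIRED.items()}
    if user["email"].lower() != name_id.lower():
        raise ValueError("email attribute does not match the NameID")
    if attrs.get("configurationbundle"):
        user["configuration_bundle"] = attrs["configurationbundle"][0]
    if attrs.get("groups"):
        groups = parse_groups(attrs["groups"])
        # Only groups that already exist on the hub can be assigned; the rest are
        # reported so the administrator can create them or fix the IdP mapping.
        user["groups"] = [g for g in groups if g in hub_groups]
        user["unknown_groups"] = [g for g in groups if g not in hub_groups]
    if attrs.get("metadata"):
        meta = json.loads(attrs["metadata"][0])
        if not isinstance(meta, dict) or not all(
            isinstance(v, list) and all(isinstance(s, str) for s in v) for v in meta.values()
        ):
            raise ValueError("metadata must be a JSON object of string arrays")
        user["metadata"] = meta
    return user


if __name__ == "__main__":
    print(json.dumps(build_user(SAMPLE_ASSERTION), indent=2))
```

Run it as a script to see the resulting user record; the "Contractors" group is reported under unknown_groups because it does not exist on the (stand-in) hub, which is the situation the note about creating groups first describes.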

Setting up the Service Provider

Once the IdP has been set up, its metadata will be available and provides the details needed to configure the bigtincan hub instance:

Navigate to Platform Configuration > Security 


First, the company must have two DNS alias entries configured so that the authentication pages can complete the login against the new SAML IdP.

Navigate to Platform Configuration > Security > DNS

and enter DNS aliases of the form:

<company>.app.bigtincan.com 

<company>.push.bigtincan.com


Once the DNS Alias entries are created, you will need to configure the SP settings located here: 

Platform Configuration > Security > Authentication > SAML


You will need to complete the configuration as defined below.  

Enable SAML

Tick this to enable SAML as a login option.

Note that valid IdP details must be made available before this option will function correctly.

SP Base URL

The base URL of the bigtincan API server, i.e. <hub domain>. It must match the server's configured _APP_URL exactly, since the Entity ID and ACS URL given to the IdP are built from it.

For cloud tenants this will be in the format:

https://[dns_alias].push.bigtincan.com


For private server tenants this will be in the format:

https://[domain]

SP Public Certificate

This will be required by your IdP when entering SP details.

SP Metadata

This provides details regarding the bigtincan SP instance.

Single sign-on binding

The binding the hub uses to send its authentication request to the IdP. Usually provided as the Binding attribute on the <SingleSignOnService> element of the IdP metadata, e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. An IdP may list several <SingleSignOnService> elements, one per binding; choose one and use its Location as the Single sign-on URL.

Single log-off binding

Usually provided as the Binding attribute on the <SingleLogoutService> element of the IdP metadata.

Metadata file

Import your IdP's XML metadata file to automatically fill in the fields Entity ID, Single sign-on URL, Single log-off URL (if applicable) and X.509 public certificate.

Entity ID

Usually provided as the entityID attribute on the <EntityDescriptor> element.

Single sign-on URL

Usually provided as the Location attribute on the <SingleSignOnService> element.

Single log-off URL

Usually provided as the Location attribute on the <SingleLogoutService> element.

X.509 Public Certificate

Usually provided as the value of the <X509Certificate> element (base64, often wrapped over several lines). Use the IdP's signing certificate; a <KeyDescriptor> marked use="encryption" only is not the key the hub verifies signatures with.
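The following is an added example, not code from the bigtincan guide or product, that does by hand what the "Metadata file" import does: it reads the entityID, the <SingleSignOnService> and <SingleLogoutService> bindings and locations, and the IdP's signing certificate out of an IdP metadata document, checks that the certificate body decodes to DER, and picks a binding to enter. The metadata document, the fake certificate body and all function names are constructed for this example; point the script at the metadata your IdP actually publishes.

```python
"""Pull the hub's SAML settings out of IdP metadata.

Added example, not bigtincan's code. The metadata below is constructed; the
certificate is a fake DER blob (an ASN.1 SEQUENCE header plus padding), not a
real certificate, which is enough to exercise the base64/DER sanity checks.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

_FAKE_DER = b"\x30\x82\x00\x40" + b"\x00" * 64
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()
# IdPs usually wrap the base64 body over several lines; the cleaning must cope.
_WRAPPED = "\n      ".join(_FAKE_B64[i:i + 64] for i in range(0, len(_FAKE_B64), 64))

SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_WRAPPED}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _services(descriptor, tag):
    """{Binding: Location} for every <md:tag> element in the descriptor."""
    return {e.get("Binding"): e.get("Location") for e in descriptor.findall(f"md:{tag}", NS)}


def extract_idp_settings(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)  # use defusedxml for metadata you did not fetch yourself
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' serves both purposes; an encryption-only
        # key is not what the hub verifies response/assertion signatures with.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            der = base64.b64decode(b64, validate=True)
            if not der or der[0] != 0x30:
                raise ValueError("X509Certificate does not decode to DER (no ASN.1 SEQUENCE)")
            certs.append(b64)
    if not certs:
        raise ValueError("IdP metadata has no signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso": _services(idp, "SingleSignOnService"),
        "slo": _services(idp, "SingleLogoutService"),  # empty if the IdP offers no SLO
        "signing_certificates": certs,
    }


def choose_binding(services: dict):
    """Pick the binding to enter: HTTP-Redirect if offered, else HTTP-POST."""
    for binding in (REDIRECT, POST):
        if binding in services:
            return binding, services[binding]
    return None


def to_pem(b64: str) -> str:
    """Re-wrap a cleaned base64 body as PEM for tools that expect a file."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_IDP_METADATA)
    print("Entity ID:", settings["entity_id"])
    print("SSO binding/URL:", choose_binding(settings["sso"]))
    print("SLO binding/URL:", choose_binding(settings["slo"]))
    print(to_pem(settings["signing_certificates"][0]))
```

The DER check only confirms the value is not truncated or mangled during copy and paste; it does not validate the certificate. Once you have the PEM, inspect it with your usual X.509 tooling and confirm its subject and expiry match what the IdP administrator expects before pasting it into the hub.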

Sign Messages

If set to yes then responses received by the hub must be signed by the IdP.

Sign Assertions

If set to yes then assertions received by the hub must be signed by the IdP.

These two settings should match what the IdP was configured to send above (Responses: Signed, Assertions: Signed). If both are set to no, the hub does not require a signature on either the response or the assertion, and that signature (verified against the IdP's X.509 public certificate entered above) is what proves the assertion actually came from the IdP; leaving both off is not a safe configuration.

Encrypt NameID

If set to yes then the NameID in assertions received by the hub must be encrypted by the IdP to the hub's SP public certificate, i.e. delivered as an <EncryptedID> element rather than a plaintext <NameID>.

 
