Overview
The Bigtincan hub appliance supports SAML 2.0 authentication and is able to act as a Service Provider, allowing companies to leverage their own authentication systems.
Bigtincan hub has one endpoint, used for all hub interfaces.
When users attempt to log onto the Bigtincan hub instance they will be automatically redirected to the specified Identity Provider (IdP) and will return to where they left off.
Setting up the DNS Alias (Bigtincan Content Hub)
- First the company must have a DNS alias configured to allow the authentication pages to access the application to properly authenticate using SAML
- Navigate to Platform Configuration > Security
- Choose DNS tab and click Add DNS Alias to create a new alias
- Enter the name of the DNS and click save
- This will create four entries with the DNS alias defined
[dns_alias] is used in this guide when the newly defined DNS alias is to be used |
For companies in the EU cloud, you will have .co.uk instead of .com.
For companies in the APAC cloud, you will have .com.au instead of .com. |
Endpoint settings
Entity ID |
<hub domain>/saml/metadata |
SSO URL |
<hub domain>/www/index.php?url=/saml/acs |
The domain / DNS name that the Bigtincan hub instance is reachable on.
e.g.
https://[dns_alias].push.bigtincan.com (for a company on the Bigtincan USA cloud systems)
https://[dns_alias].push.bigtincan.com.au (for a company on the Bigtincan APAC cloud systems)
https://[dns_alias].push.bigtincan.co.uk (for a company on the Bigtincan EU cloud systems)
Creating an App in Duo with SAML 2.0
This is a detailed walkthrough of how to create an SSO integration between Duo and your Content Hub organisation. There is a similar tutorial created by Duo at Duo Single Sign-On . This walk through helps to provide additional information about what settings need to be configured in Content Hub.
- Log into your Okta account. If you don’t have an account, signup at Start Your Free Duo Trial
- Navigate to Applications.
- Click the 'Protect An Application' button on the top-right.
- Scroll-down the list until you find the application ‘Generic SAML Service Provider’ and click the ‘Protect’ button.
- Under the Service Provider section, you will find the two required fields for SP URLs.
- Add the Entity ID URL for Content Hub. This can be updated using the SSO Url from the Endpoint Settings section earlier in this guide or from the metadata provided by the Content Hub.
- Add the Assertion Consumer Service (ACS) URL. This can be updated using the SSO Url from the Endpoint Settings section earlier in this guide or from the metadata provided by the Content Hub.
Required attribute statement settings
Please note that all field key names support the following formats:
-
snake_case
-
PascalCase
-
camelCase
Field |
Claim/Attribute names |
Name format |
Value |
First name |
first_name firstname FirstName firstName |
Unspecified |
User’s first name |
Last Name |
last_name lastname LastName lastName |
Unspecified |
User’s last name |
Email Address |
|
Unspecified |
User’s email address |
-
Under the SAML Response section, you will add the required attributes for the Content Hub. Add username for the NameID if not set (NameID section will not be necessary)
Optional attribute statement settings
Field |
Claim/Attribute names |
Name format |
Value |
Configuration bundle |
configuration_bundle ConfigurationBundle configurationBundle |
Unspecified |
Configuration bundle ID retrieved from the Bigtincan hub instance via: Company Details > Configuration Bundles list Configuration Bundles are processed when a user logs in via SSO. It is not just an initial creation. |
Groups |
groups Groups |
Unspecified |
Formats supported:
These groups must be created on Bigtincan hub before they can be assigned to a user. Group assignments are only processed when a user is first created via their initial login. Once their user has been created, this attribute will not have an effect. |
Metadata |
metadata Metadata |
Unspecified |
JSON metadata string; used to link SAML users to metadata in Bigtincan hub. Example input: '{"Brand":["ABCMart","ON"],"Region":["North","Inner West"],"Suburb":["Cronulla","Parramatta"]}' |
-
You should be able to proceed with providing your Duo SSO with a name under Settings before saving.
Setting up the Service Provider (Bigtincan Content Hub)
Once the IdP has been set up it’s metadata will be available which will provide the details for setting up the Bigtincan Content Hub instance
-
Navigate to Platform Configuration > Security > Authentication > SAML
-
Select the DNS Alias created in Setting up the DNS Alias section of this guide
-
You will need to complete the configuration as defined below
Enable SAML
Tick this to enable SAML as a login option.
Note that valid IdP details must be made available before this option will function correctly.
SP Base URL
The URI for the bigtincan API server.
For cloud tenants this will be in the format:
https://[dns_alias].push.bigtincan.com
or
https://[dns_alias].push.bigtincan.co.uk
or
https://[dns_alias].push.bigtincan.com.au
SP Public Certificate
This will be required by your IdP when entering SP details.
SP Metadata
This provides details regarding the bigtincan SP instance.
Single sign-on binding
Usually provided as an XML attribute: Binding on the XML element <SingleSignOnService>.
Single log-off binding
Usually provided as an XML attribute: Binding on the XML element <SingleLogoutService>.
Metadata file
Import your IdP’s XML metadata file to automatically fill in the fields: Entity ID, Single sign-on URL, single log-off URL (if applicable) and X.509 public certificate.
Entity ID
Usually provided as an XML attribute: entityID on the XML element <EntityDescriptor>.
Single sign-on URL
Usually provided as an XML attribute: Location on the XML element <SingleSignOnService>.
Single log-off URL
Usually provided as an XML attribute: Location on the XML element <SingleLogoutService>.
X.509 Public Certificate
Usually provided as the value of XML element: <X509Certificate>
Sign Messages
If set to yes then responses received by the hub must be signed by the IdP.
Sign Assertions
If set to yes then assertions received by the hub must be signed by the IdP.
Encrypt NameID
If set to yes then the nameID provided to the hub must be signed by the IdP.
4. Back on the Duo side, go to the Metadata section
5. Copy the Identity Provider Entity ID URL from Duo to the Entity ID field in Content Hub.
6. Copy the Identity Provider Single Sign-On URL from Okta to the Single sign-on URL in Content Hub.
9. You should now be able to test out the SSO provider when you log into either the Admin Portal or the Content Hub Client Apps.
Configure SAML 2.0 SSO provider from a metadata XML file
Often only a metadata document is shared when setting up an SSO provider. This document will look something like this:
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAW+rgEQdMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xMzQ5NzAxHDAaBgkqhkiG9w0BCQEW DWluZm9Ab2t0YS5jb20wHhcNMjAwMTE1MjMxNzI3WhcNMzAwMTE1MjMxODI3WjCBkjELMAkGA1UE BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTM0OTcwMRwwGgYJ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA yt71xVT8fJptqOtyZTb+g+82U3IBxrCDAKvEnGTA2jZ6ZfI1JPLQX9Sf9rULQ2kZCt3mX4qy1Cw+ OlphSF1UBKy7Fchn38Anya5twj8jCZPk2XDKUvuKv28MXqbTzc4WO/k9t4zkhHch118MuhmsbVP0 H9Pb6p32N+oRRDOGAsUSXsnjAC1H2ziUcX+7pvIImSTQudazc/Uch8UBS2HQJxuhrv2gUNi6w+XV bugjkRHp9GWAh+RxwBex14yrdpIw/TDhcsjYtzugVpiljhnHhpHvurGJ5cEK82Owm7/4RbW4VrNe 6H/fU1mHXQ96P+EpgJZv39LyPy4zATTRQ4i3YwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAhwhFH N5HgTwgmLKj9fx8WWR/RHyZB6SnMLDFNu7+3sAHl5TKGUi2yhZx5bkTlOQppo3sjEeUVZ4jnpQUb oeyGeryTYmLf1QPhtg3kaaWWQ5fAjJdTh7U4/RRf+56MemKMJcHL9Tn5Y0GMDqukow9nVQ48XwnF M0SU+ynSxevIZl4o8kZAHQmJIqwrfOFYpNuJq5ACvS8MtXxK8H6m0CxbZcO4aNrfCQN1rfn4pHm2 nv+qQaP2TSvGr8EH5MOdj64murtzn5ld9T0xy1Ka7eoXdGb/IM +fgpkgxN8WX01tR1PgDcVZVhN9nNzNsG
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://exampleURL.com/app/dev-13_samplesaml20app_1/exk1qmreaaEc/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://exampleURL.com/app/dev-13_samplesaml20app_1/exk1qmre/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Note : Hub does provide a function to import the metadata from the IdP.
- Select the Import Metadata File
- The data will be imported into the fields automatically.
If the IdP setup requires the details from the SP before IdP details can be provided to the SP, placeholder URLs and certificate can be entered and Saved on the SAML page before downloading the metadata. Once the IdP is setup then user can go back and update the IdP details on the SP.