Content Hub to Duo SAML 2.0 Configuration

Overview

The Bigtincan hub appliance supports SAML 2.0 authentication and is able to act as a Service Provider, allowing companies to leverage their own authentication systems.

Bigtincan hub has one endpoint, used for all hub interfaces.

When users attempt to log onto the Bigtincan hub instance they will be automatically redirected to the specified Identity Provider (IdP) and will return to where they left off.

Setting up the DNS Alias (Bigtincan Content Hub)

  1. First the company must have a DNS alias configured to allow the authentication pages to access the application to properly authenticate using SAML
  2. Navigate to Platform Configuration > Security
  3. Choose DNS tab and click Add DNS Alias to create a new alias
  4. Enter the name of the DNS and click save
  5. This will create four entries with the DNS alias defined

[dns_alias] is used in this guide when the newly defined DNS alias is to be used

For companies in the EU cloud, you will have .co.uk instead of .com.

For companies in the APAC cloud, you will have .com.au instead of .com.



Endpoint settings


Entity ID

<hub domain>/saml/metadata

SSO URL

<hub domain>/www/index.php?url=/saml/acs


<hub domain>

The domain / DNS name that the Bigtincan hub instance is reachable on.

e.g. 

https://[dns_alias].push.bigtincan.com (for a company on the Bigtincan USA cloud systems)

https://[dns_alias].push.bigtincan.com.au (for a company on the Bigtincan APAC cloud systems)

https://[dns_alias].push.bigtincan.co.uk (for a company on the Bigtincan EU cloud systems)

Creating an App in Duo with SAML 2.0

This is a detailed walkthrough of how to create an SSO integration between Duo and your Content Hub organisation. There is a similar tutorial created by Duo at Duo Single Sign-On . This walk through helps to provide additional information about what settings need to be configured in Content Hub.

  1. Log into your Okta account. If you don’t have an account, signup at Start Your Free Duo Trial 
  2. Navigate to Applications.
  3. Click the 'Protect An Application' button on the top-right.
  4. Scroll-down the list until you find the application ‘Generic SAML Service Provider’ and click the ‘Protect’ button.
  5. Under the Service Provider section, you will find the two required fields for SP URLs.
  6. Add the Entity ID URL for Content Hub. This can be updated using the SSO Url from the Endpoint Settings section earlier in this guide or from the metadata provided by the Content Hub.
  7. Add the Assertion Consumer Service (ACS) URL.  This can be updated using the SSO Url from the Endpoint Settings section earlier in this guide or from the metadata provided by the Content Hub.

Required attribute statement settings

Please note that all field key names support the following formats:

  1. snake_case

  2. PascalCase

  3. camelCase

Field 

Claim/Attribute names

Name format

Value

First name

first_name 

firstname

FirstName 

firstName

Unspecified

User’s first name

Last Name

last_name

lastname

LastName

lastName

Unspecified

User’s last name

Email Address

email

Email

Unspecified

User’s email address

 

  1. Under the SAML Response section, you will add the required attributes for the Content Hub.  Add username for the NameID if not set (NameID section will not be necessary)


Optional attribute statement settings

Field

Claim/Attribute names

Name format

Value

Configuration bundle

configuration_bundle

ConfigurationBundle

configurationBundle



Unspecified

Configuration bundle ID retrieved from the Bigtincan hub instance via:

Company Details > Configuration Bundles list

Configuration Bundles are processed when a user logs in via SSO.  It is not just an initial creation.

Groups

groups

Groups

Unspecified

Formats supported:

  1. An array of group names. 

  2. A semicolon separated list of group names



These groups must be created on Bigtincan hub before they can be assigned to a user.



Group assignments are only processed when a user is first created via their initial login. Once their user has been created, this attribute will not have an effect.

Metadata

metadata

Metadata

Unspecified

JSON metadata string; used to link SAML users to metadata in Bigtincan hub.



Example input:



'{"Brand":["ABCMart","ON"],"Region":["North","Inner West"],"Suburb":["Cronulla","Parramatta"]}'



 

  • You should be able to proceed with providing your Duo SSO with a name under Settings before saving.

Setting up the Service Provider (Bigtincan Content Hub)

Once the IdP has been set up it’s metadata will be available which will provide the details for setting up the Bigtincan Content Hub instance

  1. Navigate to Platform Configuration > Security > Authentication > SAML

  2. Select the DNS Alias created in Setting up the DNS Alias section of this guide

  3. You will need to complete the configuration as defined below

    Enable SAML

    Tick this to enable SAML as a login option.

    Note that valid IdP details must be made available before this option will function correctly.

    SP Base URL

    The URI for the bigtincan API server. 

    For cloud tenants this will be in the format:

    https://[dns_alias].push.bigtincan.com

    or

    https://[dns_alias].push.bigtincan.co.uk

    or

    https://[dns_alias].push.bigtincan.com.au



    SP Public Certificate


    This will be required by your IdP when entering SP details.

    SP Metadata

    This provides details regarding the bigtincan SP instance.

    Single sign-on binding

    Usually provided as an XML attribute: Binding on the XML element <SingleSignOnService>.

    Single log-off binding

    Usually provided as an XML attribute: Binding on the XML element <SingleLogoutService>.

    Metadata file

    Import your IdP’s XML metadata file to automatically fill in the fields: Entity ID, Single sign-on URL, single log-off URL (if applicable) and X.509 public certificate.

    Entity ID

    Usually provided as an XML attribute: entityID on the XML element <EntityDescriptor>.

    Single sign-on URL

    Usually provided as an XML attribute: Location on the XML element <SingleSignOnService>.

    Single log-off URL

    Usually provided as an XML attribute: Location on the XML element <SingleLogoutService>.

    X.509 Public Certificate

    Usually provided as the value of XML element: <X509Certificate>

    Sign Messages

    If set to yes then responses received by the hub must be signed by the IdP.

    Sign Assertions

    If set to yes then assertions received by the hub must be signed by the IdP.

    Encrypt NameID

    If set to yes then the nameID provided to the hub must be signed by the IdP.


4. Back on the Duo side, go to the Metadata section

5. Copy the Identity Provider Entity ID URL from Duo to the Entity ID field in Content Hub.

6. Copy the Identity Provider Single Sign-On URL from Okta to the Single sign-on URL in Content Hub.

7. Download the X.509 Certificate from Duo and import it to the X.509 public certificate field in Content Hub
8. Ensure the SSO Provider in enabled and click save.

9. You should now be able to test out the SSO provider when you log into either the Admin Portal or the Content Hub Client Apps.

Configure SAML 2.0 SSO provider from a metadata XML file

Often only a metadata document is shared when setting up an SSO provider. This document will look something like this:

<md:EntityDescriptor entityID="http://exampleURL.com/exk1qmrea">

<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

<md:KeyDescriptor use="signing">

<ds:KeyInfo>

<ds:X509Data>

<ds:X509Certificate>

MIIDpDCCAoygAwIBAgIGAW+rgEQdMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xMzQ5NzAxHDAaBgkqhkiG9w0BCQEW DWluZm9Ab2t0YS5jb20wHhcNMjAwMTE1MjMxNzI3WhcNMzAwMTE1MjMxODI3WjCBkjELMAkGA1UE BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTM0OTcwMRwwGgYJ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA yt71xVT8fJptqOtyZTb+g+82U3IBxrCDAKvEnGTA2jZ6ZfI1JPLQX9Sf9rULQ2kZCt3mX4qy1Cw+ OlphSF1UBKy7Fchn38Anya5twj8jCZPk2XDKUvuKv28MXqbTzc4WO/k9t4zkhHch118MuhmsbVP0 H9Pb6p32N+oRRDOGAsUSXsnjAC1H2ziUcX+7pvIImSTQudazc/Uch8UBS2HQJxuhrv2gUNi6w+XV bugjkRHp9GWAh+RxwBex14yrdpIw/TDhcsjYtzugVpiljhnHhpHvurGJ5cEK82Owm7/4RbW4VrNe 6H/fU1mHXQ96P+EpgJZv39LyPy4zATTRQ4i3YwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAhwhFH N5HgTwgmLKj9fx8WWR/RHyZB6SnMLDFNu7+3sAHl5TKGUi2yhZx5bkTlOQppo3sjEeUVZ4jnpQUb oeyGeryTYmLf1QPhtg3kaaWWQ5fAjJdTh7U4/RRf+56MemKMJcHL9Tn5Y0GMDqukow9nVQ48XwnF M0SU+ynSxevIZl4o8kZAHQmJIqwrfOFYpNuJq5ACvS8MtXxK8H6m0CxbZcO4aNrfCQN1rfn4pHm2 nv+qQaP2TSvGr8EH5MOdj64murtzn5ld9T0xy1Ka7eoXdGb/IM +fgpkgxN8WX01tR1PgDcVZVhN9nNzNsG

</ds:X509Certificate>

</ds:X509Data>

</ds:KeyInfo>

</md:KeyDescriptor>

<md:NameIDFormat>

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

</md:NameIDFormat>

<md:NameIDFormat>

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

</md:NameIDFormat>

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://exampleURL.com/app/dev-13_samplesaml20app_1/exk1qmreaaEc/sso/saml"/>

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://exampleURL.com/app/dev-13_samplesaml20app_1/exk1qmre/sso/saml"/>

</md:IDPSSODescriptor>

</md:EntityDescriptor>

Note : Hub does provide a function to import the metadata from the IdP.

  1. Select the Import Metadata File
  2. The data will be imported into the fields automatically.


The Download Links on the SAML tab will not work unless the Entity ID, Single sign-on URL and X.509 Public Certificate have values and saved.

If the IdP setup requires the details from the SP before IdP details can be provided to the SP, placeholder URLs and certificate can be entered and Saved on the SAML page before downloading the metadata.  Once the IdP is setup then user can go back and update the IdP details on the SP.