Overview
As an account Administrator, you can configure single sign-on (SSO) as a login method for your organization's Blumira account users. You can simplify how your users access Blumira while leveraging the security and standardization of the Security Assertion Markup Language (SAML) already used by many identity providers (IdP) for application authentication.
Blumira supports connections with all SAML IdPs that conform to the SAML 1.1 or SAML 2.0 protocol, including the following:
After SSO is enabled, Blumira uses the email domain configured for the IdP to recognize which users to send to the IdP at login. Users whose email address is not in that domain (for example, users not managed by your IdP) are not covered by the SSO configuration for your account and continue to log in with their existing Blumira credentials (email and password).
Before you begin
Before enabling SSO for your Blumira account, verify that you are an administrator both in your Blumira account and in the IdP, with the permissions required to access its SSO configuration.
From the IdP, you must gather the following to use in Blumira's configuration:
- Domain of the email accounts used for login
- Signing Certificate file
- Sign-in Endpoint
- Sign-out Endpoint
In Blumira, you can gather the following to use in the IdP's SSO configuration:
- ACS URL (may also be referred to as Single Sign-On URL)
- Logout URL
- Entity ID (may also be referred to as the Audience)
- Downloadable XML metadata file
- Signing certificate for the account
Important: The signing certificate is unique to the Blumira organization it is created for and cannot be used to connect other Blumira organizations to the same SSO application. Users who have access to multiple organizations, such as MSPs, will be associated with one primary organization.
Configuring SSO for SAML-enabled identity providers
To configure SSO with Blumira, do the following:
- Log in to your IdP application and navigate to the SAML SSO configuration section, which varies per vendor.
Reference: See these vendor-specific instructions:
- Download the IdP's SAML metadata file and signing certificate file.
- In Blumira, navigate to Settings > Single sign-on.
- Click the slider next to Disabled to enable form editing.
- Under Identity Provider, type or paste the values you previously gathered from the IdP for the following:
- Email domain
- Signing Certificate
- Sign-in Endpoint URL
- Sign-out Endpoint URL
- Click Save.
- Under Blumira, download the XML file and signing certificate from the Blumira app.
- In your identity provider's app, configure SAML SSO using the provided metadata and certificate.
Note: Some IdPs require only the metadata file and parse the entity ID, endpoint URLs, and certificate from it. Other providers require you to copy and paste those values into their app's UI.
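Every value the Identity Provider form asks for in steps above (sign-in endpoint, sign-out endpoint, signing certificate) is carried in the IdP's SAML metadata file, and the email domain decides who is routed to SSO at all. The following Python script is an added example, not part of this article and not a Blumira tool: it pulls those values out of a constructed, placeholder IdP metadata document (stdlib only; the host names, entity ID and certificate payload are made up and not a real IdP), re-wraps the certificate into the PEM form a "Signing Certificate" upload expects, flags endpoints that are not HTTPS, and mirrors the domain-based login routing described under Overview. The function names are this example's own.

```python
"""Extract the values Blumira's Identity Provider form needs from IdP SAML 2.0
metadata, and model the email-domain routing rule. Constructed sample data only."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: base64 of a text string, NOT a DER certificate. A real
# metadata file carries the IdP's X.509 signing certificate here.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a DER certificate").decode()

# Constructed sample with the shape of a typical IdP metadata document.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(desc, tag, preferred=(REDIRECT, POST)):
    """Location of the first <md:tag> whose Binding appears in `preferred`, in that
    order; None if the IdP publishes none (SingleLogoutService is optional in SAML)."""
    by_binding = {e.get("Binding"): e.get("Location") for e in desc.findall(f"md:{tag}", NS)}
    for binding in preferred:
        if binding in by_binding:
            return by_binding[binding]
    return None


def _to_pem(b64_blob):
    """Re-wrap the bare base64 from metadata into the PEM file a certificate upload expects."""
    body = "".join(b64_blob.split())  # metadata often has newlines/indentation inside the blob
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml):
    """Return entity ID, sign-in/sign-out endpoints, signing cert(s) as PEM, and warnings.
    xml.etree is acceptable for a file you downloaded from your own IdP; for metadata
    from an untrusted source, parse with defusedxml to avoid entity-expansion attacks."""
    root = ET.fromstring(metadata_xml)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    # Only keys marked use="signing" (or with no 'use', which covers both) verify
    # assertions; pasting an encryption-only key as the signing cert fails every login.
    certs = [
        k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for k in desc.findall("md:KeyDescriptor", NS)
        if k.get("use") in (None, "signing")
    ]
    certs = [c for c in certs if c]
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    sign_in = _endpoint(desc, "SingleSignOnService")
    if sign_in is None:
        raise ValueError("metadata carries no SingleSignOnService endpoint")
    sign_out = _endpoint(desc, "SingleLogoutService")
    warnings = [
        f"{name} endpoint is not HTTPS: {url}"
        for name, url in (("sign-in", sign_in), ("sign-out", sign_out))
        if url and not url.startswith("https://")
    ]
    return {
        "entity_id": root.get("entityID"),
        "sign_in_endpoint": sign_in,
        "sign_out_endpoint": sign_out,
        "signing_certificates": [_to_pem(c) for c in certs],
        "warnings": warnings,
    }


def login_route(email, sso_domain):
    """Routing rule from the Overview: an exact (case-insensitive) match on the email
    domain goes to SSO; anything else, including subdomains and look-alike domains,
    keeps email+password."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return "sso" if domain.lower() == sso_domain.lower() else "password"


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_IDP_METADATA)
    for key, value in settings.items():
        print(f"{key}: {value}")
    for addr in ("alice@example.com", "bob@sub.example.com", "mallory@evil-example.com"):
        print(addr, "->", login_route(addr, "example.com"))
```

The domain comparison is an exact match rather than a suffix check on purpose: a suffix check would route mallory@evil-example.com to your IdP, and whether subdomains should be covered is a decision to make explicitly, not by accident. If the script reports a sign-out endpoint of None, the IdP simply does not publish single logout, which is valid SAML; leave the Sign-out Endpoint field for the IdP's documented logout URL or ask the IdP vendor.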
Using SSO
After the SSO configuration is complete, users can log in to Blumira with SAML SSO. On their first SSO login they must enroll a new MFA token.
Note: Blumira requires its own MFA even if the identity provider also enforces MFA separately.