Configuring a self-service SAML authenticator
You can configure a SAML authenticator with any identity provider running an SSO server that supports X.509 certificates.
As a best practice, ensure users have email addresses as their usernames. You can then configure different authenticators for different email domains. For example, logins from users with an email address in the brightspot.com
domain are routed to the Google Cloud Service authenticator, and logins from users with an email address in any domain outside of brightspot.com
are routed to an Okta authenticator.
To configure a self-service SAML authenticator:
- Obtain the following from the identity provider the following:
- Metadata file that Brightspot uses to verify a SAML response originated from the intended identity provider. This is an XML file starting with an
EntityDescriptor
element. - Identity provider's URL to which Brightspot sends SAML requests.
- Identity provider's entity ID from the
EntityDescriptor/entityID
attribute.
- Metadata file that Brightspot uses to verify a SAML response originated from the intended identity provider. This is an XML file starting with an
- Click > Admin > Sites & Settings > Sites > Global.
- Click , located to the left of , and type
Authenticators
. - Under Authenticators, click and select Self Service SAML Tool Authenticator.
- Configure the identity provider to accept requests from Brightspot by doing the following:
- Click View Service Provider Metadata.
- Use the displayed metadata to configure the identity provider as required.
- Click View Service Provider Metadata.
- Using the following table as a reference, complete the fields as needed.
- Click Save.
Field | Description |
Valid Domains | Enter login email domains that are routed to this authenticator. For example, if you enter brightspot.com , login requests from emails in the brightspot.com domain (such as hello@brightspot.com ) are routed to this authenticator.Users attempting to log in using an email domain that is not specified in this or any other SAML authenticator are routed to the default authenticator (a standard username/password challenge). |
Configuration | Select SAML X509. |
Name | Enter a name for this SSO configuration. Brightspot uses this name in various widgets and in the _saml query parameter. See the Hidden field, below. |
Auth Link Name | Enter text for the SSO label in the Brightspot login widget. If you enter Single Sign On , the label is Log Into Single Sign On . |
Identity Provider URL | Enter the identify provider's URL you obtained in step 1. |
Entity ID | Enter the identity provider’s entity ID you obtained in step 1. |
Idp Meta Data | Upload the identity provider’s entity metadata XML file you obtained in step 1. |
Issuer URL | Enter the value Brightspot assigns to the element <saml:issuerurl> in a SAML authorization request. |
Email Attribute Field | Enter the name of the field into which the identity provider returns a user's email. For example, if you enter
After receiving the assertion from the identity provider, Brightspot uses the value of the email attribute field as the editor’s username. For example, if the SAML element |
Groups Attribute Field | Enter the name of the field into which the identity provider returns a user's associated groups. Brightspot uses the value in the this field as the editor's role. (If more than one group is returned, Brightspot uses the first one returned.) Therefore, in an SSO environment, ensure the roles on the SSO server match the roles in Brightspot. (For information about configuring roles, see Roles.) |
Hidden | If toggled on, this SAML authenticator appears in the login widget only if the query string _saml=PROVIDER_NAME appears in the login URL. For example, editors typically log in to Brightspot at the URL https://brightspot.com/cms . If this field is toggled on, editors must log in at the URL https://brightspot.com/cms?_saml=PROVIDER_NAME . The value of PROVIDER_NAME is the value you configure for the Name field described above. If the Name field is set to bspsso , then editors must log in at https://brightspot.com/cms?_saml=bspsso . |
Disable Newly Provisioned Tool Users | When a new editor successfully logs in through this SAML configuration, Brightspot creates a new account for that editor. If this field is toggled on, that new editor cannot log in to Brightspot, and an admin must manually activate the account. If this field is toggled off, the editor can log in to the new account. (This field has no impact when the editor is already provisioned on the identity provider’s server.) |
Key Info Required | If this field is toggled on, Brightspot requires the identity provider to return data in a <ds:KeyInfo> element. If field is toggled off, the identity provider does not need to return data in a <ds:KeyInfo> element. |
Merge Non-SAML User | This toggle determines what happens when an existing user migrates from username/password authentication to SAML authentication.
|
The following illustration shows the relationship between Brightspot as a service provider and Simple SAML PHP as an identity provider.
See also: