Created date: 29
Updated date:
Affects version: Management Portal
Fix version: N/A

...

Single sign-on simplifies the login process, enhances security and improves the overall user experience. This page introduces the single sign-on feature available in the Blancco Management Portal. It also provides instructions for configuring and enabling SSO for Microsoft Entra ID (Azure AD).

In the Blancco Management Portal, single sign-on settings are available to manager users and to users with a custom role granting the "Configure SSO" authority. The SSO settings are located under the user's "Settings", which can be accessed by clicking your username in the top right corner of the screen.

...

  • Single Sign-On URL - This URL is used as the reply/redirect URL when configuring the SSO settings on the identity provider side.
  • Client ID - Application/Client ID of the identity provider.
  • Client secret - A string-based key used to authenticate the application to the identity provider.
  • Issuer URL - Similar to https://login.microsoftonline.com/GUID/v2.0, where GUID corresponds to the Entra/Azure tenant ID.

Microsoft Entra ID/Azure AD - SSO with SAML 2.0

  1. Create a new enterprise application by navigating to "All applications" → "New application".

    Then select "Create your own application" and fill in the name of the application. Also make sure to select the "Non-gallery" option under the "What are you looking to do with your application?" section.
  2. Assign the corresponding users/groups to the newly created application (this defines the list of users who are allowed to sign in using SSO). Alternatively, you can disable the "Assignment required?" option under Properties to allow any user to log in using SSO.
  3. Configure the required settings under the "Single sign-on" tab (make sure to select "SAML" as the sign-on method):
    1. Under "Basic SAML Configuration", define "Identifier (Entity ID)", "Reply URL (Assertion Consumer Service URL)" and "Sign on URL".
      1. "Identifier (Entity ID)" corresponds to the "Service Provider ID" available in the BMP SSO settings.
      2. "Reply URL (Assertion Consumer Service URL)" and "Sign on URL" both correspond to the Single Sign-On URL available in the BMP SSO settings.
    2. Under "Attributes & Claims" the "name" attribute should be set to "user.displayname" (by default this is set to "user.userprincipalname").
    3. Acquire the "App Federation Metadata Url", which is available under the "SAML Certificates" section, and copy the URL to the "SAML metadata URL" field in the BMP SSO settings.

Microsoft Entra ID/Azure AD - SSO with OpenID Connect

  1. Register a new application by navigating to "App registrations" and then selecting "New registration".

    Fill in the name and select the appropriate account type; in this example we will use the single tenant option. Set the "Redirect URI" to the Single Sign-On URL available in the BMP SSO settings.
  2. After registering the app, copy the "Application (client) ID" from the app to the "Client ID" field in the BMP SSO settings.
  3. Navigate to "Certificates & secrets" and generate a new client secret by selecting "New client secret" under the "Client secrets" tab.
    1. Define description and expiration for the secret and click "Add".
    2. After creating the new secret, copy the secret's value and enter it as the "Client secret" in the BMP SSO settings.
  4. Navigate to "API permissions" and grant admin consent for the "User.Read" API/Permission. This enables the system to check the user attributes needed for SSO authentication.
  5. Navigate to "Authentication" and make sure "Redirect URIs" is configured. If this was already configured when creating the new app registration, this step can be skipped.
    1. Use the Single Sign-On URL available in the BMP SSO settings as the redirect URI.
  6. Acquire the "Issuer URL" from the "OpenID Connect metadata document".
    1. Open the document, locate the "issuer" field and copy its value to the "Issuer URL" field in the BMP SSO settings.
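A check for step 6, as an added example that is not part of the original page or of Blancco's software: it reads the "issuer" field from an OpenID Connect metadata document and confirms that it has the single-tenant form https://login.microsoftonline.com/GUID/v2.0 for the tenant you expect before the value is copied to the BMP SSO settings. The function name `check_issuer`, the tenant ID and both sample documents are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample data: the tenant ID and both documents are made up.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TENANT_DOC = json.dumps(
    {"issuer": "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID})
# The multi-tenant "common" metadata document carries a templated issuer.
SAMPLE_COMMON_DOC = json.dumps(
    {"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"})


def check_issuer(metadata_json, expected_tenant_id):
    """Return (issuer, problems); an empty problems list means safe to copy."""
    doc = json.loads(metadata_json)
    issuer = doc.get("issuer") if isinstance(doc, dict) else None
    if not isinstance(issuer, str) or not issuer:
        return None, ["metadata document has no 'issuer' field"]
    problems = []
    url = urlsplit(issuer)
    if url.scheme != "https":
        problems.append("issuer is not an https URL")
    # Host taken from the URL form shown on this page.
    if url.hostname != "login.microsoftonline.com":
        problems.append("unexpected issuer host: %s" % url.hostname)
    if url.query or url.fragment:
        problems.append("issuer carries a query or fragment")
    parts = url.path.strip("/").split("/")
    if len(parts) != 2 or parts[1] != "v2.0":
        problems.append("issuer path is not /<tenant ID>/v2.0")
    tenant = parts[0]
    if not GUID_RE.fullmatch(tenant):
        problems.append("tenant segment %r is not a GUID" % tenant)
    elif tenant.lower() != expected_tenant_id.lower():
        problems.append("issuer tenant differs from the expected tenant ID")
    return issuer, problems


if __name__ == "__main__":
    for name, doc in [("tenant", SAMPLE_TENANT_DOC), ("common", SAMPLE_COMMON_DOC)]:
        print(name, check_issuer(doc, TENANT_ID))
```

A templated `{tenantid}` segment in the result means the metadata document was opened from a multi-tenant endpoint rather than from the single-tenant app registration used in this example.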

...