Portal Setup
SSO - Portal Setup & Login
Last updated
SSO - Portal Setup & Login
Last updated
Upon setting up the IdP to use the BlueFletch Portal as a SAML SSO app, retrieve:
Federation Metadata XML (see example at the of the page)
or all of the following:
Certificate in Base64
Login URL
Azure AD Identifier
In the BlueFletch Portal, select the Admin tab, which opens to the Organization sub-tab by default.
Select SSO Config and click + Add Configuration.
In Domain field, type the company email domain that all users' email addresses will use (for example, corporate.com). The fields Name and Provider Id will auto-populate their respective details. ACS URL (Callback URL) is auto-filled by BlueFletch for all configs.
Enter the value of entityID for IDP Entity Id, Location for SSO URL, and X509Certificate for Certificate. These values can be found in the metadata XML (example ). Note: when including the certificate contents, enclose within -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.
Enter SP Entity Id; it is the same as the auto-populated Provider Id (saml.domain_name).
Click Save to save changes to the SSO configuration.
Optional setting that dynamically assigns BlueFletch Portal roles to users on first login based on their IdP groups.
Click Define IdP Group Mappings to associate an IdP user group with a role in the BlueFletch Portal; otherwise, all new SSO users will be assigned the "User" role by default.
Click Add New Row to add a new group-role mapping.
Enter an IdP group in the Group field (defining a group as "*" will apply a role to all users).
Additional group-role mappings can be added by clicking Add New Row.
Click Update Groups to save group-role mappings.
Click Save to save changes to the SSO configuration.
The BlueFletch Portal has the capability to recognize a store/site location associated with a Portal user's session token. This, combined with the Portal's role-based dashboard assignment, opens up a lot of options for utilizing automatic site-assignment in the Portal.
For example:
Restricting user roles that do not have the Support Site Filter Manage permission (ability to edit site filters) to only see the site(s) assigned to them in the IdP or directory service and associated with their session token.
Automatically displaying for users with specific roles only their sites and only in the dashboards that have been allowed for their role.
Showing regional admin users that do have the Support Site Filter Manage permission their assigned sites automatically on login, but allowing them the flexibility to edit the filters to view other sites' devices.
The Portal is checking if there is an attribute "SiteId" (case-sensitive) coming in with the token when it receives from the IdP. All that is needed on the customer's side to integrate with this feature in the Portal is to add a "SiteId" attribute to their token that is associated with one or more numeric site IDs (i.e. IDs found in their sitelist.csv file) per user in their IdP or directory service.
On the login page, enter email address with company-owned domain. Press Continue.
Page will redirect to the associated IdP's login prompt (for example, Azure in the screenshot).
Enter login credentials and submit.
Page will redirect to the BlueFletch Portal's loading screen before opening the organization's main dashboard with the user logged in with their group-mapped permissions.
User cannot login with SSO because they do not have groups assigned Upon redirecting from the IdP to the BlueFletch Portal, the user receives the error message, "You do not have proper privileges for this organization."
Check that the IdP has groups assigned, and that the variable in the IdP is named "Groups" (with a capital "G" - the Portal only recognizes the variable if correctly capitalized).
Check that all IdP groups referenced in the Portal SSO Configuration match the user's groups and are spelled correctly in the Portal.
Email address is not already associated with IdP credentials The user enters email address with a company domain. The page redirects to the IdP's login prompt, but the user has no credentials for this IdP.
This user has not been set up by the IdP administrator yet.
Contact IdP administrator to create an account associated with the user's company-domain email address.
SSO account is linked to Google Workspace and user is currently logged into a different Google account The user receives a 403 error, "Error: app_not_configured_for_user," while attempting to login to the BlueFletch Portal.
If the company uses an SSO authentication through Google Workspace, the account must be currently logged in.
If no Google account is logged in, user will simply be prompted to indicate their account and login.
Apply the following values from the XML in the SSO settings within Portal:
entityID -> IDP Entity ID
e.g. http://www.idp.com/efgxxx1234xx5
X509Certificate -> Certificate
e.g. MIIDp...pa/teCrH is included as
-----BEGIN CERTIFICATE-----MIIDp...pa/teCrH-----END CERTIFICATE-----
HTTP-POST Location -> SSO URL
e.g. https://idp-123.com/app/idp-123_emsportal_1/efgxxx1234xx5/sso/saml
Select a Portal role from the Roles dropdown. For more information on Portal roles, see the documentation).
If user is not logged into the SSO account but is logged into another Google-linked account, the user will get a 403 error when logging into the BlueFletch Portal. The user must .
