Portal Setup

Configuring SSO in BlueFletch Enterprise

1. Upon setting up the IdP to use the BlueFletch Portal as a SAML SSO app, retrieve:

   • Federation Metadata XML (see example at the bottom of the page)

   or all of the following:

   • Certificate in Base64

   • Login URL

   • Azure AD Identifier

2. In the BlueFletch Portal, select the Admin tab, which opens to the Organization sub-tab by default.

3. Select SSO Config and click + Add Configuration.
4. In Domain field, type the company email domain that all users' email addresses will use (for example, corporate.com). The fields Name and Provider Id will auto-populate their respective details. ACS URL (Callback URL) is auto-filled by BlueFletch for all configs.

5. Enter the value of entityID for IDP Entity Id, Location for SSO URL, and X509Certificate for Certificate. These values can be found in the metadata XML (example below). Note: when including the certificate contents, enclose within -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

6. Enter SP Entity Id; it is the same as the auto-populated Provider Id (saml.domain_name).

7. Click Save to save changes to the SSO configuration.

IdP Group Mappings

Optional setting that dynamically assigns BlueFletch Portal roles to users on first login based on their IdP groups.

1. Click Define IdP Group Mappings to associate an IdP user group with a role in the BlueFletch Portal; otherwise, all new SSO users will be assigned the "User" role by default.

   • Click Add New Row to add a new group-role mapping.

   • Enter an IdP group in the Group field (defining a group as "*" will apply a role to all users).

   • Select a Portal role from the Roles dropdown. For more information on Portal roles, see the Roles documentation).

   • Additional group-role mappings can be added by clicking Add New Row.

   • Click Update Groups to save group-role mappings.
2. Click Save to save changes to the SSO configuration.

Logging into Portal with SSO

First Time User

1. On the login page, enter email address with company-owned domain. Press Continue.
2. Page will redirect to the associated IdP's login prompt (for example, Azure in the screenshot).

3. Enter login credentials and submit.
4. Page will redirect to the BlueFletch Portal's loading screen before opening the organization's main dashboard with the user logged in with their group-mapped permissions.

Common Login Problems & Solutions

1. User cannot login with SSO because they do not have groups assigned Upon redirecting from the IdP to the BlueFletch Portal, the user receives the error message, "You do not have proper privileges for this organization."

   • Check that the IdP has groups assigned, and that the variable in the IdP is named "Groups" (with a capital "G" - the Portal only recognizes the variable if correctly capitalized).

   • Check that all IdP groups referenced in the Portal SSO Configuration match the user's groups and are spelled correctly in the Portal.

2. Email address is not already associated with IdP credentials The user enters email address with a company domain. The page redirects to the IdP's login prompt, but the user has no credentials for this IdP.

   • This user has not been set up by the IdP administrator yet.

   • Contact IdP administrator to create an account associated with the user's company-domain email address.

3. SSO account is linked to Google Workspace and user is currently logged into a different Google account The user receives a 403 error, "Error: app_not_configured_for_user," while attempting to login to the BlueFletch Portal.

   • If the company uses an SSO authentication through Google Workspace, the account must be currently logged in.

   • If no Google account is logged in, user will simply be prompted to indicate their account and login.

   • If user is not logged into the SSO account but is logged into another Google-linked account, the user will get a 403 error when logging into the BlueFletch Portal. The user must login to the account through Google.

Appendix: Sample Metadata XML

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.idp.com/efgxxx1234xx5">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.example.com/2000/09/xml#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAYJL6BGHMA0GCSqGSIb3DQEBXXXXXXXXXXXXxxXXXxGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xOTk5OTcxHDAaBgkqhkiG9w0BCQEW DWluZm9Ab2t0YS5jb20wHhcNMjIwNzI5MjE0MDE2WhcNMzIwNzI5MjE0MTE2WjCBkjELMAkGA1UE BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTk5OTk3MRwwGgYJ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA 3+1WLQ5h4iHN1iWL02g4ddhcry3mNRsoyLTA/Ku7toJD1oaFEr557mAbDS9M85810RQHxsVqErNd JapFM5EemqDSYi34ucIX/qX4uxohjC1NEhQX8iTLX0FzVo16hh82KIPTX5F1yzFIrp1UBdLeEtVO KZs0NlBbjwR8DJ71111111111111111111ZWXwJpIuzw9DywRUrm//ai7pjZifVZ+xAZHl8qp/qY JpK+Hs/hlt8JXcRnjhgODsjo42dIuT6QzwA0iJnfnQqu227dPrDSgQPIXSA+fHjBSv1TfyqWR5Hk 8eGjSC+L1J4mQzK0AiJc2DQnT6YtA+deq7t0wwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDK1Avh DUsTBJrP80ocnI/0Zz6jRteYRtFrhFEQ7mPMO8hysx/Q55Z2Hq4a7voLX6FTPItbBQvT22RQrF5E hj80RiEuIffoD5Su+aRL3nZLEF6A0JIZBOAAgDX7XDAp6LnJcEkkxwtfsj+vkHgy8yDnXB51Yxko DRSL6OLH2Ch1bQ1v5cc2LgdY3387iMKLuUeCCYEH7rJvqIYI0ZNDlCuFY27u4GlTrsbdVTtjE1EL TT2KxotQSGQ/p7jGQN3V6YgdhBmBup10/FAd7B95QYBYOBDbQXfUCYsu+Bbb7MrT5OimzS+n+z6/ q1+AKolYFDP29E+daGYbdOahpa/teCrH</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp-123.com/app/idp-123_emsportal_1/efgxxx1234xx5/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-123.com/app/idp-123_emsportal_1/efgxxx1234xx5/sso/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

Apply the following values from the XML in the SSO settings within Portal:

• entityID -> IDP Entity ID

  • e.g. http://www.idp.com/efgxxx1234xx5

• X509Certificate -> Certificate

  • e.g. MIIDp...pa/teCrH is included as

  -----BEGIN CERTIFICATE-----MIIDp...pa/teCrH-----END CERTIFICATE-----

• HTTP-POST Location -> SSO URL

  • e.g. https://idp-123.com/app/idp-123_emsportal_1/efgxxx1234xx5/sso/saml