How to set up SAML 2.0 Single Sign-On via an Identity Provider
Bold360 provides Single Sign-On support based on SAML 2.0 protocol. It accepts SAML Assertions using the SAMLResponse parameter where the NameID of the authenticated user is a mandatory claim.
- Protocol type: SAML 2.0
- Service type: AssertionConsumerService
- Binding type: HTTP-POST
- WantAssertionsSigned: True
Alternatively, you can set up the connection using the Bold360 metadata XML below that contains the required parameters.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><EntityDescriptor entityID="https://yyyyyyyyyy/aid/xxxxxxxxxx/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yyyyyyyyyy/aid/xxxxxxxxxx/"/> </SPSSODescriptor></EntityDescriptor>
- At admin.bold360.com, go to Global Settings > Login Controls and click Single Sign On Settings in the top-right corner.
- Remember: You must configure SSO on the Identity Provider side first.
Click Test to check the authentication process. You are redirected to the Identity Provider's URL in a pop-up window. If you get back SAMLResponse from the ID Provider then its response will be presented on this setting form. If no SAMLResponse parameter returns or you simply misconfigured your URL, the pop-up window may stay open.
Important: The Identity Provider URL must be a common link that authenticates and redirects the user to the Bold360 SSO URL with SAMLResponse token, if the user have the necessary rights.
Result Description SAMLResponse is returned The response is presented in the form.
Note: Copy the public key for later use.
SAMLResponse is not returned The pop-up window may stay open.
It is likely that you have simply misconfigured your URL.
- Check that NameID is a mandatory claim in the SAMLResponse token. You must add this claim on the Identity Provider side to be a unique attribute of the authenticated user, for example their e-mail address. When you map an authenticated user later on, the NameID field must be the SSO Name ID on the operator field.
- In the Public Key field, paste the public key of your signed SAMLResponse token that you received in Step 2.
- Save the public key. To access Agent Workspace by SSO, use the following URL format:
- https://agent.bold360.com/sso/account-id/ACCOUNTID (Replace ACCOUNTID with your account ID)
- https://agent.bold360.com/sso/username/USERNAME (Replace USERNAME with your username)
- Check that parsing was successful to ensure that Bold360 servers understand the response as a SAML 2.0 Assertion Token. Remember: First you must make sure that the SAMLResponse token is returned correctly.
Once parsing has completed successfully, you can check the following:
- Issuer found: A required attribute in the SAML 2.0 protocol
- IssueInstant: A required attribute that contains the issuer timestamp. It must be in UTC format by default. Bold360 accepts tokens within a valid time frame.
- NameID: Required for mapping a Bold360 agent record with the authenticated user.
- Public key: Required and must be stored in Bold360 settings as well for signature validation.