Azure SAML
Overview
Bold Penguin supports a wide variety of SAML 2.0 and OAuth 2.0 identity providers for SSO into the Bold Penguin Terminal.
This is specific documentation for creating a SAML 2.0 SSO link between Microsoft Azure AD and the Terminal. Additional information regarding Microsoft Azure AD is available at the end of this document.
In this document you will:
- Create the Azure applications necessary for the connection
- Configure the required SSO (Single Sign On) link for authentication
- Configure user attributes
- Map roles to users to connect your environment to Bold Penguin
Create Applications
You will create two new applications in the Azure Portal for the Bold Penguin beta and production environments.
From the Azure Portal side navigation select Enterprise applications
Click the button for New application
Select Non-gallery application
Enter a name for the application and click the Add button
Select Single sign-on from the navigation side bar
Select SAML
In the upper right corner, select the pencil icon to edit the configuration for section 1, Basic SAML Configuration
Use the table below to set the appropriate values for Identifier and Reply URL for each environment
Production
Identifier
https://boldpenguin-auth.boldpenguin.comReply URL
https://boldpenguin-auth.boldpenguin.com/users/auth/saml/callback
Beta
Identifier
https://boldpenguin-auth-uat.beta.boldpenguin.comReply URL
https://boldpenguin-auth-uat.beta.boldpenguin.com/users/auth/saml/callback
In the upper right corner, select the pencil icon to edit the configuration for section 2, User Attributes & Claims
In section 2, User Attributes & Claims click on the row for Unique User Identifier (Name ID) to edit
- For Choose name identifier format select Default
- For Source attribute select user.objectid
- Click Save
Verify User Attributes & Claims matches the following:
In section 3, SAML Signing Certificate locate the App Federation Metadata Url and click the copy button on the far right
Email the metadata URL from step 13 to your Bold Penguin Project Manager
After completing the beta application, repeat these steps for production.
Create Roles
You will create one or more roles in Azure AD that will map to roles within the Bold Penguin Enterprise Terminal. Typically, the only predefined role in Azure AD is User. For testing in the beta application, you must make some modifications to the User role.
From the Azure Portal side navigation select App registrations
Under All applications locate and click the beta application
Select Manifest from the navigation side bar to display the JSON text of the mainfest file
In the appRoles section of the manifest locate the first role with
"displayName": "User"Locate the value property and change from
"value": nullto"value": "User"
- Note: This is for testing purposes. Your Project Manager will help define any additional roles.
Click Save
Assign Roles
You must assign our User role (or other predefined roles) to one or more Azure AD users.
From the Azure Portal side navigation select Enterprise applications
Locate and select your beta application
From the side navigation select Users and groups
Click Add user
Click Users and groups to bring up the search panel
From the search panel select an existing user or group
Click Select
Select Role should already be User. If not, select the User role and click Assign
Testing
Your Project Manager will confirm receipt of the certificate and login URL above. You should now be able to login to the Bold Penguin Enterprise Terminal using the dashboard URL for your domain:
https://[domain].boldpenguin.com/dashboard
NOTE: Replace [domain] with your unique domain provided during on-boarding.
When your users first authenticate into Azure, Bold Penguin receives the roles you mapped above in our authentication layer.
Next, you will work with your project manager to add the appropriate permissions for each role or group.