Microsoft Entra ID, a cloud version of Active Directory Federation Services (ADFS), integrates with the Bitsight platform single sign-on (SSO) service. Use the following guide to integrate the Bitsight platform SSO service with the Microsoft Entra ID cloud identity provider (IdP).
- Getting Started
- Basic SAML Configuration
- User Attributes & Claims
- Downloading and Uploading Metadata
- SAML
Getting Started
- Start the SAML Sign on method from the Azure dashboard.
- Go to Microsoft Entra ID from the left navigation menu.
- Create a new Non-gallery application.
Basic SAML Configuration
- Go to the SAML page in the Bitsight platform.
- Take note of your organization’s Entity ID [entity_guid] and Assertion Consumer Service URL [acs_guid].
- Add the following information to the Basic SAML Configuration section in Microsoft Entra ID:
* Required.
Field | Value |
---|---|
* Identifier (Entity ID) | https://service.bitsighttech.com/saml/entity_guid |
* Reply URL (Assertion Consumer Service URL) | https://service.bitsighttech.com/saml/acs/acs_guid |
Sign on URL | https://service.bitsighttech.com/sso/vanity_name |
User Attributes & Claims
Claim name | Value |
---|---|
Unique User Identifier (Name ID) | user.mail |
urn:oid:0.9.2342.19200300.100.1.3 | user.mail |
urn:oid:2.5.4.3 | user.givenname |
urn:oid:2.5.4.4 | user.surname |
Use the following values on the Manage claim page:
* Required.
Field | Value |
---|---|
* Name | URI identifier (one of the urn:oid claim names listed above). |
Namespace | Leave blank. |
* Source | Attribute |
* Source attribute | user.mail |
Optional Attributes (Not Required)
See additional SAML 2.0 attributes that can be specified (full name, user role, and user group). They are optional and not required for this integration.
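When a SAML login fails after the claims are configured, the quickest way to find the cause is to look at the assertion Entra ID actually issued and compare it with the claim table above. The following script is an added example (not Bitsight or Microsoft code): it parses a constructed, unsigned sample response in the shape Entra ID issues and reports any required claim that is missing, a Name ID that disagrees with the user.mail claim, a wrong Audience, or an expired validity window. The tenant id, the Entity ID GUID, the user values and the `EXPECTED_AUDIENCE` constant are placeholders you would replace with your own.

```python
"""Check that a SAML response carries the claims the Bitsight integration
expects, in the mapping given in the tables above.

Added example, not Bitsight or Microsoft code. SAMPLE_RESPONSE is a
constructed, unsigned response in the shape Entra ID issues; the tenant id,
Entity ID GUID and user values are placeholders.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for input you did not create
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim name -> Entra source attribute, as in the User Attributes & Claims table.
REQUIRED_CLAIMS = {
    "urn:oid:0.9.2342.19200300.100.1.3": "user.mail",
    "urn:oid:2.5.4.3": "user.givenname",
    "urn:oid:2.5.4.4": "user.surname",
}
MAIL_CLAIM = "urn:oid:0.9.2342.19200300.100.1.3"

# Assumed Bitsight Entity ID; the GUID is a placeholder.
EXPECTED_AUDIENCE = "https://service.bitsighttech.com/saml/ENTITY-GUID-PLACEHOLDER"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-03-01T11:55:00Z" NotOnOrAfter="2024-03-01T13:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://service.bitsighttech.com/saml/ENTITY-GUID-PLACEHOLDER</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.3">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.4">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _utc(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps SAML uses into aware datetimes."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_claims(xml_text, now_utc, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of problems; an empty list means every required claim is
    present and the assertion is valid at `now_utc` (ISO string or datetime).

    Signature verification is deliberately outside this helper: a real SP
    validates the XML signature against the IdP metadata certificate before
    it trusts any value read here.
    """
    now = _utc(now_utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]

    problems = []
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("Unique User Identifier (Name ID) missing")

    # Collect attribute values keyed by claim name.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    for claim, source in REQUIRED_CLAIMS.items():
        if not attrs.get(claim):
            problems.append(f"claim {claim} ({source}) missing or empty")

    # Name ID and the mail claim are both sourced from user.mail, so they must agree.
    mail = (attrs.get(MAIL_CLAIM) or [""])[0]
    if name_id and mail and name_id != mail:
        problems.append("Name ID does not match the user.mail claim")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Conditions element missing")
    else:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _utc(not_before):
            problems.append("assertion not yet valid")
        if not_after and now >= _utc(not_after):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append("Audience does not match the Bitsight Entity ID")
    return problems


if __name__ == "__main__":
    print(check_claims(SAMPLE_RESPONSE, "2024-03-01T12:05:00Z") or "all required claims present")
```

To run it against a real login, paste the base64-decoded SAMLResponse captured by your browser's developer tools into `SAMPLE_RESPONSE`, set `EXPECTED_AUDIENCE` to the Entity ID from the Bitsight SAML page, and pass the current UTC time. The Audience and validity checks are there because an assertion that carries the right claims can still be rejected by the service provider for those reasons.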
Downloading and Uploading Metadata
Once you have completed the Basic SAML Configuration and the user attributes and claims, download the federation metadata (.xml) from Microsoft Entra ID and upload it to the Bitsight platform.
- Select the Download link by the Federation Metadata XML option in the SAML Signing Certificate section in Microsoft Entra ID.
- Navigate to the SAML page in the Bitsight platform.
- Select the Load from URL button within the SAML Metadata section.
- Select the XML file downloaded from Microsoft Entra ID (step 1).
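The metadata file you upload tells the Bitsight platform which issuer to trust, where to send users for authentication and which certificate signs the assertions, so it is worth inspecting before the upload. The script below is an added example (not Bitsight or Microsoft code): it parses a constructed, trimmed metadata file in the shape Entra ID exports (the real file also carries a Signature block and a RoleDescriptor that are omitted here), extracts the entity ID, the SSO endpoints and the SHA-256 fingerprint of each signing certificate, and flags a missing signing certificate or a non-HTTPS endpoint. The tenant id and the certificate bytes are placeholders.

```python
"""Inspect an Entra ID federation metadata file before uploading it to the
Bitsight SAML page.

Added example, not Bitsight or Microsoft code. SAMPLE_METADATA is a
constructed, trimmed file in the shape Entra ID exports; the tenant id and
the certificate bytes are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for files from third parties

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>Q09OU1RSVUNURUQtQ0VSVC1CWVRFUy1QTEFDRUhPTERFUg==</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def inspect_metadata(xml_text):
    """Extract the IdP values the service provider will trust and flag anything
    that would make the upload fail or weaken the federation."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")

    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID missing")

    # Map each SSO binding (HTTP-Redirect, HTTP-POST) to its endpoint URL.
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        location = svc.get("Location", "")
        sso[binding] = location
        if not location.startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {location!r}")
    if "HTTP-Redirect" not in sso and "HTTP-POST" not in sso:
        problems.append("no SingleSignOnService endpoint")

    # Signing certificates: the SP verifies assertion signatures with these,
    # so record a fingerprint you can compare against the Entra portal.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_fingerprint(der))
    if not fingerprints:
        problems.append("no signing certificate in metadata")

    name_id_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]

    return {
        "entity_id": entity_id,
        "sso": sso,
        "signing_certs_sha256": fingerprints,
        "name_id_formats": name_id_formats,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in inspect_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Replace `SAMPLE_METADATA` with the contents of the downloaded file to run it against your tenant. Keeping the printed certificate fingerprint with your change record makes a later certificate rotation in Entra ID easy to spot: a login failure after rotation shows up as a fingerprint mismatch against the metadata Bitsight still holds.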
SAML
After you’ve submitted your SAML metadata, you can enable SAML by activating the Enable Configuration toggle.
Once you’ve enabled SAML for your organization and a user has logged in successfully with SAML, all existing passwords will be disabled for non-administrator users. Users will have to log into the Bitsight platform using the single sign-on URL provided on the SAML page. Administrators’ passwords will be disabled once they have logged in successfully using SAML.
Your URL will appear in the Your SAML Identity Provider (IdP) Settings for Primary section once SAML is enabled, which will contain either the Service Provider-initiated URL or an Identity Provider-initiated URL if a custom one was configured.
Signing In
SAML users must use the sign-on URL to log in. Using past credentials on the Bitsight landing page will generate an error.
- Once SAML setup is complete, sign in to Microsoft Entra ID using SSO to verify user permissions.
- Visit the sign-on URL: https://service.bitsighttech.com/sso/vanity_name
Created Users
New users are automatically assigned the User role. If you would like to give them admin privileges, they will need to first log in to the Bitsight platform using SAML. You (the admin) can then use the Users tab in the Access Control page to change their permissions.
Default Access Control Group
When users are created using SAML, they will be placed in the default access control group. If a default group is not set, new users will have access to all companies in the portfolio.
The default group for your portfolio can be changed from the Groups tab in the Access Control page.
Managing Access Control Groups
If you’d like to move a user from their default access control group to a different group, use the Access Control page to modify a user’s group.
How to disable SAML
Disabling SAML
If you decide you no longer want to use single sign-on for accessing the Bitsight platform, you can deactivate it using the Enable Configuration toggle.
Disabling SAML will require all users, including administrators, to reset their passwords. They can reset their password using the Forgot your password? link in the login page.
Resource
- February 12, 2024: Azure AD renamed to Microsoft Entra ID.
- April 21, 2023: Lowercase “s” for “Bitsight.”
- February 27, 2023: Added the SAML sign-in process.
Feedback
1 comment
EDIT: Sign on URL is required
"Your Bitsight SP-initiated login URL: " does not work after configuring site