Configuring SAML SSO for Azure Active Directory

This guide walks through how to configure your account to use Azure Active Directory as the SAML identity provider (IdP).

Follow these instructions to allow users to authenticate and access the Blueshift dashboard with Azure AD credentials.

Create an Enterprise Application in Azure AD

  1. Sign in to Azure Portal

    • Go to the Azure Portal and sign in using your Azure AD administrator credentials.
  2. Create a New Enterprise Application

    • In the left navigation pane, select Azure Active Directory.
    • Under Manage, select Enterprise applications, and then click New application.
    • In the search box, type "Blueshift" (or any custom app name), and click Create your own application.
    • Select Integrate any other application you don't find in the gallery (non-gallery application) and give it a name, e.g., "Blueshift Dashboard".
    • Click Create.

Configure SAML-Based Single Sign-On in Azure

  1. Navigate to Single Sign-On Setup

    • After creating the enterprise app, select Single sign-on from the left menu.
    • In the Select a single sign-on method section, click on SAML.
  2. Basic SAML Configuration

    • Click Edit next to the Basic SAML Configuration section.
    • In Identifier (Entity ID), enter the Entity ID from the Blueshift SSO configuration page.
    • In Reply URL (Assertion Consumer Service URL), paste the ACS (Consumer) URL from the Blueshift SSO configuration page.
    • In Sign-on URL, leave this field blank.
    • In Relay State, leave this field blank.
    • Click Save.
  3. User Attributes & Claims

    • By default, Azure AD populates the necessary attributes and claims.
    • Ensure the Name identifier is set to user.email and that the Name ID format is set to EmailAddress.

Configuring Blueshift for SSO with Azure AD

  1. Retrieve Azure AD SAML Metadata

    • In the Set up [App Name] section of the SAML-based single sign-on page in Azure AD, copy the Login URL, Azure AD Identifier, and download the Certificate (Base64).
  2. Add SSO Settings in Blueshift

    • Open a new browser tab and navigate to the Blueshift SSO settings page: https://app.getblueshift.com/dashboard#/app/account/sso.
    • Paste the Login URL into the SSO Provider URL field.
    • Upload or paste the Certificate (Base64) from Azure AD into the X.509 Certificate field in Blueshift.
    • Enter the Azure AD Identifier into the Entity ID field in Blueshift.
    • Click Save.

Assign Users to the Application in Azure AD

  1. Assign Users and Groups
    • In the Azure AD Enterprise Application, go to the Users and groups section.
    • Click Add User/Group.
    • Select the users or groups that should have access to Blueshift.
    • Ensure that the user’s email in Azure AD matches their email in Blueshift.

Using Single Sign-On

Once the configuration is complete:

  1. Users can log in to the Blueshift dashboard by navigating to the standard login page and entering their email address.
  2. Users will be automatically redirected to Azure AD for authentication.
  3. After successful authentication, users will be redirected back to Blueshift.

Important Notes

  • The email address in Azure AD must exactly match the user's email address in Blueshift for SSO to work.
  • If you get locked out during the SAML configuration, you can still access the Blueshift login page using a password by navigating to: https://app.getblueshift.com/users/sign_in?pw=1.
  • After successfully signing in via SSO, it is recommended to disable password-based login by going to Account Settings > SSO Configuration and setting Disable Passwords to true.
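
When a test sign-in fails, the settings above (Name ID format, exact email match, Entity ID, ACS URL) can be checked against the base64 SAMLResponse form field that Azure AD posts back. The following is an added example, not Blueshift or Microsoft code; the Entity ID, ACS URL, email address and sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholders: use the values shown on your Blueshift SSO configuration page.
ENTITY_ID = "https://sp.example.invalid/saml/metadata"
ACS_URL = "https://sp.example.invalid/saml/acs"

# Constructed sample response (unsigned, trimmed) with a wrong NameID format and a case mismatch.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Assertion><Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Ana@example.com</NameID>
  <SubjectConfirmation><SubjectConfirmationData Recipient="{ACS_URL}"/></SubjectConfirmation>
  </Subject><Conditions><AudienceRestriction><Audience>{ENTITY_ID}</Audience>
  </AudienceRestriction></Conditions></Assertion></samlp:Response>"""

def encode(xml_text):
    """Base64-encode XML the way the SAMLResponse form field carries it."""
    return base64.b64encode(xml_text.encode()).decode()

def check_response(b64_response, entity_id, acs_url, blueshift_email):
    """Diagnostic only: lists setting mismatches; it does not verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        return ["no NameID found (assertion missing or encrypted)"]
    problems = []
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected EmailAddress")
    value = (name_id.text or "").strip()
    if value != blueshift_email:
        hint = " (differs only by letter case)" if value.lower() == blueshift_email.lower() else ""
        problems.append(f"NameID {value!r} does not match Blueshift email {blueshift_email!r}{hint}")
    audiences = [a.text for a in root.iterfind(".//a:AudienceRestriction/a:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID {entity_id!r}")
    conf = root.find(".//a:SubjectConfirmationData", NS)
    recipient = conf.get("Recipient") if conf is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} does not match ACS URL {acs_url!r}")
    return problems

if __name__ == "__main__":
    for line in check_response(encode(SAMPLE_XML), ENTITY_ID, ACS_URL, "ana@example.com"):
        print("MISMATCH:", line)
```

A captured SAMLResponse identifies the user, so treat it as sensitive and run the check locally rather than pasting it into an online decoder.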