This guide walks through configuring your Blueshift account to use Azure Active Directory (Azure AD) as its SAML 2.0 identity provider (IdP), with Blueshift acting as the service provider (SP).
Create an Enterprise Application in Azure AD
Sign in to Azure Portal
- Go to the Azure Portal and sign in with an Azure AD account that is allowed to create enterprise applications (for example, a Global Administrator, Application Administrator, or Cloud Application Administrator role).
Create a New Enterprise Application
- In the left navigation pane, select Azure Active Directory.
- Under Manage, select Enterprise applications, and then click New application.
- Click Create your own application (do not pick a gallery app from the search results).
- In the panel that opens, enter a name such as "Blueshift Dashboard", select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
Configure SAML-Based Single Sign-On in Azure
Navigate to Single Sign-On Setup
- After creating the enterprise app, select Single sign-on from the left menu.
- In the Select a single sign-on method section, click on SAML.
Basic SAML Configuration
- Click Edit next to the Basic SAML Configuration section.
- In Identifier (Entity ID), enter the Entity ID from the Blueshift SSO configuration page.
- In Reply URL (Assertion Consumer Service URL), paste the ACS (Consumer) URL from the Blueshift SSO configuration page.
- Leave Sign-on URL and Relay State blank.
- Click Save.
User Attributes & Claims
- By default, Azure AD populates the required attributes and claims.
- Ensure the Unique User Identifier (Name ID) claim is sourced from the user's email attribute, user.mail, rather than the default user.userprincipalname (the two only coincide when UPNs equal email addresses in your tenant), and that the Name identifier format is set to EmailAddress. Blueshift matches the Name ID value against the user's email address, so a mismatch here results in a failed login even though Azure AD authenticated the user.
Configuring Blueshift for SSO with Azure AD
Retrieve Azure AD SAML Metadata
- In the Set up [App Name] section of the SAML-based single sign-on page in Azure AD, copy the Login URL and the Azure AD Identifier, and download the Certificate (Base64). This certificate is the key Azure AD uses to sign assertions; Blueshift uses it to verify that a SAML response really came from your tenant.
Add SSO Settings in Blueshift
- Open a new browser tab and navigate to the Blueshift SSO settings page: https://app.getblueshift.com/dashboard#/app/account/sso.
- Paste the Login URL into the SSO Provider URL field.
- Upload or paste the Certificate (Base64) from Azure AD into the X.509 Certificate field in Blueshift.
- Enter the Azure AD Identifier into the Entity ID field in Blueshift.
- Click Save.
Assign Users to the Application in Azure AD
Assign Users and Groups
- In the Azure AD Enterprise Application, go to the Users and groups section.
- Click Add User/Group.
- Select the users or groups that should have access to Blueshift.
- Ensure that the user’s email in Azure AD matches their email in Blueshift.
Using Single Sign-On
Once the configuration is complete:
- Users can log in to the Blueshift dashboard by navigating to the standard login page and entering their email address.
- Users will be automatically redirected to Azure AD for authentication.
- After successful authentication, users will be redirected back to Blueshift.
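To see how the values copied between the two consoles line up against what actually arrives at the Reply URL, here is an added Python example (not Blueshift's or Microsoft's code) that decodes a SAMLResponse as sent by the HTTP-POST binding and checks the fields Blueshift depends on: the assertion Issuer against the Azure AD Identifier, Destination against the ACS URL, Audience against the Entity ID, the NameID format, the NotBefore/NotOnOrAfter window, and the fingerprint of the signing certificate embedded in the response against the uploaded Certificate (Base64). The entity IDs, URLs, certificate bytes and the sample response are all constructed stand-ins; the script does not verify the XML signature, which the SP's SAML library must still do.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the "Certificate (Base64)" download: these bytes are
# not a real X.509 certificate, only something whose fingerprint can be compared.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-idp-signing-cert-bytes").decode()

# Hypothetical configuration values. Real ones come from the Blueshift SSO page
# (Entity ID, ACS URL) and the Azure AD "Set up <App Name>" section (Identifier).
CONFIG = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "https://app.getblueshift.com/saml/metadata/example",
    "acs_url": "https://app.getblueshift.com/saml/consume/example",
    "cert_b64": FAKE_CERT_B64,
}
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes of a Base64 or PEM certificate, ignoring PEM armour."""
    body = "".join(l for l in cert_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def build_sample_response(issuer=CONFIG["idp_entity_id"], audience=CONFIG["sp_entity_id"],
                          destination=CONFIG["acs_url"], name_id_format=EMAIL_FORMAT,
                          not_on_or_after="2024-01-01T12:05:00Z", cert_b64=FAKE_CERT_B64):
    """Constructed SAMLResponse as the HTTP-POST binding carries it (Base64 of the XML).
    The ds:Signature element is a skeleton holding only KeyInfo; it is not a valid signature."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{name_id_format}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def _ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(saml_response_b64, config, now):
    """Return the list of mismatches between the assertion and the SP/IdP settings
    (an empty list means the configured values agree with what the IdP sent).
    This complements, and does not replace, XML signature verification."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    errors = []
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["idp_entity_id"]:
        errors.append(f"issuer {issuer!r} != Azure AD Identifier")
    if root.get("Destination") != config["acs_url"]:
        errors.append("Destination != Reply URL (ACS)")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != config["sp_entity_id"]:
        errors.append(f"audience {audience!r} != Entity ID (Identifier)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        errors.append("NameID format is not emailAddress")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and (now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter"))):
        errors.append("assertion outside NotBefore/NotOnOrAfter window")
    cert = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None or cert_fingerprint(cert.strip()) != cert_fingerprint(config["cert_b64"]):
        errors.append("signing certificate does not match the uploaded X.509 certificate")
    return errors


if __name__ == "__main__":
    print(validate_response(build_sample_response(), CONFIG, NOW))
    print(validate_response(build_sample_response(audience="https://attacker.example"), CONFIG, NOW))
```

When a login fails after the setup, capture the SAMLResponse form field from the browser's network tab (the POST to the ACS URL) and run it through validate_response with the values you entered in both consoles; each mismatch it reports maps directly to one field in Basic SAML Configuration or in Blueshift's SSO settings.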
Important Notes
- The email address in Azure AD (the value sent as the Name ID) must exactly match the user's email address in Blueshift for SSO to work.
- If you get locked out during the SAML configuration, you can still reach the password-based Blueshift login page at: https://app.getblueshift.com/users/sign_in?pw=1. Test the SSO login from a separate browser session while keeping your existing admin session open, so a misconfiguration does not lock you out.
- Once you have confirmed that signing in via SSO works, disable password-based login by going to Account Settings > SSO Configuration and setting Disable Passwords to true, so that access to the account is governed only by Azure AD.