This guide walks through how to configure your account to use a SAML-based identity provider (IdP) so that your users can sign in to the Blueshift dashboard. In this example, OneLogin is used, but SAML can be configured with any identity provider that supports SAML 2.0, such as G Suite.
- Create an App in OneLogin
- Configuring the App in OneLogin
- Configuring Blueshift For Single Sign On
- Using Single Sign On
- Okta SAML App Setup Instructions
- Go to the Administration Section
- Go to Apps -> Add App
- Find and select the "SAML Test Connector (IdP)" App
- Give your app a display name (e.g., Blueshift Dashboard)
- Open a new browser tab and navigate to https://app.getblueshift.com/dashboard#/app/account/sso
- Copy the "Consumer Url"
- Go to the "Configuration" tab of the newly created OneLogin SAML app
- Paste the "ACS Consumer Url" from Blueshift into "ACS (Consumer) URL" input and the "Recipient" input of the OneLogin SAML app
- Copy the "Entity Id" from Blueshift and paste it into the "Audience" input of the OneLogin SAML app
- Enter https:\/\/app.getblueshift.com\/users\/auth\/saml\/callback into the "ACS (Consumer) URL Validator*" input of the OneLogin SAML app
- Click the "Save" button in OneLogin
- Go to the "SSO" tab of the OneLogin SAML app
- Click on "View Details" of the X.509 Certificate and copy the certificate
- Paste the certificate into the "X.509 Certificate" field in Blueshift
- Copy the "SAML 2.0 Endpoint (HTTP)" from OneLogin and paste it into the "
- Click the "Save" button in Blueshift
- Once the SAML configuration is successfully saved, sign out of Blueshift.
- Sign back in to Blueshift via SAML by entering your email only (no password).
- The authentication process will automatically redirect you to sign in via the OneLogin application.
Important Note: To sign in to Blueshift, a user must be authenticated via a matching email and authorized to use the app by the Identity Provider. For example, if your email in Blueshift is email@example.com, then the OneLogin app also needs to have a user with an email of email@example.com associated with the Blueshift SAML app.
If you get locked out of your account while attempting to configure SAML single sign-on, you can access the password-based login via https://app.getblueshift.com/users/sign_in?pw=1.
In the Applications Tab
- Go to the Applications tab
- Click "Add Application"
- Click "Create New App"
- Set Platform to "Web" and Sign on method to "SAML 2.0"
- Click "Create"
- Set App name to "Blueshift"
- Click "Next"
In the "Configure SAML" tab
- Copy the "ACS Consumer URL" from the Blueshift SSO tab and set it as the value for the "Single sign on URL" in Okta
- Copy the "Entity Id" from the Blueshift SSO tab and set it as the value for "Audience URI (SP Entity ID)" in Okta
- Set Name ID format to "EmailAddress"
- Set Application username to "Email"
- Click "Next"
In the "Feedback" tab
- Choose "I'm an Okta customer adding an internal app"
- Click "Finish"
In the "Sign On" tab (found in the newly created app)
- Click "View Setup Instructions"
- Copy the "Identity Provider Single Sign-On URL" from Okta and paste it into the "SSO Provider URL" field in the Blueshift dashboard SSO tab
- Copy the "X.509 Certificate" from Okta and paste it into the "X.509 Certificate" field in the Blueshift dashboard
- Click "Save" in the SSO tab of the Blueshift dashboard
You're now set up. Be sure to assign your user in Okta to the newly created app via the "Assignments" tab in Okta (the user's email must be an exact match of your user email in Blueshift).
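When a user cannot sign in after setup, checking a decoded SAML response against the values configured above (Recipient, Audience, Name ID format, exact email match) usually pinpoints the mismatch. The following is an added diagnostic example, not Blueshift, OneLogin or Okta code: the ACS URL is assumed from the validator pattern in the OneLogin steps, the Entity Id is a placeholder, the sample assertion is constructed and unsigned, and `check_assertion` and `build_sample` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed SP values: ACS URL inferred from the validator pattern above;
# the Entity Id is a placeholder, copy the real one from the Blueshift SSO tab.
ACS_URL = "https://app.getblueshift.com/users/auth/saml/callback"
ENTITY_ID = "https://sp.example.invalid/entity-id-placeholder"

def check_assertion(xml_text, blueshift_email, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """List config mismatches in a decoded SAML response (no signature/time checks)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID format is {name_id.get('Format')!r}, expected emailAddress")
        if (name_id.text or "").strip() != blueshift_email:
            problems.append(f"NameID {name_id.text!r} is not an exact match for {blueshift_email!r}")
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} does not include the ACS URL")
    audiences = [e.text.strip() for e in root.iterfind(".//saml:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include the Entity Id")
    return problems

def build_sample(name_id, fmt=EMAIL_FORMAT, recipient=ACS_URL, audience=ENTITY_ID):
    """Constructed sample response (unsigned, trimmed to the fields checked)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
      <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData Recipient="{recipient}"/>
        </saml:SubjectConfirmation></saml:Subject>
      <saml:Conditions><saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    good = build_sample("email@example.com")
    print(check_assertion(good, "email@example.com"))
    bad = build_sample("Email@Example.com", recipient="https://app.getblueshift.com/")
    for problem in check_assertion(bad, "email@example.com"):
        print("-", problem)
```

This is a configuration check only; it does not replace the signature validation that Blueshift performs with the X.509 certificate pasted during setup.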