SAML Single Sign On is supported in BC7.3.0 and above. However, it is not enabled by default: some configuration is required to connect the BC Server to the appropriate SAML authentication system. The connection is normally made to a Microsoft Azure application which manages the email addresses of the users belonging to the company. This configuration would normally be organised by the System Administrators through the BC Account Manager, and is usually chargeable work.
This page lists the technical information that we would need about the SAML application in order to be able to configure it on your BC Server.
- Two SAML applications need to be created, one for beta/test and one for live, with the following details:
  - BC Support or your account manager will be able to supply the appropriate server URLs for the live and beta servers.
- We need the following information about each of the two applications:
  - entityId - The SAML application ID (provided by the client)
  - singleSignOnService url - The IDP URL for the SAML SSO requests (provided by the client)
  - singleLogoutServer url - The IDP URL for the SAML SLO requests (provided by the client)
  - x509cert - The base64 encoded certificate string for the SAML application
  - email key - The key in the authentication response that holds the email address. For a standard Azure application this is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", but you may have it configured differently. If so, we need to update the email key in our configuration so that we are able to correctly identify the email address in the response from the IDP.
- Please set up a test user account in Active Directory that can be used by BC for testing on both live and beta. In most cases it should be possible to use the same account and add it to both the live and beta applications. We will need the email address of this account and a password that will work for it. This is so we can verify that everything is working on the test and live servers before releasing to you.
- Users who will be using SAML Single Sign On will need to have BC user accounts. Each BC user account must have the same email address associated with it as the address the user authenticates with, because this is how the BC user account is matched to the SAML user account. The process of setting up these accounts should be carried out by a BC System Administrator. It is not something that we would undertake as part of the set up of SAML SSO on the server.
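As an added illustration of the two points above (the configurable email key, and matching the asserted email to a BC user account), the following Python is example code written for this page, not BC's own implementation. The SAML response, the BC user table and the `extract_email`/`match_bc_user` function names are all constructed assumptions; the response is unsigned for brevity, whereas a real deployment verifies the response signature against the supplied x509cert before trusting any attribute.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the protocol response and the assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The configured "email key": the default claim name for a standard Azure application.
EMAIL_KEY = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample IdP response (unsigned, illustration only). In production the
# signature is verified against the IdP x509cert before any attribute is read.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Test.User@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the BC user table: email address -> BC username.
BC_USERS = {"test.user@example.com": "testuser"}


def extract_email(response_xml, email_key=EMAIL_KEY):
    """Return the value of the configured email attribute, or None if the
    IdP did not send it under that key (the misconfiguration case above)."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == email_key:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                # Email addresses are compared case-insensitively (assumption).
                return value.text.strip().lower()
    return None


def match_bc_user(response_xml, users=BC_USERS, email_key=EMAIL_KEY):
    """Map the asserted email to a BC account. Returns None when the claim is
    missing or no BC account carries that email address, so login is refused."""
    email = extract_email(response_xml, email_key)
    if email is None:
        return None
    return users.get(email)
```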