Portal Setup
SSO - Portal Setup & Login
Configuring SSO in BlueFletch Enterprise
Upon setting up the IdP to use the BlueFletch Portal as a SAML SSO app, retrieve:
Federation Metadata XML (see example at the bottom of the page)
or all of the following:
Certificate in Base64
Login URL
Azure AD Identifier
In the BlueFletch Portal, select the Admin tab, which opens to the Organization sub-tab by default.
Select SSO Config and click + Add Configuration.
In Domain field, type the company email domain that all users' email addresses will use (for example, corporate.com). The fields Name and Provider Id will auto-populate their respective details. ACS URL (Callback URL) is auto-filled by BlueFletch for all configs.
Enter the value of
entityID
for IDP Entity Id,Location
for SSO URL, andX509Certificate
for Certificate. These values can be found in the metadata XML (example below). Note: when including the certificate contents, enclose within-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
tags.Enter SP Entity Id; it is the same as the auto-populated Provider Id (saml.domain_name).
Click Define IdP Group Mappings to associate an IdP user group with a role in the BlueFletch Portal; otherwise, all new SSO users will be assigned the "User" role by default.
Click Add New Row to add a new group-role mapping.
Enter an IdP group in the Group field (defining a group as "*" will apply a role to all users).
Select a Portal role from the Roles dropdown. For more information on Portal roles, see the Roles documentation).
Additional group-role mappings can be added by clicking Add New Row.
Click Update Groups to save group-role mappings.
Click Save to save changes to the SSO configuration
Logging into Portal with SSO
First Time User
On the login page, enter email address with company-owned domain. Press Continue.
Page will redirect to the associated IdP's login prompt (for example, Azure in the screenshot).
Enter login credentials and submit.
Page will redirect to the BlueFletch Portal's loading screen before opening the organization's main dashboard with the user logged in with their group-mapped permissions.
Common Login Problems & Solutions
Email address is not already associated with IdP credentials The user enters email address with a company domain. The page redirects to the IdP's login prompt, but the user has no credentials for this IdP.
This user has not been set up by the IdP administrator yet.
Contact IdP administrator to create an account associated with the user's company-domain email address.
If the company uses an SSO authentication through Google Workspace, the account must be currently logged in.
If no Google account is logged in, user will simply be prompted to indicate their account and login.
If user is not logged into the SSO account but is logged into another Google-linked account, the user will get a 403 error when logging into the BlueFletch Portal. The user must login to the account through Google.
Appendix: Sample Metadata XML
Apply the following values from the XML in the SSO settings within Portal:
entityID
-> IDP Entity IDe.g. http://www.idp.com/efgxxx1234xx5
X509Certificate
-> Certificatee.g. MIIDp...pa/teCrH is included as
-----BEGIN CERTIFICATE-----
MIIDp...pa/teCrH-----END CERTIFICATE-----
HTTP-POST
Location
-> SSO URLe.g. https://idp-123.com/app/idp-123_emsportal_1/efgxxx1234xx5/sso/saml
Last updated