SSO - End User

Configuring SSO in EMS

  1. In EMS, select the Admin tab, which opens to the Organization sub-tab by default.
  2. Select SSO Config and click + Add Configuration.

  3. In the Domain field, type the company email domain that all users' email addresses will use (for example, gmail.com in the screenshot). The Name and Provider Id fields auto-populate with their respective details. ACS URL (Callback URL) is auto-filled by BlueFletch for all configs.

  4. Enter IDP Entity Id, SSO URL, and Certificate. The IDP administrator can provide these details from the IDP's management site.
  5. Enter SP Entity Id; it is the same as the Provider Id (saml.[domain name]).

  6. Click Save. The screen returns to Organization, which now displays the SSO configuration.
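
For steps 3 to 5, the following added example (not BlueFletch code) pulls the IDP Entity Id, SSO URL, and Certificate out of a SAML metadata XML file and prints a certificate fingerprint to confirm with the IDP administrator before saving. It assumes the IDP offers a standard SAML 2.0 metadata download and that [domain name] in the SP Entity Id is the full email domain; the function name, sample metadata, and placeholder certificate are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata. The certificate is placeholder bytes, not real X.509.
PLACEHOLDER_DER = b"constructed-placeholder-cert"
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        CERT_B64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("CERT_B64", base64.b64encode(PLACEHOLDER_DER).decode())

def sso_fields(metadata_xml, email_domain):
    """Return the values for the EMS SSO form from IdP metadata you obtained yourself."""
    root = ET.fromstring(metadata_xml)  # trusted input only; use a hardened parser otherwise
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    if sso is None or urlparse(sso.get("Location", "")).scheme != "https":
        raise ValueError("SSO URL missing or not https")
    # A KeyDescriptor without a 'use' attribute covers signing as well.
    certs = [kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    cert_b64 = "".join(next((c for c in certs if c.strip()), "").split())
    if not cert_b64:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)  # rejects a mangled paste
    return {
        "IDP Entity Id": root.get("entityID"),
        "SSO URL": sso.get("Location"),
        "Certificate": cert_b64,
        # Compare this fingerprint with the IdP admin out of band before saving.
        "Certificate SHA-256": hashlib.sha256(der).hexdigest(),
        # Assumption: [domain name] in saml.[domain name] is the full email domain.
        "SP Entity Id": "saml." + email_domain.lower(),
    }

if __name__ == "__main__":
    for field, value in sso_fields(SAMPLE_METADATA, "example.com").items():
        print(f"{field}: {value}")
```

If the Provider Id that EMS auto-populates differs from the derived SP Entity Id, use the value shown in EMS.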

Logging into EMS with SSO

First Time User

  1. On the login page, enter an email address with the company-owned domain. Press Continue.

  2. The page redirects to the associated IDP's login prompt (for example, Okta in the screenshot).

  3. Enter login credentials and submit.

  4. The page redirects to the EMS loading screen and then opens the EMS dashboard with the user logged in with user-level permissions.

    If the user needs admin-level permissions, an existing admin will need to log in and change that user's role in Organization > Users.

Common Login Problems & Solutions

  1. Email address is not already associated with IDP credentials
    The user enters an email address with a company domain. The page redirects to the IDP's login prompt, but the user has no credentials for this IDP.
    • This user has not been set up by the IDP administrator yet.
    • Contact the IDP administrator to create an account associated with the user's company-domain email address.
  2. SSO account is linked to G Suite and user is currently logged into a different Google account
    The user receives a 403 error, "Error: app_not_configured_for_user," while attempting to log in to EMS.
    • If the company uses SSO authentication through Google's G Suite, the G Suite account must be currently logged in.
    • If no Google account is logged in, the user will simply be prompted to indicate their account and log in.
    • If the user is not logged into the SSO account but is logged into another Google-linked account, the user will get a 403 error when logging into EMS. The user must log in to the account through Google.