Overview
BGL allows users to sign in through enterprise identity providers such as Azure Active Directory via SAML.
What is SAML and why do you need it?
Security Assertion Markup Language 2.0 (SAML) is an open standard for exchanging identity and security information with applications and service providers. BGL's support for SAML enables you to sign in using your corporate directory credentials, such as your user name and password from Azure Active Directory. With SAML, you can use single sign-on (SSO) to sign in to all of your BGL applications by using a single set of credentials.
What will be the cost of using SAML?
BGL will charge your firm a one-time fee of $2,000.00 NZD (plus GST).
Which identity providers are supported?
BGL currently supports:
- Practice Protect
- Azure Active Directory
- Okta
- Auth0
- GSuite
What happens to User Management when I enable SAML?
BGL will enable SAML for a domain, e.g. "abc.com.au". Any user whose account uses that domain, e.g. "user@abc.com.au", will be forced to log in via their enterprise identity provider.
You can also have users bookmark the BGL Login Page with a parameter that bypasses the BGL Login page, e.g. https://sso.bgl360.com.au/login?provider=abc.com.au
For existing BGL users, their BGL360 password will no longer be used. For users invited after SAML is enabled, no BGL360 password will be issued. Identity Providers cannot add users. Users will still need to be added via either Simple Fund 360 or CAS360.
Will I be prompted for MFA when using an identity provider?
Not by BGL. When you use a Federated Identity, BGL is trusting an external identity system such as Practice Protect to perform the authentication for the federated user. Likewise, BGL is also trusting that external identity system to perform any multi-factor authentication (MFA).
What if my business has multiple BGL licences?
As the SAML configuration is per domain, if you have multiple BGL licences this will apply for all licences. We cannot separate this per licence.
               | SAML (users have the domain registered) | Non-SAML (different domain)
Existing Users |                                         |
New Users      |                                         |
How can I test the SSO configuration without affecting current users?
BGL will set you up on our Staging environment for testing. Once you are happy, we can schedule a date and time for Production.
BGL's Identifier and Reply URL
Staging:
Audience URI (SP Entity ID)                                     | urn:amazon:cognito:sp:ap-
Reply URL (Assertion Consumer Service URL) (Single sign-on URL) | https://bglcorp-staging-
Production:
Audience URI (SP Entity ID)                                     | urn:amazon:cognito:sp:ap-
Reply URL (Assertion Consumer Service URL) (Single sign-on URL) | https://bglcorp-production-
Instructions for your configuration:
Instructions - Practice Protect
Please contact Practice Protect directly; they can set this up for you. If you are not a current Practice Protect client, request a Cyber Security Consultation here.
Instructions - Azure AD
1. In Azure, create an Azure AD Enterprise Application (requires Azure AD Premium) from your Azure AD blade -> Enterprise Applications -> New Application.
2. Pick “Non-gallery application” as the app type. Then type a name, e.g. "BGL360", and press “Add”.
3. In your Azure AD enterprise application choose the section “Single sign-on”, and in the dropdown list choose “SAML-based Sign-on”.
4. The following information will be provided to you by BGL:
- Identifier: enter one of the following depending on the environment:
  Staging    | urn:amazon:cognito:sp:ap-
  Production | urn:amazon:cognito:sp:ap-
- Reply URL: enter one of the following depending on the environment:
  Staging    | https://bglcorp-staging-
  Production | https://bglcorp-production-
5. After the application is created, add Users and groups.
6. Finally, download the SAML Metadata XML. You should now be set up on the Azure side. Send the XML file to BGL.
Instructions - Okta
- On the Okta website, choose Dashboard to go to the Admin dashboard.
- On the Admin dashboard, under Shortcuts, choose Add Applications.
- On the Add Application page, choose Create New App.
- In the Create a New Application Integration dialog, for Platform, choose Web.
- For Sign on method, choose SAML 2.0.
- Choose Create.
- On the Create SAML Integration page, under General Settings, enter a name for your application.
- Choose Next.
- Under SAML Settings, for Single sign-on URL, enter the URL provided by BGL. Please see the section named 'BGL's Identifier and Reply URL' above.
- For Audience URI (SP Entity ID), enter the value provided by BGL. Please see the section named 'BGL's Identifier and Reply URL' above.
- Leave Default RelayState blank.
- Under Attribute Statements, add a statement with the following information:
  For Name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  For Value, enter user.email.
- For all other SAML settings on the page, leave them at their default values or set them according to your preferences.
- Choose Next, then choose Finish.
- On the Assignments tab for your Okta application, for Assign, choose Assign to People.
- Next to the user you want to assign, choose Assign.
- Choose Save and Go Back. Your user is assigned.
- Choose Done.
- On the Sign On tab for your Okta application, find the Identity Provider metadata hyperlink. Right-click the hyperlink and copy the URL. Send it to BGL.
Instructions - Auth0
1. On the Auth0 website dashboard, choose + New Application.
2. In the Create Application dialog, enter a name for your application. For example, My App.
3. Under Choose an application type, choose Single Page Web Applications.
4. Choose Create.
5. On the left navigation bar, choose Applications.
6. Choose the name of the application you created.
7. On the Addons tab, turn on SAML2 Web App.
8. In the Addon: SAML2 Web App dialog, on the Settings tab, for Application Callback URL enter the URL provided by BGL. Please see the section named 'BGL's Identifier and Reply URL' above
9. Under Settings, do the following:
- For audience, delete the comment delimiter (//) and replace the default value (urn:foo) with the value provided by BGL. Please see the section named 'BGL's Identifier and Reply URL' above
- For mappings and email, delete the comment delimiters (//).
- For nameIdentifierFormat, delete the comment delimiters (//). Replace the default value (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified) with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
10. Choose Save.
11. In the Addon: SAML2 Web App dialog, on the Usage tab, find Identity Provider Metadata. Then do either of the following:
- Right-click download, and then copy the URL.
- Choose download to download the .xml metadata file.
- Send the XML file to BGL.
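The Okta attribute statement and the Auth0 audience, email mapping and nameIdentifierFormat settings above all shape the assertion the identity provider sends to BGL's Reply URL. The following is an added example, not BGL's or any provider's code: it checks a constructed sample response the way a service provider must before trusting it (audience equals the SP Entity ID, destination equals the ACS URL, persistent NameID, email claim from the SAML-enabled domain). The entity ID and ACS URL are placeholders standing in for the truncated values BGL supplies.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Placeholder SP values: BGL supplies the real ones (they are truncated on the page).
SP_ENTITY_ID = "urn:amazon:cognito:sp:ap-EXAMPLE"
ACS_URL = "https://bglcorp-staging-EXAMPLE/saml2/idpresponse"

# Constructed sample response, shaped like what an Okta or Auth0 app set up as above emits.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}"><saml:Assertion><saml:Subject>
  <saml:NameID Format="{PERSISTENT}">user@abc.com.au</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
  <saml:AttributeValue>user@abc.com.au</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, domain="abc.com.au"):
    # Returns (ok, problems, email). A real SP verifies the assertion signature against the
    # IdP metadata first; that step is out of scope for this example.
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None: return False, ["no Assertion element"], None
    problems = []
    # Audience must be exactly the SP Entity ID the IdP was configured with.
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"audience mismatch: {audiences}")
    # Destination and Recipient must both be the ACS (Reply) URL.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if root.get("Destination") != acs_url or scd is None or scd.get("Recipient") != acs_url:
        problems.append("destination/recipient is not the ACS URL")
    # NameID format: the Auth0 steps above require the persistent format.
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    # Email claim from the Okta attribute statement / Auth0 mapping; its domain must be the
    # one BGL enabled for SAML, since that domain is what the forced-SSO rule is keyed on.
    values = [v.text for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == EMAIL_CLAIM for v in attr.findall("saml:AttributeValue", NS)]
    email = values[0].strip() if values and values[0] else None
    if email is None:
        problems.append("email claim missing")
    elif email.rsplit("@", 1)[-1].lower() != domain:
        problems.append(f"email domain not enabled for SAML: {email}")
    return not problems, problems, email
```

Run `check_response(SAMPLE_RESPONSE)` to see the accepted case; change the audience, NameID format or email domain in the sample to see which check rejects it.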
Instructions - GSuite
In the Google Admin console, you will need to set up your own custom SAML app.
1. From the Admin console Home page, go to Apps > SAML Apps.
2. To see Apps on the Home page, you might have to click More controls at the bottom.
3. Click Add at bottom right.
4. Click Set up my own custom app.
5. The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.
6. Download the IDP metadata.
7. Enter the Service Provider details provided by BGL.
- ACS URL: This will be provided by BGL. Please see the section named 'BGL's Identifier and Reply URL' above.
- Entity ID: This will be provided by BGL. Please see the section named 'BGL's Identifier and Reply URL' above.