Configuring your Identity Provider for Blueprint Federated Authentication

Before you can use Blueprint federated authentication, your identity provider must be configured so that the token it submits to Blueprint includes all of the required information in the expected format.

The configuration terminology varies slightly between identity providers. For example, some identity providers use the term Claims instead of Attributes.

To configure your identity provider for Blueprint federated authentication, ensure the following requirements are met:

  • The Entity ID must be set to:
    <Blueprint_URL>/Login/SAMLHandler.ashx
    where <Blueprint_URL> is your main Blueprint URL.

    Example
    For Blueprint cloud customers, the Entity ID will look something like this:
    https://acme.blueprintcloud.com/Login/SAMLHandler.ashx
    For Blueprint on-premise customers, the Entity ID will look something like this:
    https://blueprint.acme.com/Login/SAMLHandler.ashx

  • The POST Endpoint must be set to:
    <Blueprint_URL>/Login/SAMLHandler.ashx
    where <Blueprint_URL> is your main Blueprint URL.

  • A Username attribute must be included in the SAML response (that is, the token).

    Blueprint reads the username from the Username attribute in the token, not from the Subject. The attribute must be named exactly Username. The username can be in any format, but it must match the username of the corresponding user account as created in Blueprint. Valid options are regular usernames, Windows/AD account names (DOMAIN\user), e-mail addresses, Distinguished Names, or X.509 subjects.

  • The SAML response must contain the identity provider's X.509 certificate.
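The following script is an added example, not Blueprint's own code, that checks a SAML response against the four requirements above before you point a production identity provider at Blueprint. It assumes the Entity ID appears as the assertion's Audience, the POST endpoint as the response's Destination attribute, and the identity provider certificate as a ds:X509Certificate element; the sample response, the acme tenant name and the certificate body are constructed placeholders.

```python
"""Pre-flight check of a SAML response against the Blueprint federated
authentication requirements: Entity ID, POST endpoint, Username attribute
and identity provider X.509 certificate.

Added example, not Blueprint's code. Assumes Audience carries the Entity ID,
Destination carries the POST endpoint, and ds:X509Certificate carries the
certificate. The sample response below is constructed by hand."""

import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response; "acme" follows the page's example URLs and the
# certificate body is a placeholder, not a real certificate.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://acme.blueprintcloud.com/Login/SAMLHandler.ashx">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>jdoe@acme.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.blueprintcloud.com/Login/SAMLHandler.ashx</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username">
        <saml:AttributeValue>ACME\\jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_handler_url(blueprint_url: str) -> str:
    """Entity ID / POST endpoint as the page defines it: <Blueprint_URL>/Login/SAMLHandler.ashx."""
    return blueprint_url.rstrip("/") + "/Login/SAMLHandler.ashx"


def username_format(username: str) -> str:
    """Heuristic label for which of the page's accepted username forms a value uses."""
    if "\\" in username:
        return "windows"          # DOMAIN\user
    if "@" in username:
        return "email"
    if re.match(r"^\s*[A-Za-z]+=", username):
        return "dn"               # Distinguished Name or X.509 subject, e.g. CN=...,O=...
    return "plain"


def check_saml_response(xml_text: str, blueprint_url: str) -> list[str]:
    """Return the list of requirement violations; an empty list means the response passes."""
    expected = saml_handler_url(blueprint_url)
    problems = []
    root = ET.fromstring(xml_text)

    # Entity ID: Blueprint's handler URL must be the assertion's Audience.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity ID {expected}")

    # POST endpoint: the response must be addressed to the same handler URL.
    destination = root.get("Destination")
    if destination != expected:
        problems.append(f"Destination {destination!r} is not the POST endpoint {expected}")

    # Username attribute: Blueprint reads this, not the Subject/NameID.
    values = root.findall(".//saml:Attribute[@Name='Username']/saml:AttributeValue", NS)
    usernames = [v.text.strip() for v in values if v.text and v.text.strip()]
    if not usernames:
        problems.append("No non-empty attribute named 'Username' in the assertion")

    # Identity provider certificate must travel with the response.
    certs = [c.text for c in root.findall(".//ds:X509Certificate", NS) if c.text and c.text.strip()]
    if not certs:
        problems.append("No ds:X509Certificate element found in the response")

    return problems


if __name__ == "__main__":
    issues = check_saml_response(SAMPLE_RESPONSE, "https://acme.blueprintcloud.com")
    print("OK" if not issues else "\n".join(issues))
```

Run it against a response captured from your identity provider's test login (with the SAML tracer of your choice) and your real Blueprint URL; each reported problem maps directly to one of the bullets above, so a run with the wrong tenant URL reports both the Entity ID and the POST endpoint mismatches. The username_format helper only tells you which of the accepted forms the identity provider is emitting; whether that value matches the account created in Blueprint still has to be confirmed against the Blueprint user list.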