Enabling SSO/SAML (Single Sign-On)

TABLE OF CONTENTS

• What is Blitzz SSO?
  • How SAML SSO for Blitzz works
  • Requirements for enabling SAML SSO
• SSO/SAML Integration Steps
  • Step 1: Exchanging the Metadata File
  • Step 2: Managing users in Blitzz after enabling SAML SSO
    • Optional Attributes
  • Step 3: Testing & Validation

What is Blitzz SSO?

SSO enables you to use any enterprise third party integrations for authenticating your users or subscribers with Blitzz. We offer a host of SSO integrations to make working with your existing infrastructure a breeze.

The purpose of this document is to describe the SSO capabilities Blitzz supports and steps necessary to integrate your Identity Provider (IdP) with Blitzz. The document is created for System Administrators or staff knowledgeable about SSO administration.

Blitzz supports Secure Assertion Markup Language (SAML), which lets you provide single sign-on (SSO) access to Blitzz accounts. With SSO, users can sign in once using their company sign-in form to gain access to multiple systems and service providers, including Blitzz products.

The IT team in a company is usually responsible for setting up and managing the company's SAML authentication system. 

How SAML SSO for Blitzz works

SAML for Blitzz works the way SAML does with all other service providers. A common use case is a company where all user authentication is managed by a corporate authentication system such as Active Directory or LDAP (generically referred to as an identity provider, or IdP). Blitzz establishes a trust relationship with the IdP and allows it to authenticate and sign in users to Blitzz accounts.

Common use case:

A user signs in to their corporate system at the beginning of their workday. Once signed in, they have access to other corporate applications and services (such as email or Blitzz Portal) without having to sign in separately to those services.

If a user attempts to sign in directly to a Blitzz account, they are redirected to your SAML server or service for authentication. Once authenticated, the user is redirected back to your Blitzz account and automatically signed in.

Another supported workflow is giving users access to Blitzz after they sign in to your company's website. When a user signs in to the website using their website credentials, the website sends a request to the identity provider to validate the user. The website then sends the provider's response to the SAML server, which forwards it to your Blitzz account, which grants a session to the user. 

Requirements for enabling SAML SSO

Meet with the team in your company responsible for the SAML authentication system (usually the IT team) to make sure your company meets the following requirements:

• The company has a SAML server with provisioned users or connected to an identity repository such as Microsoft Active Directory or LDAP. Options include using an in-house SAML server such as OpenAM, or a SAML service such as Okta, OneLogin, or PingIdentity.
• If using an Active Directory Federation Services (ADFS) server, forms-based authentication must be enabled.
• Blitzz-bound traffic is over HTTPS, not HTTP

SSO/SAML Integration Steps

Step 1: Exchanging the Metadata File

SAML metadata is an XML document that contains information necessary for interaction with SAML-enabled identity or service providers. The document contains e.g. URLs of endpoints, information about supported bindings, identifiers and public keys.

Customer Metadata file

Typically one metadata document will be generated by your IT team and sent to all identity providers you want to enable single sign-on with. Please email your metadata file to our support team (support@blitzz.co)

customer Metadata file generally contains information about your SAML service such as:

• EntityId
• digest
• signature
• x509 certificate
• customer single sign-on service
• NameId
• custom attributes
• Bindings
• …

Here is an example XML:

Blitzz Metadata file

Similarly, we will make Blitzz metadata file available for you to import into your SSO Server. This file contains information about the Blitzz SAML Service Provider such as:

• EntityId
• x509 certificate
• Blitzz single logout service
• NameId
• Blitzz assertion consumer service,
• …

Here is an example:

Step 2: Managing users in Blitzz after enabling SAML SSO

After enabling SAML single sign-on for Blitzz, changes made to users outside Blitzz sync to your Blitzz account. For example, if a user is added to your internal Active Directory or LDAP system, the user is automatically added (auto-provision) to your Blitzz account. If a user is deleted in your internal system, the user will no longer be able to sign in to Blitzz, however, their account will still exist in Blitzz. Blitzz does not store passwords.

Parameters for mapping user details in Blitzz

You may pass these optional fields to customize your SAML Authentication at the time of User creation. Please note that if changes are made to your LDAP after a user is created in Blitzz, those changes will not be updated automatically.

Parameter	Required?	Type	Max. Length	Sample	Comments
login	Yes	String	255 Characters	john@domain.com	User's email address
role	Yes	String	20 Characters	Internal	*Allowed roles listed below
type	Yes	String	50 Characters	sso-tokens
call_experience	Optional	String	56 Characters	Video Support	*This name must match one of the names from your "Collaboration Profiles" list.
department	Optional	String	40 Characters	Tech Support	*This name must match one of the names from your list of "Departments".
first_name	Optional	String	30 Characters	John	*First Name
last_name	Optional	String	30 Characters	Doe	*Last Name

*Roles: Here is a list of allowed Roles. Pass them as a variable to the Role attribute along with the spaces. Eg. "User Manager"). To learn more about Roles and Responsibilities click here. 

1. Super Admin
2. Administrator
3. User Manager
4. Developer
5. Billing
6. Data Analyst
7. Internal

*Call_Experience: If the call_experience name received in sso-token API does not match the Collaboration Profiles in your domain, we will create a new Collaboration profile and add the user during SSO user creation.

*Departments: If the department name received in sso-token API does not match the departments in your domain, we will create a new department and add the user during SSO user creation.

*First/Last Name: If the first_name and last_name parameters are blank, we will use “login” key value as a first_name during SSO user creation.

Step 3: Testing & Validation

In order to deploy the SSO integration, your staff and Blitzz Support must validate that Blitzz successfully integrates with your IdP, and that your users are able to log into Blitzz.

The integration testing involves the following steps:

1. Provide Blitzz with the requested information (Metadata File), so that Blitzz can configure its systems to recognize your IdP.
2. Configure your IdP with the information provided by Blitzz (Blitzz' Metadata File).
3. Nominate one or more users that you’d like to enable SSO login for (via the user’s login email addresses)
4. Blitzz will then enable SSO for these users, and you should ensure that your IdP is appropriately configured to allow users to log into Blitzz.

• For example, this may require you to configure a Blitzz application in your IdP and assign the specified users to it.
• Customer and Blitzz will then concurrently validate that the users are able to log in via the SSO. 

If you have any questions or feedback, please contact support@blitzz.co.