SSO
The SSO (Single Sign-On) tab shows a list of associated identity providers (e.g., Microsoft Entra ID, Okta, Cloudflare) used to authorize your users to access BSN.Cloud. Combined with a verified domain, SSO allows you to use your own identity provider to secure your users instead of the basic username and password authentication provided by BSN.Cloud.

Ensure you have created and verified ownership of at least one domain in order to complete setting up SSO for your organization.

Setup SSO

To set up SSO you will need administrative access to your identity provider (e.g., Microsoft Entra ID, Okta, Cloudflare), and you will need to be able to add a DNS entry for your domain or upload a file to your web server.

Important: before you set up SSO, create a "break glass" account. You should do this because if you enable SSO incorrectly you could lock yourself out of the system. If you have locked yourself out of your account, contact BrightSign support for further assistance.

Creating a "break glass" account involves using an email account that is not associated with your SSO domain. For example, if your SSO domain is "example.com", you should set up an email address like "sso-admin-example-com@gmail.com", or any email address that you can access that is not part of "example.com". When you have created an external email account to use for the "break glass" account, you must invite that account to manage the organization, as described in the section referenced above (docid: snuufrwm8qjxwqdyoab11).

Adding an identity provider

Select Setup SSO to set up a new identity provider for SSO. You will be shown a list of identity providers to choose from, or you can choose a generic SAML, OpenID, or LDAP protocol. After selecting one of the above providers or protocols, you will be guided through a set of steps relevant to that provider or protocol.

Adding an identity provider (example)

Expand the example below to see the steps to add a Microsoft Entra identity provider (this page does not show every identity provider
configuration, as the steps are similar across providers).

Example

Linking an identity provider to a domain

After creating the identity provider, you will be returned to the SSO tab, where you will see the list of identity providers. You will notice alongside the new identity provider there is a warning message stating "No domains are associated. Users may not be able to sign in until at least one domain is linked." This means you need to link one or more verified domains with the identity provider. To do this, select Edit.

After selecting Edit, you will be shown the Edit Identity Provider form, where you can enable or disable the identity provider, view the name, and select the domains to be associated with it. If you disable the identity provider, the system will revert to using the basic username and password authentication methods provided by BSN.Cloud.

Select one or more domains to be associated with the identity provider and select Save Changes. You will be returned to the SSO tab, where you will now see the identity provider marked with one or more associated domains. From here, you can delete the identity provider or show details of the identity provider to see the specific details in JSON format.

Initial user login after enabling SSO

When you log in after SSO has been enabled, you may see the following Account Already Exists form. This form indicates that the user logging in via the new identity provider has matched an existing account in BSN.Cloud (for example, if you have previously been using BSN.Cloud with a username and password, or used another identity provider such as Microsoft Entra ID or Google social logins). You will not see this screen if you are new to BSN.Cloud.

You can review the existing BSN.Cloud profile by clicking the Review Profile button, or confirm this is okay by selecting Add to Existing Account.

Review profile

Selecting Review Profile will display an Update Account Information form with your email, first name and last name. You can make changes
here if you need to. Select Submit to continue, and it will return you to the Account Already Exists form.

Add to existing account

Selecting Add to Existing Account will show the Link Account form. You will get an email confirming that it is your email account. If the email is not confirmed within the time frame, you will need to start the login process again and re-confirm.

You will receive an email similar to the image below. Click on the highlighted link to confirm your account and you will be redirected to the website, where you will be prompted to select or create a network.

Important SSO info

- Ensure you have created a "break glass" account for use in emergencies (see docid: kbtmd1rd rkbj9qlbn4ey).
- Always test SSO before logging out: when you link a domain to an identity provider, you should always test that the SSO login process works with another user account first, before you log out of the current session. If the identity provider settings are incorrect and you log out, you may not be able to log in again due to the forced redirection process unless you have created a "break glass" account.
- If you make a mistake: identity provider settings cannot be edited at this time, so to correct a mistake you must delete the identity provider, go through the steps again, and then re-link the domain.
- If you cannot log in after enabling SSO and you do not have a "break glass" account, you will need to contact BrightSign support for assistance.

Identity Provider (IdP) vs Service Provider (SP) flow

Currently, only the SP-initiated authentication flow is supported. IdP-initiated logins are not available, so users must start the login process through the Keycloak user interface.

Sign in with Microsoft

BSN.Cloud offers two distinct ways to use your Microsoft identity to sign in:

- the Login with Microsoft button on the sign-in page
- SSO via an identity provider configured through your organization's settings

While both can authenticate you through Microsoft, they work very differently under the
hood. Understanding the distinction is important, particularly for IT administrators managing access for their organization.

The "Login with Microsoft" button

The Login with Microsoft button is a social login feature powered by OAuth 2.0 / OpenID Connect. When a user clicks it, they are redirected to Microsoft to authenticate and then returned to BSN.Cloud. This works independently of any SSO configuration you may have set up in the BSN.Cloud Organizations settings; it is available to any user, regardless of whether your organization has configured SSO.

BrightSign is a verified Microsoft publisher, and the Login with Microsoft button requests only minimal, low-privilege scopes (openid, profile, and email). It does not request access to your organization's mailboxes, files, or any other data.

However, this button uses a multi-tenant Microsoft application registered by BrightSign. When a user from your organization clicks it for the first time, Microsoft may automatically create an enterprise application entry in your Entra ID tenant and register consent on behalf of that user. Whether this happens silently or triggers an admin approval prompt depends entirely on how your Entra ID tenant is configured.

In many organizations, Entra ID is configured to allow users to consent to third-party applications themselves without requiring administrator approval. In this case, users may find they can sign in to BSN.Cloud via the Login with Microsoft button without any IT involvement or awareness, which may be unexpected if your organization expects all third-party application access to be administrator-approved.

SSO via your identity provider (SAML or OIDC)

BSN.Cloud supports SSO through a wide range of identity providers, including Microsoft Entra ID, Okta, Cloudflare, and any provider that supports the SAML or OIDC protocols. Configuring SSO through the BSN.Cloud Organizations settings is a separate, more controlled process from the Login with Microsoft button. After verifying
your domain and adding your identity provider, BSN.Cloud will automatically redirect any user whose email matches your verified domain to your identity provider for authentication. This means your organization's existing conditional access policies, MFA requirements, and session controls are enforced at login.

SAML (Security Assertion Markup Language) is a widely supported federation standard. Your identity provider issues a signed XML assertion to BSN.Cloud confirming the user's identity. It is a good choice for organizations that already use SAML-based SSO with other applications.

OIDC (OpenID Connect) is a more modern, token-based protocol built on OAuth 2.0. Your identity provider returns a JWT (JSON Web Token) to BSN.Cloud confirming identity.

Both protocols achieve the same outcome for end users, a seamless single sign-on experience, but your IT team will need to create and configure an application registration in your identity provider as part of setup.

Unlike the Login with Microsoft button, SSO configuration gives your IT team full control: users are redirected automatically based on their email domain, and authentication is governed entirely by your identity provider's policies.

Entra ID administrators: controlling the Login with Microsoft button

If your organization has not yet configured SSO in BSN.Cloud, or even if it has, it is worth reviewing your Entra ID user consent settings. By default, some Entra ID tenants allow users to consent to third-party multi-tenant applications on their own. Because BrightSign is a verified publisher requesting only low-privilege scopes, the default Entra policy of allowing consent to verified publishers will permit the Login with Microsoft button to work silently for your users, so if you want to prevent this, you will need to explicitly restrict access.

Preventing users from signing in via the Login with Microsoft button

There are several ways to control or block use of the Login with Microsoft button for your organization's
users. These are listed in order from least to most restrictive.

Option 1: Require user assignment on the BSN.Cloud enterprise application

Once the BSN.Cloud enterprise application has been created in your tenant (either because a user has already signed in, or by adding it manually), you can enable Assignment required on it. This means only users or groups explicitly assigned to the application can sign in via the Login with Microsoft button; all other users will be blocked.

Navigate to Entra admin centre > Identity > Applications > Enterprise apps, find the BSN.Cloud application, go to Properties, and set Assignment required to Yes. You can then manage who has access via the Users and groups tab.

Option 2: Enable the admin consent workflow

Rather than blocking access outright, you can require all users to request administrator approval before being permitted to sign in to third-party applications. This allows your IT team to review and approve requests on a case-by-case basis.

Navigate to Entra admin centre > Identity > Applications > Enterprise apps > Consent and permissions > Admin consent settings and enable the admin consent workflow.

Option 3: Restrict or disable user consent for all applications

For the most comprehensive control, you can prevent users from independently consenting to any third-party application, including BSN.Cloud.

Navigate to Entra admin centre > Identity > Applications > Enterprise apps > Consent and permissions > User consent settings and set user consent to require admin approval for all applications, or disable it entirely. Note that this setting applies to all third-party applications in your tenant, not just BSN.Cloud, so consider whether this is appropriate for your organization before making the change.

If your organization intends to use BSN.Cloud with controlled, policy-enforced access, we recommend configuring SSO through the Organizations settings as described above and reviewing your Entra ID consent policies to ensure they align with
your organization's security requirements. If you need assistance, please contact https://brightsign.biz/support.
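The domain-based routing described under "Linking an identity provider to a domain" and "SSO via your identity provider", together with the "break glass" rule from "Important SSO info", can be modelled in a few lines. The following is an added example and not BSN.Cloud code: the data classes, the `PASSWORD_AUTH` label and the sample organization are constructed for the illustration, and the routing rule is the one the page states (a user whose email is on a verified domain linked to an enabled identity provider is redirected to it; everyone else gets the built-in username/password login).

```python
"""Added example (not BSN.Cloud code): email-domain SSO routing and the
"break glass" check, modelled on the behaviour the SSO page describes.

Constructed model: an organization has verified domains and identity
providers; a provider is only used when it is enabled AND linked to a
verified domain; every other sign-in falls back to username/password.
"""
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    name: str
    enabled: bool = True
    linked_domains: set[str] = field(default_factory=set)


@dataclass
class Organization:
    verified_domains: set[str]
    identity_providers: list[IdentityProvider]
    admin_emails: list[str]


PASSWORD_AUTH = "password"  # constructed label for the built-in login path


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address ("" if malformed)."""
    local, sep, domain = email.rpartition("@")
    return domain.strip().lower() if sep and local else ""


def resolve_login_route(org: Organization, email: str) -> str:
    """Decide where a sign-in for `email` is sent.

    A verified domain linked to an *enabled* provider redirects to that
    provider; an unverified domain, a disabled provider or an unlinked
    domain all revert to basic username/password authentication.
    """
    domain = email_domain(email)
    if domain not in org.verified_domains:
        return PASSWORD_AUTH
    for idp in org.identity_providers:
        if idp.enabled and domain in idp.linked_domains:
            return idp.name
    return PASSWORD_AUTH


def providers_without_domains(org: Organization) -> list[str]:
    """Enabled providers no user can reach (the SSO-tab 'no domains' warning)."""
    return [
        idp.name for idp in org.identity_providers
        if idp.enabled and not (idp.linked_domains & org.verified_domains)
    ]


def has_break_glass_admin(org: Organization) -> bool:
    """True if at least one organization admin signs in WITHOUT SSO.

    If every admin is redirected to an identity provider, a misconfigured
    provider locks all of them out; the non-SSO admin is the "break glass"
    account the page asks you to create before enabling SSO.
    """
    return any(resolve_login_route(org, e) == PASSWORD_AUTH for e in org.admin_emails)


# Constructed sample organization for the demonstration.
SAMPLE_ORG = Organization(
    verified_domains={"example.com"},
    identity_providers=[IdentityProvider("Microsoft Entra ID", True, {"example.com"})],
    admin_emails=["alice@example.com", "sso-admin-example-com@gmail.com"],
)

if __name__ == "__main__":
    for user in ["alice@example.com", "bob@contractor.example",
                 "sso-admin-example-com@gmail.com"]:
        print(f"{user:36} -> {resolve_login_route(SAMPLE_ORG, user)}")
    print("break-glass admin present:", has_break_glass_admin(SAMPLE_ORG))
    print("providers with no linked domain:", providers_without_domains(SAMPLE_ORG))
```

Running `has_break_glass_admin` against your own admin list before you link a domain is the check the page's "always test SSO before logging out" advice is protecting; if it returns `False`, every administrator would be subject to the forced redirect.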