Configure identity provider settings

The identity provider (IDP) provides authentication for users. The service provider (SP), in this case

BlackBerry AtHoc

or Self Service, requests authentication from the IDP.

When SSO is enabled for access to the

BlackBerry AtHoc

management system or Self Service, when a user logs in, they are redirected to their organization's IDP for authentication. If the user is already logged in to the identity provider, the authentication request is processed and sent to the service provider, and the user is granted access without the need to log in again.

BlackBerry AtHoc

management system as an Organization Administrator or Enterprise Administrator.

Click

In the

Users

section, click

User Authentication

On the

User Authentication

page, in the

Assign Authentication Methods to Applications

section in the

Self Service

Management System

section, click

Configuration

If the

Configuration

button is not available, SSO is not enabled. For more information, see Enable single sign-on as an authentication method.

Do one of the following:

Import IDP settings.

On the

Management system SSO configuration

Self Service SSO configuration

window, in the

Identity Provider

section, configure the following

General Settings

Identity Provider Name

: Each SAML configuration is identified by a unique identity provider name. This name is internal to the configuration and is not exposed to partner providers. This field is required only when there are multiple SAML configurations. Enter a name that is a minimum of three characters and a maximum of 512 characters. The following special characters are not allowed: `!?"<>!$%&^()={},;\:?"<>

Sign On Service URL

: Enter the URL of the location of the identity provider's SSO service where SAML authentication requests are sent as part of a SP-initiated single sign-on.

Sign On Service Binding

: Optionally, select

Redirect

POST

as the transport mechanism (SAML binding) to use when sending SAML authentication requests to the partner identity provider. The default setting is

Redirect

Logout Service URL

: The URL of the local service provider's single log out service where SAML logout messages are received. If single logout is not required, leave this field blank. For more information, see SSO logout service.

Logout Service Binding

: Optionally, select

Redirect

POST

as the transport mechanism (SAML binding) to use when sending SAML authentication requests to the partner identity provider. The default setting is

Redirect

Artifact Resolution Service URL

: Optionally, enter an artifact resolution service URL. The service provider uses the Artifact Resolution Protocol to exchange an artifact for the actual SAML message referenced by the artifact.

Artifact Resolution Service Binding

: Optionally, select

SOAP

POST

REDIRECT

ARTIFACT

as the transport mechanism (SAML binding) to use when sending SAML authentication requests to the partner identity provider. The default is

SOAP

Name ID Format

: Optionally, select

Email Address

Persistent

, or

Transient

as the format to be used by the SP and IDP to identify a subject name identifier.

User Mapping Attribute

: Optionally, select the attribute that identifies the user. This attribute is retrieved from the SAML assertion metadata. The default is

Subject Name

Attribute Name

: Enter the name of the attribute used to identify the user.

Configure the following

Security Settings

SAML Response Signature

: Select

Signed

Unsigned

. When

Signed

is selected, SAML responses sent to the partner service provider must be signed. Sending signed authentication requests is highly recommended, but optional.

Assertion Signature

: Select

Signed

Unsigned

. When

Signed

is selected, SAML assertions sent to the partner service provider must be signed.

You must select

Signed

for either

SAML Response Signature

Assertion Signature

or both.

You must have a valid certificate installed for your organization.

Signature Algorithm

: Select an algorithm. The default is

RSA-SHA256

Assertion Encryption

: Select

Encrypted

Unencrypted

. When

Encrypted

is selected, SAML assertions sent to the partner service provider must be encrypted.

Assertion Encryption

is set to

Encrypted

, select an

Assertion Algorithm

. The default setting is

AES128

In the

Certificate*

field, click

Browse

to navigate to and select a certificate file. Only .cer and .crt files are supported.

Optionally, add the following

Additional information

Company Name

: Enter a name that is a minimum of three characters and a maximum of 512 characters. The following special characters are not allowed: `!?"<>!$%&^()={},;\:?"<>

Company Display Name

: Enter a name that is a minimum of three characters and a maximum of 512 characters. The following special characters are not allowed: `!?"<>!$%&^()={},;\:?"<>

Company URL

Contact Person Name

Role or Department

Email Address

Telephone Number

Do one of the following:

If you are modifying an existing SSO configuration, click

Apply

, and then click

Save

on the

User Authentication

page.

For a new SSO configuration, configure Service Provider settings.

Section:

Enable single sign-on as an authentication method