Skip Navigation

Configure identity provider settings

The identity provider (IDP) provides authentication for users. The service provider (SP), in this case
BlackBerry AtHoc
or Self Service, requests authentication from the IDP.
When SSO is enabled for access to the
BlackBerry AtHoc
management system or Self Service, when a user logs in, they are redirected to their organization's IDP for authentication. If the user is already logged in to the identity provider, the authentication request is processed and sent to the service provider, and the user is granted access without the need to log in again.
  1. Log in to the
    BlackBerry AtHoc
    management system as an Organization Administrator or Enterprise Administrator.
  2. Click The Settings icon.
  3. In the
    Users
    section, click
    User Authentication
    .
  4. On the
    User Authentication
    page, in the
    Assign Authentication Methods to Applications
    section in the
    Self Service
    or
    Management System
    section, click
    Configuration
    .
    If the
    Configuration
    button is not available, SSO is not enabled. For more information, see Enable single sign-on as an authentication method.
  5. Do one of the following:
    • On the
      Management system SSO configuration
      or
      Self Service SSO configuration
      window, in the
      Identity Provider
      section, configure the following
      General Settings
      .
      1. Identity Provider Name
        : Each SAML configuration is identified by a unique identity provider name. This name is internal to the configuration and is not exposed to partner providers. This field is required only when there are multiple SAML configurations. Enter a name that is a minimum of three characters and a maximum of 512 characters. The following special characters are not allowed: `!?"<>!$%&^()={},;\:?"<>
      2. Sign On Service URL
        : Enter the URL of the location of the identity provider's SSO service where SAML authentication requests are sent as part of a SP-initiated single sign-on.
      3. Sign On Service Binding
        : Optionally, select
        Redirect
        or
        POST
        as the transport mechanism (SAML binding) to use when sending SAML authentication requests to the partner identity provider. The default setting is
        Redirect
        .
      4. Logout Service URL
        : The URL of the local service provider's single log out service where SAML logout messages are received. If single logout is not required, leave this field blank. For more information, see SSO logout service.
      5. Logout Service Binding
        : Optionally, select
        Redirect
        or
        POST
        as the transport mechanism (SAML binding) to use when sending SAML authentication requests to the partner identity provider. The default setting is
        Redirect
        .
      6. Artifact Resolution Service URL
        : Optionally, enter an artifact resolution service URL. The service provider uses the Artifact Resolution Protocol to exchange an artifact for the actual SAML message referenced by the artifact.
      7. Artifact Resolution Service Binding
        : Optionally, select
        SOAP
        ,
        POST
        ,
        REDIRECT
        or
        ARTIFACT
        as the transport mechanism (SAML binding) to use when sending SAML authentication requests to the partner identity provider. The default is
        SOAP
        .
      8. Name ID Format
        : Optionally, select
        Email Address
        ,
        Persistent
        , or
        Transient
        as the format to be used by the SP and IDP to identify a subject name identifier.
      9. User Mapping Attribute
        : Optionally, select the attribute that identifies the user. This attribute is retrieved from the SAML assertion metadata. The default is
        Subject Name
        .
      10. Attribute Name
        : Enter the name of the attribute used to identify the user.
  6. Configure the following
    Security Settings
    :
    1. SAML Response Signature
      : Select
      Signed
      or
      Unsigned
      . When
      Signed
      is selected, SAML responses sent to the partner service provider must be signed. Sending signed authentication requests is highly recommended, but optional.
    2. Assertion Signature
      : Select
      Signed
      or
      Unsigned
      . When
      Signed
      is selected, SAML assertions sent to the partner service provider must be signed.
      You must select
      Signed
      for either
      SAML Response Signature
      or
      Assertion Signature
      or both.
      You must have a valid certificate installed for your organization.
    3. Signature Algorithm
      : Select an algorithm. The default is
      RSA-SHA256
      .
    4. Assertion Encryption
      : Select
      Encrypted
      or
      Unencrypted
      . When
      Encrypted
      is selected, SAML assertions sent to the partner service provider must be encrypted.
    5. If
      Assertion Encryption
      is set to
      Encrypted
      , select an
      Assertion Algorithm
      . The default setting is
      AES128
      .
    6. In the
      Certificate*
      field, click
      Browse
      to navigate to and select a certificate file. Only .cer and .crt files are supported.
  7. Optionally, add the following
    Additional information
    :
    1. Company Name
      : Enter a name that is a minimum of three characters and a maximum of 512 characters. The following special characters are not allowed: `!?"<>!$%&^()={},;\:?"<>
    2. Company Display Name
      : Enter a name that is a minimum of three characters and a maximum of 512 characters. The following special characters are not allowed: `!?"<>!$%&^()={},;\:?"<>
    3. Company URL
    4. Contact Person Name
    5. Role or Department
    6. Email Address
    7. Telephone Number
  8. Do one of the following:
    • If you are modifying an existing SSO configuration, click
      Apply
      , and then click
      Save
      on the
      User Authentication
      page.
    • For a new SSO configuration, configure Service Provider settings.