How to set up SAML Single Sign-on
SAML-based single sign-on (SSO) gives members access to Blink through an identity provider (IDP) of your choice. This authentication method only applies when signing in with their email address - if the user signs on with their phone number it will always authenticate via SMS.
Some of the steps below will involve jumping back and forth between the Blink admin panel and your identity provider. Therefore we recommend that you open each in a new tab (if the IDP console is browser based) before continuing.
- Enable SAML in the Blink Admin panel
- Configure the Identity Provider
- Add IDP Metadata to Blink
Enable SAML in the Blink Admin panel
The first step in configuring SAML with Blink is to open the admin panel. This can be accessed via the in-app menu.
Once in the admin panel find the Authentication menu item. Only Organisation Admins can manage these settings.
Once on the Authentication page select the SAML option.
You will now be presented with a series of URLs which you will require when configuring your identity provider. If your IDP supports importing a metadata xml file for configuration (e.g. Azure AD) then download this now.
Configure the Identity Provider
Azure Active Directory
Go to the Azure AD portal and select Enterprise Applications. If you have an existing Azure AD app configured for provisioning users in Blink via SCIM select the app and continue to the next step. If not select New Application -> Non-gallery application. Enter a name and click Add.
Once created select the Single sign-on tab in the navigation bar then select SAML.
The simplest way to set the configuration is to upload the metadata file you downloaded from Blink earlier. To upload simply click the Upload metadata file button.
Once uploaded press Save. Next click on the pencil icon in the top of the 2nd section (User Attributes & Claims).
Followed by the pencil next to "Name identifier value".
Ensure that the name identifier format is set to Email address and that the source attribute is mapped to whichever AD attribute contains the email address you wish the user to login to Blink with. Usually this is contained in the user.mail attribute. Once set click save.
Once saved download the Federation Metadata XML file. Remember where you save this as you will need it in a later step.
Finally you need to assign which Users and Groups can login to Blink via SAML. To do this navigate to the Users and groups tab in the navigation bar. Click Add User followed by Users and Groups. You can either select a group containing all users who require Blink access or you can assign them individually.
Once you have assigned the users continue to Add IDP Metadata to Blink.
Go to the Google admin portal and select Apps.
Followed by SAML apps.
Click the add button to create a new SAML app.
Click Setup my own custom app.
When presented with the Google IdP Information download the IDP metadata. Remember where you save this as you will need it in a later step.
Name the application.
Enter the ACS Url and Entity Id from the Blink SAML settings page. Check Signed Response, ensure the Name ID is set to Primary Email and the Name ID Format is EMAIL.
The console will then redirect you to the configured app. To enable login via SAML click edit service.
You can then choose to enable SAML login for all users in your G Suite account or on a per organizational unit basis. Remember to press save for each unit you enable.
Once you have enabled all the users you require continue to Add IDP Metadata to Blink.
Add IDP Metadata to Blink
The final step in the process is to add the IDP metadata into Blink. The simplest method for setting these details is to read the metadata provided by the IDP. If you have this simply click "Read metadata file" and select the file - if you followed our guides on setting up Azure AD or G Suite this is the file you downloaded earlier.
If you do not have a metadata file from the IDP click "Or enter details manually" and you will be presented with 4 fields. You will need to complete these fields with details provided by your IDP.