Configuring Enforced SSO [Azure AD]

Blinq’s Enforced SSO feature allows a Workspace to force all members to sign in using a specific configured SSO Identity Provider based on the email domain of the user signing in.

In this SAML SSO setup, Azure AD manages your organization's user accounts and credentials and links with Blinq as the service provider for those users. Security Assertion Markup Language (SAML) is a security standard for managing authentication and access.

When you enable SSO with Blinq, the login prompt for your team will change to only allow SSO.

To configure enforced SSO with Azure AD you will need:

> A Blinq Business (Enterprise) subscription & Domains to be enabled by our Sales team

> Owner access to your Blinq Account

> Azure AD Admin access

> Have both Blinq & Azure AD open in different Tabs

How enforced SAML SSO works:

  1. Your team attempts to log in to Blinq via SAML SSO
  2. Blinq sends a SAML request to Azure AD
  3. They are redirected to the Azure AD login page to complete login.
  4. Azure AD checks your team member’s credentials
  5. Azure AD sends a response to Blinq to verify the team member's identity
  6. Blinq accepts the response and logs the team member into their Blinq account.

Note:

Blinq uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported identity providers and any custom configurations.

1. Open Security in Blinq

1. Log in to dash.blinq.me

2. Navigate to the Team Members page and confirm that you are listed as the Owner role. Only the Owner can access the correct settings page.

3. Click on the Workspace menu in the top left corner

4. Select Team Settings from the dropdown

5. Click into Security from the settings menu.
Keep this tab open while you work. You will need to copy information into Azure AD and vice versa. 

2. Configure SSO in Azure AD

1. Navigate to Microsoft Azure (https://portal.azure.com). It's OK if you use Microsoft 365; this is where you configure Single Sign On for your organisation.

2. Navigate to Enterprise Applications

3. Select New Application

4. Search for Blinq

5. Select Blinq from the search results

6. Click Create to continue

7. Click on Single Sign On from the manage menu

8. Select SAML

9. On Step 1, select Edit in the top right corner

10. Navigate to the Security page in the Blinq Dash and copy the ACS URL. It should look like: https://auth.blinq.me/authorize/callback/ID

11. In Entra, paste this into both the Reply URL (Assertion Consumer Service URL) and Sign on URL fields.

12. On step 3, SAML Certificates, click Edit

13. Click the Signing option and select Sign SAML response and assertion

14. Click Save

15. From this section, download the Base64 certificate, open it in a text editor, and copy and paste its contents into the Certificate field in the Blinq security form.

16. Copy the Login URL into the Single Sign on URL field on the Blinq security form

17. Copy the Microsoft Entra Identifier into the Identity Provider Entity ID field in the Blinq security form

18. Toggle on “Enforce SSO for all users” to activate enforced SSO for your users

19. With all fields complete, click Save. 

20. Your SSO should now be configured for your organization. All users logging in with email addresses ending in your domain will be directed to log in using SSO.

You can now log out of Blinq. When you log back in, you should be taken through the Azure AD SSO flow.
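
To confirm that steps 10 to 13 took effect, you can inspect the `SAMLResponse` form field that Azure AD posts to the ACS URL during that login (visible in the browser's developer tools). The Python script below is an added example, not Blinq or Microsoft code; the function names and the sample response are constructed for illustration, and it checks structure only, without verifying the signatures cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# ACS URL in the form shown on the Blinq Security page; "ID" is a placeholder.
ACS = "https://auth.blinq.me/authorize/callback/ID"

def check_saml_response(b64_response, expected_acs):
    """Return a list of configuration problems in a captured SAMLResponse.

    Structural check only: signatures are located, not verified.
    """
    xml_bytes = base64.b64decode(b64_response)
    # SAML messages never need a DTD; refuse it rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["response contains a DTD; refusing to parse"]
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match the ACS URL")
    # find() with a bare child path matches direct children only, so a
    # Signature nested somewhere else in the document does not count.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
    for assertion in assertions:
        if assertion.find("ds:Signature", NS) is None:
            problems.append("Assertion is not signed")
    return problems

def sample_response(sign_response, sign_assertion, destination=ACS):
    """Build a constructed, minimal SAMLResponse (empty Signature elements)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">'
           % (NS["samlp"], NS["saml"], destination)
           + (sig if sign_response else "")
           + "<saml:Assertion>" + (sig if sign_assertion else "") + "</saml:Assertion>"
           + "</samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample_response(True, True), ACS))
    print(check_saml_response(sample_response(True, False), ACS))
```

An empty list means the response and the assertion both carry a signature element and the response is addressed to the ACS URL you copied from Blinq.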