Configuring Enforced SSO [Azure AD]

Blinq’s Enforced SSO feature allows a Workspace to force all members to sign in through a specific configured SSO Identity Provider, selected by the email domain of the user signing in.

In this SAML SSO setup, Azure AD manages your organization's user accounts and credentials and is linked to Blinq, which acts as the service provider for those users. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.

When you enable Enforced SSO with Blinq, the login prompt for your team changes to allow SSO only.

To configure enforced SSO with Azure AD you will need:

> A Blinq Business (Enterprise) subscription

> Owner access to your Blinq Account

> Azure AD Admin access

> Blinq and Azure AD open in separate browser tabs

How enforced SAML SSO works:

  1. A team member attempts to log in to Blinq via SAML SSO.
  2. Blinq generates a SAML authentication request and redirects the team member's browser to Azure AD with it.
  3. The team member completes login on the Azure AD login page.
  4. Azure AD checks the team member’s credentials.
  5. Azure AD sends a signed SAML response back to Blinq (via the browser) asserting the team member's identity.
  6. Blinq validates the response against the certificate and identifiers configured below and, if it is valid, logs the team member into their Blinq account.

Note:

Blinq uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported identity providers and any custom configurations.

1. Confirm Domains with Blinq Support

  • Your organization’s Enforced SSO ensures that team members who log in with an email address from one of your registered domains are prompted to sign in via SSO.
  • Team members can only join your Workspace if their email address ends in one of your validated domains.
  • You can list more than one domain, including subdomains.

1. Contact Blinq Support with the list of domains you want to register for SSO, including an example email address for each.

2. Blinq will approve the domains and tell you when you can continue with the configuration.

3. You may be required to prove that you own each domain via DNS verification.

Note

You can ask to add domains to or remove domains from your organization at any time by contacting Blinq Support.

2. Open Security in Blinq

1. Log in to dash.blinq.me as your Blinq account Owner

2. Click the Workspace menu in the top left corner

3. Select Team Settings from the drop-down

4. Click Security in the settings menu. Keep this tab open while you work: you will need to copy information from it into Azure AD and vice versa.

3. Configure SSO in Azure AD

1. Open Azure Active Directory in the Azure portal

2. Go to Default Directory

3. Click Create new application

4. Click Create your own application

5. Enter a name for the new application, e.g. Blinq SSO

Note

Don’t use the Blinq entry that the application gallery auto-recommends. That entry is for provisioning users, not for Enforced SSO.

6. Click Create

7. Under the Manage menu on the left, click Single sign-on

8. Select SAML

9. Click Edit on the Basic SAML Configuration section

10. Switch back to the Blinq Security tab and locate the “Service Provider App Entity ID (SP Entity ID)” field. It is pre-populated.

11. Copy the contents of the Service Provider App Entity ID (SP Entity ID) field

12. Paste the value into the Identifier (Entity ID) input in Azure

13. Switch back to the Blinq Security tab and locate the “ACS URL” field

14. Copy the ACS URL from Blinq

15. Paste the value into the Reply URL (Assertion Consumer Service URL) field in Azure, then click Save

16. Copy the Login URL from Azure

17. Paste the value into Single Sign-on URL in Blinq

18. Copy the Azure AD Identifier from Azure

19. Paste the value into Identity Provider Entity ID (Issuer Entity ID) in Blinq

20. Under SAML Certificates in Azure, click the Certificate (Base64) download link and save the certificate file

21. Open the certificate file in a text editor. It begins with “-----BEGIN CERTIFICATE-----” and ends with “-----END CERTIFICATE-----”.

22. Copy the entire contents, including the BEGIN and END lines, to your clipboard

23. Paste the contents into the empty Certificate field in Blinq. Do not apply any special formatting; the value must be exactly what the file contains.

24. Assign users and groups to the application in Azure as you normally would.

Note

The values exchanged in steps 10 to 19 must match exactly on both sides; a trailing space or a typo in an Entity ID or URL causes Azure AD or Blinq to reject the login. The Azure AD signing certificate also has an expiry date, shown on the SAML Certificates card. When it is rotated, download the new Certificate (Base64) and replace the Certificate field in Blinq before the old certificate expires, otherwise SSO logins will fail.
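The following Python script is an added example, not Blinq’s or Microsoft’s code. It ties the copy-and-paste steps above to the login flow described under “How enforced SAML SSO works”: it pulls the three IdP values Blinq asks for (Issuer Entity ID, Single Sign-on URL, certificate) out of an Azure AD federation metadata document, checks that the certificate is pasted as clean PEM, and then runs the structural checks a service provider makes on a SAML Response, showing that the Issuer, Destination and Audience of a response are exactly the Issuer Entity ID, ACS URL and SP Entity ID exchanged during setup, so a value copied with a typo fails at login. The tenant ID, the metadata, the response and the sp.example.com URLs are constructed placeholders, the certificate blob is not a real certificate, and XML signature verification is intentionally left to a proper SAML library.

```python
"""Cross-check the values copied between Blinq and Azure AD during SAML SSO setup.
Added example, not Blinq's or Microsoft's code. Everything below is constructed: the tenant
ID is fake, the metadata and Response are hand-written samples (the "certificate" is not a
real X.509 cert) and BLINQ_SP holds placeholder URLs; use the values on Blinq's Security tab."""
import base64
import xml.etree.ElementTree as ET  # fine for your own IdP's metadata; use defusedxml for untrusted XML
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TENANT = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant ID
FAKE_CERT_B64 = base64.b64encode(b"not a real certificate body").decode()
BLINQ_SP = {"entity_id": "https://sp.example.com/saml/metadata",  # placeholder: Blinq's SP Entity ID
            "acs_url": "https://sp.example.com/saml/acs"}          # placeholder: Blinq's ACS URL
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, 5, tzinfo=timezone.utc)  # "now" when checking the sample

# Shape of Azure AD's federation metadata: entityID and the SSO endpoint are tenant-scoped.
AZURE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def to_pem(cert_b64: str) -> str:
    """Wrap a bare base64 blob the way Azure's Certificate (Base64) download does."""
    raw = "".join(cert_b64.split())
    base64.b64decode(raw, validate=True)  # ValueError if the blob is not base64
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def idp_settings_from_metadata(xml_text: str) -> dict:
    """The three IdP values Blinq asks for: Issuer Entity ID, Single Sign-on URL, certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    redirect = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding", "").endswith("HTTP-Redirect")]
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"issuer_entity_id": root.get("entityID"), "sso_url": redirect[0], "certificate_pem": to_pem(cert.text)}


def check_pasted_certificate(pem: str) -> list:
    """What 'do not use any special formatting' means for the Certificate field in Blinq."""
    problems, lines = [], pem.strip().splitlines()
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        problems.append("BEGIN/END CERTIFICATE lines missing or altered")
    try:
        base64.b64decode("".join(l for l in lines if not l.startswith("-----")), validate=True)
    except ValueError:
        problems.append("body is not clean base64 (stray spaces, smart quotes or HTML?)")
    return problems


def check_saml_response(response_xml: str, sp: dict, idp: dict, now: datetime) -> list:
    """Structural checks the SP (step 6 of the flow) makes before trusting a Response; every field
    is a value copied during setup. XML-DSig verification is left to a maintained SAML library."""
    problems, root = [], ET.fromstring(response_xml)
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination != ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp["issuer_entity_id"]:
        problems.append("Issuer != Identity Provider Entity ID")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("no XML signature present to verify against the configured certificate")
    cond = assertion.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp["entity_id"]:
        problems.append("Audience != SP Entity ID (assertion was issued for another service)")
    start, end = (datetime.fromisoformat(cond.get(a).replace("Z", "+00:00")) for a in ("NotBefore", "NotOnOrAfter"))
    if not start <= now < end:
        problems.append("assertion outside its validity window (replay or clock skew)")
    return problems


def sample_response(audience: str) -> str:
    """Constructed Azure-style Response; the Signature body is a placeholder, not a real signature."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{BLINQ_SP['acs_url']}">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    idp = idp_settings_from_metadata(AZURE_METADATA)
    print("Paste into Blinq:", idp["issuer_entity_id"], idp["sso_url"], idp["certificate_pem"], sep="\n")
    print("good response  :", check_saml_response(sample_response(BLINQ_SP["entity_id"]), BLINQ_SP, idp, SAMPLE_NOW))
    print("wrong audience :", check_saml_response(sample_response("https://other.example.net"), BLINQ_SP, idp, SAMPLE_NOW))
```

Run it as-is to see the values Blinq expects and the two response checks; to use it against your own tenant, replace AZURE_METADATA with the federation metadata XML downloaded from the Azure AD SAML page and BLINQ_SP with the SP Entity ID and ACS URL from Blinq's Security tab. The "wrong audience" case is the one to remember: a response is only valid for the SP Entity ID it names, so the Identifier you give Azure AD in step 12 and the value Blinq shows must be byte-for-byte identical.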

4. Enable SSO in Blinq

1. Toggle on “Enforce SSO for all users” to activate Enforced SSO for your users

2. Your SSO is now configured for your organization. All users logging in with email addresses ending in one of your registered domains will be directed to log in using SSO.

3. Test the Azure AD SSO flow in a private browsing window before logging out of the Owner session, so that a mis-copied value can be corrected from the session you still have open. Then log out of Blinq; when you log back in, you should be taken through the Azure AD SSO flow.