About federated authentication

Overview

Blueprint's federated authentication provides on-premise and cloud customers with the ability to leverage their existing identity provider to authenticate users in Blueprint. In other words, after a user has authenticated with your identity provider, Blueprint does not require a username and password to access the system.

What is federated authentication and SAML?

Federated authentication is the practice of allowing an external system to provide authentication services for another application. The external system does more than store credentials: it is the system that validates authentication attempts. SAML is one example of a federated authentication technology.

SAML (Security Assertion Markup Language) is a technology used to implement federated authentication and single sign-on (SSO). SAML provides a secure, XML-based solution for exchanging user security information between an identity provider (your company) and a service provider (Blueprint).

How it works

With federated authentication, no direct connection is required between Blueprint and the identity provider:

When the client accesses the service provider (that is, Blueprint), Blueprint requests that the client identify itself through SAML. The user authenticates with the identity provider, which in turn returns an assertion (that is, a token). This token is then sent to Blueprint as proof of successful authentication and identity.

System requirements

This section outlines technology requirements and variables that are needed in order to configure federated authentication.

Federated authentication technology requirements

Blueprint supports the following federated authentication technologies:

Required variables

Identity provider requirements

Federated authentication settings requirements

After configuring your identity provider to work with Blueprint, you must enable federated authentication in Blueprint.

You must provide information for the following fields:

Example setup

Jamal, an IT administrator, is setting up federated authentication for a company (called BP Airlines) using the Blueprint cloud instance.

First, Jamal makes sure the identity provider is configured properly, like so:

Next, Jamal configures the Federated Authentication Settings in Blueprint (Instance Administration Console, Configure Settings section). He selects Enable Federated Authentication and uploads a new certificate. Jamal also specifies values for the Login URL (defines the identity provider service URL) and the Logout URL (the URL users navigate to after clicking the Logout button):

After the setup is complete, Jamal's chosen implementation allows cloud customers to forgo the default log-on process with the click of a link.

User flows

Service provider initiated login

  1. User navigates to the Blueprint login screen.

  2. User clicks the Go button.

  3. User logs in with corporate identity (if not already authenticated).

The user is authenticated and can begin using Blueprint.
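The exchange described under How it works and in the service provider initiated login steps above, as an added example in Python that is not part of the original page or Blueprint's own code. The entity IDs, URLs and user name are constructed assumptions; the identity provider's response is a constructed stand-in whose Signature element is only a placeholder (a real service provider verifies that signature against the certificate uploaded in the Federated Authentication Settings). What the example does show is the rest of what makes the returned token usable as proof of identity: it must answer a request Blueprint actually sent, be addressed to Blueprint, come from the configured identity provider, be inside its validity window, and be accepted only once.

```python
# Added illustration of the SAML login exchange; not Blueprint's code.
# Entity IDs, URLs and the user name below are constructed assumptions.
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DSIG}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://blueprint.example.com/sp"      # assumption: service provider (Blueprint)
ACS_URL = "https://blueprint.example.com/saml/acs"     # assumption: where the token is posted back
IDP_ENTITY_ID = "https://idp.bpairlines.example/idp"   # assumption: identity provider entity ID
IDP_LOGIN_URL = "https://idp.bpairlines.example/sso"   # assumption: the "Login URL" setting

SEEN_ASSERTION_IDS = set()  # assertions are single-use; presenting one twice is refused


def utc_now(offset_minutes=0):
    return datetime.now(timezone.utc) + timedelta(minutes=offset_minutes)


def ts(dt):  # SAML timestamps are UTC; constructed values use whole seconds
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now=None):
    """Step 1: the service provider asks the client to identify itself via the IdP.
    Returns (request_id, redirect_url); the ID is kept so the answer can be tied back."""
    now = now or utc_now()
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{ts(now)}" AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    param = urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")
    return request_id, f"{IDP_LOGIN_URL}?SAMLRequest={param}"


def constructed_idp_response(request_id, user="jamal@bpairlines.example", now=None):
    """Step 2 (constructed stand-in): what the IdP returns after the user authenticates.
    A real IdP signs the assertion; the Signature element here is only a placeholder."""
    now = now or utc_now()
    expiry = ts(now + timedelta(minutes=5))
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DSIG}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}" '
        f'InResponseTo="{request_id}" Destination="{ACS_URL}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
        f'<saml:Subject><saml:NameID>{user}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{ACS_URL}" '
        f'NotOnOrAfter="{expiry}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{expiry}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )


def require(ok, why):
    if not ok:
        raise ValueError(why)


def validate_response(response_xml, expected_request_id, now=None):
    """Step 3: checks the service provider makes before the token counts as proof of identity.
    Returns the asserted NameID or raises ValueError. Real deployments also verify the XML
    signature against the uploaded IdP certificate; only its presence is checked here."""
    now = now or utc_now()
    root = ET.fromstring(response_xml)
    require(root.tag == f"{{{SAMLP}}}Response", "not a SAML Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    require(code is not None and code.get("Value") == SUCCESS, "IdP did not report success")
    require(root.get("InResponseTo") == expected_request_id, "does not answer an outstanding request")
    require(root.get("Destination") == ACS_URL, "not addressed to this service provider")
    a = root.find("saml:Assertion", NS)
    require(a is not None and a.find("ds:Signature", NS) is not None, "missing or unsigned assertion")
    require(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    require(cond is not None and parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")),
            "assertion outside its validity window")
    require(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
            "assertion intended for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    require(scd is not None and scd.get("InResponseTo") == expected_request_id
            and scd.get("Recipient") == ACS_URL and now < parse_ts(scd.get("NotOnOrAfter")),
            "subject confirmation does not match this request")
    require(a.get("ID") not in SEEN_ASSERTION_IDS, "assertion replayed")
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def login_round_trip():
    """Runs steps 1 to 3 end to end and returns the authenticated user name."""
    request_id, redirect_url = build_authn_request()
    return validate_response(constructed_idp_response(request_id), request_id)
```

Running `login_round_trip()` returns the asserted user name. The value of the example is in the rejections: the same response presented a second time, a response whose Audience names a different service provider, or one presented after its NotOnOrAfter time, each raises ValueError, which is why an expired session (described later on this page) sends the user back to the identity provider rather than reusing an old token.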

Identity provider initiated login

Identity provider initiated login is very flexible and may vary drastically depending on your chosen implementation. For demonstration purposes, here is a common implementation of identity provider initiated login:

  1. User navigates to a company Intranet webpage.

  2. User clicks a Blueprint link.

  3. Blueprint is loaded and authenticated automatically.

The user is authenticated and can begin using Blueprint.

Expired session

Expired sessions can happen for both service provider initiated login and identity provider initiated login.

An expired session can happen for a variety of reasons:

Here is the typical user flow when a user encounters an expired session:

  1. User is presented with a dialog explaining that the session has expired.

  2. User clicks OK.

  3. User is re-authenticated automatically, assuming the user is still authenticated with the identity provider. If the user is not still authenticated with the identity provider, the user is prompted to re-authenticate with the identity provider.

The user is re-authenticated and can continue using Blueprint.

Configuration

Setting up Blueprint federated authentication is a two-step process:

Tasks

Configuring your identity provider for Blueprint federated authentication

Enabling Blueprint federated authentication

Learn More

Instance Administration

Managing Active Directory settings