SSO setup and JIT provisioning: BMS and Passly

Introduction

This article covers the authentication setup between BMS and Passly. Follow this guide to set up SAML-based SSO and Just-in-Time (JIT) provisioning using Passly and BMS.

Single sign-on with Passly

This section covers how to configure BMS to authenticate users with Passly using SAML-based Single Sign-On (SSO).

  1. Create Passly Group
  2. Add BMS to Passly
  3. Download Certificate
  4. Setup BMS SSO
  5. Enable SSO for Employees

Create Passly group

You need to have a Passly user group to associate with the BMS SSO configuration.

  1. In Passly, navigate to Directory Manager > Groups.
  2. Click the '+' button to create a new group.
  3. Give a name to your group.
  4. Click the Add Group button.
  5. Add users to the group. 

Add BMS to Passly

  1. Navigate to SSO Manager.
  2. Click the '+' button followed by the book button.
  3. Search for 'Kaseya BMS' in the application catalog and select it. 
  4. Check Application is Enabled.
  5. Click Add Application.


Permissions

  1. Navigate to the Permissions tab.
  2. Click Add Group.
  3. Select the group you created previously.
  4. Click Add Groups.

Attribute Transformation

  1. Navigate to the Attribute Transformation tab.
  2. Remove the CompanyName attribute.
  3. Save your changes.
  4. Click Add Custom Attribute Map.
  5. Add back the CompanyName attribute, referencing your tenant name.
  6. Click Add Mapping.
  7. Save your changes. 


Protocol Setup

  1. Navigate to the Protocol Setup tab.
  2. For Assertion Consumer URL, change the base URL to the base URL of your BMS server. In the example below, the base URL is na1bmspreview.kaseya.com.
  3. For Service Entity ID, change the base URL to the base URL of your BMS server. In the example below, the base URL is na1bmspreview.kaseya.com.
  4. Save your changes.


Download certificate 

  1. Navigate to the Signing and Encryption tab.
  2. Click Download.


Passly application assignment

  1. Navigate to Launchpad in the left menu.
  2. Right-click on the BMS application, and copy the link to a text pad.
  3. Click on the BMS application.
  4. Verify that you are redirected to and logged in to BMS.


Setup BMS SSO

  1. In BMS, navigate to Admin > My Company > Auth and Provision.
  2. On the Single Sign On tab, click Upload Certificate.
  3. Select the Passly certificate you previously downloaded.
  4. Set Enable Single Sign On via SAML to Yes.
  5. Paste the Passly login URL you copied above into the SAML Login Endpoint URL field. This enables user authentication with Passly from the BMS login page.
  6. Click Save.


Enable SSO for employees

  1. Navigate to HR > Employees.
  2. Select an employee.
  3. Under External Authentication Type, select SAML SSO.


Just-in-time (JIT) provisioning is a method of creating application accounts automatically. JIT integrates your Active Directory services, your IdP (Passly), and your web application (BMS).

With JIT enabled for BMS, AD users are created and provisioned in BMS when they sign on to the BMS portal. This eliminates the need for manual user creation and automates employee/end-user onboarding.

To set up JIT provisioning with BMS, perform the following steps:

Prerequisites in Passly  

  • SAML-based single sign-on enabled.
  • The end users/groups should have the SAML app assigned in Passly Applications.
  • The domain and security groups should be present and match the mapping rules set up in BMS.
  • Each user account should have an email address associated with it.

Enable JIT provisioning

An additional attribute, DisplayName, needs to be added in Passly for JIT provisioning.
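As an added pre-flight check (not part of the Kaseya article or either product), the following Python script inspects a SAML Response the way the Protocol Setup and attribute steps above require: the Destination (Assertion Consumer URL) and Audience (Service Entity ID) must point at the BMS base URL, and CompanyName, DisplayName and an email attribute must be present. The attribute name Email, the URL paths and the sample response are assumed/constructed; the script does not verify the XML signature, which BMS itself must do.

```python
"""Pre-flight check of a SAML Response for the Passly -> BMS setup.
Checks Destination/Audience hosts and required attributes only; it does
NOT validate the XML signature (assumption: BMS performs that check)."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# CompanyName and DisplayName are named in the setup steps; "Email" is an
# assumed attribute name for the required email address.
REQUIRED_ATTRS = ("CompanyName", "DisplayName", "Email")

# Constructed, unsigned sample using the base URL from the example above;
# the URL paths are placeholders, not BMS's real endpoints.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://na1bmspreview.kaseya.com/PLACEHOLDER-ACS">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://na1bmspreview.kaseya.com/PLACEHOLDER-ENTITY</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="CompanyName"><saml:AttributeValue>example-tenant</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="DisplayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, bms_base_url):
    """Return a list of problems; an empty list means the response looks usable."""
    host = urlparse(bms_base_url).hostname
    root = ET.fromstring(xml_text)
    problems = []
    # Assertion Consumer URL must be on the BMS server, not the catalog default.
    if urlparse(root.get("Destination", "")).hostname != host:
        problems.append("Destination (Assertion Consumer URL) is not on the BMS host")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # Service Entity ID is carried as the Audience restriction.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if urlparse(audience).hostname != host:
        problems.append("Audience (Service Entity ID) is not on the BMS host")
    # Attributes BMS needs for SSO (CompanyName) and JIT (DisplayName, email).
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute {name} (JIT/SSO will fail)")
    return problems
```

Run `check_response(SAMPLE_RESPONSE, "https://na1bmspreview.kaseya.com")` against a response captured from your own IdP (after decoding) to confirm the mapping before enabling SSO for employees.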


Just-in-Time (JIT) provisioning is set up on the BMS Authentication page.

  1. In BMS, navigate to Admin > My Company > Auth and Provision.
  2. Choose SSO JIT Provisioning.
  3. Set default values under Employee Defaults; these will be assigned to the users being provisioned.
  4. Add Mapping Rules to start provisioning Active Directory groups to BMS.
  5. Multiple rules can be added to establish mappings for different security groups.
  6. Save your settings.
  7. Users will be auto-provisioned based on your Active Directory domain and security group/user mappings to BMS.
  8. The provisioned user will be attached to the account defined in Employee Defaults.


Logs

For any issues with JIT or SAML, check the logs to see the error messages.

Navigate to Admin > Logs > System and review the log entries with source SAML; they show where the setup is failing.