Brightspot CMS User Guide

Configuring a self-service SAML authenticator

You can configure a SAML authenticator with any identity provider running an SSO server that supports X509 certificates.

As a best practice, ensure users have email addresses as their usernames. You can then configure different authenticators for different email domains. For example, logins from users with an email address in the domain are routed to the Google Cloud Service authenticator, and logins from users with an email address in any domain outside of are routed to an Okta authenticator.

To configure a self-service SAML authenticator:

  1. Obtain from the identity provider the following:
    • Metadata file that Brightspot uses to verify a SAML response originated from the intended identity provider. This is an XML file starting with an EntityDescriptor element.
    • Identity provider's URL to which Brightspot sends SAML requests.
    • Identity provider's entity ID from the EntityDescriptor/entityID attribute.
  2. Click the menu icon, then Admin > Sites & Settings > Sites > Global.
  3. Click the search icon, located to the left of the more options (more_horiz) icon, and type Authenticators.
  4. Under Authenticators, click the add (add_circle_outline) icon and select Self Service SAML Tool Authenticator.
  5. Configure the identity provider to accept requests from Brightspot by doing the following:
    1. Click View Service Provider Metadata.
      (Illustration: Displaying SAML service provider metadata)
    2. Use the displayed metadata to configure the identity provider as required.
  6. Using the following table as a reference, complete the fields as needed.
  7. Click Save.
Valid Domains
Enter login email domains that are routed to this authenticator. For example, if you enter, login requests from emails in the domain (such as are routed to this authenticator.

Users attempting to log in using an email domain that is not specified in this or any other SAML authenticator are routed to the default authenticator (a standard username/password challenge).

Configuration
Select SAML X509.

Name
Enter a name for this SSO configuration. Brightspot uses this name in various widgets and in the _saml query parameter. See the Hidden field, below.

Auth Link Name
Enter text for the SSO label in the Brightspot login widget. If you enter Single Sign On, the label is Log Into Single Sign On.
(Illustration: SSO login label)

Identity Provider URL
Enter the identity provider's URL you obtained in step 1.

Entity ID
Enter the identity provider's entity ID you obtained in step 1.

Idp Meta Data
Upload the identity provider's entity metadata XML file you obtained in step 1.

Issuer URL
Enter the value Brightspot assigns to the element <saml:issuerurl> in a SAML authorization request.

Email Attribute Field
Enter the name of the field into which the identity provider returns a user's email. For example, if you enter mail in this field, the identity provider returns an XML clause similar to the following:

<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string"></saml:AttributeValue>
</saml:Attribute>

After receiving the assertion from the identity provider, Brightspot uses the value of the email attribute field as the editor's username. For example, if the SAML element <saml:attribute name="mail"> contains the address, Brightspot uses that address as the editor's username.
(Illustration: Username from SAML email attribute)

Groups Attribute Field
Enter the name of the field into which the identity provider returns a user's associated groups.

Brightspot uses the value in this field as the editor's role. (If more than one group is returned, Brightspot uses the first one returned.) Therefore, in an SSO environment, ensure the roles on the SSO server match the roles in Brightspot. (For information about configuring roles, see Roles.)

Hidden
If toggled on, this SAML authenticator appears in the login widget only if the query string _saml=PROVIDER_NAME appears in the login URL. For example, editors typically log in to Brightspot at the URL If this field is toggled on, editors must log in at the URL The value of PROVIDER_NAME is the value you configure for the Name field described above. If the Name field is set to bspsso, then editors must log in at

Disable Newly Provisioned Tool Users
When a new editor successfully logs in through this SAML configuration, Brightspot creates a new account for that editor.

If this field is toggled on, that new editor cannot log in to Brightspot, and an admin must manually activate the account. If this field is toggled off, the editor can log in to the new account. (This field has no impact when the editor is already provisioned on the identity provider's server.)

Key Info Required
If this field is toggled on, Brightspot requires the identity provider to return data in a <ds:KeyInfo> element. If this field is toggled off, the identity provider does not need to return data in a <ds:KeyInfo> element.
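The Valid Domains, Email Attribute Field, Groups Attribute Field and Key Info Required settings above together decide which authenticator handles a login and what username and role the editor ends up with. The following Python models that behaviour as an added example (not Brightspot code) against a constructed assertion fragment; the address, group names and certificate in it are placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed assertion fragment; address, groups and certificate are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:string">editor@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:string">Editor</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">Contributor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def attribute_values(root, name):
    """All AttributeValue texts of the saml:Attribute whose Name matches."""
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return []

def resolve_login(assertion_xml, email_field, groups_field, key_info_required):
    """Map an assertion to the username and role the fields above derive from it."""
    root = ET.fromstring(assertion_xml)
    key_info = root.find(f".//{{{DS_NS}}}KeyInfo")
    if key_info_required and (key_info is None or len(key_info) == 0):
        raise ValueError("Key Info Required is on but the assertion has no ds:KeyInfo data")
    emails = attribute_values(root, email_field)
    if not emails or not emails[0]:
        raise ValueError(f"no value for email attribute field {email_field!r}")
    groups = attribute_values(root, groups_field)
    # Only the first group becomes the role, so the identity provider must order them.
    return {"username": emails[0], "role": groups[0] if groups else None}

def route_authenticator(email, valid_domains_by_authenticator):
    """Pick the authenticator whose Valid Domains cover the email's domain, else the default."""
    domain = email.rpartition("@")[2].lower()
    for name, domains in valid_domains_by_authenticator.items():
        if domain in {d.lower() for d in domains}:
            return name
    return "default"
```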

The following illustration shows the relationship between Brightspot as a service provider and Simple SAML PHP as an identity provider.

(Illustration: Integrating Brightspot with SimpleSAML Identity Provider)
