Configuring SAML for Single Sign-On

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties. For example, between an identity provider and a service provider. Black Duck's SAML implementation provides single sign-on (SSO) functionality, enabling Black Duck users to be automatically signed-in to Black Duck when SAML is enabled. Enabling SAML applies to all your Black Duck users and cannot be selectively applied to individual users.

All hosted customers should secure access to their Black Duck application by leveraging our out-of-the-box support for single sign on (SSO) via SAML or LDAP. Information on how to enable and configure these security features can be found in the installation guides. In addition, we encourage customers that are using a SAML SSO provider that offers two-factor authorization to also enable and leverage that technology to further secure access to their Black Duck application.

Note the following:

  • It is not possible to configure both SAML and LDAP at the same time.

  • To enable or disable SAML functionality, you must be a user with the system administrator role.

  • Black Duck is able to synchronize and obtain an external user's information (Name, FirstName, LastName and Email) if the information is provided in attribute statements. Note that the first and last name values are case-sensitive.

    Black Duck is also able to synchronize an external user's group information if you enable group synchronization in Black Duck.

  • When logging in with SAML enabled, you are re-directed to your identity provider's login page, not Black Duck's login page.

  • When SSO users log out of Black Duck, a logout page now appears notifying them that they successfully logged out of Black Duck. This logout page includes a link to log back into Black Duck; users may not need to provide their credentials to successfully log back in to Black Duck.

  • If there are issues with the SSO system and you need to disable the SSO configuration, you can enter the following URL: Black Duck servername/sso/login to log in to Black Duck.

Enabling or disabling single sign-on using SAML

  1. Click Administration icon and select System Settings.

  2. Select User Authentication to display the User Authentication page.



  3. In the External Authentication settings, complete the following:
    1. Select SAML from the Choose an authentication method dropdown menu.

    2. Select the Enable SAML configuration check box.

    3. Service Provider Entity ID field: Enter the information for the Black Duck server in your environment in the format https://host where host is your Black Duck server.
    4. Select one of the following Identity Provider Metadata:

      • URL and enter the URL for your identity provider.

      • XML File and either drop the file or click in the area shown to open a dialog box from which you can select the XML file.

    5. Service Provider Entity ID field. Enter the information for the Black Duck server in your environment in the format https://host where host is your Black Duck server.

    6. External Black Duck Url field. The URL of the public URL of the Black Duck server.

      For example: https://blackduck-docker01.dc1.lan

    7. Optionally, select any of the following:

      • Send Signed Authentication Request: If this option is enabled, it indicates the asserting party's preference that relying parties should sign the authentication request before sending.

      • Enable Group Synchronization: If this option is enabled, upon login, groups from the Identity Provider (IDP) are created in Black Duck and users will be assigned to those groups. Note that you must configure IDP to send groups in attribute statements with the attribute name of 'Groups'.

      • Enable Local Logout Support: If this option is enabled, after logging out of Black Duck, the IDP's login page would appear. When local logout support is enabled, SAML requests are sent with ForceAuthn="true". Check with the IDP to confirm that this is supported.

      • Create user accounts automatically in Black Duck: If a user logs in using the IdP and the user doesn't exist in Black Duck, we create a local user in Black Duck's database if that option is selected.

  4. Click Save.

After clicking Save, the Black Duck Metadata URL field appears. You can copy the link or directly download the SAML XML configuration information.

To disable single sign-on using SAML

  1. Click Administration icon.

  2. Select User Authentication to display the User Authentication page.

  3. In the External Authentication settings, clear the Enable SAML configuration check box.

  4. Click Save.

Additional information

  • Assertion Consumer Service (ACS): https://<host>/saml/SSO

  • Recommended Service Provider Entity ID: https://<host> where host is your Black Duck server location.