SAML SSO
Configuring SAML SSO for Your Organization
Bright supports SAML 2.0 Single Sign-On (SSO), allowing users to sign in with their existing Identity Provider (IdP). This guide explains how to configure, test, and enable SAML SSO for your organization.
Table of Contents
- Supported Identity Providers
- Before You Begin
- Step 1: Get Bright SP Details
- Step 2: Configure Your Identity Provider
- Step 3: Configure SAML in Bright
- Step 4: Configure User Provisioning
- Step 5: Test the Configuration
- Step 6: Enable SSO
- Single Logout (SLO)
- IdP-Initiated SSO
- User Login Flow
- Troubleshooting
- FAQ
- Related Resources
Supported Identity Providers
Bright supports any SAML 2.0-compliant Identity Provider, including:
- Microsoft Azure AD / Entra ID
- Okta
- AD FS (Active Directory Federation Services)
- Any SAML 2.0 provider
Note: Azure AD and Okta also support OIDC. This guide covers SAML only.
Before You Begin
Make sure you have:
- Organization Administrator permissions in Bright (org:read and auth-providers scopes).
- Administrator access to your Identity Provider.
- Your IdP's Entity ID, SSO URL, and X.509 Signing Certificate (or access to the metadata XML).
Step 1: Get Bright SP Details
Before configuring your Identity Provider, collect the Bright Service Provider (SP) details.
- Go to Organization Settings → SSO Authentication.
- Click Configure.
- Copy the following values:
| Field | Description |
|---|---|
| Bright Entity ID | Your organization's unique identifier |
| Assertion Consumer Service (ACS) URL | Where your IdP sends SAML responses |
| Single Logout Service URL | Used for Single Logout requests |
You can also:
- Click Export Metadata to download Bright's metadata XML.
- Click Export Signing Certificate to download the signing certificate.
Step 2: Configure Your Identity Provider
Create a new SAML application in your Identity Provider using the Bright SP details.
Required Configuration
| Setting | Value |
|---|---|
| ACS URL / Reply URL | Bright ACS URL |
| Entity ID / Audience | Bright Entity ID |
| Name ID Format | Email address (recommended) |
| Single Logout URL | Bright Single Logout URL (optional) |
Attribute Mapping
Make sure your IdP sends these attributes:
| SAML Attribute | Bright Field | Default Attribute |
|---|---|---|
| First Name | Given Name | givenName |
| Last Name | Family Name | familyName |
| Email | Used as the unique user identifier | Name ID |
Note: You can customize the attribute names if your IdP uses different values.
Step 3: Configure SAML in Bright
- Go to Organization Settings → SSO Authentication.
- Click Configure.
- Select SAML.
- Enter your Identity Provider details.
| Field | Required | Description |
|---|---|---|
| Entity ID | Yes | Your IdP Entity ID |
| SSO URL | Yes | Your IdP sign-on URL |
| Signing Certificate | Yes | X.509 certificate |
| Single Logout URL | No | Your IdP logout endpoint |
Import Metadata (Recommended)
Instead of entering the values manually, you can import your IdP metadata.
- From URL - Paste the metadata URL.
- From File - Upload the metadata XML file.
Bright automatically fills in the required fields.
Click Save when you're done.
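The script below is an added example, not part of Bright or of this guide. It does by hand what the metadata import does: it reads an IdP metadata XML document and pulls out the Entity ID, SSO URL, Single Logout URL and signing certificate, so you can cross-check the values the form filled in. SAMPLE_METADATA is a constructed document with a placeholder IdP, placeholder URLs and placeholder certificate bodies; to_pem wraps the bare base64 certificate in the PEM framing that SSO forms generally accept.

```python
"""Extract the Step 3 fields from IdP metadata (added example, not Bright's code).

SAMPLE_METADATA is constructed for this example; its entity ID, URLs and
certificate bodies are placeholders.
"""
import textwrap
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: an IdP publishing separate signing and encryption
# certificates and the same SSO endpoint under two bindings.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBplaceholderCertificateBodyLine1
        placeholderCertificateBodyLine2==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        ENCRYPTIONCERTPLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_url, slo_url, signing_certificates and name_id_formats."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['md']}}}EntitiesDescriptor":
        # Some IdPs wrap the single EntityDescriptor in an EntitiesDescriptor.
        root = root.find("md:EntityDescriptor", NS)
    if root is None or root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (such as Bright's own export) carries an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def endpoint(service: str) -> Optional[str]:
        # Prefer HTTP-Redirect, then HTTP-POST, then whatever binding is left.
        by_binding = {e.get("Binding"): e.get("Location")
                      for e in idp.findall(f"md:{service}", NS)}
        return (by_binding.get(REDIRECT) or by_binding.get(POST)
                or next(iter(by_binding.values()), None))

    # Only signing certificates verify responses. A KeyDescriptor with no "use"
    # attribute may serve both purposes, so it counts; use="encryption" keys are
    # skipped so they are not pasted into the Signing Certificate field by mistake.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            signing_certs.append("".join((cert.text or "").split()))

    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("SingleSignOnService"),
        "slo_url": endpoint("SingleLogoutService"),
        "signing_certificates": signing_certs,
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


def to_pem(base64_der: str) -> str:
    """Wrap a bare base64 certificate body in PEM framing, 64 characters per line."""
    body = "\n".join(textwrap.wrap(base64_der, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key in ("entity_id", "sso_url", "slo_url", "name_id_formats"):
        print(f"{key}: {info[key]}")
    for cert in info["signing_certificates"]:
        print(to_pem(cert))
```

To use it on a real document, replace SAMPLE_METADATA with the contents of your IdP's metadata file and compare the output with the values Bright filled in after the import. If the certificate differs, make sure the form holds the signing certificate rather than the encryption certificate; the two are often published side by side.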
Step 4: Configure User Provisioning
Just-in-Time (JIT) Provisioning
JIT provisioning creates a Bright account the first time a user signs in with SSO.
- Enable Automatically create new users at Bright.
- Configure the attribute mapping:
  - Given Name (givenName)
  - Family Name (familyName)
- Click Manage Groups and choose which groups new users should join. The All Users group is always included.
- Click Save.
SCIM Provisioning (Azure AD & Okta)
Azure AD and Okta also support SCIM provisioning for automatic user and group synchronization.
- Save your SSO configuration.
- Enable Sync the group & users from your SSO provider to Bright.
- Configure SCIM in your IdP using the endpoint and token provided by Bright.
Note: SCIM is currently supported only for Azure AD and Okta. Other SAML providers should use JIT provisioning.
Step 5: Test the Configuration
Test your configuration before enabling SSO.
- Go to Organization Settings → SSO Authentication.
- Open the menu next to Configure and select Test.
- Sign in through your Identity Provider.
- If the test succeeds, you'll be redirected back to Bright.
If the test fails, check:
- Entity ID
- SSO URL
- Signing Certificate
- ACS URL configuration
- Attribute mapping
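The checklist above, run as code, is an added example and not part of Bright or of this guide. Given the SP values from Step 1 and the IdP values entered in Step 3, it inspects a SAML Response and names the field that disagrees (Destination vs. ACS URL, Issuer vs. Entity ID, Audience, validity window, Name ID format, and the mapped name attributes) instead of reporting a bare test failure. SP_CONFIG and SAMPLE_RESPONSE are constructed placeholders; the sample response carries no signature, and the XML signature check a real SP performs before trusting any of these fields is out of scope here, so this is a configuration diagnostic, not a validator.

```python
"""Run the Step 5 checklist against a SAML Response (added example, not Bright's code).

SP_CONFIG and SAMPLE_RESPONSE are constructed placeholders. The response is
unsigned; verifying the XML signature is out of scope for this diagnostic.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Bright's SP values from Step 1 plus the IdP values entered in Step 3 (placeholders).
SP_CONFIG = {
    "sp_entity_id": "https://sp.example.test/saml/ORG_ID_PLACEHOLDER",
    "acs_url": "https://sp.example.test/saml/acs/ORG_ID_PLACEHOLDER",
    "idp_entity_id": "https://idp.example.com/metadata",
    "attributes": {"given_name": "givenName", "family_name": "familyName"},
}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed response: every field matches SP_CONFIG except an empty familyName.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.test/saml/acs/ORG_ID_PLACEHOLDER">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/ORG_ID_PLACEHOLDER</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="familyName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """SAML timestamps are UTC; fractional seconds are optional and dropped here."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, config, now):
    """Return human-readable problems; an empty list means every check passed."""
    problems, resp = [], ET.fromstring(xml_text)
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("IdP did not return status Success")
    dest = resp.get("Destination")
    if dest and dest != config["acs_url"]:
        problems.append(f"Destination {dest} is not the Bright ACS URL (ACS URL / Reply URL in Step 2)")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # none (e.g. only an EncryptedAssertion) or several
        problems.append(f"expected one plaintext Assertion, found {len(assertions)}")
        return problems
    assertion = assertions[0]
    for issuer in (resp.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        text = (issuer.text or "").strip() if issuer is not None else ""
        if text != config["idp_entity_id"]:
            problems.append(f"Issuer {text!r} is not the configured IdP Entity ID (Step 3)")
            break
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if config["sp_entity_id"] not in audiences:
        problems.append("Audience does not include the Bright Entity ID (Entity ID / Audience in Step 2)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore is in the future; check clock skew)")
        if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter has passed; check clock skew)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if not email:
        problems.append("no NameID in Subject; Bright uses it as the unique user identifier")
    elif name_id.get("Format") not in (None, EMAIL_FORMAT):
        problems.append(f"NameID Format is {name_id.get('Format')}, not emailAddress (Name ID Format in Step 2)")
    elif "@" not in email:
        problems.append(f"NameID {email!r} is not an email address; it must match the user's Bright email")
    # First non-empty value per attribute; JIT provisioning needs at least one character per name.
    values = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = next((v for v in vals if v), "")
    for field, attr_name in config["attributes"].items():
        if attr_name not in values:
            problems.append(f"attribute {attr_name} ({field}) is missing; check the IdP attribute mapping")
        elif not values[attr_name]:
            problems.append(f"attribute {attr_name} ({field}) is empty; JIT provisioning needs at least one character")
    return problems


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW) or ["all checks passed"]:
        print(line)
```

Run against the constructed sample, the only finding is the empty familyName, which is the condition behind the "Provisioning fails for short names" row in Troubleshooting. Replace SP_CONFIG with your own Step 1 and Step 3 values and SAMPLE_RESPONSE with a decoded response captured from a failed test to see which of the five checklist items disagrees.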
Step 6: Enable SSO
When the test succeeds, you can enable SSO.
Go to Organization Settings → SSO Authentication and choose one of the following modes:
| Status | Behavior |
|---|---|
| Disabled | Users sign in with email and password only. |
| Optional | Users can sign in with either SSO or email/password. |
| Mandatory | All users must sign in through your Identity Provider. |
Recommendation: Start with Optional and confirm that users can sign in through your Identity Provider before switching to Mandatory, because Mandatory locks out any user who is not available in the IdP.
Single Logout (SLO)
Single Logout signs users out of both Bright and your Identity Provider.
To enable it:
- Make sure your IdP supports SAML Single Logout.
- Enter the Single Logout URL.
- Enable Initiate Single Logout when users logout from Bright.
- Click Save.
IdP-Initiated SSO
After SAML is configured, users can also sign in directly from their Identity Provider portal, such as Azure My Apps or the Okta dashboard.
User Login Flow
Sign in from Bright
- Open the Bright login page.
- Enter your email address.
- Continue to your Identity Provider.
- Sign in.
- You are redirected back to Bright.
Sign in from your Identity Provider
- Open your Identity Provider portal.
- Click the Bright Security application.
- You are signed in automatically.
Troubleshooting
| Issue | Solution |
|---|---|
| SSO test fails | Verify the Entity ID, SSO URL, Signing Certificate, and ACS URL. |
| User cannot sign in | Verify that the user's email matches their Bright account. |
| User not found | Enable JIT provisioning or invite the user manually. |
| Provisioning fails for short names | Make sure first and last names contain at least one character. |
| SSO settings appear empty | Refresh the page. If needed, save the configuration again. |
| Single Logout not working | Verify the SLO URL and confirm your IdP supports SAML SLO. |
FAQ
Can I use both SAML and OIDC?
No. Only one authentication protocol can be active for an organization at a time.
What happens when I enable Mandatory SSO?
All users must sign in through your Identity Provider. Users who are not available in the IdP will not be able to access Bright.
Can I configure multiple Identity Providers?
No. Each organization supports a single SSO configuration.
Is SCIM required?
No. You can use JIT provisioning or manually invite users. SCIM is optional and provides automatic user and group synchronization for Azure AD and Okta.