A step by step guide on how to set up Single Sign On (SSO) for your Blue Jeans Enterprise account.

Configuring Microsoft ADFS for SSO integration with Blue Jeans


Prerequisites

▪ SSL Certificate for signing.

▪ A Blue Jeans Enterprise account with a Custom Landing Page (CLP) e.g. https://bjnsupport.bluejeans.com

▪ Group Admin level access to your Blue Jeans Enterprise account.

▪ If your Blue Jeans Enterprise account has active users, then we recommend that you contact the Blue Jeans Support team ([email protected]) to create a test Enterprise account.


Prerequisites – Windows Server 2008 R2 only

▪ Windows Server 2008 R2 installations require ADFS 2.0 including the ADFS Rollup 2 update.

▪ After the update has been installed, please add the following line to the microsoft.identityServer.web block in the file located at: C:\inetpub\adfs\ls\web.config

<microsoft.identityServer.web>

...

<useRelayStateForIdpInitiatedSignOn enabled="true"/>

</microsoft.identityServer.web>


ADFS Configuration

▪ Load the ADFS MMC Snap-In and select Add a trusted relying party to start the wizard.


ADFS Configuration – Add Blue Jeans RP

▪ On the welcome screen click on Start.

▪ Leave the default option of Import data about the relying party published online or on a local network checked and then enter the following URL into the Federated metadata address (hostname or URL) field: https://bluejeans.com/support/saml-metadata.xml


▪ You can leave the Display name field with the default value of bluejeans.com unless you wish to choose a different name.

▪ Keep the default option Permit all users to access this relying party checked.

▪ While at the Ready to Add Trust step, please verify the following tabs:

• Monitoring: The Relying party’s metadata URL should show: https://bluejeans.com/support/saml-metadata.xml

• Identifiers: The Relying party identifiers field should show: http://samlsp.bluejeans.com

• Endpoints: The URL field should show: https://bluejeans.com/sso/saml2/


ADFS Configuration – Claim Rule

▪ Click Next and leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option checked to proceed.

▪ Within the default tab named Issuance Transform Rules click Add Rule…


▪ Leave the default option of Send LDAP Attributes as Claims selected and click Next.

▪ For the Claim rule configuration please use the following:

• Claim rule name = E-Mail-Address

• Attribute store = Active Directory

• LDAP Attribute (Select or type to add more) = E-Mail-Addresses

• Outgoing Claim Type (Select or type to add more) = E-Mail-Address


▪ Now select the rule that you just created and click Edit Rule…

▪ Select View Language…

▪ Copy and paste the http string as highlighted in the screenshot on the next page and save it to a text editor, such as Notepad.

▪ We will need this string for step #10 in the Blue Jeans Enabling Single Sign On for Enterprise Groups (SAML) guide.



ADFS Configuration – Transform Rule

▪ We now need to create a second rule, so click on Add Rule…

▪ From the Claim rule template drop down menu select Transform an Incoming Claim.


▪ Configure the Transform Claim with the following details:

• Claim rule name = Transform

• Incoming claim type = E-Mail-Address

• Outgoing claim type = Name ID

• Outgoing name ID format = Persistent Identifier

▪ Click Finish to complete the configuration.


ADFS Configuration – Issuance Authorization Rule

▪ Optionally you can configure ADFS to restrict access to BlueJeans by setting up a Security Group in Active Directory.

1. In Active Directory create a new group with the following settings:

• Group name = BlueJeans

• Group type = Security

• Group scope = Domain local

2. In the ADFS snap-in right-click on the Relying Party Trust and select "Edit Claim Rules".

3. Navigate to the "Issuance Authorization Rules" tab.

4. Select the existing rule and click "Remove Rule...".

5. Click "Add Rule..." and select the following "Claim rule template":

• Permit or Deny Users Based on an Incoming Claim

6. Configure the rule with the following:

• Claim rule name = BlueJeansSecurityGroup

• Incoming claim type = Group SID

• Incoming claim value = Browse for the Security Group

• Check the option "Permit access to users with this incoming claim"

7. Click "Finish".
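The relying party trust, the two issuance transform rules and the optional group-based authorization rule from the steps above can also be created from PowerShell, which makes the configuration reviewable and repeatable. This is an added example, not part of the original guide; it assumes the AD FS and ActiveDirectory PowerShell modules are available, and the claim type URIs are the AD FS built-in values, which you should confirm against View Language in your own farm.

```powershell
# Scripted equivalent of the wizard steps above (added example, not from the guide).
# Run elevated on the AD FS server. On AD FS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

# AD FS built-in claim type URIs (confirm with View Language in your environment).
$email   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$fmtProp = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$account = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$grpSid  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$permit  = 'http://schemas.microsoft.com/authorization/claims/permit'

# SID of the BlueJeans security group created in step 1 (needs the ActiveDirectory module).
$sid = (Get-ADGroup -Identity 'BlueJeans').SID.Value

# Rule 1: AD mail attribute -> E-Mail Address. Rule 2: E-Mail Address -> persistent Name ID.
$transformRules = @"
@RuleName = "E-Mail-Address"
c:[Type == "$account", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email"), query = ";mail;{0}", param = c.Value);

@RuleName = "Transform"
c:[Type == "$email"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["$fmtProp"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
"@

# Replaces "Permit all users": only members of the BlueJeans group receive a token.
$authzRules = @"
@RuleName = "BlueJeansSecurityGroup"
c:[Type == "$grpSid", Value == "$sid"]
 => issue(Type = "$permit", Value = "PermitUsersWithClaim");
"@

Add-AdfsRelyingPartyTrust -Name 'bluejeans.com' `
    -MetadataUrl 'https://bluejeans.com/support/saml-metadata.xml' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Review what was stored: identifier, metadata URL and both rule sets.
Get-AdfsRelyingPartyTrust -Name 'bluejeans.com' |
    Format-List Name, Identifier, MetadataUrl, IssuanceTransformRules, IssuanceAuthorizationRules
```

The identifier shown by the final command should match the value listed for the Identifiers tab earlier in this guide.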


ADFS Configuration – Export Certificate

▪ Click OK and you will be taken back to the ADFS MMC Snap-In.

▪ Expand the option Services and click on Certificates.

▪ Under Token-signing right-click on the certificate and select View Certificate.


▪ Go to the Details tab and click Copy to File…

▪ At the welcome screen click Next and then leave the default option of DER encoded binary X.509 (.CER) checked and click Next.

▪ You will need to import this certificate to your Blue Jeans Enterprise account later on.
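Because Blue Jeans will trust this certificate to validate every signed assertion, it is worth checking the exported file before uploading it. The following added example (not part of the original guide) compares the exported .CER with the primary token-signing certificate in AD FS and reports expiry; the function name, the path parameter and the 60-day threshold are assumptions made for illustration.

```powershell
# Added example: sanity-check the exported token-signing certificate before upload.
# Run on the AD FS server (AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell first).
function Test-ExportedSigningCert {
    param(
        [Parameter(Mandatory = $true)][string]$Path,  # exported .cer file (hypothetical path)
        [int]$WarnDays = 60                           # assumed expiry warning threshold
    )
    $full     = (Resolve-Path -LiteralPath $Path).Path
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    $primary  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

    $problems = @()
    if ($exported.HasPrivateKey) {
        $problems += 'File carries a private key; export the public certificate only.'
    }
    if (-not $primary) {
        $problems += 'No primary token-signing certificate found in AD FS.'
    } elseif ($exported.Thumbprint -ne $primary.Thumbprint) {
        $problems += "Thumbprint differs from the primary token-signing certificate ($($primary.Thumbprint))."
    }
    $now = Get-Date
    if ($exported.NotBefore -gt $now) { $problems += "Not valid until $($exported.NotBefore)." }
    if ($exported.NotAfter -lt $now.AddDays($WarnDays)) {
        $problems += "Expires $($exported.NotAfter); plan the re-upload before then."
    }

    New-Object PSObject -Property @{
        Subject      = $exported.Subject
        Thumbprint   = $exported.Thumbprint
        NotAfter     = $exported.NotAfter
        # If true, AD FS replaces the signing certificate on its own schedule and
        # the copy uploaded to the service provider must be refreshed afterwards.
        AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
        Problems     = $problems
    }
}

# Constructed usage; the file name is a placeholder.
Test-ExportedSigningCert -Path '.\adfs-token-signing.cer' | Format-List
```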


Blue Jeans Enterprise Account Configuration

▪ Log in to your Blue Jeans Enterprise account.

▪ Go to ADMIN > Group Settings > Security

▪ Check SAML Single Sign On

▪ Per the Blue Jeans Enabling Single Sign On for Enterprise Groups (SAML) guide do the following:

• Import the certificate.

• Configure the Login URL to point to your ADFS server, e.g. https://adfs.bjnsupport.local/adfs/ls/

• For now, configure the Password Change and Logout URLs to your CLP URL e.g. https://bjnsupport.bluejeans.com/

• Leave Custom Error Page URL blank.

• Check the option Pick User Id from <saml2:NameID> element

• Paste the http string from your Notepad file into the Email field.

• Your setup should look similar to the screenshot on the next page.


Blue Jeans Enterprise Account Configuration – Testing Authentication

▪ Click Save Changes at the bottom of the SAML configuration page and log out of your Blue Jeans Enterprise account.

▪ Browse to your CLP URL e.g. https://bjnsupport.bluejeans.com/

▪ When prompted, enter your Active Directory username and password to authenticate.

▪ You should now be directed to your Blue Jeans account.


Support site: http://bluejeans.com/support/contact

Email: [email protected]

Phone: US, Canada, and Worldwide: +1 (408) 791 2830

United Kingdom: +44 (0) 800 014 8214

Australia: +61 280 363149 – Option 2

Singapore: +65 315 87560 – Option 2

If you require any assistance with your SSO setup please do not hesitate to contact the Blue Jeans Customer Support Team!


bluejeans.com

bluejeans.com/blog

twitter @bluejeansnet