SAML Settings

Black Duck Binary Analysis supports single sign-on (SSO) via SAML. With SSO, users can log in via an Identity Provider and won't need separate login credentials for different services.

Set up SAML

How to set up SSO via SAML depends on the identity provider. You should refer to the identity provider documentation for full details on how to do it.

In Black Duck Binary Analysis, you need to do the following:

  1. From the pulldown menu under your user name, select Manage account.
  2. Select the Account settings tab.
  3. Select SAML from the right-hand menu.
  4. Turn on Enable SAML.
  5. Fill in the Single Sign On Url and Service provider entity ID fields.
  6. Optionally, enter the expected group attribute key in the SAML response.
  7. Optionally, enter the expected role group attribute key in the SAML response and enter the group names for poweruser and/or administrator assignment.
  8. Select File or URL depending on whether you want to provide metadata as an XML file or through a URL.
  9. Provide the metadata file or URL from the identity provider.

Creating User Accounts Automatically

You can enable automatic user account creation for SAML.

  1. From the pulldown menu under your user name, select Manage account.
  2. Select the Account settings tab.
  3. Select SAML from the right-hand menu.
  4. Turn on Enable SAML.
  5. Turn on Create user accounts automatically in Black Duck Binary Analysis.

Set User Email Address Attribute Key In SAML Response

By default, BDBA selects the username/email from the value of the SAML assertion’s NameID field. Some identity providers may set this to something other than the user’s email address, for example a customized unique identifier. In this case, you can configure the attribute statement key which contains the user’s username/email. Often identity providers send the username/email in an attribute statement by default with the key name or emailAddress. It should also be possible to configure the IDP to add an attribute statement containing the user’s username/email if it’s not included by default.

SAML Group Attributes

You can enter the provider's group attribute key to be added to the SAML response. This enables adding users to corresponding groups at login. The group has to be added to a SAML group in the Group Settings.

SAML Role Group Attributes

You can enter the provider's role group attribute key to be added to the SAML response. This enables automatically assigning users the Poweruser or Administrator permission at login. Permissions are not affected on login if the role group attribute key is not set. Also, if a group name is not set, login doesn't affect the respective permission. Permissions are also automatically removed if the respective group name is set and the SAML response does not contain a matching attribute statement.

Note:

If a user is removed from a permission-assigning group in the identity provider, the change is not propagated to BDBA until the user logs in the next time. This means that until the user's existing session expires, their permission will not change, since they will not have to log in until expiry. If you want to make sure that a permission is immediately removed, do it manually in the user's permission settings.
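
The role group rules above can be checked against a sample IdP response before rollout. The following Python model is an added example, not BDBA's own code; the attribute key roles, the group names bdba-powerusers and bdba-admins, and the assumption that a group name is matched against the attribute's values are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not from a real IdP). Signature and
# condition validation are out of scope: this models an already-validated response.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>bdba-powerusers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, key):
    """Return the set of values carried by the attribute statement named `key`."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == key:
            values.update((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def permissions_after_login(current, assertion_xml, role_key=None,
                            poweruser_group=None, admin_group=None):
    """Model the documented rules; `current` maps permission name -> bool."""
    result = dict(current)
    if not role_key:
        # Role group attribute key not set: login leaves permissions untouched.
        return result
    present = attribute_values(assertion_xml, role_key)
    for perm, group in (("poweruser", poweruser_group),
                        ("administrator", admin_group)):
        if not group:
            # Group name not set: login does not affect this permission.
            continue
        # Group name set: grant on a match, remove when no match is present.
        result[perm] = group in present
    return result


if __name__ == "__main__":
    before = {"poweruser": False, "administrator": True}
    print(permissions_after_login(before, SAMPLE, "roles",
                                  "bdba-powerusers", "bdba-admins"))
```

Running it shows the case that is easiest to overlook: once an administrator group name is configured, an existing Administrator whose response lacks that group loses the permission at the next login.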

SSO Bypass

For Power Users and Administrators, it is possible to bypass SSO and log in with the Black Duck Binary Analysis credentials.

To do this, add /login/?sso-bypass to the appliance URL, for example, https://BDBA.company-name.com/login/?sso-bypass