Setting Up Single Sign-On (SSO) on P2PE Manager

What is Security Assertion Markup Language (SAML)?

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between identity providers and service providers. P2PE Manager supports Single Sign-On in accordance with the SAML 2.0 specification. Single Sign-On (SSO) can be configured for Partners, Sub-partners and Clients.

📘

This feature is designed to support one Identity Provider and is implemented by System Users!

Setup Process

  1. Complete the Single Sign-On Request Form and the SAML User Agreement. Involve your Identity Provider to gather the requested information and to create a field in the SSO system to validate P2PE Manager usernames.

📘

The Identity Provider will need to provide the entire X.509 certificate.

  2. Add users to P2PE Manager as usual.
  3. After Bluefin receives the requested information, our system administrators configure SAML in P2PE Manager. Then, the Single Sign-On Request Form will be returned with the SAML Configuration Key.

Information Identity Providers Need

The following information is required by Identity Providers to facilitate SAML configuration. This information should be shared with your Identity Provider's administrator so that your single sign-on system can be updated.

  1. Usernames (list of active P2PE Manager users).
  2. SAML Configuration Key: This key is generated during the setup process after receipt of the Single Sign-On Request Form.
  3. URLs (the names of the fields vary, such as ACS, Audience or Consumer):
     • Consumer Validator: bluefin.p2pemanager.com/saml/callback/samlconfigkey
     • Consumer Connection URL: bluefin.p2pemanager.com/saml/callback/samlconfigkey
     • Logout URL (depending on the IDP this might or might not be needed): bluefin.p2pemanager.com/logout

Example

https://cert-bluefin.p2pemanager.com/saml/callback/8d34e9b997087646912c13a02c5ae726

Sample IDP Setup

IDP Configuration

The following illustrates an IDP Configuration screen that's used and controlled by the Merchant. In this example, we're using screenshots from OneLogin.

| Field | Description |
|---|---|
| X.509 Certificate | The value generated here must be communicated to Bluefin to set up the SSO connection. In this example, the actual certificate generated is behind the "View Details" link. |
| SAML Signature Algorithm | This setting contains the hash algorithm chosen by the Partner based on their security requirements. Bluefin does not need this value. |
| Issuer URL | The value here needs to be communicated to Bluefin to set up the SSO connection (SAML Issuer). This URL should be the source URL for all IDP users (the URL from which all users originate). |
| SAML Endpoint URL | The value here needs to be communicated to Bluefin to set up the SSO connection (SAML Endpoint). This URL should be the endpoint of the IDP being used. |

IDP User Configuration

The following illustrates configuring a User inside an IDP. In this example, we're again using screenshots from OneLogin.

Basic demographic information about each user needs to be completed by the merchant in their IDP.

🚧

Important

The user login is the only field relevant to configuring SAML/SSO. In the example shown, the p2pe_username parameter was added specifically for the SAML/SSO configuration to P2PE Manager.

This field name (p2pe_username) needs to be communicated to Bluefin to set up the SSO connection (SAML Field Name). Bluefin does not need the value of this entry ("muser" in the example shown), but the value must match a user in P2PE Manager who has access to this specific Partner/Client.

For reference, the following image illustrates the various IDP user fields including a field specifically added for the P2PE Manager SAML/SSO configuration. The IDP administrator should be familiar with this type of screen.

Azure Setup Overview

The following is an overview of how to prepare Azure. To set up Azure Active Directory portal access, do the following:

  1. Log in to your Azure portal as usual and navigate to the Azure Active Directory.
  2. In the left panel, select Enterprise Applications.
  3. Create a new application or use an existing one.
  4. Follow the instructions shown to assign users to the application and Set up Single Sign-On.
  5. From the SSO page, enter your information into the Set up SAML test sign on section to populate your information in P2PE Manager.

Single Sign-On Request Form (Sample)

❗️

Single Sign-On is designed to support one Identity Provider per Partner.

  1. Collect the information in the tables below and submit to Bluefin. ([email protected])
  2. Users need to be added to P2PE Manager as usual and be marked as Active users.
  3. Your Identity Provider (IDP) administrator will need to create a field to validate the P2PE Manager username.
  4. You will need to provide us with the full Certificate from the IDP that signs the authentication request.
  5. Bluefin will return this SSO Request Form to the IDP Administrator along with the SAML configuration KEY.
  6. The IDP Administrator will need to update their single sign-on software with the SAML configuration key and the proper URLs.

📘

Logging in to P2PE Manager for SAML Users

After SSO is fully implemented by Bluefin and your IDP, users will access the P2PE Manager from the following URL: https://bluefin.p2pemanager.com/saml/samlconfigkey

  1. SAML Configuration Information

| Field | Description |
|---|---|
| Partner Name | Enter the partner / sub-partner name. This will enable SAML for partner users (Partner Supervisors, Partner Fulfillment and Partner User). |
| SAML Config Name | Enter the name of this SAML configuration. |
| SAML EndPoint | Enter the URL of the Identity Provider for the SAML authentication request (the URL of the Partner's instance of their IDP). Typically called SAML Endpoint, SSO Endpoint, or IDP Login URL. |
| SAML Field Name | The field/variable that contains the P2PE Manager Username. This could be a custom parameter from the Identity Provider or an existing one that contains the P2PE Manager Username. NOTE: The IDP administrator will need to create this field in their single sign-on system to validate P2PE Manager usernames. |
| SAML Issuer | Enter the Issuer URL of the Identity Provider. This is the URL of the Partner's IDP user connection to the P2PE Manager. |
| Certificate file included | Enter the Certificate from the Identity Provider that signs the authentication request. The entire content of the certificate must be entered (URL links are not allowed). This is commonly called the X.509 certificate that the Partner's IDP will generate for secure authentication to the P2PE Manager. You might need to download the certificate as Base64 and then open it as a text file. |
| Bluefin returned SAML Configuration KEY | Bluefin will return this form with this value when the setup has been completed. |
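
As an added illustration (not Bluefin's code), the checks a service provider applies to an IDP response before trusting the SAML Field Name attribute, using the values collected on this form and in the IDP user configuration above. The issuer URL, the user list and the SAML response are constructed; the configuration key in the callback URL is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values a partner would enter on the SSO Request Form (hypothetical; the
# configuration key is a placeholder, not a real Bluefin-issued key).
SSO_CONFIG = {
    "saml_issuer": "https://idp.example-partner.com/saml/metadata",
    "saml_field_name": "p2pe_username",
    "callback_url": "https://bluefin.p2pemanager.com/saml/callback/SAMLCONFIGKEY",
}
# Constructed set of active P2PE Manager users for this partner.
ACTIVE_USERS = {"muser", "jdoe"}
# Constructed SAML response as the IDP would post it to the callback URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://bluefin.p2pemanager.com/saml/callback/SAMLCONFIGKEY">
  <saml:Issuer>https://idp.example-partner.com/saml/metadata</saml:Issuer>
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="p2pe_username">
      <saml:AttributeValue>muser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def check_certificate_field(cert_text):
    """Form rule: the entire X.509 certificate must be pasted, not a URL."""
    text = cert_text.strip()
    if text.lower().startswith("http"):
        return False, "URL links are not allowed; paste the full certificate"
    if not (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----")):
        return False, "certificate must be the complete Base64 (PEM) text"
    return True, "ok"

def resolve_user(response_xml, cfg=SSO_CONFIG, active_users=ACTIVE_USERS):
    """Map a SAML response to a P2PE Manager username; (None, reason) on failure.
    Signature verification against the IDP certificate is assumed done already."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != cfg["callback_url"]:
        return None, "Destination does not match the Consumer Connection URL"
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["saml_issuer"]:
        return None, "Issuer does not match the configured SAML Issuer"
    # The custom attribute the IDP administrator added for P2PE Manager.
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == cfg["saml_field_name"]:
            username = attr.findtext("saml:AttributeValue", namespaces=NS)
            if username in active_users:
                return username, "ok"
            return None, f"{username!r} is not an active P2PE Manager user"
    return None, f"attribute {cfg['saml_field_name']!r} missing from assertion"
```

A user whose attribute value is not an active P2PE Manager user, a response from a different issuer, or one addressed to a different callback URL is rejected with the reason returned alongside `None`.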

  2. Submission Information

| Field | Description |
|---|---|
| Submitted By | [Name of Person Submitting Change Request] |
| Submitter's Company | [Name of Submitter's Company] |
| Date Submitted | [mm/dd/yyyy] |

Requests are completed within 2 business days of receipt of complete and accurate forms. Changes are completed during business hours, Monday through Friday, 8:30 a.m. to 5:30 p.m. CST. Some requests may require scheduling and may take longer than 48 hours to complete.

Partners and Resellers are responsible for Tier 1 application and IDP support.
