How to set up SAML 2.0 Single Sign-On in the Admin Center

Digital DX provides Single Sign-On support based on SAML 2.0 protocol. It accepts SAML Assertions using the SAMLResponse parameter where the NameID of the authenticated user is a mandatory claim.

On the Identity Provider (IdP) side you must set up the connection with the following parameters:

  • Protocol type: SAML 2.0
  • Service type: AssertionConsumerService
  • Binding type: HTTP-POST
  • WantAssertionsSigned: True

Alternatively, you can set up the connection using the Digital DX metadata XML below that contains the required parameters.

Important: Change both instances of xxxxxxxxxx to your account ID. You can find your Bold360 SSO URL on the settings form. Change both instances of yyyyyyyyyy to the web client URL extended with the server set for your data residency region.
Data Center URL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://yyyyyyyyyy/aid/xxxxxxxxxx/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yyyyyyyyyy/aid/xxxxxxxxxx/"/>
  1. In the Web Admin Center, go to General > Single Sign On.
  2. Remember: You must configure SSO on the Identity Provider side first.
    Click Test to check the authentication process.

    You are redirected to the Identity Provider's URL in a pop-up window. If you get back SAMLResponse from the ID Provider then its response will be presented on this setting form. If no SAMLResponse parameter returns or you simply misconfigured your URL, the pop-up window may stay open.

    Important: The Identity Provider URL must be a common link that authenticates and redirects the user to the Digital DX SSO URL with SAMLResponse token, if the user have the necessary rights.
    Result Description
    SAMLResponse is returned

    The response is presented in the form.

    Note: Copy the public key for later use.
    SAMLResponse is not returned

    The pop-up window may stay open.

    It is likely that you have simply misconfigured your URL.

  3. Check that NameID is a mandatory claim in the SAMLResponse token.

    You must add this claim on the Identity Provider side to be a unique attribute of the authenticated user, for example their e-mail address. When you map an authenticated user later on, the NameID field must be the SSO Name ID on the operator field.

  4. In the Public Key field, paste the public key of your signed SAMLResponse token that you received in Step 2.
  5. Save the public key.

    Result: To work with SSO, use the following URL format:

    • To access Agent Workspace:
      • (Replace ACCOUNTID with your account ID)
      • (Replace USERNAME with your username)
    • To access reports: (Replace ACCOUNTID with your account ID)

    • To access Dashboard: (Replace ACCOUNTID with your account ID)

  6. Check that parsing was successful to ensure that Digital DX servers understand the response as a SAML 2.0 Assertion Token.
    Remember: First you must make sure that the SAMLResponse token is returned correctly.

Once parsing has completed successfully, you can check the following:

  • Issuer found: A required attribute in the SAML 2.0 protocol
  • IssueInstant: A required attribute that contains the issuer timestamp. It must be in UTC format by default. Digital DX accepts tokens within a valid time frame.
  • NameID: Required for mapping an agent record with the authenticated user.
  • Public key: Required and must be stored in Digital DX settings as well for signature validation.