Configuring Microsoft ADFS for SSO integration with Blue Jeans


Post on 20-Aug-2020



A step by step guide on how to set up Single Sign On (SSO) for your Blue Jeans Enterprise account.


Prerequisites

SSL Certificate for signing.

A Blue Jeans Enterprise account with a Custom Landing Page (CLP) e.g. https://bjnsupport.bluejeans.com

Group Admin level access to your Blue Jeans Enterprise account.

If your Blue Jeans Enterprise account has active users, then we recommend that you contact the Blue Jeans Support team ([email protected]) to create a test Enterprise account.


Prerequisites – Windows Server 2008 R2 only

Windows Server 2008 R2 installations require ADFS 2.0 including the ADFS Rollup 2 update.

After the update has been installed, add the following line to the microsoft.identityServer.web block of the file located at: C:\inetpub\adfs\ls\web.config

<microsoft.identityServer.web>
    ...
    <useRelayStateForIdpInitiatedSignOn enabled="true"/>
</microsoft.identityServer.web>


ADFS Configuration

Load the ADFS MMC Snap-In and select Add a trusted relying party to start the wizard.


ADFS Configuration – Add Blue Jeans RP

On the welcome screen click on Start.

Leave the default option of Import data about the relying party published online or on a local network checked and then enter the following URL into the Federated metadata address (hostname or URL) field: https://bluejeans.com/support/saml-metadata.xml


You can leave the Display name field with the default value of bluejeans.com unless you wish to choose a different name.

Keep the default option Permit all users to access this relying party checked.

While at the Ready to Add Trust step, please verify the following tabs:
- Monitoring: The Relying party’s metadata URL should show: https://bluejeans.com/support/saml-metadata.xml
- Identifiers: The Relying party identifiers field should show: http://samlsp.bluejeans.com
- Endpoints: The URL field should show: https://bluejeans.com/sso/saml2/


ADFS Configuration – Claim Rule

Click Next and leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option checked to proceed.

Within the default tab named Issuance Transform Rules click Add Rule…


Leave the default option of Send LDAP Attributes as Claims selected and click Next.

For the Claim rule configuration please use the following:
- Claim rule name: E-Mail-Address
- Attribute store: Active Directory
- LDAP Attribute (Select or type to add more): E-Mail-Addresses
- Outgoing Claim Type (Select or type to add more): E-Mail-Address


Now select the rule that you just created and click Edit Rule…

Select View Language…

Copy and paste the http string as highlighted in the screenshot on the next page and save it to a text editor, such as Notepad.

We will need this string for step #10 in the Blue Jeans Enabling Single Sign On for Enterprise Groups (SAML) guide.


ADFS Configuration – Transform Rule

We now need to create a second rule, so click on Add Rule…

From the Claim rule template drop down menu select Transform an Incoming Claim.


Configure the Transform Claim with the following details:
- Claim rule name: Transform
- Incoming claim type: E-Mail-Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Persistent Identifier

Click Finish to complete the configuration.


ADFS Configuration – Export Certificate

Click OK and you will be taken back to the ADFS MMC Snap-In.

Expand the option Services and click on Certificates.

Under Token-signing right-click on the certificate and select View Certificate.


Go to the Details tab and click Copy to File…

At the welcome screen click Next and then leave the default option of DER encoded binary X.509 (.CER) checked and click Next.

You will need to import this certificate to your Blue Jeans Enterprise account later on.
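The ADFS-side steps above (add the relying party trust, create the two claim rules, verify the trust, export the token-signing certificate) can also be scripted, which makes the configuration reviewable and repeatable. The following PowerShell is an added example and not part of the Blue Jeans guide; it assumes the claim rule text matches what the two GUI templates generate, that the output path C:\Temp\adfs-token-signing.cer is acceptable, and that every endpoint in the metadata sits under bluejeans.com.

```powershell
# Added example, not from the Blue Jeans guide. Run elevated on the ADFS server.
# ADFS 2.0 (Windows Server 2008 R2) loads the snap-in; later releases use: Import-Module ADFS
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$metadataUrl = 'https://bluejeans.com/support/saml-metadata.xml'  # from the guide
$expectedId  = 'http://samlsp.bluejeans.com'                      # from the guide
$certPath    = 'C:\Temp\adfs-token-signing.cer'                   # assumption: output path

# Rule 1: Send LDAP Attributes as Claims (E-Mail-Addresses -> e-mail address claim).
# Rule 2: Transform an Incoming Claim (e-mail address -> Name ID, persistent format).
$transformRules = @'
@RuleName = "E-Mail-Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

@RuleName = "Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Equivalent of "Permit all users to access this relying party".
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'bluejeans.com' -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authRules

# Same checks as the Ready to Add Trust step: identifier and endpoints must match the guide.
$rp = Get-AdfsRelyingPartyTrust -Name 'bluejeans.com'
if ($rp.Identifier -notcontains $expectedId) { throw "Unexpected identifier: $($rp.Identifier)" }
foreach ($ep in $rp.SamlEndpoints) {
    $u = [Uri]$ep.Location
    if ($u.Scheme -ne 'https' -or $u.Host -notmatch '(^|\.)bluejeans\.com$') {
        throw "Endpoint is not HTTPS under bluejeans.com: $($ep.Location)"
    }
}

# Export only the public token-signing certificate as DER (.CER); no private key leaves the server.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($certPath, $der)
$signing.Certificate | Format-List Subject, Thumbprint, NotAfter
```

Record the printed thumbprint and expiry date: when ADFS rolls over its token-signing certificate, the new certificate has to be imported into the Blue Jeans account or sign-in will fail.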


Blue Jeans Enterprise Account Configuration

Log in to your Blue Jeans Enterprise account.

Go to ADMIN > Group Settings > Security

Check SAML Single Sign On

Per the Blue Jeans Enabling Single Sign On for Enterprise Groups (SAML) guide do the following:
- Import the certificate.
- Configure the Login URL to point to your ADFS server, e.g. https://adfs.bjnsupport.local/adfs/ls/
- For now, configure the Password Change and Logout URLs to your CLP URL e.g. https://bjnsupport.bluejeans.com/
- Leave Custom Error Page URL blank.
- Check the option Pick User Id from <saml2:NameID> element
- Paste the http string from your Notepad file into the Email field.
- Your setup should look similar to the screenshot on the next page.


Blue Jeans Enterprise Account Configuration – Testing Authentication

Click Save Changes at the bottom of the SAML configuration page and log out of your Blue Jeans Enterprise account.

Browse to your CLP URL e.g. https://bjnsupport.bluejeans.com/

When prompted, enter your Active Directory username and password to authenticate.

You should now be directed to your Blue Jeans account.


Support site: http://bluejeans.com/support/contact

Email: [email protected]

Phone: US, Canada, and Worldwide: +1 (408) 791 2830

United Kingdom: +44 (0) 800 014 8214

Australia: +61 280 363149 – Option 2

Singapore: +65 315 87560 – Option 2

If you require any assistance with your SSO setup please do not hesitate to contact the Blue Jeans Customer Support Team!


bluejeans.com

bluejeans.com/blog

twitter @bluejeansnet