Bullseye SAML Integration

Required: SAML is an add-on subscription. To add a subscription or add-on to your account, contact Tom Flynn at 732-868-8463.

Our SAML integration allows businesses to integrate Bullseye’s backend administration interface with other applications and offer single sign-on (SSO) capabilities to their users.  Once the SAML module is enabled and configured, users only need to login via the IdP and they are automatically logged into the Bullseye admin.  

Bullseye also supports a hybrid model allowing some users to be authenticated via an IdP and other users to be authenticated locally within Bullseye itself.  The hybrid model is useful for businesses who have their own users managing content within Bullseye, and also might want independent stores or locations to manage their own content.

In the hybrid model, users who visit the Bullseye login screen are prompted to log in.  If Bullseye detects the user is a SAML user, they will be directed to the IdP login screen.  In the non-hybrid model, Bullseye’s login screen automatically redirects to the login screen for the IdP.  

Users who are logged into Bullseye via IdP are assigned a role via the Bullseye admin.  Permissions for these roles are governed by the role manager within Bullseye.  Presently, Bullseye does not support role management via IdP.  

Configuring SAML

To enable the SAML module, you must have a SAML subscription.  If you need a SAML subscription or would like a trial of the SAML module, please contact our sales team at 800-606-1415.  

Once the SAML module is enabled, you can go to Settings > Setup > Options/SAML Options.

At the top of the configuration field is a checkbox to “Allow users outside of my organization to login”   This is the configuration option to use a hybrid model.  If you are converting an existing account to SAML, you will need to decide which model you will use and if you want to convert existing users to SAML users.  Leaving this checkbox unchecked (using pure SAML config) will warn you if you have existing non-SAML users and give you the option to convert them. 

If you want to have both SAML and non-SAML users, check this box and existing users will remain as non-SAML users.  You can change them later via the User Manager. 

Below the checkbox, the SAML Options accordion is divided into 2 sections.  The first section contains the configuration for using Bullseye as a Service Provider (SP).  If your service provider has provided a URL for the Metadata, you can simply enter the URL and select “Fetch Metadata” This should automatically populate the configuration screen with the correct configuration information.  If your IdP does not have a URL for the Metadata, this information will need to be entered manually. 

About the Fields

  • IdP-Entity ID or Issuer
  • Identity Provider Name-Enter the name of the identity provider.  This is for your use only.
  • Single Sign-On Service URL-This is the URL where the users are authenticated
  • Single Logout Service URL- This is an optional value.  If there is a value entered, SAML users who log out from Bullseye are logged out automatically from the IdP.  If there is no value entered, they will be logged out only locally in Bullseye
  • NameID Format- This is a read-only field to ensure that the IdP sends back email and not username
  • X.509 Certificate- Enter the certificate information for the IdP. This can be entered either as a text file or you can upload the certificate. 

The second section only appears once you enter the IdP configuration.  It contains the information that the IdP will need to talk to Bullseye.  You can copy this information and enter it manually or you can also use the Metadata link provided by Bullseye.  Using the link should automatically populate the configuration fields in the IdP. 

Creating SAML users in Bullseye

In order to allow SSO, users in the IDP must be added to Bullseye and assigned a role.  There are 2 methods for adding users in Bullseye:  (1) Individually through the user manager (2) in batch via .csv upload.

Adding Users Through the User Manager

Adding SAML users to Bullseye is very similar to adding regular users.  The key difference is that when you add a SAML user, the invitation email to the user is bypassed since there is no need for a user to provide a password.  

Select the User tab in the left-hand navigation, then select Add User.  Now select the “SAML Enabled” checkbox and the page should refresh with additional required fields for First Name and Last Name.  If you have configured a pure SAML environment, the “SAML Enabled” checkbox will be grayed out since there is no option to create non-SAML users.  Assign the correct role to your user and select Save If you wish to go on and create user assignments.  Here is an article on creating user assignments.  Or select Save and Close if you are done.  

Users who are logged in through their IdP will automatically be logged into Bullseye.  If they are not logged in, they will be redirected to the login screen for the IdP

Adding Users via the .CSV upload

Below the Users tab in the left-hand navigation is an Import tab.  Select this and you’ll see the feature that lets you imports users.  On the right-hand side of the page you can download the .csv template which provides the correct formatting for your .csv upload. 

The template has 5 fields. Of these, 4 are required.  Required fields are Username, FirstName, LastName and Role.  The first field SAML Enabled is used to specify that a user is SAML enabled.  If this field is set to true (possible values “True”, Y, 1),  the email invitation will be bi-passed in the same way that it is when adding users through the user manager.  If it’s set to false (“false” No, or 0) of left blank users will get an invitation email to be part of the system. 

If the SAML Enabled field is set to false or left blank, users will receive an invitation and will be able to create their own passwords.  This allows the upload tool to be used for both pure SAML implementations as well as hybrid or non-SAML implementations.

When building out the batch import, you should use the role name.  This matches the name of the role exactly.