The following instructions are applicable to Okta IdP implementations.
To get started, first submit a request. Be sure to include your company name and include in your request that you wish to enable SSO using either SAML 2.0 or OIDC. We may ask for additional details to correctly identify your account.
To set up a new implementation, open the Okta administrative interface and go to "Applications". Select the "Create New Application" button, then choose either "OIDC - OpenID Connect" or "SAML 2.0" depending on your preferred standard. Once you have selected the standard, follow the corresponding instructions below:
SAML 2.0
General Settings
Enter the following details:
- App Name: Blanchard Exchange
- App logo: Download the Blanchard Exchange logo from here.
- App visibility: Choose whether to display the application tile to users.
- App visibility is optional: users are generally sent a direct login link by email, or can visit our general sign-in page to start a login through SSO.
SAML Settings
- Single sign on URL: Enter the ACS URL provided by Blanchard.
- Audience URI (SP Entity ID): Enter the Entity ID provided by Blanchard.
- Default RelayState: Leave this blank.
- Name ID format: EmailAddress
- Application username: Email
- Update application username on: Create and Update
Enter the following attributes:
| NAME | NAME FORMAT (OPTIONAL) | VALUE |
| --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Unspecified | user.email |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Unspecified | user.firstName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Unspecified | user.lastName |
Finalize the setup and then connect with your Blanchard contact to provide the following:
- Metadata URL: This can be retrieved under the "Sign On" tab of the configured Blanchard Exchange application, in the "SAML Signing Certificates" section. Locate the "SHA-2" certificate, select the "Actions" button, and then select "View IdP Metadata".
- Confirmation of domains that fall into the scope of your SSO implementation.
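Once the Okta side is configured, the receiving service should confirm that assertions actually carry the EmailAddress NameID and the three attributes mapped above before creating or matching an account. The following is an added example, not Blanchard's or Okta's code: it checks that attribute contract on an assertion that the SAML library has already signature-verified; the sample assertion is constructed and carries no signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The three attribute names the guide above tells the Okta admin to map.
REQUIRED_ATTRS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
}

# Constructed sample assertion (not a real Okta response); signature omitted.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
 <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID></saml2:Subject>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_assertion(xml_text):
    """Return (profile, problems) for an assertion whose XML signature has ALREADY
    been verified by the SAML library; this only checks the attribute contract."""
    root = ET.fromstring(xml_text)
    problems = []
    nameid = root.find(".//saml2:Subject/saml2:NameID", SAML_NS)
    if nameid is None:
        problems.append("no NameID in Subject")
    elif nameid.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is %r, expected EmailAddress" % nameid.get("Format"))
    profile = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        key = REQUIRED_ATTRS.get(attr.get("Name"))  # ignore attributes we did not ask for
        if key is None:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", SAML_NS)]
        if values and values[0]:
            profile[key] = values[0]
    for name, key in REQUIRED_ATTRS.items():
        if key not in profile:
            problems.append("missing or empty attribute " + name)
    # The NameID (login identifier) and the emailaddress claim should agree.
    if nameid is not None and "email" in profile:
        if (nameid.text or "").strip().lower() != profile["email"].lower():
            problems.append("NameID does not match emailaddress attribute")
    return profile, problems
```

A non-empty `problems` list usually means the Okta attribute statements or the Name ID format were not entered as listed above, and the login should be rejected rather than mapped to a partial profile.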
OIDC
General Settings
Enter the following details:
- App Name: Blanchard Exchange
- App logo: Download the Blanchard Exchange logo from here.
- Grant Type: "Authorization Code" is selected by default and is sufficient. Implicit (Hybrid) is also supported, but not required.
- Sign-in redirect URIs: Enter the Authorized Redirect URI provided by Blanchard.
- Controlled access: Set the appropriate access, whether it will be for all users, or based on selected groups.
After completing the setup, copy the following information and provide it to your Blanchard contact:
- Client ID
- Client Secret
- Discovery endpoint: This typically has the form https://<your-okta-instance>/.well-known/openid-configuration.