How do I enable SAML within BLOX CMS?
To be a SAML authentication provider, a customer must set up a SAML 2.0 server and provide us with the following values from it via a ticket to our Customer Support team:
- Entity ID
- SSO URL (where we will redirect applicable users to log in)
- X.509 public key/certificate
- One or more email domain(s) for which the provider will manage authentication
The first three of these are exportable from many systems as a single XML configuration file.
These items are used by Blox Digital staff to configure the integration.
Beyond the basic configuration, a prospective provider must also include the user's email address as a login assertion attribute with one of the following names:
How do I configure auto-provisioning?
In its basic mode, SAML may be used only to log in to existing admin accounts. New accounts must be created manually in the admin UI before they can be logged into.
The provider may optionally supply an auto-provisioning attribute in its login assertion which declares the sites and groups the user should have access to. The attribute should have a name of
It may contain one or more values, with each value being in the format of example.com:Group name.
A SAML config XML document describing the endpoint is available at:
If the identity provider asserts this information, and if the BLOX account's current state does not match it, the BLOX account's per-site group assignments will be immediately updated to match. Per-site profiles will be created, upgraded, or downgraded as appropriate in response to site access gained or lost through the assertion.
If no BLOX admin account exists for the asserted identity, one will be created, provided that a) the email address does not conflict with an existing account and b) at least one asserted group exists on one asserted site, so that the account has something to be granted access to.
This mechanism only acts on a site that has configured its consent to the identity provider in question.
Once configured, the site admin must enable SAML within BLOX CMS by going to the user app -> Application settings -> Admin SAML login. Choices will be available based on what has been set up in the Blox Digital system.
For each provider, the site is given the option to flag itself as:
- Consenting to have its users be auto-provisioned by that provider's group assertions
- Requiring that all its admin accounts be authenticated through that provider (or others so flagged)