Single sign-on

The Brightpearl back office supports single sign-on using a SAML 2.0 identity provider such as Google, Okta, Azure or PingIdentity, though many more are available.

Single sign-on can be initiated from the Brightpearl sign in screen or from your provider’s portal.

Supported identity providers

Brightpearl supports SAML 2.0. The following identity providers have been tested to work with Brightpearl:

  • Azure
  • PingOne for Enterprise
  • Google
  • Okta

You can set up SSO using your existing identity provider if it supports the SAML 2.0 protocol for authenticating and authorizing users.

If you cannot get single sign-on to work with your identity provider, please read our troubleshooting steps, and if you’re still experiencing problems please contact our Support team. Sometimes identity providers format their calls and responses slightly differently and we may need to make some tweaks on our side.

Note: Brightpearl does not support OAuth 2.0 or OpenID at this time.

Supported features

Brightpearl SAML single sign-on currently supports the following features:

  • IdP-initiated SSO
  • SP-initiated SSO

Remaining signed in

You can configure your identity provider to allow users to remain signed in with them for as long as you like - for example, 30 days. As long as the user is signed into the identity provider, signing into Brightpearl will simply be a case of clicking "Sign in using single sign-on".

Brightpearl will still time out after a period of inactivity and will require the user to sign in again on returning to their session.

Configuring single sign-on

To use single sign-on, you will need an identity provider that supports SAML 2.0.

When configuring your identity provider, you will need some details from the service provider (in this case, Brightpearl). These can be found within your Brightpearl account.

Once your identity provider is configured, it will provide the metadata details you need to complete the configuration in Brightpearl.

How to configure single sign-on in Brightpearl

  1. In Brightpearl, go to Settings > Company > Account Security.
  2. Check the box to enable single sign-on.
  3. Under the heading ACS URL and Entity ID you will find the details you need to configure your identity provider.
  4. Configure a custom SAML app in your identity provider, copying and pasting the details from Brightpearl into the relevant fields. There’s more information on doing this for various providers below.
  5. When configuring your identity provider, you will need to configure a custom app which uses the user email address to match.
  6. Your identity provider will provide some relevant information to be entered into the Brightpearl SSO configuration fields.
  7. Save the settings.

Single sign-on terminology

Brightpearl configuration provides and requires various details to set up single sign-on. These details are sometimes named differently in other systems, so here is a list of other names used by these fields:

Brightpearl field   Alternative names
ACS URL             Reply URL
Entity ID           Identifier, Audience URI
Login URL           Single Sign-On URL
Issuer URL          Azure AD identifier

Configuring Google single sign-on

Learn how to configure a custom SAML app within your Google Admin account here.

You will need the SSO URL and Entity ID from Brightpearl (the service provider) which can be found within your Brightpearl account at Settings > Company > Account Security.

Configuring Azure single sign-on

  1. You won’t find Brightpearl in the Azure AD Gallery, so you will need to add a new application.
  2. Enable single sign-on for your application.
  3. Ensure your users are added to the application.

Configuring Okta for single sign-on

Learn how to configure a custom SAML app within your Okta Admin account here.

You will need the SSO URL and Entity ID from Brightpearl (the service provider) which can be found within your Brightpearl account at Settings > Company > Account Security.

Configuring PingIdentity for single sign-on

Learn how to configure a custom SAML app within your PingIdentity account here - select the relevant tab to see instructions for your product.

You will need the SSO URL and Entity ID from Brightpearl (the service provider) which can be found within your Brightpearl account at Settings > Company > Account Security.

Using single sign-on

Provisioning

Brightpearl single sign-on does not manage user creation or removal, or Brightpearl permissions. A user must be created within Brightpearl before they can use single sign-on.

Adding a user

To enable a new user for single sign-on, you need to create them as a user in Brightpearl with the same email address as in the identity provider. They will need back office access enabled on their Brightpearl staff/user record.

Removing a user

If you no longer want a user to log into Brightpearl using single sign-on then they can be removed from the group within your identity provider.

If you want to prevent a user from logging into Brightpearl entirely, you can turn off access to the back office on their staff/user record.

Multi-factor Authentication (MFA)

To enable MFA for Brightpearl you will need to use single sign-on with an identity provider that supports SAML 2.0. MFA can then be enabled within your identity provider.

Troubleshooting

If single sign-on isn’t working here are some things you can check:

  1. Check that single sign-on is enabled in Brightpearl at Settings > Company > Account Security.
  2. Check that the ACS URL and Entity ID provided in your Brightpearl account are correctly set within your identity provider. These are often named differently by each provider - see above.
  3. If you need to enter an Audience, use the URL provided in Brightpearl.
  4. Check that the login URL, issuer URL and certificate provided by your identity provider are correctly entered into your Brightpearl single sign-on configuration at Settings > Company > Account Security.
  5. Check that the identity provider is configured to map the user by email address, and that it is sending the correct email address - some providers can record multiple email addresses for a user.
  6. Check that the user exists in Brightpearl with the same email address as within the identity provider.
  7. Check that the user has access to the Brightpearl back office enabled at Settings > Staff/users > List staff > edit staff member.
  8. Check that the user has the correct password for your identity provider.
  9. We have tested Brightpearl single sign-on using Azure, Google, PingOne for Enterprise and Okta. If you are using a different identity provider, check that they support SAML 2.0. Brightpearl currently only supports SAML and not OAuth 2.0 or OpenID.
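Checks 1 to 7 above are all comparisons between what the identity provider sends and what is configured on the service-provider side, so they can be run mechanically against a decoded SAML response captured from a failing login. The script below is an added example (not Brightpearl code) that does exactly that: it takes the XML of a SAML response, the service-provider settings, and the list of users, and reports every mismatch with the number of the check it corresponds to. The sample response, URLs, email addresses and the shape of the `SP_CONFIG` and `USERS` dictionaries are all constructed for this example. It deliberately does not verify the XML signature; a real service provider checks that against the identity provider's certificate before trusting anything else in the response.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response (no signature); every URL and address is a placeholder.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed service-provider settings: the three values the SP publishes plus
# the issuer URL it was given by the IdP.
SP_CONFIG = {
    "sso_enabled": True,
    "acs_url": "https://sp.example.invalid/saml/acs",
    "entity_id": "https://sp.example.invalid/saml/metadata",
    "issuer_url": "https://idp.example.com/saml/metadata",
}

# Constructed user list keyed by lower-cased email address.
USERS = {
    "alice@example.com": {"back_office": True},
    "bob@example.com": {"back_office": False},
}


def diagnose(response_xml: str, sp_config: dict, users: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not sp_config.get("sso_enabled"):
        findings.append("Single sign-on is not enabled on the service provider (check 1).")

    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    if destination != sp_config["acs_url"]:
        findings.append(f"Destination {destination!r} does not match the ACS URL "
                        f"{sp_config['acs_url']!r} (check 2).")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("No plaintext Assertion in the response; an encrypted "
                        "assertion must be decrypted before the remaining checks.")
        return findings

    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_config["entity_id"] not in audiences:
        findings.append(f"Audience {audiences!r} does not include the Entity ID "
                        f"{sp_config['entity_id']!r} (checks 2 and 3).")

    issuer_el = assertion.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else None
    if issuer != sp_config["issuer_url"]:
        findings.append(f"Issuer {issuer!r} does not match the configured issuer URL "
                        f"{sp_config['issuer_url']!r} (check 4).")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("No NameID in the assertion; the IdP app must send the "
                        "user's email address (check 5).")
        return findings
    if name_id.get("Format") != EMAIL_FORMAT:
        findings.append(f"NameID format is {name_id.get('Format')!r}, not "
                        f"emailAddress (check 5).")

    # Assumption of this example: email comparison is case-insensitive.
    email = name_id.text.strip().lower()
    user = users.get(email)
    if user is None:
        findings.append(f"No user with email {email!r} exists on the service "
                        f"provider (check 6).")
    elif not user.get("back_office"):
        findings.append(f"User {email!r} does not have back office access (check 7).")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_RESPONSE, SP_CONFIG, USERS) or ["all checks passed"]:
        print(finding)
```

Checks 8 and 9 are not covered because they cannot be derived from the response: a wrong identity-provider password never produces a response at all, and an unsupported protocol produces something that is not SAML.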

If you are configuring SSO for the first time and none of the above works, please contact our support team and provide the name of your identity provider. Some identity providers have slight variations in the calls and responses they send which may mean we need to tweak things on our side to support it.
