Set up SAML SSO using Okta

Overview

This guide provides step-by-step instructions for configuring Single Sign-On (SSO) with Security Assertion Markup Language (SAML) 2.0 using Okta as the Identity Provider (IdP) for Bambuser Live Shopping. This integration allows your organization to manage user authentication through your existing Okta infrastructure.

Prerequisites

  • An active Okta administrator account
  • Access to the Bambuser Live Shopping dashboard
  • Administrative access to your organization's domain DNS settings
  • The domain used for user emails must be verified in Okta

Configuration Steps

1. Create an Okta SAML Application

  1. Log in to your Okta Admin Dashboard
  2. Navigate to Applications > Applications
  3. Click Create App Integration
  4. Select SAML 2.0 and click Next
  5. Enter an App name (e.g., "Bambuser Virtual Commerce")
  6. Click Next to configure SAML

2. Configure SAML Settings

General Settings

  • Single sign on URL (ACS URL):
    • US Data Region: https://svc-prod-us.liveshopping.bambuser.com/functions/auth/sso/saml/callback
    • EU Data Region: https://svc-prod-eu.liveshopping.bambuser.com/functions/auth/sso/saml/callback
  • Audience URI (SP Entity ID): bambuser_saml_service_provider
  • Name ID format: EmailAddress
  • Application username: Email

Attribute Statements

Add the following attribute statements:

  • Name: email
    • Value: user.email
  • Name: firstName
    • Value: user.firstName
  • Name: lastName
    • Value: user.lastName

Group Attribute Statements (Optional)

If you want to pass group information:

  • Name: groups
    • Filter: Matches regex .*

3. Configure Feedback and Provisioning

  • Set Provisioning to Disabled (SCIM provisioning is not supported)
  • Click Next to review your settings
  • Click Finish

Automatic User Provisioning

For organizations requiring automated user provisioning and deprovisioning, you can implement a custom SCIM (System for Cross-domain Identity Management) integration using our public API.

Domain Configuration

Data Region Location

Your Data Region URL is determined by your Bambuser dashboard location:

| Region | Dashboard URL | SAML ACS URL |
| --- | --- | --- |
| Europe | https://lcx-eu.bambuser.com/ | https://svc-prod-eu.liveshopping.bambuser.com/functions/auth/sso/saml/callback |
| United States | https://lcx.bambuser.com/ | https://svc-prod-us.liveshopping.bambuser.com/functions/auth/sso/saml/callback |

Share SAML Configuration with Bambuser

After configuring the Okta application, share the following information with your dedicated Bambuser contact:

  1. Method 1: Export and share the metadata file

    • In Okta, go to Sign On > Settings > SAML 2.0
    • Click View Setup Instructions
    • Download the metadata file and share it with Bambuser
  2. Method 2: Manual configuration

    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer (Entity ID)
    • X.509 Certificate (Base64 encoded)

Configure User Access

Option A: Manual User Management (Default)

Manage users/roles manually in the Bambuser dashboard.

For each new user:

  • Add them in Okta
  • Manually create their account in the Bambuser dashboard
  • Assign appropriate roles and permissions on the Bambuser dashboard

Manage users/roles through groups in Okta:

  1. In Okta, create groups for different permission levels (e.g., bambuser-owner, bambuser-moderator)
  2. Share the group names with your Bambuser representative
  3. The Bambuser team will map these groups to existing roles in the Bambuser ecosystem

Testing and Verification

Once the SAML configuration is completed by Bambuser on your workspace, you can test the integration by logging in to the Bambuser dashboard.

Testing the Integration

  1. Assign test users to the application in Okta
  2. Attempt to log in to the Bambuser dashboard
  3. Verify successful redirection to Okta
  4. Confirm successful authentication and session creation

Test Environment Considerations

If you have a separate Bambuser workspace for testing, you can use it to test the SAML integration.

  • Use a different email domain for testing to avoid impacting production users. Example:
    • Production domain: user@company.com
    • Test domain: user@test-company.com

Authentication Flow

Note: Bambuser currently supports Service Provider-initiated login flow only. Identity Provider-initiated login flow is not supported.

  1. User navigates to the Bambuser login page
  2. User enters their email address and clicks Sign in with Email
  3. System validates the domain and redirects to your Okta login page
  4. User authenticates with their Okta credentials
  5. Upon successful authentication, user is redirected back to Bambuser with a SAML assertion
  6. Bambuser validates the assertion and creates a session for the user
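
During testing, a decoded SAML response from a test login can be checked against the values this guide sets in Okta (ACS URL per data region, audience, NameID format, attribute statements, SP-initiated flow). The script below is an added example, not Bambuser or Okta code. It only checks configuration values and does not verify the XML signature. The function name and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# ACS URLs, audience and attribute names as given in this guide
ACS = {r: f"https://svc-prod-{r}.liveshopping.bambuser.com/functions/auth/sso/saml/callback"
       for r in ("us", "eu")}
AUDIENCE = "bambuser_saml_service_provider"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = {"email", "firstName", "lastName"}

def check_response(xml_text, region):
    """Return mismatches between a decoded SAML response and the guide's settings.
    Configuration check only: the XML signature is NOT verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS[region]:
        problems.append("Destination is not the ACS URL for region " + region)
    if not root.get("InResponseTo"):  # unsolicited response = IdP-initiated login
        problems.append("no InResponseTo: IdP-initiated flow is not supported")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS[region]:
        problems.append("Recipient is not the ACS URL for region " + region)
    audiences = [e.text for e in root.findall(".//a:AudienceRestriction/a:Audience", NS)]
    if audiences != [AUDIENCE]:
        problems.append(f"Audience is {audiences}, expected {AUDIENCE}")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not EmailAddress")
    names = {a.get("Name") for a in root.findall(".//a:Attribute", NS)}
    for missing in sorted(REQUIRED - names):
        problems.append("missing attribute statement: " + missing)
    return problems

# Constructed sample (not captured from a real tenant); signature elements omitted.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}" InResponseTo="_req1">
 <a:Assertion><a:Subject><a:NameID Format="{fmt}">user@test-company.com</a:NameID>
  <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{acs}"/></a:SubjectConfirmation>
  </a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>{aud}</a:Audience>
  </a:AudienceRestriction></a:Conditions><a:AttributeStatement>
  <a:Attribute Name="email"/><a:Attribute Name="firstName"/>
  </a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    doc = SAMPLE.format(acs=ACS["us"], fmt=EMAIL_FMT, aud=AUDIENCE)
    for p in check_response(doc, "eu"):  # US ACS URL checked against an EU workspace
        print("FAIL:", p)
```

Run it only on responses from your own test logins; an empty result means the response matches the settings in this guide, not that it is cryptographically valid.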

Support

For additional assistance, please contact your dedicated Bambuser support representative or email support@bambuser.com with "Okta SAML Integration" in the subject line.