How to set up Single Sign On with SAML

Set up SAML single sign on with automatic metadata configuration or manual configuration. Change permitted login methods.

Updated over a week ago


Security Assertion Markup Language (SAML) is the standard for secure single sign on (SSO), and is the basis of SSO products from Okta, OneLogin, Microsoft, Bitium, Ping Identity, and more. Bonusly fully supports the SAML v2.0 standard, making it easy to add a layer of security and convenience to your Bonusly program.

SAML Single Sign On is available as part of Bonusly Pro. Learn more about Bonusly Pro

There are two ways to set up SAML Single Sign On: Automatic configuration, and manual configuration. We strongly recommend automatic configuration, if it is supported by your identity provider.

Here is some basic terminology to help you in this guide:

  • Identity Provider (IdP): The software/service that verifies the identity of your users. For example, Okta, OneLogin, Active Directory, etc.

  • Service Provider (SP): A unique string that identifies the provider of the service to be authenticated for. According to the SAML specification, the string should be a URL, though not all providers respect this.

  • Metadata URL: URL for the provider’s metadata. Both the IdP and the SP should have a Metadata URL.

  • Issuer (Entity ID): A unique string that identifies the provider issuing a SAML request. According to the SAML specification, the string should be a URL, though not all providers respect this. Not required by all providers.

  • Consumer URL: The Bonusly (SP) URL that will receive SAML requests from your IdP.

  • IdP SSO target URL: The IdP URL that will receive SAML requests from Bonusly (the SP).

Automatic Configuration

Automatic configuration via metadata exchange is by far the easiest way to set up SAML SSO. Make sure you've clicked on "Integrations" from the toolbar to get to the list of simple and secure SAML SSO.

Once you clicked on the specific SAML SSO you're trying to set up, simply check the box for “Automatically Configure from Metadata” and provide the Metadata URL and Issuer for your IdP. Leave the rest of the fields blank.

In the SAML SSO screen, make sure Automatically Configure from Metadata is checkmarked, the fourth item from the top, along with entering in iDP Metadata URL and IDP Issuer (Entitiy ID) before clicking the save button on the bottom of the page.

Leave all other fields blank, and save the settings.

Your IdP may require Bonusly’s metadata URL. You can retrieve Bonusly's (SP) metadata URL by right-clicking on the metadata link:

Metadata is right clicked, opening the drop-down to select Copy Link Address, which is the fifth option from the drop-down.

If automatic configuration is not supported by your IdP, then try manual configuration.

Manual Configuration

Uncheck the box for “Automatically Configure from Metadata”.

Fill in the following fields:

  • IdP Issuer (Entity ID)

  • IdP SSO target URL

  • X.509 Cert OR Cert Fingerprint (Bonusly will automatically generate the fingerprint if the full X.509 certificate is provided.)

Save the settings.

Testing Single Sign On

Once you've configured SSO, you can test it as followed:

IdP-initiated SSO:

  1. Log out of Bonusly

  2. Log in to your IdP (e.g. Okta, OneLogin, etc)

  3. Click on the Bonusly app in your app panel

SP-initiated SSO:

  1. Log out of Bonusly

  2. Visit the URL (where APP_ID is the "App Id" provided on the SSO configuration page in Bonusly)

Restricting Login Methods

Once you have tested SSO and verified that it is working, you can restrict sign on methods for your Bonusly account to require that users authenticate via SSO. This is more secure and makes it so that your employees don’t need to remember passwords for Bonusly.

To restrict to SAML SSO only:

  1. Click “Show advanced settings”.

  2. Check “Restrict to Single Sign On”.

  3. Save Settings

Questions? Send us a note to [email protected]; we'd be happy to help!

Was this article helpful? Let us know by rating it below with an emoji and sharing your feedback!

Did this answer your question?