Single Sign-On (SSO) - Bluewater

Single Sign-On (SSO)


SSO is an authentication service that allows a user to use single login to access multiple applications. SSO uses Security Assertion Markup language (SAML) for exchanging authentication between the applications.

The Bluewater platform offers a Single Sign On (SSO) capability through Security Assertion Markup Language (SAML) protocol version 2.0. It allows users to access the Bluewater portal using usernames and passwords from their corporate Federation Service. This means your users can use one login to access all your platforms rather than managing separate passwords and you get to manage who can access the Bluewater portal and what they can see once they are logged in.

Once your users have been authenticated to access the portal, you can then configure different profiles and assign users to each profile to ensure that they have the proper Cost Centre access and permissions in the Bluewater portal.


Security Assertion Markup Language (SAML) is an open-standard for exchanging authentication and authorization data between two parties ie., Service Provider (SP) and Identity Provider (IdP).

Service Provider agrees to trust the Identity Provider for authenticating the user. Identity Provider generates authenticating assertion for the user and communicate that with Service Provider.

The most important use case that SAML addresses is web browsers single sign-on (SSO). Single sign-on can be established between different domains.


1. Business Data Synchronisation

Reduce the time and effort for Admin to create user logins, and login management (password resets, access changes etc).

2. Leverage existing content
Using your existing infrastructure to manage user’s access to Bluewater, as well as remove access for those Users who have left your organisation. By utilising your Federation Service, this enables all your staff to use the Bluewater platform.
3. Time savings

Reduce the number of passwords users must remember and streamline the authentication process.

4. Increased security
By applying the Company’s password security policy to the Bluewater login, accessible only behind the Corporate firewall, there is no risk to your organisation when users leave, as users who are accessing the Bluewater platform have been authenticated from a central control point (exist in your Active Directory) and are authorised (have the relevant permissions/access).

How SSO Works?

  1. When a User accesses the Bluewater Portal from within your network Bluewater (Service Provider) will generate a SAML request to an SSO URL for authentication.
  2. The Bluewater customer (Identity Provider) parses the SAML request, authenticates user and generates a SAML response to Bluewater to authorise the user’s access.
  3. Bluewater will verify the SAML response and allow the User to log in.
  4. If a user record is not found in Bluewater, Bluewater will auto-provision the user with the additional attributes provided in the SAML response and assign the user with permissions that correspond to the user group mapping.

How to enable SSO for your Bluewater Portal?

1. Decide your IdP: Your Identity Provider is the one who authenticates and authorizes user to perform an action. It can be:

  • Third party vendor (e.g. ADFS, Okta, Google, OneLogin)
  • Your own application

2. Ask the Bluewater Implementation / Customer Success team for an SSO Federation Requirement Questionnaire to commence the set-up process. In this questionnaire you will be asked for Identification Details and your IdP metadata or settings.

Bluewater will enable the SSO for your portal and contact your Administrator to configure Access Levels for Bluewater logins. e.g.:

  • Level 1 Access: See Control module only
  • Level 2 Access: See Procurement module only
  • Level 3 Access: See full admin access
3. Get the Bluewater Service Provider metadata from the following link and import it into your Federation Service.