Bambu SSO
Bambu by Sprout Social offers SAML 2.0 Single Sign-on (SSO) support across web and mobile. SSO enables your employees to use a single set of managed login credentials (e.g., name and password) to access multiple applications.
This article contains the following sections:
Benefits of SSO
The main benefit of implementing SSO is account security. If an employee’s permissions, access or employment status changes, your network administrator can easily disable all accounts that are associated with that user with minimal effort. Additionally, SSO creates a more seamless user login experience because it eliminates the need for employees to remember or keep track of several passwords.
Technical specifications
Collaborate with your IT/Security teams to set up SSO for Bambu. Here is some technical information your IT team may need to get the process started:
- Bambu supports IdP and SP initiated SSO via SAML 2.0.
- Bambu's AuthnRequests have an Issuer value/Entity ID of https://api.getbambu.com
- Bambu's Assertion Consumer Service URL is https://api.getbambu.com/saml/consume.
- Bambu requires that IdPs use emailAddress as their Response's Subject's NameIDPolicy.
- When Bambu initiates SSO, users are referred from URLs on https://app.getbambu.com (e.g. https://app.getbambu.com/login, https://app.getbambu.com/stories, etc).
Bambu can use HTTP Redirect or HTTP POST bindings, whichever is required.
SSO implementation
Sprout recommends that you create an Admin account in Bambu for an IT team member to set up SSO.
Then your IT team member should:
- Log into Bambu.
- Navigate to Company Settings.
- Click the Single Sign On tab.
- Click Choose File in the SAML Upload box.
- Upload the appropriate XML file.
- Make updates to the URL and Issuer if need be.
- (Optional) You can toggle to allow Bambu Managed Passwords on or off if you still want users to log in with their Bambu password.
- Click Save SSO Settings.
Supported SSO providers
Single Sign-on for Bambu is directly supported by the following IdPs:
- OneLogin
- Okta
- Azure AD
Bambu supports SAML (Security Assertion Markup Language) 2.0 for SSO, so even if your IdP isn’t listed, you should still be compatible as long as your IdP supports SAML 2.0.
If you happen to use Okta, Azure or OneLogin as your SSO provider, Bambu has apps for these IdPs that you may find helpful in your setup:
SSO FAQ
Does Bambu support SAML?
Yes. Bambu supports SAML 2.0, an XML-based industry standard for communicating identities over the Internet.
Does Bambu integrate with any identity providers (IDPs)?
Yes, Bambu integrates with any IdP which supports SAML2.0. Examples include Okta, OneLogin and Auth0.
Does Bambu support user provisioning?
Bambu supports just-in-time (JIT) provisioning for user accounts. If you're configured for SSO, a user account gets automatically generated for any user that successfully accesses Bambu where a user account was not already available. This user account is created with Reader permissions. Any role permissions upgrades must be managed by your Bambu Admin.
Can a user log in to Bambu on their mobile device?
Yes.
What if someone loses their SSO password when Allow Bambu Managed Passwords is disabled?
You can recover passwords through the IdP. Bambu doesn't store any user passwords and relies exclusively on your IdP for authentication.
Can we use SSO and passwords at the same time?
Yes, you can configure your account as "SSO only" or "SSO + Password".
Does SSO support different domain email addresses? (Eg: sarah@sproutsocial.com and taylor@simplymeasured.com)
Yes, contact your Sprout CSM and let them know that you need to enable multiple domain emails.
Can my agency still log in to my account if we’ve enabled SSO?
Because the agency doesn't have access to your company's SSO, they can't log in if SSO is forced. You can turn on Allow Bambu Managed Passwords to ensure the agency can still log in with their email and password.
What happens if a user changes their name in Bambu?
Name changes in Bambu only appear in Bambu. The user still needs to log in per your settings, either SSO or password.
What happens if a Bambu user's name or email address is changed by the IdP?
No changes occur to the user in Bambu if their name is changed by the IdP. If the user’s email address is changed, a new user gets created assuming Just-in-time (JIT) provisioning is enabled. If JIT is not enabled, that user can't login.
What is Bambu's SSO login timeout?
Four hours.
What if I need to disable just-in-time (JIT) provisioning?
Contact your Sprout representative for assistance.
What if I need to adjust binding behavior?
Contact your Sprout representative for assistance.