Single Sign On with Black Diamond

Black Diamond supports SAML SSO workflows that allow users to single sign on both into and out of the Black Diamond Wealth Platform. Please refer to the documentation below on how to set this up, and work with your Black Diamond contact to provide the required information.

SSO from Black Diamond into your software

Required Elements:

  • Black Diamond will provide you with a valid x509 certificate issued by DigiCert.

  • Issuer URL: https://login.bdreporting.com

  • A logo that Black Diamond can use on its Connections page for initiating the single sign on.

Workflow:

  1. Please install the certificate provided to you by Black Diamond for the signature validation.

  2. Please provide Black Diamond with the following configuration settings:

    1. Audience:  This is the URL identifier for your software that we will include in the SAML assertion.

    2. Assertion Consumer URL: This is the URL we will post the SAML assertion to.

  3. Once you install the certificate and provide us with the audience and the assertion consumer URL, Black Diamond will post the assertions to you with the standard SAML attributes, including:

    1. Issuer: https://login.bdreporting.com

    2. Audience:  Defined by you.

    3. Name ID: This will be a GUID that represents a unique user on the Black Diamond platform.

    4. NotBefore and NotOnOrAfter:  Each assertion will be valid for a maximum of 5 minutes.

    5. Signature: the SAML assertion will be signed using the certificate provided to you.
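As an added example (not Black Diamond's code), the following stdlib-only Python check enforces the assertion fields listed above on the receiving side: Issuer, your Audience, the NotBefore/NotOnOrAfter window (at most 5 minutes), a GUID NameID and the presence of a signature. The audience URL and the sample assertion are constructed; cryptographic verification of the signature against the DigiCert-issued certificate is left to an XML-DSig library and is assumed to run separately.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXPECTED_ISSUER = "https://login.bdreporting.com"
MAX_LIFETIME = timedelta(minutes=5)  # each assertion is valid for at most 5 minutes

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, my_audience, now):
    """Return the list of rejection reasons; an empty list means all field checks passed.
    Signature *verification* still has to be done with an XML-DSig library (not shown)."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        problems.append(f"unexpected issuer {issuer!r}")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        problems.append("audience does not match")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if not (nb <= now < noa):          # NotOnOrAfter is exclusive
            problems.append("outside validity window")
        if noa - nb > MAX_LIFETIME:
            problems.append("validity window longer than 5 minutes")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    try:
        uuid.UUID(name_id)                 # Name ID must be a GUID
    except (TypeError, ValueError):
        problems.append("NameID is not a GUID")
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    return problems

# Constructed sample assertion; the audience and NameID values are made up for illustration.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://login.bdreporting.com</saml:Issuer>
  <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://partner.example/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```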

Additional Parameters:

Please let us know if Black Diamond should include any of the following parameters in the SAML assertion:

  1. Relay State

  2. Account Number

  3. Black Diamond Portfolio ID

  4. Black Diamond Account ID

  5. Custom attributes required by your SAML solution

SSO from your software into Black Diamond

Required Elements:

  • A certificate issued by a trusted certificate authority.

  • Issuer URL: this is the identifier that tells Black Diamond who you are (i.e. the partner).

  • Ability to generate the SAML assertion.

  • Ability to post the signed SAML assertion to an endpoint provided to you by Black Diamond.

Workflow:

  1. Provide the public key of the certificate and your Issuer URL to Black Diamond.

  2. Assertion Consumer URL: post the SAML assertions to https://login.bdreporting.com/saml/acs

  3. Generate the SAML assertion with the following parameters at the very least:

    1. Issuer: Your unique identifier that you have provided us.  This should be a URL.  It represents you, the partner, to Black Diamond.

    2. Audience: This is the Black Diamond identifier that you must include in the SAML assertion.  This should be set as https://login.bdreporting.com.

    3. Name ID: This is the unique individual user identifier.  Please note that the identifier must be unique to the user across all firms that you support.

    4. NotBefore and NotOnOrAfter: these are the valid-from and valid-to times during which the assertion will be accepted.

    5. Signature: The assertion must be signed by you using the private key.  While you are not required to include the x509 certificate in the XML itself, the signature must be verifiable using the x509 public key you provided to Black Diamond in step 1.

  4. Once you post the SAML assertion, one of the following results is possible:

    1. The user is logged in to Black Diamond automatically;

    2. The user is prompted for their Black Diamond username and password: this means that the NameID is not yet federated with a Black Diamond user.  After entering the username and password successfully the first time, the user will be logged in automatically going forward, bypassing the challenge.

  5. SSO Management Field: Within the Black Diamond application you will notice a new SSO Management section at the bottom of the Firm User/Client User setup pages. This is where the NameID is stored and can be updated if needed.