/
How to Configure SAML Single Sign-On for Barracuda Cloud Control

How to Configure SAML Single Sign-On for Barracuda Cloud Control

You can configure Barracuda Cloud Control (BCC) to use SAML 2.0 Single Sign-On (SSO) so users authenticate with your existing Identity Provider (IdP), such as Microsoft Entra ID, Okta, or Duo. This means users sign in once through your IdP, and BCC trusts that authentication without requiring a separate password.

How it works: When a user accesses BCC, they’re redirected to your IdP to sign in (including any MFA or security policies you require). Your IdP then sends a signed SAML message to BCC confirming the user’s identity, and BCC signs them in automatically.

When you enable SAML for BCC, here is what happens:

  1. You create a SAML 2.0 application in your IdP for BCC.

  2. BCC provides service provider details (Entity ID and URLs) to paste into your IdP.

  3. Your IdP provides metadata (XML) that you upload into BCC.

  4. You specify which email domains should use SAML (for example, example.com, contoso.com).

At a glance

Set up SAML SSO for Barracuda Cloud Control in three main steps:

  • Step 1: Configure SAML in your Identity Provider
    Create a SAML 2.0 application in your IdP (Microsoft Entra ID, Okta, Duo), add the BCC Entity ID and URLs, configure identifiers and attributes, and download the IdP metadata XML.

  • Step 2: Configure SAML in Barracuda Cloud Control
    In BCC, add and verify your email domains with DNS TXT records, then upload the IdP metadata XML and save the configuration.

  • Step 3: Test SAML sign-in
    Test both IdP-initiated and SP-initiated sign-in in a separate browser or private window before assigning additional users and groups to the SAML app.

  • Troubleshooting
    If sign-in fails, use the troubleshooting steps to check SAML response details, certificate, domain verification, and user/email mapping.

Prerequisites

Before you configure SAML, verify the following:

Identity Provider (IdP)

  • You have a SAML 2.0–compatible IdP (Microsoft Entra ID, Okta, Duo, etc.)

  • You have permissions in your IdP to create and configure applications

  • You have administrator access to Barracuda Cloud Control

User attributes in your IdP

Ensure your IdP can send these attributes to BCC:

  • email – user’s email address (required)

  • displayname – user’s full name (recommended)

BCC service provider details

Before you begin, gather the following values from BCC:

  1. Log into BCC as an administrator

  2. Go to Settings > SAML

  3. Copy the following values (you’ll enter these into your IdP):

  • Entity ID

  • Assertion URL

  • SSO URL

  • Logout URL

Note that only an account administrator can configure SAML.

Step 1. Configure SAML in your Identity Provider (IdP)

The exact screens and labels vary by IdP, but the process is similar. Follow the instructions for your Identity Provider below:

  1. Create a SAML 2.0 application.

  2. Enter the service provider details from BCC into your IdP.

  3. Configure the identifiers and attributes in your IdP.

  4. Download the IdP metadata (XML).

See the following instructions for each IdP:

  1. Log into the Azure portal as an administrator and go to Microsoft Entra ID.

  2. Navigate to Enterprise apps > All apps. Select New application.

  3. Select Create your own application.

  4. Enter a name for the app.

  5. Select Integrate any other application you don’t find in the gallery (Non-gallery).

  6. Click Create.

  7. In the new app, go to Manage > Single sign-on and select SAML.

  8. Under Basic SAML Configuration, click Edit and enter the BCC service provider values you copied previously:

    • For Identifier (Entity ID), use the Entity ID from BCC.

    • For Reply URL (Assertion Consumer Service URL), use Assertion URL from BCC.

    • (Optional) For Sign on URL, use SSO URL from BCC.

    • (Optional) For Logout URL, use Logout URL from BCC.

  9. Under User Attributes & Claims, verify or configure the following:

    • emailaddress – maps to user.mail

    • name – maps to user.userprincipalname

  10. Select Save.

  11. In the SAML configuration page, find the App Federation Metadata URL or Download link.

  12. Click Download to get the federation metadata XML file. You will upload this file into BCC.

ConfigSAML.png

 

  1. Log into your Okta Admin Console.

  2. In the left navigation, go to Applications > Applications.

  3. Click Create App Integration.

  4. Under Sign-in method, select SAML 2.0.

  5. Under General Settings, enter a name for the app and logo (optional), then click Next.

  6. Under Configure SAML,

    1. Enter the BCC service provider values you copied previously:

      • For Single sign-on URL, use Assertion URL from BCC.

      • For Audience URI (SP Entity ID), use the Entity ID from BCC.

        configureOkta.png

    2. Set the following:

      • For Name ID format, select EmailAddress.

      • For Application username, select Email.

      • For Update application username on, select Create and update.

    3. For Attribute Statements (optional), add the following:

      • Name – displayname, Name format – URI reference, ValueString.join(" ", user.firstName, user.lastName)

      • Name – email, Name format – URI reference, Valueuser.email

        oktaAttrStatements.png

  7. Click Next, provide your feedback and select Finish.

  8. You will be redirected back to the app you just created. Under the Sign On tab, select Identity Provider metadata.

  9. Save the metadata as an XML file. You will upload this file into BCC.

  1. Log into the Duo Admin Panel.

  2. Navigate to Applications.

  3. Click Protect an Application.

  4. In the application list, search for Generic SAML Service Provider (or SAML Service Provider depending on your Duo edition).

  5. Under Downloads > SAML Metadata, click Download XML. You will upload this file into BCC.

  6. Under Service Provider, enter the BCC service provider values you copied previously:

    • For Entity ID, use the Entity ID from BCC.

    • For Assertion Consumer Service (ACS) URL, use Assertion URL from BCC.

  7. Under SAML Response, set the following:

    1. NameID formaturn:oasis:names:tc:SAML:1:1:nameid-format:emailAddress

    2. Map attributes

      • <Display Name>displayname

      • <Email Address>email

  8. Click Save.

duo_SAML.png
duoMapAttr.png

Step 2. Configure SAML in Barracuda Cloud Control

  1. Log into Barracuda Cloud Control as an administrator.

  2. Go to Settings > SAML.

  3. Under Identity provider domains, enter all the email domains whose users should sign in via SAML, separated by commas (for example, http://domain.com,http://contoso.com).

  4. For each domain, create a DNS TXT record shown on the page to verify ownership.

    bccSAML.png

  5. Wait for DNS to propagate, then confirm in BCC that the domain is verified.

Keep the DNS TXT record(s) in place after verification. Removing them can cause SAML authentication to fail if domain ownership is rechecked.

  1. On the SAML page, upload the Identity Provider XML file you downloaded from your IdP.

    bccuploadXML.png

  2. Review the parsed information (IdP endpoints, certificate, etc.) and click Save Configuration.

Keep your current BCC administrator session open and continue to the next step.

Step 3. Test SAML sign-in

Important: Always test SAML in a separate browser or private/incognito window while keeping your current admin session open. This prevents locking yourself out if something goes wrong.

Test IdP-initiated sign-in

  1. In a private/incognito browser window, sign in to your IdP’s user portal, such as:

    • Azure MyApps

    • Okta dashboard

    • Duo Central

  2. Use a test user account assigned to the BCC SAML application.

  3. Click the Barracuda or Barracuda Cloud Control tile.

  4. Verify that you are redirected to BCC and signed in successfully.

Test SP-initiated sign-in

  1. In the same private window, browse to the Barracuda Cloud Control login page.

  2. Enter the test user’s email address and continue.

  3. Confirm that you are redirected to your IdP for authentication and then back to BCC as a signed-in user.

Once both IdP-initiated and SP-initiated sign-in work as expected, you can assign additional users and groups to the SAML application in your IdP.

Troubleshooting

If users cannot sign in via SAML, check the following areas:

1. Service Provider Configuration

  • The Entity ID in your IdP exactly matches the Entity ID in BCC > Settings > SAML.

  • The Assertion (ACS) URL in your IdP exactly matches the Assertion URL in BCC.

  • Any configured Logout or Sign-on URLs are correct.

2. NameID and Attributes

  • The NameID format is set to EmailAddress.

  • The NameID value is the user’s email address.

  • Your IdP sends the email and displayname attributes.

3. Domain Configuration

  • The user’s email domain is listed under Identity Provider Domains in BCC.

  • The DNS TXT record for that domain exists and matches what BCC shows.

  • DNS changes have fully propagated (can take up to 48 hours).

4. User Assignment

  • The user is assigned to the BCC SAML application in your IdP.

  • The user’s email address in the IdP matches their BCC account email.

Next steps

If issues persist:

  1. If necessary, temporarily disable or clear the SAML configuration in BCC to restore normal username/password sign-in.

  2. Contact Barracuda Networks Technical Support with the following information:

    • The IdP in use (Azure AD, Okta, Duo, etc.)

    • Screenshots of your IdP’s SAML configuration for BCC

    • Any error messages or error IDs shown in BCC or your IdP logs

    • A HAR (HTTP Archive) file captured from a browser session that reproduces the SAML sign-in issue, if available

We value your feedback.
If you have questions, suggestions, or feedback on our documentation, contact the Campus Product Documentation team.
For general product inquiries or technical support, please contact the global Barracuda Support team.