Integrate BILL with Zero Trust Network Access

In this topic, you will find general instructions on how to integrate BILL with Portnox™ Zero Trust Network Access using the conditional access method.

Note: To enable SAML SSO in BILL, you must make a request to BILL support. This guide only shows the configuration of Portnox Cloud and the identity provider. The configuration on BILL side must be performed manually by BILL support specialists.

Modify your identity provider configuration to support BILL

BILL SAML integration requires your identity provider to send specific attributes/claims. We recommend that you check if your identity provider configuration already includes these attributes/claims. You must change your existing identity provider configuration or create a copy of the identity provider configuration especially for BILL.

  • If you use Entra ID, open your Zero Trust Network Access application configuration and do the following steps.
    1. Open the Attributes & Claims pane (Single Sign-on > Attributes & Claims > Edit).

    2. Check if you have the following claims. If not, follow the next step to add each missing claim.
      • user.mail mapped to: email
      • user.givenname mapped to: firstName
      • user.surname mapped to: lastName
    3. In the Name field, type the claim name (for example, email, firstName or lastName), and in the Source attribute field, select the relevant source attribute (user.mail, user.givenname, or user.surname). Then, click on the Save button. Repeat for other missing claims.
  • If you use Google Workspace, open your configuration and do the following steps.
    1. Open the SAML attribute mapping pane (Apps > Web and mobile apps > your Zero Trust Network Access application > Configure SAML attribute mapping.

    2. Check if you have the following attributes. If not, follow the next step to add each missing attribute.
      • Primary email mapped to: email
      • First name mapped to: firstName
      • Last name mapped to: lastName
    3. In the Google Directory attributes field, select the relevant source attribute (Primary email, First name, or Last name). In the App attributes field, type the attribute name (for example, email, firstName or lastName). Then, click on the Save button. Repeat for other missing attributes.

Create a Portnox Cloud application configuration

In this step, you will create a configuration in Portnox Cloud that will contain all the information necessary to integrate with BILL.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Zero Trust Resources option.

  3. On the Resources screen, click on the Create resource button.

    1. In the What type of resource is this? section, select the SSO web resource option.
    2. In the Authentication protocol section, select the SAML option.
    3. Click on the Next button.

  4. Optional: If you have more than one SAML identity provider configured, select the identity provider in the Select an identity provider to use for this resource section.
  5. In the Resource details section, enter a Resource name and optionally a Description.

    In this example, we used the name BILL for the new application configuration but you can use any name you like.

  6. Keep this browser tab open. You will need it later.

Exchange configuration values with BILL support

In this section, you will exchange configuration values with BILL support, for example, during a call or via email.

  1. In the SAML metadata section, click on the  ⧉  icon next to the text field to copy the value.

  2. Provide this value to BILL support.
  3. Ask BILL support for the audience URI.
  4. In the Resource properties section, click on the empty field under the Entity ID / Service Provider Entity URL heading and enter the value obtained from BILL support.

    This value should have the format: https://www.okta.com/saml2/service-provider/unique_identifier

  5. Ask BILL support for the assertion consumer service URL.
  6. In the Resource properties section, click on the empty field under the Assertion Consumer Service (ACS) URL / Reply URL heading and enter the value obtained from BILL support.

    This value should have the format: https://federatedbillcom.okta.com/sso/saml2/unique_identifier

  7. Finalize the configuration in the Portnox tab.
    1. Optional: In the Policy enforcement section, in the Device risk assessment section, change the setting to Override with custom policy and then select a risk assessment policy if you want to assess risk with this application using a custom risk assessment policy, and in the Access control section, change the setting to Override with custom policy and then select an access control policy if you want to control access to this application using a custom access control policy.
    2. Scroll all the way down to the end of the page, and then click on the Save and Close button.

Result: You have configured BILL to be accessible using Portnox Zero Trust Network Access.