ADFS configuration and technical details

<< Click to Display Table of Contents >>

Navigation:  Automation Service Management > Bizagi Customer Portal > Signing in to the Customer Portal >

ADFS configuration and technical details


To integrate your Customer Portal with your corporate ADFS carry out the configuration steps described in this section.

These steps are done only once, typically by an admin user of Customer Portal having access to your ADFS system.


Once you have carried out these steps users sign in to any cloud-based service directly via your ADFS, as described at Signing the Customer Portal.


Before you start

The Customer Portal and cloud-based services supports ADFS using the WS-Federation protocol. Other protocols are not supported.



Before you get started, make sure that your ADFS system complies with these requirements:

ADFS version 3.0 and 4.0 are supported.

The ADFS is accessible via a public URL.


What you need to do

Here are the steps for configuring Bizagi for sign-in using ADFS:

1.Create company users

2.Create relying party trust

3.Communicate with Bizagi for the next steps



Follow these steps to integrate the Customer Portal with your ADFS, after you've created the company users in the Customer Portal:


Create relying party trust

To set the trust relationship between cloud platform services (the relying party) and your ADFS, create a relying party trust.


Click Add a trusted relying party.




Click Start.


Select the Enter data about the relying party manually option to specify the data source.




Click Next.


Specify the display name and a meaningful description.




Click Next.


Choose the newest AD FS profile supporting SAML 2.0:




Click Next.


Configure the certificate for token encryption purposes as an additional security measure (optional).

You can skip this step and click Next.




Configure the URL by selecting the Enable support for the WS-Federation protocol.

Specify the following URL: https://accounts-[your_company]




Click Next.


Configure the identifiers using the same URL specified above.

This URL should appear under the identified/valid URLs.

If you need to input another URL with a different identifier, enter this URL and use the Add button.




Click Next.


Configure the Issuance Authorization rules by choosing the Permit all users to access this relying party option.




Click Next.


Review the configuration.

Browse the summary of the configuration you carried out for this relying party trust.

When you are sure that you do not need to make changes, click Next.




Create the Claim rules for this trust by selecting the Open the Edit claim rules dialog for this relying party trust when the wizard closes.

This way, upon trust creation you immediately create a claim rule and finish the configuration.




Click Close.


Create a claim rule using the Add Rule.. button.

Make sure you can send UPN, Email address and Name as information within the claim that is passed into the Customer Portal.


For instance, you can create a new claim rule by choosing the Send LDAP Attributes as Claims template:




Click Next.


Configure the rule by giving it a name, and explicitly including:

Attribute store: Attribute Directory.

Mapping of LDAP attributes to outgoing claim types, including:

oUser-Principal-Name mapped to the UPN

oEmail-Addresses mapped to the E-mail Address.

oCommon-Name mapped to the Name.


For the UPN claim type make sure that it contains both the username (a unique identifier for users) and the domain. This claim will need to specify this information in either of the following formats: domain\username, or as




Click Finish.

You should have a registered claim rule for your specific relying party configuration.

Once you have verified this is correct, click OK.


Communicate with Bizagi for the next steps.

Contact our support team and share certain information so that the integration is successful.