Sign in the MCW with ADFS


Overview

The Management Console Web is a web-based application provided by Bizagi for customers to manage settings of testing or production environments.

For enhanced security, it is strongly recommended that customers rely on the integrated authentication capabilities of the Management Console Web so that:

Authentication takes place at the customer’s Identity Manager service.

You can rely on role-based configuration at the customer’s Identity Manager service to allow access only to admin profiles.

 

This guide illustrates how to configure your Identity Manager service, using ADFS4 as the example, to integrate with the Bizagi Management Console Web.

 

What you need to do

The following steps are carried out to integrate the Management Console Web with ADFS4.

 

1. Register the Management Console Web as an application in ADFS4

2. Request that Bizagi enables integrated authentication

 

Before you start

Make sure you have an admin account in ADFS4 to perform the configuration.

Make sure Bizagi has also provided you with the complete URL of your environment’s Management Console Web.

Throughout this document, the URL of the Management Console Web will be referred to as [URL_MC].

 

Procedure

Follow these steps for each of the environments you have (testing, production).

 

1. Register the Management Console Web as an application in ADFS4

1.1. In your ADFS server, open the administration console.

 

1.2. Launch the creation of a relying party trust.

Right-click Relying party trust to display the options menu, and select New Window from Here:

 


 

1.3. In the new window, right-click Relying party trust and select Add Relying Party Trust to open the configuration wizard. In this wizard, you configure the authentication properties.

 


 

1.4. Select Claims aware and click Start.

 


 

1.5. Select Enter data about the relying party manually and click Next >.

 


 

1.6. Provide a meaningful name for the relying party. You can also add some optional notes for it.

Click Next >.

 


 

1.7. In the Configure Certificate step, leave the default values and click Next >.

 


 

1.8. Check Enable support for the WS-Federation Passive protocol and enter [URL_MC] as its URL.

Click Next >.

 


 

1.9. In the Configure Identifier step, leave the default values and click Next >.

 


 

1.10. In the Access Control policy, select Permit everyone.

Click Next >.

 


 

1.11. Finish the procedure by reviewing the summary of the configuration. Then click Next >.

 


 

1.12. Click Close to finish the configuration and close the wizard.

 


 

1.13. If you marked the Configure claims issuance policy for this application option in the previous wizard, the Edit Claim Issuance Policy window appears.

Otherwise, right-click the newly created relying party and select Edit Claim Issuance Policy....

 


 

1.14. Add the following claims or authentication properties. All rules use Send LDAP Attributes as Claims as the template.

 

Claim rule name   Attribute store    LDAP Attribute         Outgoing Claim
upn               Active Directory   User-Principal-Name    UPN
group             Active Directory   Token-Groups as SIDs   Group SID

 

To do so, click Add Rule.

 


 

Add the upn claim, which provides the user's principal name to identify them in the Management Console Web.

In the first step, select Send LDAP Attributes as Claims in the Claim rule template. Click Next >.

 


 

Add the rule properties using the values mentioned in the table above for the upn claim.

 


 

Click Finish. Then, repeat the procedure for the group claim.

 


 

When finished, the claim rules are listed in the Edit Claim Issuance Policy window.

 


 

At this point, you have configured the access of the Management Console so that it is integrated with ADFS.
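The same registration can be scripted with the AD FS PowerShell module, which is useful when the trust has to be created identically for each environment (testing, production) and then verified. The script below is an added example and is not Bizagi's or Microsoft's own code: it reproduces the wizard settings from steps 1.4 to 1.14 (claims-aware trust, WS-Federation passive endpoint and identifier set to [URL_MC], Permit everyone policy, and the upn and group claim rules). $McwUrl and the relying party name are placeholders; the two attribute queries are what the "Send LDAP Attributes as Claims" template generates for User-Principal-Name and Token-Groups as SIDs, and can be compared against the wizard's "View Rule Language..." output on your own server.

```powershell
# Added example (not Bizagi's or Microsoft's code). Run in an elevated
# PowerShell session on the AD FS (ADFS4 / Windows Server 2016) server.
Import-Module ADFS

$McwUrl = 'https://mcw.example.com/'                     # placeholder for [URL_MC]
$RpName = 'Bizagi Management Console Web (Production)'   # placeholder name, step 1.6

# Step 1.14 in AD FS claim rule language. Both rules follow the
# "Send LDAP Attributes as Claims" template: the first issues the UPN,
# the second issues the user's group SIDs.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "upn"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);
'@

# Steps 1.4 to 1.11: claims-aware trust, WS-Federation passive URL and
# identifier both set to [URL_MC], access control policy "Permit everyone".
Add-AdfsRelyingPartyTrust -Name $RpName `
    -Identifier $McwUrl `
    -WSFedEndpoint $McwUrl `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $TransformRules `
    -Notes 'Bizagi Management Console Web, integrated authentication'

# Check before moving on to step 2: the trust exists, points at [URL_MC],
# and carries both claim rules.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$rp | Select-Object Name, Identifier, WSFedEndpoint, AccessControlPolicyName
$rp.IssuanceTransformRules
```

Note that Permit everyone only controls who can obtain a token for the relying party; restricting the Management Console Web to administrators is done on the Bizagi side through the ClaimRoleValid value requested in step 2, which is why the group claim (Group SID) must be issued here.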

 

2. Request that integrated authentication is enabled

Request that Bizagi enables integrated authentication for the Management Console.

Make sure that, within that request, you provide the following inputs:

 

Configuration           Value
audienceUris            [URL_MC]
wsFederation - issuer   URL of the ADFS4 Identity Provider, with the structure https://[IdP_Domain]/adfs/ls/
wsFederation - realm    [URL_MC]
wsFederation - reply    Reply URL of the MCW, with the structure https://[IdP_Domain]/assertionConsumer
ClaimRoleValid          Value of the authorized user group in the Identity Provider.