Sign in the MCW with Azure AD


Overview

The Management Console Web is a web-based application provided by Bizagi for customers to manage settings of testing or production environments.

For enhanced security, it is strongly recommended that customers rely on the integrated authentication capabilities of the Management Console Web, so that:

Authentication takes place at the customer’s Identity Manager service.

You can rely on role-based configuration at the customer’s Identity Manager service to allow access only to admin profiles.

 

This guide illustrates how to configure your Identity Manager service with the Bizagi Management Console Web, using Azure AD as the example.

 

What do you need to do?

The following steps are carried out to integrate the Management Console Web with Azure AD using the WS-Federation protocol.

 

1. Configure user group

2. Register the Management Console Web as an application in Azure AD

3. Request to Bizagi that integrated authentication is enabled

 

Before you start

Make sure you have an admin account in Azure AD to perform configuration.

Make sure you have also been provided by Bizagi with the complete URL of your environment’s Management Console Web.

Throughout this document, the URL of the Management Console Web will be referred to as [URL_MC].

 

Procedure

Follow these steps for each of the environments you have (testing, production).

 

1. Configure user group

It is mandatory to have at least one user group to validate the users that have access to the Management Console Web.

1.1 Log in to the Azure portal with an administrator account.

Select Azure Active Directory and click Groups.

 

MCWAzureAD_00

 

1.2 Create or select the user group that has access to the Management Console Web. It is strongly recommended to set a group of type Security.

 

MCWAzureAD_08

 

1.3 Copy the Object Id property. Our support team requires this value to fill in the ClaimRoleValid parameter of the request.

 

MCWAzureAD_09

 

Repeat this procedure for each group you need to include.

 

2. Register the Management Console Web as an application in Azure AD

2.1 In the Azure Portal, select Azure Active Directory and click App registrations.

Select New registration.

 

MCWAzureAD_01

 

2.2 Enter the following information:

Name: Application name. You can choose any.

Supported account types: Select Accounts in this organizational directory only.

Redirect URI: Select Web and set [URL_MC] ending with /.

 

MCWAzureAD_02

 

Click Register.

 

2.3 Once the app has been created, set the Application ID URI in the newly created app.

Go to the Add an Application ID URI option of the newly added app.

 

MCWAzureAD_03

 

2.4 Click Set next to Application ID URI and configure the App ID URI to reference the Bizagi Management Console Web. This parameter holds the URIs defined by you which identify a web application in your Azure AD tenant.

Set [URL_MC].

 

MCWAzureAD_04

 

Click Save when you are ready.

 

2.5 Go to the Branding option and set the home page of the Management Console Web. In the Home Page URL field, enter [URL_MC] ending with /.

 

MCWAzureAD_05

 

Click Save when you are ready.

 

2.6 Go to the Authentication option and set the Logout URL as [URL_MC] ending with /.

 

MCWAzureAD_06

 

Click Save when done.

 

2.7 Go to the Manifest option and find the property groupMembershipClaims.

For security reasons, it is strongly recommended to set SecurityGroup. Nevertheless, if you want to enable other claim types, set All.

 

MCWAzureAD_07

 

Click Save when done.

 

Note

You can grant access to the Management Console Web to more than one user group by separating their identifiers with semicolons.

 

3. Request that integrated authentication is enabled

Request that Bizagi enables integrated authentication for the Management Console.

Make sure that, within that request, you provide the following inputs:

 

ClaimUsernameDisplay

In the Azure Portal, select Azure Active Directory and click App registrations.

Select the app created for the Management Console Web and click Endpoints.

 

MCWAzureAD_10

 

Copy the Federation metadata document endpoint using the Copy to clipboard option.

 

MCWAzureAD_11

 

Open the copied URL in a new tab/window in your browser.

Locate the claim that refers to the display name of the authenticated user and note its claim URI. In our example, the URI is http://schemas.microsoft.com/identity/claims/displayname.

 

MCWAzureAD_12

 

ClaimRoleDisplay

In the Federation metadata document, locate the claim that refers to the groups of the authenticated user and note its claim URI. In our example, the URI is http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.

 

MCWAzureAD_13

 

ClaimRoleValid

This value was obtained in Step 1 (the Object Id of the group). If you need to configure more than one group, the values must be semicolon separated.

 

audienceUris

In the Azure Portal, select Azure Active Directory and click App registrations.

Select the app created for the Management Console Web, go to the Manifest option and find the property identifierUris.

 

MCWAzureAD_14

 

issuerNameRegistry > thumbprint

In the Federation metadata document, locate the signing certificate of your Identity Provider. In our example, this is the value of the X509Certificate element.

 

MCWAzureAD_15

 

Copy its value and paste it in a new instance of the text editor of your choice. Make sure the whole value is copied.

 

MCWAzureAD_16

 

Save this file with any name and .crt extension.

 

MCWAzureAD_17

 

Close the text editor when finished.

 

Open the recently created file and go to the Details tab.

 

MCWAzureAD_18

 

Copy the Thumbprint parameter.

 

MCWAzureAD_19

 

federationConfiguration - issuer

In the Azure Portal, select Azure Active Directory and click App registrations.

Select the app created for the Management Console Web and click Endpoints. Copy the WS-Federation sign-on endpoint using the Copy to clipboard option.

 

MCWAzureAD_20
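As an added example (not Bizagi's code, nor part of this guide), the following Python script reads the values requested in step 3 directly out of the Federation metadata document instead of the manual copy-into-a-.crt route: the two claim URIs, the SHA-1 thumbprint of every signing certificate, and the WS-Federation sign-on endpoint. It runs against a constructed stand-in document with placeholder certificate bytes and tenant id; the function names are assumptions of this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}

# Constructed stand-in for the federation metadata document. The two "certificates"
# are placeholder bytes, not real X.509 data; the second is line-wrapped like the real file.
_CERT1 = base64.b64encode(b"abc").decode()
_CERT2 = base64.b64encode(b"The quick brown fox jumps over the lazy dog").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="{NS['fed']}" xmlns:auth="{NS['auth']}" xmlns:ds="{NS['ds']}" xmlns:wsa="{NS['wsa']}"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_CERT1}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_CERT2[:24]}
      {_CERT2[24:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/displayname"/>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/wsfed</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def cert_thumbprint(b64_cert: str) -> str:
    """SHA-1 of the DER bytes, upper-case hex: what Windows shows as Thumbprint."""
    der = base64.b64decode("".join(b64_cert.split()))  # drop whitespace/line wrapping
    return hashlib.sha1(der).hexdigest().upper()


def extract_wsfed_parameters(metadata_xml: str) -> dict:
    """Collect the values Bizagi support asks for in step 3 from the metadata."""
    root = ET.fromstring(metadata_xml)
    claims = [c.get("Uri") for c in root.iter(f"{{{NS['auth']}}}ClaimType")]
    thumbs = [cert_thumbprint(c.text or "") for c in root.iter(f"{{{NS['ds']}}}X509Certificate")]
    endpoint = root.find(".//fed:PassiveRequestorEndpoint", NS)
    address = endpoint.find(".//wsa:Address", NS) if endpoint is not None else None
    return {
        "ClaimUsernameDisplay": next((u for u in claims if u.endswith("/displayname")), None),
        "ClaimRoleDisplay": next((u for u in claims if u.endswith("/groups")), None),
        "thumbprints": thumbs,  # more than one means a signing-key rollover is in progress
        "issuer": address.text.strip() if address is not None else None,
    }
```

For a real tenant, fetch the document from the Federation metadata document endpoint copied in the ClaimUsernameDisplay step (over HTTPS) and pass its text to extract_wsfed_parameters. Azure AD rotates its token-signing certificates, so a thumbprint pinned in the request will need to be refreshed when the metadata changes.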