Parameters configuration


Overview

Bizagi supports integration with an Identity provider to provide Federated authentication and Single Sign-On capabilities.

For more information about this type of authentication in Bizagi and its prerequisites, refer to Federated authentication.

 

Once you have configured ADFS as your Identity provider, you may configure the authentication parameters in Bizagi.

 

SSO_overview_bizagi

 

 

Parameters configuration in Bizagi

Since Bizagi is the service provider in your Federated authentication setup, you need to make sure that the necessary authentication parameters are configured in your project.

When using federated authentication, you rely on the WS-Federation Passive Protocol (supported by Identity providers such as Active Directory Federation Services).

 

 

Using WS-Federation

When Bizagi is set to use WS-Federation, assertions rely on the WS-Federation Passive Protocol standard.

To configure the authentication parameters in Bizagi for this scenario, carry out the following steps:

 

1. Configure Federated authentication.

Do this by using the Bizagi Management Console, targeting the environment you want this configuration to apply to (e.g., the development, testing or production environment).

 

First open Bizagi Management Console and locate the Security module.

Click on the Authentication option found under the Security item, and select Federated authentication from the drop-down list in the panel to the right:

[Image: SSO_Federated_MC]

Notice that this authentication relies on the WS-Federation protocol.

Click Update.

You will get a confirmation message and notice that additional parameters appear under the Authentication item.

 

Note

If you applied this change to an environment other than development, make sure that the same changes are also applied in your development environment.

To do this, follow the same procedure mentioned above while using the Bizagi Management Console.

 

2. Configure further parameters.

Proceed to configure these additional parameters as described below, ensuring you click Update for each one that is modified.

Note that the parameter values are case-sensitive and therefore you will need to ensure you input these correctly.

[Image: SSO_Subconfig]

Federated authentication parameters, each with its description and its recommendations and mandatory fields:

Certificate validation mode
Description: Specify the certificate validation mode used when retrieving the certificate information. Possible values are: Peer trust, Chain trust, Peer or chain trust, and Custom.
Recommendations: This field is not mandatory. You may use None, as set by default.

Cookie Handler requires SSL
Description: Enable or disable this parameter to rely on SSL when handling cookies.
Recommendations: This field is not mandatory.

Federation Metadata Location
Description: Specify the URL of the federation metadata XML document, which must comply with WS-Federation 1.2. The URL has to use HTTPS (rather than HTTP), or reference the metadata file from a physical path.
Example: https://[your_ADFS_server].[your_domain].loc/FederationMetadata/2007-06/FederationMetadata.xml
Recommendations: This field is mandatory and fundamental. Ensure that the Bizagi server has access to the metadata file at the specified location.

Issuer URI
Description: Specify the URI that identifies the issuer of the security tokens involved (i.e., your identity provider). The URI must use HTTPS.
Example: https://[your_ADFS_server].[your_domain].loc/adfs/ls/
Recommendations: This field is mandatory and fundamental.

Passive redirect enabled
Description: Enable or disable this parameter to allow WS-Federation protocol redirects.
Recommendations: This field is not mandatory. It is recommended to leave it enabled; otherwise active redirects are implied.

Realm URI
Description: Specify the URI used as the wtrealm parameter, set as the entry point of the Bizagi Work portal (when redirected). The URI must use HTTPS.
Example for Bizagi PaaS projects: https://[project_environment]-[your_project]-[your_company].bizagi.com/
Recommendations: This field is mandatory and fundamental. Ensure that you use exactly the same URL (case-sensitive, with the same format and slash characters) as defined in the ADFS; if there are any differences, the trust relationship will not be established.

Trusted Issuers Name URI
Description: Specify the base URI where the trusted issuer's name is defined. The URI must use HTTPS.
Example: https://[your_ADFS_server].[your_domain].loc/adfs/services/trust
Recommendations: This field is mandatory and fundamental.

Trusted Issuers Thumbprint
Description: Specify the hexadecimal string containing the hash of the signing certificate as employed by/configured in the ADFS. Make sure this string is entered without any blank spaces or hidden special characters (it is recommended to type it manually rather than copying and pasting).
Example: 31d3bf3176783a25375f6632bf9d6034b04d2220
Recommendations: This field is mandatory and fundamental. Ensure that you do not copy/paste this content directly from your ADFS. Recall that you need to remove blank spaces and ensure that no hidden special characters are carried over.

WS-Federation requires HTTPS
Description: Enable or disable this parameter to enforce the use of HTTPS for WS-Federation.
Recommendations: This field is not mandatory; however, this setting should be left enabled.


Important

For any type of authentication, you will need to ensure that users are registered beforehand at the Bizagi Work portal (you are in charge of managing users).

For your Work Portal login at runtime, you will need to have imported/synchronized users from your user repository and into Bizagi (this task may be scheduled in Bizagi to connect to your AD by relying on a VPN).

For more information about this option, refer to Importing LDAP Users.

 

As alternatives to an AD/LDAP sync through a VPN, consider invoking Bizagi web services from your end (a "push"), or having Bizagi invoke a web service on your side to fetch users (a "pull").

 

Note

If you are not synchronizing users yet, you may verify that the authentication works as expected by simply creating one user manually in the Bizagi Work portal for validation purposes. To create such a user, consider:

1. You may need to temporarily switch back to using Bizagi authentication so that you can log in.

2. Ensure your created user is set with the exact domain\username combination matching your users in ADFS.

 

Checkpoint

Once you have set up both your ADFS Identity provider and Bizagi's Federated authentication parameters, make sure that there are no networking issues preventing access to the ADFS server and its metadata (e.g., https://[your_ADFS_server].[your_domain].loc/FederationMetadata/2007-06/FederationMetadata.xml should be reachable from where Bizagi is hosted).
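As an added offline sanity check for the parameter table above and for this checkpoint (example code, not part of Bizagi or this documentation), the script below assumes you have saved a copy of the ADFS FederationMetadata.xml locally: it normalizes the Trusted Issuers Thumbprint the way the table warns about (stripping blanks and hidden characters such as U+200E), compares it against the signing certificates published in the metadata, and flags mandatory URIs that do not use HTTPS. The metadata document and certificate bytes embedded in it are constructed placeholders.

```python
import base64
import hashlib
import re
import unicodedata
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTPS_PARAMETERS = ("Federation Metadata Location", "Issuer URI",
                    "Realm URI", "Trusted Issuers Name URI")

# Constructed sample: a dummy blob standing in for the DER bytes of the ADFS
# token-signing certificate, wrapped in a minimal metadata document.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-dummy-certificate-bytes"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"><RoleDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  {base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor></RoleDescriptor></EntityDescriptor>"""

def thumbprint_of(der: bytes) -> str:  # SHA-1 over the DER bytes, as ADFS shows it
    return hashlib.sha1(der).hexdigest()

def normalize_thumbprint(value: str) -> str:
    """Strip spaces and invisible format characters (e.g. U+200E) picked up by
    copy/paste, lower-case the hex, and reject anything that is not SHA-1 hex."""
    cleaned = "".join(ch for ch in value
                      if unicodedata.category(ch) not in ("Cf", "Zs", "Cc")).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"thumbprint is not 40 hex digits: {value!r}")
    return cleaned

def signing_thumbprints(metadata_xml: str) -> list[str]:
    """Thumbprints of the certificates the metadata publishes for signing."""
    root = ET.fromstring(metadata_xml)
    return [thumbprint_of(base64.b64decode(cert.text.strip()))
            for kd in root.iter(f"{{{MD}}}KeyDescriptor") if kd.get("use") == "signing"
            for cert in kd.iter(f"{{{DS}}}X509Certificate")]

def check_parameters(params: dict, metadata_xml: str) -> list[str]:
    """Return findings for the mandatory parameters; an empty list means OK."""
    findings = [f"{key} must use HTTPS" for key in HTTPS_PARAMETERS
                if not params.get(key, "").startswith("https://")]
    try:
        if normalize_thumbprint(params.get("Trusted Issuers Thumbprint", "")) \
                not in signing_thumbprints(metadata_xml):
            findings.append("Trusted Issuers Thumbprint matches no signing certificate in the metadata")
    except ValueError as exc:
        findings.append(str(exc))
    return findings
```

Replace SAMPLE_METADATA with the contents of your saved FederationMetadata.xml and the dictionary with the values entered in the Management Console; any finding returned points at a parameter to fix before testing the login.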

 

Note

Although a successful setup of the trust relationship between Bizagi and the ADFS requires connectivity between these two services, at runtime this requirement can also be met by having end-user devices connect to both services.

 

You may also use the following test page as a checkpoint:

https://[project_environment]-[your_project]-[your_company].bizagi.com/ClaimsTest.aspx

 

If this page loads the claims and shows a successful authentication status (as shown below), your configuration is OK.

[Image: SSO_ClaimsTest, the ClaimsTest.aspx page showing the loaded claims and a successful authentication status]

 

Note

If you need to troubleshoot your configuration in a development environment where you have Bizagi Studio, you may edit the following key in the web.config file of your Work portal (by default at C:\Bizagi\Projects\[your_project]\WebApplication\) in order to analyze error traces:

<add key="ShowDetailedAuthenticationMessage" value="true" />

Similarly, review the configuration set in the XML file located by default at C:\Bizagi\Projects\[your_project]\WebApplication\FederationAuth.config.