Navigation: » No topics above this level«
Identity and access management
The Work Portal is a web application which lets each of your users perform their corresponding tasks and configurations. And as such, before working in the application, each user must identify himself to the system so that only the expected people can perform such activities.
This concept of identifying a user to a system is known as Authentication. This section covers everything you need to know about Authentication and whatever you need to do to configure it according to your needs in Bizagi.
Simply put, authentication is the process of confirming the identity of a user against a system. In other words, it determines whether someone or something is in fact who or what it claims itself to be.
This concept has its own meaning and utility in technology, where it provides access control for systems by checking if the credentials provided by a user match those stored beforehand in the database of authorized users (which can be handled in a variety of ways, as it is described in this section). The following image illustrates how a user requests resources from the Work Portal but he needs to be authenticated in order to be granted access to such resources.
Authentication is commonly confused with Authorization, and even though the concepts are related, they are rather different. Authentication is in charge of letting in or denying the access of a user to a system, while Authorization is responsible of letting a user do only whatever he is supposed to. For example, if assistants are allowed to review some information but not edit it, the Authorization module of the application is the one that handles such functionality.
Authentication alternatives for the Bizagi Work Portal
There are plenty of ways of implementing the Authentication system of the Work Portal, they are described here from a general stand point but in this sub-hierarchy of the User's Guide you can find additional information on each one of them.
The diagram below depicts the authentication alternatives for a Bizagi application hosted on Automation Service, it shows the type of user experience they offer and whether the method is recommended.
This type of authentication delegates the responsibility of identifying and authenticating a user to a third-party configured server, as shown in the image below.
There are multiple types of Federated authentication, from those options Bizagi supports:
oSAML 2.0: With this type of authentication Bizagi delegates the authentication procedure to the third-party Identity Manager of your choice (Bizagi Supports integration with Azure AD, ADFS, NetIQ, Okta, PingFederate and SiteMinder) which will handle the information with secure messages through the SAML standard protocol. We encourage you to use this type of authentication since it is a widely adopted industry protocol that can be configured with multiple vendors. For more information about this method, refer to SAML authentication.
oOAuth: This type of authentication uses the OAuth and OpenID Connect protocols for your Bizagi project to delegate authentication to an identity provider such as another Bizagi project. The following image shows how you can setup this alternative using a VPN.
•LDAP Authentication: This type of authentication supports integration with an on-premises Microsoft AD and it relies on standard LDAP protocol (e.g, connecting via an LDAP URL with filters as supported by LDAP format). It offers a "Same Sign-On" user experience. For more information about this alternative, refer to LDAP authentication.
•Bizagi authentication: This type of authentication uses Bizagi’s local authentication mechanism, while allowing you to enforce your security policies for passwords and accounts. For more information about this alternative, refer to Bizagi authentication.
Authentication user experience alternatives
There are two notable user experiences when talking about authentication. Each one of them have different characteristics and are a consequence of the nature of the authentication alternative that has been configured.
Single sign-on is the concept of authenticating yourself once and get access to all of the the applications that share the same authentication method and third-party server.
Same sign-on refers to using the same user credentials in each of the log in screens of the applications a user needs have access to.
Please bear in mind the following:
1.It is the customer's responsibility to manage end user accounts and their access to Bizagi’s Work portal.
The customer is also responsible for enforcing adequate security policies for these accounts and their passwords.
2.With any type of authentication, the default domain\admon system user should be kept enabled, though this user should not be assigned to a specific end user, and it should not be granted rights to use Work portal menus and options.
Instead, we recommend that you define a user explicitly assigned as your business administrator, with privileges to use admin menu options (i.e modify parameter entity values, manage your users, licenses, cases, etc).
3.When integrating an Identity Manager, and regardless of the chosen one, you need to synchronize the accounts that are authorized to access Bizagi's Work portal.
Synchronizing means inserting or updating the account's primary identifier only (domain plus username typically, and the e-mail) in Bizagi.
Remember that passwords are not stored in Bizagi when you integrate an Identity Manager with it.
You should synchronize users periodically, using one of these approaches:
1. Have a Bizagi process which expects an Excel file to be uploaded.
You will need to define the process and generate the Excel file from the user information your Identity Provider manages.
2. Have a SOAP web services client at your premises which invokes the Bizagi SOAP API to push user information.
3. Have secure web services that support your Identity Provider so Bizagi can invoke these web services from a process to pull user information.
For this option you need to define the Bizagi process
4. Have Bizagi connect to your Active Directory through an out-of-the-box feature which is set to run on a daily basis.
Remember you need to use a VPN so Automation Service can access your on-premises system which does not offer a public endpoint such as an Active Directory.
For testing purposes, you can simply import some users, or register them manually through Bizagi Work portal admin options.
You can find further information about this in the following articles: