Identity managers


Overview

Bizagi PaaS supports integration with Identity Management services by means of industry standards, such as the OAuth 2.0 and OpenID Connect protocols.

Identity managers in Bizagi PaaS provide secure sign-in capabilities and compliance with your security and authentication policies.

 

Authentication possibilities

Bizagi PaaS supports the following authentication systems/types:

 

Azure Active Directory (Azure AD): This type offers a Single Sign-on experience, relying on the OAuth 2.0 and OpenID Connect protocols.

For more information about this alternative, refer to Azure Active Directory Authentication.

 

Federated authentication: This type offers a Single Sign-on experience by connecting to Microsoft ADFS 3.0 over the WS-Federation protocol.

For more information about this alternative, refer to Federated authentication.

 

LDAP: This type connects to an on-premises LDAP system and requires VPN setup.

This alternative does not offer a Single Sign-on experience.

For more information about this alternative, refer to LDAP authentication.

 

Bizagi: This type uses Bizagi’s local authentication mechanism, while allowing you to enforce your security policies for passwords and accounts.

For more information about this alternative, refer to Bizagi authentication.

 

OAuth: This type offers a Single Sign-on experience, relying on the OAuth 2.0 and OpenID Connect protocols so that your Bizagi project can delegate authentication to an identity provider other than Azure AD, such as another Bizagi project.

For more information about this alternative, refer to OAuth authentication.
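With OAuth 2.0 and OpenID Connect, the identity provider proves who signed in by returning a signed ID token, and the relying project must verify that token before trusting it. The following is an added example (not Bizagi code) of the checks a relying party performs: signature with a pinned algorithm, issuer, audience, expiry, issuance time and nonce. To keep it self-contained it signs with an HS256 shared secret; a real provider such as Azure AD signs with RS256 and publishes its public keys at a JWKS endpoint, so the signature step would use those keys instead. The issuer URL, client id and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; a real deployment takes these from the
# identity provider's metadata and the application registration.
SHARED_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.invalid/tenant-id"  # assumed issuer URL
EXPECTED_AUDIENCE = "bizagi-project-client-id"            # assumed client id


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, secret=SHARED_SECRET):
    """Build an HS256-signed JWT; stands in for the identity provider's signer."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    signing_input = ".".join(segments)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_id_token(token, now, expected_nonce=None, secret=SHARED_SECRET, leeway=60):
    """Return (True, claims) if the token is acceptable, otherwise (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # Pin the algorithm rather than trusting the header, so "none" or a
    # downgraded algorithm is rejected before any signature check.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Only after the signature is verified are the claims worth reading.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    audience = claims.get("aud")
    if isinstance(audience, str):
        audience = [audience]
    if not audience or EXPECTED_AUDIENCE not in audience:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        return False, "token expired"
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + leeway:
        return False, "token issued in the future"
    # The nonce ties the token to the login request that started this flow.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, claims


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                           "sub": "user-123", "iat": now - 10, "exp": now + 3600,
                           "nonce": "n-1"})
    print(validate_id_token(token, now, expected_nonce="n-1"))
```

The order of the checks matters: nothing in the payload is read until the signature has been verified with a pinned algorithm, and the audience check is what stops a token issued for some other application at the same provider from being accepted by this one.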

 

Technical details and specs

Consider the standards and protocols supported by the different authentication types.

The table below covers the most common types, which integrate with your existing systems and are the recommended options in Bizagi PaaS (listed in order of recommendation, from top to bottom).

 

AUTHENTICATION TYPE: Azure AD

Characteristics and support:

- Azure AD service supported (from a subscription provided by the customer).
- Does not require VPN setup.
- Supports a Single Sign-On experience for active browser sessions (not at a network level).
- It is important to note that using Azure AD demands management on your side of the OAuth credentials (application keys) authorized to allow integration with Bizagi. This means that you need to generate keys that are valid to date, and watch their expiration and renewal.

Technical specs (protocols and standards):

- Relies on the OAuth 2.0 protocol and its OpenID Connect extension.

AUTHENTICATION TYPE: Federated

Characteristics and support:

- Microsoft ADFS 3.0 supported.
- Does not require VPN setup.
- Supports a Single Sign-On experience for active browser sessions (not at a network level).
- It is important to note that using ADFS demands management on your side of the certificates used to sign assertions. This means that you need to use certificates that are valid to date, and watch their expiration and renewal (most often these expire on a yearly basis).

Technical specs (protocols and standards):

- Relies on the WS-Federation protocol (involves WS-Trust).
- This protocol uses assertions based on the SAML token specification, version 1.1, though these are not entirely SAML-compliant.

AUTHENTICATION TYPE: LDAP

Characteristics and support:

- Microsoft AD supported.
- Requires VPN setup, given that such an LDAP system is usually installed on-premises.
- Supports a "Same Sign-On" concept, but does not support a Single Sign-On experience.

Technical specs (protocols and standards):

- Relies on the standard LDAP protocol (e.g., connecting via an LDAP URL with filters, as supported by the LDAP URL format).
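The LDAP row above mentions connecting through an LDAP URL that carries a search filter. As an added example (not Bizagi code), the block below parses such a URL into its RFC 4516 components and builds an account-lookup filter with RFC 4515 escaping, so that a login name supplied at sign-in time cannot change the structure of the filter. The host names, base DNs and the `sAMAccountName`/`objectClass` attribute names are assumptions typical of a Microsoft AD directory, not values from this page.

```python
from urllib.parse import urlsplit, unquote

# Default ports and the scope keywords defined by RFC 4516 (the LDAP URL format).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = {"base", "one", "sub"}

# RFC 4515 escaping for values placed inside a search filter: each special
# character becomes a backslash followed by its two-digit hex code.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/base_dn?attributes?scope?filter into a dict."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URL: %s" % url)
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    # Everything after the first '?' is a '?'-separated list of up to four
    # fields: attributes, scope, filter, extensions (each may be empty).
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 4:
        raise ValueError("too many '?'-separated fields")
    fields += [""] * (4 - len(fields))
    attrs_field, scope_field, filter_field, _extensions = (unquote(f) for f in fields)
    scope = scope_field or "base"          # RFC 4516 default scope
    if scope not in VALID_SCOPES:
        raise ValueError("invalid scope: %s" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs_field.split(",") if a],
        "scope": scope,
        "filter": filter_field or "(objectClass=*)",   # RFC 4516 default filter
    }


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username):
    """Filter that looks up one account by login name (attribute names assumed)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


if __name__ == "__main__":
    # Constructed URL for a hypothetical on-premises directory reached over VPN.
    url = "ldaps://dc01.corp.example:636/dc=corp,dc=example??sub?(sAMAccountName=jdoe)"
    print(parse_ldap_url(url))
    print(build_user_filter("jdoe*)(cn=*"))
```

The escaping step is the part that matters for security: a login name such as `jdoe*)(cn=*` is turned into a literal match rather than a filter that widens the search, which is the property a directory-backed login must hold whether or not Single Sign-On is in use.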

 

Important

Please bear in mind the following:

1. It is the customer's responsibility to manage end user accounts and their access to Bizagi's Work portal, and to ensure that adequate security policies are enforced for these accounts and their passwords.

2. Regardless of the chosen Identity manager, customers need to synchronize the authorized accounts for the Bizagi Work portal (even though, for integrated authentication, passwords are not stored in Bizagi when doing so).

When synchronizing users with Bizagi PaaS, users are uniquely defined by their domain and username combination.