Authentication with Azure AD

<< Click to Display Table of Contents >>

Navigation:  Bizagi Studio > Security definition > Work Portal Security > Authentication > SAML authentication >

Authentication with Azure AD

Overview

Bizagi supports integration with Identity and Access Management systems (i.e, Identity Managers or Identity Providers) which are SAML 2.0 compliant, such as Azure AD.

This section is a step-by-step guide about the configuration needed, both in Azure AD and in Bizagi, to have integrated authentication in Bizagi through Azure AD.

 

SAML_Azure_OV

 

For SAML 2.0 both your Identity Provider and your Bizagi project must be set up to support HTTPS.

For introductory information about SAML 2.0, refer to Authentication via SAML.

 

Prerequisites

To configure Azure AD, as with any Identity Provider supporting SAML 2.0, you need:

 

1. To have previously generated and imported your own certificates.

The integration uses the certificates to sign assertions.

This step is not bound to Bizagi nor restricted by any special requirement of Bizagi (you normally do it yourself).

If you need some guidance or an example on this step, refer to Generating and installing certificates.

 

To proceed with these guided steps, you need to have imported certificates into your Identity Provider. For this exercise, you need:

The certificate information (.p12 file).

The password for the .p12 file, as defined by you when you exported the public and private keys.

 

If you will be encrypting assertions as well, you also need this information for another certificate.

 

note_pin

You will need to be in charge of managing your installed certificates (keep track of its expiration date and other relevant maintenance aspects such as changes in your Identity Provider's endpoints).

 

2. To have already imported and synchronized your users into Bizagi

When integrating any Identity Manager, you need to synchronize authorized accounts so they can access Bizagi's Work portal.

Synchronizing means importing or updating the account's primary identifiers only (domain plus username typically, and the e-mail address).

Bizagi does not store passwords when integrating an Identity Manager.

 

Once you have verified in the Work Portal that there has been at least an initial import of your users into Bizagi, you may proceed:

 

125Users13

 

note_pin

In Bizagi, unique identifiers for users are either e-mail or the combination of domain and username.

The examples of SAML-based authentication provided below use e-mail as the unique identifier for users.

 

What you need to do

Perform the following steps both for Bizagi and for Azure AD:

 

1. Configure Bizagi as Service Provider in Azure AD.

2. Configure in Bizagi, the settings that make reference to the specification of your SAML setup.

 

Procedure

 

1. Configure Bizagi as Service Provider in Azure AD

Do this in the admin options provided by Azure AD.

 

1.1 Log in to your Azure services with a user account with admin rights.

Access your Azure subscription with the Azure AD service.

You will need to sign in to Azure's portal at https://portal.azure.com.

 

AzureAD_portal01

 

1.2. Go into your Active Directory.

Click the Active Directory option at the left panel and select App registrations. Click New application registration.

 

Azure_auth1

 

1.3. Input the app's basic details

Provide your appĀ“s name, and select Web App / API for its type.

For its Sign-on URL input the base URL where your end users access the Bizagi Work portal.

 

Consider:

For Automation Service (cloud projects), this URL is:

https://[project_environment]-[your_project]-[your_company].bizagi.com

Replace [your_company] and [your_project] with your subscription's values accordingly.

Similarly, replace [project_environment] with test for a testing environment, or with nothing at all for a production environment.

 

For <%ONPREMISES%> Bizagi projects, the URL is:

https://[your_server]/[your_project]

Replace [your_server] and [your_project] depending on how you set up your environment.

 

Azure_auth2

 

Click Create when you are ready.

 

1.4. Go into the details of your app.

Once the app is added, click it to go into its details and enter its settings.

 

Azure_auth3

 

1.5. Click Properties.

 

AzureAD_4

 

1.6. Configure the App ID URI to reference the Bizagi Work portal.

For Automation Service, the URL uses this format:

https://[environment]-[project]-[company].bizagi.com/

For on-premises projects, the URL uses this format:

https://[server]/[project]

 

AzureAD_5

 

Leave the other fields blank or accept defaults.

 

1.7. Click on Reply URLs and edit the appearing default URL so that it references the Bizagi Work portal with the /saml2/assertionConsumer suffix.

For Automation Service, such URL uses this format:

https://[environment]-[project]-[company].bizagi.com/saml2/assertionConsumer

For on-premises projects, such URL uses this format:

https://[server]/[project]/saml2/assertionConsumer

 

AzureAD_6

 

Click Save when done.

 

1.8. Look up your endpoints

Go back to App registrations and look up the Endpoints to find the URL of the metadata location that you will need later on for configuration in Bizagi.

 

AzureAD_7

 

 

note_pin

Adequate authorization settings are usually set OK by default, which means you should not need to configure this setting.

By default new applications and their keys have the Sign in and read user profile, which is what Bizagi requires.

This setting does NOT require Admin:

 

Azure_auth10

 

At this point, configuration directly in Azure AD is set. Now go to Bizagi to complete the procedure.

 

2. Configure in Bizagi the settings that make reference to the specification of your SAML setup.

Use the Bizagi Management Console targeting the environment you want this configuration to apply to (e.g, your development, testing, staging, production environment).

Alternatively and only for the development environment, you may use Bizagi Studio.

 

2.1. In the Bizagi Management Console, open your Bizagi project.

 

UsingStudio01

 

2.2. Locate the Security module and click the Authentication option found under the Security item.

Select Federated authentication from the drop-down list in the panel to the right, and select SAML v2.0 from the drop-down at the lower right:

 

SAML_Bizagiparams1

 

Click Update.

You will get a confirmation message. Additional parameters appear under the Authentication item.

 

note_pin

If you applied this change into an environment other than development, make sure to apply the same changes in your development environment.

To do this, follow the same procedure outlined above in the Bizagi Management Console.

 

2.3. Proceed to configure the additional parameters as described below, ensuring you click Update for each one that you modify.

The parameter values are case-sensitive. Make sure you input them correctly.

 

Fill in or configure these settings:

Enable assertion encryption: Check this checkbox to turn on encryption (set to On). Make sure you configure Encryption certificate and Encryption certificate password.

Enable authentication logging in database: Check this checkbox (set to On) to direct the web application to log every authentication event, according to your auditing requirements and expectations. You can view the log in the Work portal.

Encryption certificate: Use the Browse button to locate and upload the digital certificate (in P12 format, containing the public and private key) that will be used to encrypt the assertions generated by Bizagi.

Encryption certificate password: Provide the password of the digital certificate used for the encryption of assertions.

This password should match the one you defined when you exported certificate information in P12 format.

Force authentication: Check this checkbox (set to On) to disable SSO capabilities so that every time users attempt to log in to Bizagi, they have to provide their credentials. Using this option depends on your authentication requirements and expectations.

Identity Provider Metadata File Path: Provide the path where the Azure AD metadata file is located. This location is typically an URL. Such URL in Azure AD is usually found at:

https://login.microsoftonline.com/[tenant]/federationmetadata/2007-06/federationmetadata.xml. You need to provide the id of your tenant/subscription (as copied into your clipboard in the first steps of configuring Azure AD).

Idle sessions time-out: Define the minutes of inactivity after which a session expires, according to your authentication requirements and expectations (e.g, 5 minutes).

Organization name: Provide the name of your organization. This is included within the request messages sent by Bizagi.

Organization URL: Provide the URL of the website of your organization.This is included within the request messages sent by Bizagi.

SAML Protocol Binding for SLO: We recommend selecting POST so that there is support for longer messages.

SAML Protocol Binding for SSO: We recommend selecting POST so that there is support for longer messages.

Service provider URL: Provide the full URL for the Bizagi Work portal.

For Automation Service, such URL uses this format:

https://[environment]-[project]-[company].bizagi.com/

For on-premises projects, the URL uses this format:

https://[server]/[project]

The above URL is case-sensitive. Do not enter anything for [environment]- to reference the production environment.

Signature certificate password: Provide the password of the digital certificate used for the signing of assertions.

This password should match the one you defined when exporting certificate information in P12 format.

Signing algorithm: Select either SHA1 or SHA256.

Signing certificate: Use the Browse button to locate and upload the digital certificate (in P12 format), containing the public and private key that will be used to sign the assertions generated by Bizagi.

Technical email contact address: Provide an e-mail address for contact with your corporation regarding technical issues.

 

SAML_Bizagiparams2

 

When you are done, review that the system has applied your changes.

 

note_pin

Authentication changes may not be reflected immediately. You may need to reset the Bizagi services.

 

2.4. Perform a reset on your Bizagi services.

For on-premises projects, this means executing an IISReset.

Any change in the authentication type, or any of its settings, are not reflected immediately unless you explicitly refresh the cache of the application server.

 

At this point you have configured your Azure AD to rely on SAML 2.0 for an integrated authentication with Bizagi!