Authentication with Azure AD

<< Click to Display Table of Contents >>

Navigation:  Bizagi Studio > Security definition > Work Portal Security > Authentication > SAML authentication >

Authentication with Azure AD


Bizagi supports integration with Identity and Access Management systems (i.e, Identity Managers or Identity Providers) which are SAML 2.0 compliant, such as Azure AD.

This section is a step-by-step guide about the configuration needed, both in Azure AD and in Bizagi, to have integrated authentication in Bizagi through Azure AD.




For SAML 2.0 both your Identity Provider and your Bizagi project must be set up to support HTTPS.

For introductory information about SAML 2.0, refer to Authentication via SAML.




If you plan on using an authentication method different than Bizagi and you are performing a deployment to an environment with no user information on it (normally this would only be the case for a project's first deployment), follow these steps so that you can correctly configure your users and authentication without getting locked out of the Work Portal:

1.Perform the deployment with the authentication method set to Bizagi. This lets you access the Work Portal as the Admon user without providing any credentials.

2.Once in the Work Portal you can manually enter your users, or alternatively you can rely on the method of your choice to synchronize your users' information into the WFUser table (SOAP, Excel file, LDAP Synchronization, or performing a Data Synchronization procedure).

3.Perform an IISRESET so that the Admon user can no longer access the Work Portal.

4.After having your users registered in the Work Portal, use the Management Console to set the authentication method to your preferred one.


If you plan on using LDAP authentication with periodic users synchronization, you may ignore the previous steps since you will only need to wait until the next synchronization happens for your users to be able to log into the Work Portal.




To configure Azure AD, as with any Identity Provider supporting SAML 2.0, you need:


1. To have previously generated and imported your own certificates.

The integration uses the certificates to sign assertions.

This step is not bound to Bizagi nor restricted by any special requirement of Bizagi (you normally do it yourself).

If you need some guidance or an example on this step, refer to Generating and installing certificates.


To proceed with these guided steps, you need to have imported certificates into your Identity Provider. For this exercise, you need:

The certificate information (.p12 file).

The password for the .p12 file, as defined by you when you exported the public and private keys.


Azure AD particularly does not demand that the P12 certificates match configuration on Azure's side.


If you will be encrypting assertions as well, you also need this information for another certificate.



You will need to be in charge of managing your installed certificates (keep track of its expiration date and other relevant maintenance aspects such as changes in your Identity Provider's endpoints).


2. To have already imported and synchronized your users into Bizagi

When integrating any Identity Manager, you need to synchronize authorized accounts so they can access Bizagi's Work portal.

Synchronizing means importing or updating the account's primary identifiers only (domain plus username typically, and the email address).

Bizagi does not store passwords when integrating an Identity Manager.


Once you have verified in the Work Portal that there has been at least an initial import of your users into Bizagi, you may proceed:





In Bizagi, unique identifiers for users are either email or the combination of domain and username.

The examples of SAML-based authentication provided below use email as the unique identifier for users.


What you need to do

Perform the following steps both for Bizagi and for Azure AD:


1. Configure Bizagi as Service Provider in Azure AD.

2. Configure in Bizagi, the settings that make reference to the specification of your SAML setup.




1. Configure Bizagi as Service Provider in Azure AD

Do this in the admin options provided by Azure AD.


1.1 Log in to your Azure services with a user account with admin rights.

Access your Azure subscription with the Azure AD service.

You will need to sign in to Azure's portal at




1.2. Go into your Active Directory.

Click the Active Directory option at the left panel and select App registrations. Click New application registration.




1.3. Input the app's basic details

Provide your appĀ“s name, and select Web App / API for its type.

For its Sign-on URL input the base URL where your end users access the Bizagi Work portal.



For Automation Service (cloud projects), this URL is:


Replace [your_company], [your_project] and [project-name] with your subscription's values accordingly.

Similarly, replace [project_environment] with test for a Testing environment, or with nothing at all for a Production environment.


For <%ONPREMISES%> Bizagi projects, the URL is:


Replace [your_server] and [your_project] depending on how you set up your environment.




Click Create when you are ready.


1.4. Go into the details of your app.

Once the app is added, click it to go into its details and enter its settings.




1.5. Click Properties.




1.6. Configure the App ID URI to reference the Bizagi Work portal.

For Automation Service, the URL uses this format:


For on-premises projects, the URL uses this format:





Leave the other fields blank or accept defaults.


1.7. Scroll down to locate the Logout URL and input the Bizagi Work portal URL while adding the /saml2/logout suffix.




1.8. Click on Reply URLs and edit the appearing default URL so that it references the Bizagi Work portal with the /saml2/assertionConsumer suffix.

For Automation Service, such URL uses this format:


Consider alternatively, if you cloud project uses this format instead:



For on-premises projects, such URL uses this format:





Click Save when done.


1.9. Look up your endpoints

Go back to App registrations and look up the Endpoints to find the URL of the metadata location that you will need later on for configuration in Bizagi.






Adequate authorization settings are usually set OK by default, which means you should not need to configure this setting.

By default new applications and their keys have the Sign in and read user profile, which is what Bizagi requires.

This setting does NOT require Admin:




At this point, configuration directly in Azure AD is set. Now go to Bizagi to complete the procedure.


2. Configure in Bizagi the settings that make reference to the specification of your SAML setup.

Use the Bizagi Management Console targeting the environment you want this configuration to apply to (e.g, your development, testing, staging, Production environment).

Alternatively and only for the Development environment, you may use Bizagi Studio.


2.1. In the Bizagi Management Console, open your Bizagi project.




2.2. Locate the Security module and click the Authentication option found under the Security item.

Select Federated authentication from the drop-down list in the panel to the right, and select SAML v2.0 from the drop-down at the lower right:




Click Update.

You will get a confirmation message. Additional parameters appear under the Authentication item.



If you applied this change into an environment other than development, make sure to apply the same changes in your Development environment.

To do this, follow the same procedure outlined above in the Bizagi Management Console.


2.3. Proceed to configure the additional parameters as described below, ensuring you click Update for each one that you modify.

The parameter values are case-sensitive. Make sure you input them correctly.


Fill in or configure these settings:

Cookie type: Define the type of cookie Bizagi uses Persistent o Session cookies. The idle session time-out defines the expiration time for cookies.

Enable assertion encryption: Unselect this checkbox to turn off encryption (set to Off ).

At the moment Azure is not supporting encrypted assertions.

Enable authentication logging in database: Check this checkbox (set to On) to direct the web application to log every authentication event, according to your auditing requirements and expectations. You can view the log in the Work portal.

Encryption certificate: Use the Browse button to locate and upload the digital certificate (in P12 format, containing the public and private key) that will be used to encrypt the assertions generated by Bizagi.

Encryption certificate password: Provide the password of the digital certificate used for the encryption of assertions.

This password should match the one you defined when you exported certificate information in P12 format.

Force authentication: Check this checkbox (set to On) to disable SSO capabilities so that every time users attempt to log in to Bizagi, they have to provide their credentials. Using this option depends on your authentication requirements and expectations.

Identity Provider Metadata File Path: Provide the path where the Azure AD metadata file is located. This location is typically an URL. Such URL in Azure AD is usually found at:[tenant]/federationmetadata/2007-06/federationmetadata.xml. You need to provide the id of your tenant/subscription (as copied into your clipboard in the first steps of configuring Azure AD).

Idle sessions time-out: Define the minutes of inactivity after which a session expires, according to your authentication requirements and expectations (e.g, 5 minutes).

Organization name: Provide the name of your organization. This is included within the request messages sent by Bizagi.

Organization URL: Provide the URL of the website of your organization.This is included within the request messages sent by Bizagi.

Redirect to a logoff page after loggoff process: Check this checkbox if you wish to redirect users to a static logout page when they logout.

SAML Protocol Binding for SLO: We recommend selecting REDIRECT as supported specifically by Azure.

SAML Protocol Binding for SSO: We recommend selecting POST so that there is support for longer messages.

Service provider URL: Provide the full URL for the Bizagi Work portal.

For Automation Service, such URL uses this format:


For on-premises projects, the URL uses this format:


The above URL is case-sensitive. Do not enter anything for [environment]- to reference the Production environment.

Show detailed authentication error messages: Check this box if you want authentication errors to be shown in a detailed way when they occur.

Signature certificate password: Provide the password of the digital certificate used for the signing of assertions.

This password should match the one you defined when exporting certificate information in P12 format.

Signing algorithm: Select either SHA1 or SHA256.

Signing certificate: Use the Browse button to locate and upload the digital certificate (in P12 format), containing the public and private key that will be used to sign the assertions generated by Bizagi.

Technical email contact address: Provide an email address for contact with your corporation regarding technical issues.




When you are done, review that the system has applied your changes.



Authentication changes may not be reflected immediately. You may need to reset the Bizagi services.


2.4. Perform a reset on your Bizagi services.

For on-premises projects, this means executing an IISReset.

Any change in the authentication type, or any of its settings, are not reflected immediately unless you explicitly refresh the cache of the application server.


At this point you have configured your Azure AD to rely on SAML 2.0 for an integrated authentication with Bizagi!