Configure the authentication parameters in Bizagi

Overview

Bizagi supports integration with an Identity provider to provide Federated authentication and Single Sign-On capabilities.

For more information about this type of authentication in Bizagi and its prerequisites, refer to Federated authentication.

Once you have configured your Identity provider, you may configure the authentication parameters in Bizagi.

Parameters configuration in Bizagi

Because Bizagi acts as the service provider in your Federated authentication setup, you need to configure the necessary authentication parameters in your project.

When using federated authentication, you may rely on either the WS-Federation Passive Protocol (supported by Identity providers such as Active Directory Federation Services v2.0) or the SAML 2.0 standard (supported by Identity providers such as Ping Identity).

Using WS-Federation

When Bizagi is set to use WS-Federation, assertions rely on the WS-Federation Passive Protocol standard.

To configure the authentication parameters in Bizagi for this scenario, carry out the following steps:

Note: Before you move on, make sure you have already set up your Identity provider to work with Bizagi as presented in the ADFS configuration example.

1. Configure Federated authentication.

To do this in Bizagi Studio, go into the Expert View and locate the Security module.

Click on the Authentication option found under the Security item, and select Federated authentication from the drop-down list in the panel to the right:

[Screenshot: SSO_Federated]

Notice that this authentication relies on the WS-Federation protocol.

Click Update.

You will get a confirmation message and notice that additional parameters appear under the Authentication item.

2. Configure further parameters.

Proceed to configure these additional parameters as described below, ensuring you click Update for each one that is modified.

Note that the parameter values are case-sensitive, so make sure you enter them correctly.

| Federated authentication parameter | Description | Mandatory? |
|---|---|---|
| Certificate validation mode | Specify the certificate validation mode when retrieving the certificate information. Possible values are: Peer trust, chain trust, Peer or chain trust, and Custom. | No (use none by default). |
| Cookie Handler requires SSL | Enable or disable this parameter to rely on SSL when handling cookies. | No. |
| Federation Metadata Location | Specify the URL of the federation metadata XML document that complies with WS-Federation 1.2. The URL must use the HTTPS protocol. Example: https://[your_ADFS_server].[your_domain].loc/FederationMetadata/2007-06/FederationMetadata.xml | Yes. |
| Issuer URI | Specify the URI that identifies the issuer of the security tokens involved (i.e. your identity provider). The URI must use the HTTPS protocol. Example: https://[your_ADFS_server].[your_domain].loc/adfs/ls/ | Yes. |
| Passive redirect enabled | Enable or disable this parameter to allow WS-Federation protocol redirects. | No. Recommended to be set as enabled; otherwise active redirects will be implied. |
| Realm URI | Specify the URI of the wtrealm parameter, set as the entry point for Bizagi Work portal (when redirected). The URI must use the HTTPS protocol. Example: https://[your_Bizagi_server].[your_domain].loc/[your_Bizagi_Portal]/ | Yes. |
| Trusted Issuers Name URI | Specify the base URI where the trusted issuer's name is defined. The URI must use the HTTPS protocol. Example: https://[your_ADFS_server].[your_domain].loc/adfs/services/trust | Yes. |
| Trusted Issuers Thumbprint | Specify the hexadecimal string containing the hash of the signing certificate. Make sure this string is entered without any blank spaces. Example: 31d3bf3176783a25375f6632bf9d6034b04d2220 | Yes. |
| WS-Federation requires HTTPS | Enable or disable this parameter to enforce the use of HTTPS for WS-Federation. | No. |

Checkpoint

Once you have set up both your Identity provider and Bizagi's Federated authentication parameters, and when running Bizagi Work portal on a .NET platform, you may use the following test page as a checkpoint:

https://[your_Bizagi_server].[your_domain].loc/[your_Bizagi_Portal]/ClaimsTest.aspx

If this page loads the claims and a successful authentication status (as shown below), your configuration is verified as OK.

[Screenshot: SSO_ClaimsTest]

Note that the configuration for federated authentication in execution is stored in an XML file located by default at C:\Bizagi\Projects\[your_project]\WebApplication\FederationAuth.config.

You may also verify that the above parameters are set in this file.
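The constraints in the parameter table (HTTPS URIs, a thumbprint with no blank characters that is the hash of the signing certificate) can be checked against the identity provider's federation metadata before relying on the test page. The following Python is an added example, not part of Bizagi or its documentation: the function names, hostnames and placeholder certificate bytes are constructed, and it assumes the thumbprint is the SHA-1 hash of the DER certificate published under KeyDescriptor use="signing" in the metadata.

```python
import base64, hashlib, unicodedata
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
URI_PARAMS = ("Federation Metadata Location", "Issuer URI",
              "Realm URI", "Trusted Issuers Name URI")

def strip_invisible(value):
    """Remove whitespace and Unicode format characters such as U+200E."""
    return "".join(c for c in value if not c.isspace() and unicodedata.category(c) != "Cf")

def signing_thumbprints(metadata_xml):
    """Assumed thumbprint: SHA-1 of each DER cert under KeyDescriptor use="signing"."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use") == "signing":
            for cert in kd.iter(DS + "X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                found.add(hashlib.sha1(der).hexdigest())
    return found

def check_parameters(params, metadata_xml):
    """Return the problems found in the values to be entered in Bizagi Studio."""
    problems = [f"{name}: not an https:// URI" for name in URI_PARAMS
                if not params.get(name, "").lower().startswith("https://")]
    raw = params.get("Trusted Issuers Thumbprint", "")
    clean = strip_invisible(raw)
    if clean != raw:
        problems.append("Trusted Issuers Thumbprint: blank or hidden characters")
    if len(clean) != 40 or any(c not in "0123456789abcdefABCDEF" for c in clean):
        problems.append("Trusted Issuers Thumbprint: not 40 hex digits")
    elif clean.lower() not in signing_thumbprints(metadata_xml):
        problems.append("Trusted Issuers Thumbprint: no matching signing certificate")
    return problems

# Constructed sample data: placeholder bytes stand in for a DER certificate.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><RoleDescriptor><KeyDescriptor use="signing">
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor></RoleDescriptor></EntityDescriptor>"""
SAMPLE_PARAMS = {
    "Federation Metadata Location": "https://adfs.example.loc/FederationMetadata/2007-06/FederationMetadata.xml",
    "Issuer URI": "https://adfs.example.loc/adfs/ls/",
    "Realm URI": "http://bizagi.example.loc/Portal/",  # wrong scheme on purpose
    "Trusted Issuers Name URI": "https://adfs.example.loc/adfs/services/trust",
    "Trusted Issuers Thumbprint": "\u200e" + hashlib.sha1(FAKE_DER).hexdigest(),
}
```

Calling check_parameters(SAMPLE_PARAMS, SAMPLE_METADATA) reports the http Realm URI and the invisible U+200E mark in front of the thumbprint, a character that is easily carried along when a thumbprint is copied from a certificate dialog.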