Parameters configuration

<< Click to Display Table of Contents >>

Navigation:  Integration and authentication > Identity managers > Federated authentication >

Parameters configuration

Overview

Bizagi supports integration with an Identity provider to provide Federated authentication and Single Sign-On capabilities.

For more information about this type of authentication in Bizagi and its prerequisites, refer to Federated authentication.

 

Once you have configured your Identity provider, you may configure the authentication parameters in Bizagi.

 

SSO_overview_bizagi

 

 

Parameters configuration in Bizagi

Bizagi being a service provider in your Federated authentication setup, you will need to make sure you configure the necessary authentication parameters in your project.

 

When using federated authentication, you may rely on either the WS-Federation Passive Protocol (supported by Identity providers such as Active Directory Federation Services v2.0) or the SAML 2.0 standard (supported by Identity providers such as Ping Identity).

 

Using WS-Federation

When setting the use of WS-Federation in Bizagi, assertions will rely on the WS-Federation Passive Protocol standard.

To configure the authentication parameters in Bizagi for this scenario, carry out the following steps:

 

 

1. Configure Federated authentication.

To do this in Bizagi Studio, go into the Expert View and locate the Security module.

 

Click on the Authentication option found under the Security item, and select Federated authentication from the drop-down list in the panel to the right:

 

SSO_Federated

 

Notice you will see this authentication relies on the WS-Federate protocol

Click Update.

You will get a confirmation message and notice that additional parameters appear under the Authentication item.

 

2. Configure further parameters.

Proceed to configure these additional parameters as described below, ensuring you click Update for each one that is modified.

Note that the parameter values are case-sensitive and therefore you will need to ensure you input these correctly.

 

SSO_Subconfig

 

 

FEDERATED AUTHENTICATION PARAMETER

DESCRIPTION

RECOMMENDATIONS AND MANDATORY FIELDS

Certificate validation mode

Specify the certificate validation mode when retrieving the certificate information.

Possible values are: Peer trust, chain trust, Peer or chain trust, and Custom.

 

 

This field is not mandatory.

You may use none as set by default.

 

Cookie Handler requires SSL

Enable or disable this parameter to rely on SSL when handling cookies.

 

This field is not mandatory.

Federation Metadata Location

Specify the URL of the federation metadata XML document that complies to WS-Federation 1.2.

The URL must use the HTTPS protocol.

Example:

https://[your_ADFS_server].[your_domain].loc/FederationMetadata/2007-06/FederationMetadata.xml

This field is mandatory and fundamental.

Ensure that the Bizagi server has access to the metadata file as specified.

Issuer URI

Specify the URI that identifies the issuer of involved security tokens (i.e your identity provider).

The URI must use the HTTPS protocol.

Example:

https://[your_ADFS_server].[your_domain].loc/adfs/ls/

This field is mandatory and fundamental.

Passive redirect enabled

Enable or disable this parameter to allow WS-Federation protocol redirects.

This field is not mandatory.

It is recommended to be set as enabled, otherwise active redirects will be implied.

Realm URI

Specify the URI of the wtrealm parameter, set as the entry point for Bizagi Work portal (when redirected).

The URI must use the HTTPS protocol.

Example for Bizagi Cloud projects:

https://[project_environment]-[your_project]-[your_company].bizagi.com

This field is mandatory and fundamental.

Ensure that you use the same exact URL (case sensitive, and with the same format and slash characters) as defined at the ADFS; otherwise a trust relationship will not happen if there are differences.

Trusted Issuers Name URI

Specify the base URI where the trusted issuer's name is defined.

The URI must use the HTTPS protocol.

Example:

https://[your_ADFS_server].[your_domain].loc/adfs/services/trust

This field is mandatory and fundamental.

Trusted Issuers Thumbprint

Specify the hexadecimal string containing the hash of the signing certificate.

Make sure this string is entered without any blank spaces or hidden special characters (it is recommended to enter them manually instead of doing a copy/paste)..

Example:

‎31d3bf3176783a25375f6632bf9d6034b04d2220

This field is mandatory and fundamental.

Ensure that you do not copy/paste this content directly from your ADFS.

Recall that you need to wipe out blank spaces, and ensure that no special hidden characters are taken.

WS-Federation requires HTTPS

Enable or disable this parameter to enforce the use of HTTPS for WS-Federation.

This field is not mandatory.

 

 

Important

For any type of authentication, you will need to ensure that users are created at Bizagi Work portal before having them log in at runtime.

Disregarding the selected Authentication type for your Work Portal login, you may choose to configure a schedule in Bizagi to import and synchronize users from your LDAP Server into Bizagi.

 

Checkpoint

Once you set up both your Identity provider and Bizagi's Federated authentication parameters, and when running Bizagi Work portal in a .NET platform, you should make sure that there are no networking issues to access the ADFS server and its metadata (e.g, targetting https://[your_ADFS_server].[your_domain].loc/FederationMetadata/2007-06/FederationMetadata.xml from a browser should show results).

 

note_pin

Even though for a successful setup and the trust relationship between Bizagi and the ADFS, there should be and allowed connectivity between these two services, at runtime having end user devices connect to both services can also cover such requirement.

 

You may also use the following test page as a checkpoint:

https://[project_environment]-[your_project]-[your_company].bizagi.com/ClaimsTest.aspx

 

If this page loads up the claims and a successful authentication status (as shown below), you will verify that your configuration is OK.

 

SSO_ClaimsTest

 

In case that you need to troubleshoot your configuration in a development environment, you may edit the following key at the web.config file of your Work portal (by default at C:\Bizagi\Projects\[your_project]\WebApplication\) in order to analyze error traces:

<add key="ShowDetailedAuthenticationMessage" value="true" />