ADFS configuration and technical details


Overview

To integrate your Enterprise plan with your corporate ADFS, carry out the configuration steps described in this section.

These steps are done only once, typically by an admin user of your Enterprise plan having access to your ADFS system.

 

Once you have carried out these steps, users sign in to Modeler Services directly via your ADFS, as described at Signing in with a corporate email.

 

Prerequisites

Before you get started, make sure that your ADFS system complies with these Modeler Services requirements:

1. ADFS versions 3.0 and 4.0 are supported.

2. The ADFS is accessible via a public URL over HTTPS and has a valid server certificate issued by a CA.

 

What you need to do

Here are the steps for configuring Bizagi for sign-in using ADFS:

 

1. Create a relying party trust with Modeler Services.

2. Communicate with Bizagi for next steps.

 

Configuration

Follow these steps to integrate Modeler Services with your ADFS:

 

1. Create a relying party trust with Modeler Services.

To set the trust relationship between Bizagi Modeler Service (the relying party) and your ADFS, create a relying party trust.

 

1.1 Click Add a trusted relying party.

 


Click Start.

 

1.2. Select the Enter data about the relying party manually option to specify the data source.

 


Click Next.

 

1.3. Specify the display name and a meaningful description.

 


Click Next.

 

1.4. Choose the newest AD FS profile supporting SAML 2.0:

 


Click Next.

 

1.5. Configure the certificate for token encryption purposes as an additional security measure (optional).

You can skip this step and click Next.

 


1.6. Configure the URL by selecting the Enable support for the WS-Federation protocol option.

Specify the following URL: https://accounts-[your_company].bizagi.com

 


Click Next.

 

1.7. Configure the identifiers using the same URL specified above.

This URL should appear under the identified/valid URLs.

If you need to input another URL with a different identifier, enter this URL and use the Add button.

 


Click Next.

 

1.8. Configure the Issuance Authorization rules by choosing the Permit all users to access this relying party option.

 


Click Next.

 

1.9. Review the configuration.

Browse the summary of the configuration you carried out for this relying party trust.

When you are sure that you do not need to make changes, click Next.

 


1.10. Create the Claim rules for this trust by selecting the Open the Edit claim rules dialog for this relying party trust when the wizard closes option.

This way, upon trust creation you immediately create a claim rule and finish the configuration.

 


Click Close.

 

1.11. Create a claim rule using the Add Rule... button.

Make sure you can send UPN, Email address and Name as information within the claim that is passed into Modeler Services.

 

For instance, you can create a new claim rule by choosing the Send LDAP Attributes as Claims template:

 


Click Next.

 

1.12. Configure the rule by giving it a name, and explicitly including:

Attribute store: Active Directory.

Mapping of LDAP Attributes to outgoing claim types, including:

o User-Principal-Name mapped to the UPN.

o Email-Addresses mapped to the E-mail Address.

o Common-Name mapped to the Name.

 


Click Finish.

You should have a registered claim rule for your specific relying party configuration.

Once you have verified this is correct, click OK.
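
Steps 1.1 to 1.12 can also be scripted with the AD FS PowerShell module and then read back to confirm the result. This is an added example, not part of the Bizagi documentation: the display name, rule name and company value are placeholders, and the claim type URIs and LDAP attribute names (userPrincipalName, mail, cn) are the standard AD FS ones for UPN, E-Mail Address and Name.

```powershell
# Added example. Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

# Assumptions (not from the page): company value, display name and rule name.
$Company = 'your_company'                        # placeholder for [your_company]
$RpUrl   = "https://accounts-$Company.bizagi.com"
$RpName  = 'Bizagi Modeler Services'             # hypothetical display name

# Step 1.8: permit all users to access this relying party.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 1.11-1.12: "Send LDAP Attributes as Claims" rule mapping
# User-Principal-Name -> UPN, E-Mail-Addresses -> E-Mail Address, Common-Name -> Name.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Modeler Services attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";userPrincipalName,mail,cn;{0}", param = c.Value);
'@

# Steps 1.1-1.7: create the trust with the WS-Federation endpoint and identifier.
Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $RpUrl -WSFedEndpoint $RpUrl `
    -IssuanceAuthorizationRules $AuthzRules -IssuanceTransformRules $TransformRules

# Read the trust back and compare it with what the wizard steps describe.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$problems = @()
if (-not $rp.Enabled)                   { $problems += 'trust is disabled' }
if ($rp.Identifier -notcontains $RpUrl) { $problems += 'identifier is missing' }
if ("$($rp.WSFedEndpoint)".TrimEnd('/') -ne $RpUrl) {
    $problems += 'WS-Federation endpoint does not match the Modeler Services URL'
}
foreach ($claim in 'claims/upn', 'claims/emailaddress', 'claims/name') {
    # The trailing quote keeps "claims/name" from matching "claims/nameidentifier".
    if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($claim + '"')) {
        $problems += "claim rule does not issue $claim"
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Relying party trust matches the documented configuration.' }
```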

 

2. Communicate with Bizagi for next steps.

Contact our support team and share certain information so that the integration is successful.