Overview
As explained in Accessing Portals and Applications, all the Bizagi cloud-based offerings, except the Work Portal, are authenticated through a private identity provider (IdP). This identity provider lets users sign in to all your service's portals shown in the image below. Bizagi provides a default identity provide and lets you integrate an additional corporate identity provider like Azure AD or Okta, so users can easily sign in using your corporate Identity Provider.
Active IdPs affect all portals and applications of the Bizagi cloud-based services you have purchased.
This section explains how you can change the identity provider of cloud portals and applications.
Before you start
To change the identity provider you must have access to the Customer Portal as a Company Administrator. See How to set company administrators.
Managing Identity Providers
You can manage your cloud-based portals' identity provider from the Customer Portal. You can perform any of the following actions:
•Activate/deactivate an authenticator
•Edit an authenticator properties
•Restore the authentication protocols' default settings
•Change the session expiration times
•Configuring Single Sign On with the corporate Identity Provider
As a Company Administrator access the Customer Portal. Click the Settings icon, and then open the Protocols section. By default, you find the Bizagi identity provider. The name of this identity provider is Accounts. To add another Identity Provider, click the Add authenticator button and select the protocol of your IdP.
You can choose between the following options
Click any of the IdP to see configuration examples.
Protocol |
Supported Identity Providers |
|---|---|
SAML 2.0 |
You can use any IdP that supports the SAML 2.0 protocol. See Azure AD configuration example. Or the General configuration for other IdPs that support the SAML 2.0 protocol. |
Open ID Connect |
You can use OKTA, see the configuration example. No further IdPs are supported. |
WS-Federation |
The following IdPs are supported using the WS-Federation protocol: |
Forms Authentication (Bizagi Accounts) |
This is the default authentication protocol using Forms Authentication offered by Bizagi. When adding an authenticator using this protocol, you can configure the security policies. |
Activate /deactivate an authenticator
To activate an authenticator you must open the Protocols menu, and activate one authenticator. Before activating the new authenticator, review carefully your configuration settings.
When you activate an authentication protocol an email is sent to the user who activates the authenticator.
Bizagi displays a warning message.
In the Protocols menu, you can find the list of all the authenticators. You can delete non-active authenticators by clicking the trash bin on the right-hand side of each authenticator.
Edit an authenticator properties
You can edit any authenticator properties from the Customer Portal. As a Company Administrator, access the setting options, select the Protocols menu, and click the Edit icon on the right-hand side of each authenticator.
Restore the authentication protocols' default settings
Bizagi's authentication recovery functionality allows you to restore Bizagi Accounts as the default IdP. Hence, if you have already configured multiple identity providers for different domains, these are deactivated and Bizagi Accounts is defined as the IdP for all domains. This functionality is available only for users with the Platform Owner or Subscription Owner role, and can be executed from the Customer Portal in two ways:
•Via the authentication recovery URL
•Via the recovery email
To execute the authentication recovery functionality using this method, you must access your company's authentication recovery URL. The generic structure of this URL is your Accounts URL with the characters /recovery added at the end of it (e.g. https://accounts-mycompany.bizagi.com/recovery). To describe the flow of the authentication recovery process, the wholeproduct company's account is used. Thus, the authentication recovery URL of this company is https://accounts-wholeproduct.bizagi.com/recovery.
Once you have accessed the authentication recovery URL, the following page is displayed:
Enter your recovery email, which is the email address where you want to receive the code that lets you restore the authentication protocol's default settings. After you have entered it, click the Send restoration code button.
Once you have clicked the Send restoration code button, a message appears on the screen confirming that a twelve digit code has been sent to the recovery email, along with a text field in which you need to type this code to continue with the authentication recovery process. Moreover, you can find at the bottom of the page a Resend email button that allows you to send again the code, and is enabled after 3 minutes have elapsed since the first email. If you mistyped the recovery email, you can click the Re-enter your email and try again link next to the Resend email button, and return to the step where you entered it.
If you did not have problems specifying the recovery email, you should have received an email with the recovery code (the twelve digit code needed to continue with the authentication recovery process).
Enter the recovery code in the corresponding text field, and then click the Confirm code button.
Once you have done this, you are redirected to the Authentication Protocols settings in the Customer Portal, where you can verify that Bizagi Accounts has been defined as the IdP for all domains and is the only active protocol.
Recovery email
When a user activates a new IdP, an email is sent to this user with instructions to restore Bizagi Accounts as the default authentication protocol.
The email states that a new authentication protocol has been activated, and displays a brief summary of it. This summary comprises the name assigned to the protocol, the protocol selected, supported identity providers, and the activation date. Along with the protocol's description, the message specifies the email address of the user that activated the new protocol, and includes the button Go to the restoration page to access the authentication recovery page. Once the user has accessed this page, the steps described in Authentication recovery URL section must be followed to complete the authentication recovery process.
Change the session expiration times
You can define the session expiration time of each portal independently. When the user is authenticated, either using the default or your company Identity Provider, Bizagi generates a token that is stored in the user's browser. The token contains characteristics of the session, including the expiration time. Bizagi provides two options that can be configured in a token:
Access Tokens per Portal
Access Token Lifetime: The Access Token contains the permissions that a user has over a portal after they are authenticated. The Access Token Lifetime defines how long a user can have a valid active session. This time must be set as short-lived as possible, to prevent having compromised the access to a particular application.
Refresh Token Lifetime: The refresh token, on the other hand, is issued along with the access token, and it is responsible to request a new access token when the existing access token is expired. The Refresh Token lifetime is long-lived, and at least must be greater than the Access Token Lifetime.
Access the Customer Portal as a Company Administrator, click the Settings icon, and open the Sessions expiration time section.
Click the Edit pencil icon on the right-hand side of each portal. You can edit the Access Token and Refresh Token lifetimes.
|
The Refresh Token must be greater than the Access Token, and it is usually significantly higher. |
Single Sign-On Token
Single Sign-On (SSO) let users access multiple portals with one authentication instance. For example, you can sign in to the Customer Portal, and if you use the same browser, you can access other cloud-based portals, like Modeler or a Management Console Web. You can configure the SSO lifetime to define for how long a user can access other portals without providing authentication credentials again.
Configuring Single Sign On with the corporate Identity Provider
You can set the authentication of all users in your cloud platform services using only your corporate identity provider.
|
The following steps apply for version 2.0.5 of the Customer Portal or higher. |
Requirements
You need a user with Company Administration permissions, to perform all the configurations. This user must be registered in the Identity Provider you are configuring.
To do so, follow these steps:
1. Log in to the customer portal as the subscription owner. This user can later use the recovery option in case of any issue in the configuration. If you are not a subscription owner, you must ask the Company Administrator to add you. Refer to Manage Subscription Users.
2. Add a new authenticator.
For further information refer to Add an authenticator.
3. In the domains section include your corporate domain, for example, @mycompany.com . The domain must match the one used in your identity provider.
|
IMPORTANT: If you only leave ONE authenticator activated, ALL THE USERS, regardless of this configuration, will use the activated authenticator. If you have two or more authenticators, you need to define at least one authenticator with the ALL DOMAINS option active. |
4. Activate the authenticator you just add.
5. Deactivate the Bizagi Accounts authenticator. Open the authenticators' section in the Customer Portal, and deactivate the Bizagi authenticator that comes by default. So only your corporate identity provider works as the unique authenticator.
6. Sign out the Customer Portal.
7. Make sure that there are not active sessions, and delete all cookies.
8. Sign in again to the Customer Portal as the Subscription Owner, using the domain configured in the previous step (@mycompany.com).
|
If there are issues you can use the Recovery procedure. Make sure that the Subscription Owner activates the recovery procedure. |
9. Now your configuration is done. The next time, any user accessing any Bizagi Cloud-based portal, will be redirected to your corporate identity's provider log-in page.
