SAML configuration with Okta for the Work Portal
Overview
Bizagi supports integration with Identity and Access Management systems (i.e, Identity Managers or Identity Providers) which are SAML 2.0 compliant, such as Okta.
This section is a step-by-step guide to the configuration needed, both in Okta and in Bizagi, to have an integrated authentication in Bizagi against Okta.
For SAML 2.0, both your Identity Provider and your Bizagi project need to support HTTPS.
For introductory information about SAML 2.0, refer to Authentication via SAML.
1. Generate certificates to sign assertions (mandatory)
This step is not bound to Bizagi nor restricted by any special requirement of Bizagi (you normally do it yourself).
If you need some guidance or an example on this step, refer to Certificates for SAML 2.0 authentication.
To proceed with these guided steps, you need to have:
•One certificate to sign assertions (mandatory) in .P12 or .PFX file format. You need the password for the certificate file, as defined by you when you exported the public and private keys.
•One certificate to encrypt messages (optional) in .P12 or .PFX file format. You need the password for the certificate file, as defined by you when you exported the public and private keys.
You are in charge of managing your installed certificates (keep track of their expiration dates and other relevant maintenance aspects, such as changes in your Identity Provider's endpoints).
2. Configure Bizagi as Service Provider in Okta
2.1. Log in with admin rights to your Okta portal.
2.2. Locate the Applications menu and select Applications from it.
Then click Add Application.
2.3. Click Create New App.
2.4. Provide the following details:
•Platform: Select Web.
•Sign on method: Click SAML 2.0.
Click Create when done.
2.5. Go to the Create SAML integration section.
2.6. Fill out General settings:
•App name: Provide a unique name for your app.
•App logo: Select a representative logo for your app.
Click Next when done.
2.7. Fill out Configure SAML:
•Single Sign on URL: Provide the URL of your Bizagi Work Portal followed by the /saml2/assertionConsumer suffix.
For Automation Service, the URL has this format:
https://[environment]-[project]-[company].bizagi.com/saml2/assertionConsumer
For on-premises projects, the URL has this format:
https://[server]/[project]/saml2/assertionConsumer
•Use this for Recipient URL and Destination URL: Check this option.
•Audience URI (SP Entity ID): Provide the URL of the Bizagi Work Portal just configured in Bizagi Studio (or the Bizagi Management Console).
For Automation Service, the URL has this format:
https://[environment]-[project]-[company].bizagi.com
For on-premises projects, the URL has this format:
https://[server]/[project]
•Default RelayState: Leave empty.
•Name ID format: Select E-mailAddress.
•Application username: Select Email.
2.8. Fill out Show Advanced Settings:
•Response: Select Signed.
•Assertion Signature: Select Signed.
•Signature Algorithm: Select RSA-SHA1 or RSA-SHA256, according to the one configured in Bizagi.
•Digest Algorithm: Select SHA1 or SHA256. We recommend using SHA256 as SHA1 is a deprecated algorithm.
•Assertion Encryption: Select Encrypted.
•Encryption Algorithm: Select AES256-CBC.
•Key Transport Algorithm: Select RSA-1.5.
•Encryption Certificate: Browse for the public certificate for encryption purposes and upload it.
•Enable Single Logout: Select Allow application to initiate Single Logout.
•Single Logout URL: Provide the URL of the Bizagi Work Portal followed by the /saml2/logout suffix.
For Automation Service, the URL has this format:
https://[environment]-[project]-[company].bizagi.com/saml2/logout
For on-premises projects, the URL has this format:
https://[server]/[project]/saml2/logout
•SP Issuer: Enter the URL of the Bizagi Work Portal just as it was configured in Bizagi Studio (or the Bizagi Management Console).
For Automation Service, the URL has this format:
https://[environment]-[project]-[company].bizagi.com
For on-premises projects, the URL has this format:
https://[server]/[project]
•Signature Certificate: Browse for the security certificate for signing purposes and upload it.
•Authentication context class: Select PasswordProtectedTransport.
•Honor force authentication: Select Yes.
•SAML Issuer ID: Leave the default value as generated by Okta.
Click Next when done.
2.9. Leave the defaults and empty fields for other options and click Next.
You can preview how the assertion will be built at runtime.
2.10. In the Feedback tab, you may choose to set:
•Are you a customer or partner?: Select I'm an Okta customer adding an internal app.
•App type: Check the This is an internal app that we have created checkbox.
Click Finish when done.
2.11. Finally, once the app is created, browse to its details and into the Sign On tab.
2.12. Select the hyperlink labeled as Identity Provider metadata.
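The preview from step 2.9 is the point to confirm that what Okta will issue matches the settings entered in steps 2.7 and 2.8 before Bizagi ever sees a real login. The following checker is an added example, not part of Bizagi's or Okta's own tooling: it parses an unencrypted preview Response and reports whether the Destination, Audience, NameID format, authentication context and signatures agree with the values above, and flags any SHA1 signature or digest algorithm. The host name in the embedded sample Response is constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

def check_preview(xml_text, sp_entity_id, acs_url):
    """Compare an unencrypted Okta preview Response against the settings from steps 2.7/2.8.
    Returns a dict of check name -> bool; every value should be True before going live."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:  # a runtime response carries EncryptedAssertion instead; use the preview
        return {"assertion_present": False}
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    # every SignatureMethod / DigestMethod used by the Response and Assertion signatures
    algs = [e.get("Algorithm", "") for e in
            resp.findall(".//ds:SignatureMethod", NS) + resp.findall(".//ds:DigestMethod", NS)]
    return {
        "destination_is_acs": resp.get("Destination") == acs_url,            # Single Sign on URL
        "response_signed": resp.find("ds:Signature", NS) is not None,        # Response: Signed
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,  # Assertion Signature: Signed
        "audience_is_sp_entity_id": aud is not None and aud.text == sp_entity_id,
        "nameid_is_email": nameid is not None and (nameid.get("Format") or "").endswith(":emailAddress"),
        "authn_context_pwd_transport": ctx is not None and (ctx.text or "").endswith(":PasswordProtectedTransport"),
        "no_sha1_algorithms": bool(algs) and not any(a in SHA1_ALGS for a in algs),
    }

# Constructed sample preview: URLs and formats are right, but the digest still uses SHA1 (last check fails).
SAMPLE_PREVIEW = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://test-myproject-acme.bizagi.com/saml2/assertionConsumer">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://test-myproject-acme.bizagi.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Run `check_preview(SAMPLE_PREVIEW, "https://test-myproject-acme.bizagi.com", "https://test-myproject-acme.bizagi.com/saml2/assertionConsumer")` and every key except `no_sha1_algorithms` comes back True; switching the Digest Algorithm to SHA256 in Okta, as recommended above, clears that one.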
3. Configure your IdP in Bizagi
After you configure the application in Okta, access Bizagi Studio or the Management Console and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in Bizagi.
Now when you run the Work Portal, Bizagi displays the IdP log-in page and users can be authenticated with your Identity Provider.
Remember to do this configuration in all your environments, or to deploy the security configuration to your target environments (for example, test or production).