To integrate your cloud portals with your corporate Okta you need to carry out the configuration steps as described in this section.
Note that these are done only once, typically by an admin user of your Customer Portal having access to your Okta.
Once you have carried out these steps users sign in to any cloud-based service directly via your Okta, as described at Signing in the Bizagi Cloud Portals and Applications.
To configure your Identity Provider you must follow these steps:
1. Generate certificates to sign assertions (mandatory)
This step is not bound to Bizagi nor restricted by any special requirement of Bizagi (you normally do it yourself).
If you need some guidance or an example on this step, refer to Certificates for SAML 2.0 authentication.
To proceed with these guided steps, you need to have:
•One certificate to sign assertions (mandatory) in .P12 or .PFX file format. You need The password for the certificate file, as defined by you when you exported the public and private keys.
•One certificate to encrypt messages (optional) in .P12 or .PFX file format. You need The password for the certificate file, as defined by you when you exported the public and private keys. You will also need the key in CER or CRT format to be uploaded in Okta.
You will need to be in charge of managing your installed certificates (keep track of its expiration date and other relevant maintenance aspects such as changes in your Identity Provider's endpoints).
Open the Okta portal as an administrator, select the Applications section and create a new App Integration.
Select SAML 2.0:
Give a name to the application:
Configure the following parameters:
•Single sign on URL: This is the destination in the SAML response https://accounts-<companyname>.bizagi.com/saml2/assertionConsumer
•Use this for Recipient URL and Destination URL: activate this option.
•Audience URI (SP Entity ID): It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com
•Default RealyState: Leavi it Empty.
•Name ID format: EmailAddress
•Application username: Email
Now open the advanced settings and configure the following parameters:
•Response: Select Signed.
•Assertion Signature: Select Signed.
•Signature Algorithm: We recommend using RSA-SHA256. The same value must be configured in the Bizagi Customer Portal.
•Digest Algorithm: We recommend using RSA-SHA256.
•Assertion Encryption: Optional, if you select Encrypted you need a certificate.
•Encryption Algorithm: Select AES256-CBC if you activate Assertion Encryption.
•Key Transport Algorithm: Select RSA-1.5 if you activate Assertion Encryption.
•Encryption Certificate: upload your encryption certificate in cer o crt format, if you activate Assertion Encryption
•Enable Single Logout: Select Allow application to initiate Single Logout.
•Single Logout URL: It is the Bizagi's cloud logut URL https://accounts-<companyname>.bizagi.com/saml2/logout
•SP Issuer: It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com
•Signature Certificate: Upload a certificate in cer o crt format. The same certificate must be uploaded in the Bizagi Customer Portal.
•Authentication context class: Select PasswordProtectedTransport.
•Honor force authentication: Select Yes.
•SAML Issuer ID: Leave the default value.
Click Next, and then Finish.
Open the Assignments tab and select users or groups of users that are going to be authenticated using this application.
Finally, get the metadata URL. Open the Sign On tab and click Identity Provider Metadata.
Copy the URL in the browser tab opened. It has the following format:
After you configure the application in Okta, now you must access the Bizagi Customer Portal and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in the Customer Portal.
To test your configuration we recommend that all users log out and opening a new tab using incognito mode, or use a different browser. If the configuration with a new IdP fails, you can Restore the authentication protocol.
In case the authenticator fails, you can review: