To access the Work Portal, users usually open its URL in a browser. If the environment uses integrated authentication with an external identity provider, Bizagi redirects them to that identity provider's login page, for example, Azure AD. However, users can also open Bizagi's Work Portal from the identity provider. In that case, the authentication flow starts at the identity provider rather than at Bizagi.
• This option is only available for the SAML 2.0 authentication protocol.
• You must have configured the Work Portal with an identity provider using SAML 2.0. Refer to SAML authentication.
• The identity provider must have an application hub.
SAML Identity Provider Initiated Flow
Your identity provider (IdP) can be integrated with several applications to centralize authentication. Some IdPs have an application hub from which all registered applications can be accessed. For example, Microsoft (using Azure AD) has an application hub that can be found at the following URL:
In this example, Azure AD shows all the applications that the user can access with the same account.
If the user clicks the Bizagi application, the Work Portal of that application opens automatically, and the user does not have to enter login credentials again.
The Identity Provider Initiated flow applies to Work Portal authentication only. Other portals in the Bizagi cloud offering, such as the Customer Portal, cannot be accessed using this feature.
The Identity Provider Initiated flow is explained as follows:
On the other hand, with the Service Provider Initiated flow, the user must enter the Work Portal's URL in the browser and enter their credentials before they have access to the Work Portal, as explained in the following image.
Other identity providers have their own application hub. For example, Okta's application hub is the Home page of the account, which you access by adding this suffix to the URL:
With ADFS, you can develop a portal to serve as your application hub. Refer to Identity Provider Initiated using ADFS.
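At the protocol level, the two flows described above differ in one attribute: a SAML Response in the Service Provider Initiated flow carries an InResponseTo value that matches the earlier authentication request, while an Identity Provider Initiated (unsolicited) Response has none, so expiry, Recipient, Audience and one-time use of the assertion ID are the checks left to the service provider. The following sketch is an added example, not Bizagi's code. It assumes the signature was already verified, and the URLs, IDs and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an unsolicited Response (no InResponseTo attribute).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
 Destination="https://sp.example.test/saml/acs">
 <a:Assertion ID="_a1"><a:Subject><a:SubjectConfirmation>
  <a:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:05:00Z"
   Recipient="https://sp.example.test/saml/acs"/>
 </a:SubjectConfirmation></a:Subject>
 <a:Conditions><a:AudienceRestriction>
  <a:Audience>https://sp.example.test</a:Audience>
 </a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"""

def check_response(xml_text, pending_requests, seen_ids, now,
                   acs="https://sp.example.test/saml/acs",
                   entity_id="https://sp.example.test"):
    """Return (flow, problems). Assumes the signature was verified earlier;
    production code should use a hardened XML parser and a SAML library."""
    root = ET.fromstring(xml_text)
    problems = []
    irt = root.get("InResponseTo")
    if irt is None:
        flow = "idp-initiated"      # unsolicited: no request to correlate
    else:
        flow = "sp-initiated"
        if irt not in pending_requests:
            problems.append("InResponseTo matches no pending AuthnRequest")
    assertion = root.find("a:Assertion", NS)
    scd = assertion.find(".//a:SubjectConfirmationData", NS)
    expiry = datetime.strptime(scd.get("NotOnOrAfter"),
                               "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        problems.append("assertion expired")
    if scd.get("Recipient") != acs:
        problems.append("wrong Recipient")
    audiences = [e.text for e in assertion.iterfind(".//a:Audience", NS)]
    if entity_id not in audiences:
        problems.append("wrong Audience")
    # Without InResponseTo, the assertion ID cache is the main replay control.
    aid = assertion.get("ID")
    if aid in seen_ids:
        problems.append("assertion replayed")
    seen_ids.add(aid)
    return flow, problems
```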