How to manage identity providers

<< Click to Display Table of Contents >>

Navigation:  Bizagi Studio Collaboration Services > Enterprise subscription > Accessing Portals and Applications >

How to manage identity providers

Overview

As explained in Accessing Portals and Applications, all the Bizagi cloud-based offerings, except the Work Portal, are authenticated through a private identity provider (IdP). This identity provider lets users sign in to all your service's portals shown in the image below. Bizagi provides a default identity provide and lets you integrate an additional corporate identity provider like Azure AD or Okta, so users can easily sign in using your corporate Identity Provider.

 

Active IdPs affect all portals and applications of the Bizagi cloud-based services you have purchased.

 

This section explains how you can change the identity provider of cloud portals and applications.

 

customerportal_120

 

 

Before you start

To change the identity provider you must have access to the Customer Portal as a Company Administrator. See How to set company administrators.

 

Managing Identity Providers

You can manage your cloud-based portals' identity provider from the Customer Portal. You can perform any of the following actions:

 

Add an authenticator

Activate/deactivate an authenticator

Delete an authenticator

Edit an authenticator properties

Restore the authentication protocols' default settings

Change the session expiration times

Configuring Single Sign On with the corporate Identity Provider

 

How to add an authenticator

As a Company Administrator access the Customer Portal. Click the Settings icon, and then open the Protocols section. By default, you find the Bizagi identity provider. The name of this identity provider is Accounts. To add another Identity Provider, click the Add authenticator button and select the protocol of your IdP.

 

note_pin

Maximum one additional authenticator can be added. So you can have the Bizagi Accounts, and an additional authenticator.

 

customerportal_117

 

You can choose between the following options

 

customerportal_118

 

Click any of the IdP to see configuration examples.

 

Protocol

Supported Identity Providers

SAML 2.0

You can use any IdP that supports the SAML 2.0 protocol. See Azure AD configuration example. Or the General configuration for other IdPs that support the SAML 2.0 protocol.

Open ID Connect

You can use OKTA, see the configuration example. No further IdPs are supported.

WS-Federation

The following IdPs are supported using the WS-Federation protocol:

Azure AD with WS-Federation.

ADFS 3 with WS-Federation.

ADFS 4 with WS-Federation.

Forms Authentication (Bizagi Accounts)

This is the default authentication protocol using Forms Authentication offered by Bizagi. When adding an authenticator using this protocol, you can configure the security policies.

 

Activate /deactivate an authenticator

To activate an authenticator you must open the Protocols menu, and activate one authenticator. Before activating the new authenticator, review carefully your configuration settings.

 

AzureAD_portal21

 

When you activate an authentication protocol an email is sent to the user who activates the authenticator.

 

MultipleAuth_6

 

Bizagi displays a warning message.

 

AzureAD_portal23

 

Delete an authenticator

In the Protocols menu, you can find the list of all the authenticators. You can delete non-active authenticators by clicking the trash bin on the right-hand side of each authenticator.

 

customerportal_130

 

Edit an authenticator properties

You can edit any authenticator properties from the Customer Portal. As a Company Administrator, access the setting options, select the Protocols menu, and click the Edit icon on the right-hand side of each authenticator. Only non-active authenticators are available for their edition.

 

customerportal_119

 

Restore the authentication protocols' default settings

Bizagi's authentication recovery functionality allows you to restore Bizagi Accounts as the default IdP. Hence, if you have already configured multiple identity providers for different domains, these are deactivated and Bizagi Accounts is defined as the IdP for all domains. This functionality is available only for users with the Platform Owner or Subscription Owner role, and can be executed from the Customer Portal in two ways:

 

Via the authentication recovery URL

Via the recovery email

 

Authentication recovery URL

To execute the authentication recovery functionality using this method, you must access your company's authentication recovery URL. The generic structure of this URL is your Accounts URL with the characters /recovery added at the end of it (e.g. https://accounts-mycompany.bizagi.com/recovery). To describe the flow of the authentication recovery process, the wholeproduct company's account is used. Thus, the authentication recovery URL of this company is https://accounts-wholeproduct.bizagi.com/recovery.

 

Once you have accessed the authentication recovery URL, the following page is displayed:

 

AuthenticationRecoveryFlow_01

 

Enter your recovery email, which is the email address where you want to receive the code that lets you restore the authentication protocol's default settings. After you have entered it, click the Send restoration code button.

 

AuthenticationRecoveryFlow_02

 

Once you have clicked the Send restoration code button, a message appears on the screen confirming that a twelve digit code has been sent to the recovery email, along with a text field in which you need to type this code to continue with the authentication recovery process. Moreover, you can find at the bottom of the page a Resend email button that allows you to send again the code, and is enabled after 3 minutes have elapsed since the first email. If you mistyped the recovery email, you can click the Re-enter your email and try again link next to the Resend email button, and return to the step where you entered it.

 

AuthenticationRecoveryFlow_03

 

 

If you did not have problems specifying the recovery email, you should have received an email with the recovery code (the twelve digit code needed to continue with the authentication recovery process).

 

AuthenticationRecoveryFlow_04

 

Enter the recovery code in the corresponding text field, and then click the Confirm code button.

 

AuthenticationRecoveryFlow_05

 

Once you have done this, you are redirected to the Authentication Protocols settings in the Customer Portal, where you can verify that Bizagi Accounts has been defined as the IdP for all domains and is the only active protocol.

 

AuthenticationRecoveryFlow_06

 

Recovery email

When a user activates a new IdP, an email is sent to this user with instructions to restore Bizagi Accounts as the default authentication protocol.

 

AuthenticationRecoveryFlow_07

 

The email states that a new authentication protocol has been activated, and displays a brief summary of it. This summary comprises the name assigned to the protocol, the protocol selected, supported identity providers, and the activation date. Along with the protocol's description, the message specifies the email address of the user that activated the new protocol, and includes the button Go to the restoration page to access the authentication recovery page. Once the user has accessed this page, the steps described in Authentication recovery URL section must be followed to complete the authentication recovery process.

 

Change the session expiration times

You can define the session expiration time of each portal independently. When the user is authenticated, either using the default or your company Identity Provider, Bizagi generates a token that is stored in the user's browser. The token contains characteristics of the session, including the expiration time. Bizagi provides two options that can be configured in a token:

 

Access Tokens per Portal

Access Token Lifetime: The Access Token contains the permissions that a user has over a portal after they are authenticated. The Access Token Lifetime defines how long a user can have a valid active session. This time must be set as short-lived as possible, to prevent having compromised the access to a particular application.

 

Refresh Token Lifetime: The refresh token, on the other hand, is issued along with the access token, and it is responsible to request a new access token when the existing access token is expired. The Refresh Token lifetime is long-lived, and at least must be greater than the Access Token Lifetime.

 

Access the Customer Portal as a Company Administrator, click the Settings icon, and open the Sessions expiration time section.

 

customerportal_137

 

Click the Edit pencil icon on the right-hand side of each portal. You can edit the Access Token and Refresh Token lifetimes.

 

customerportal_138

 

note_pin

The Refresh Token must be greater than the Access Token, and it is usually significantly higher.

 

Single Sign-On Token

Single Sign-On (SSO) let users access multiple portals with one authentication instance. For example, you can sign in to the Customer Portal, and if you use the same browser, you can access other cloud-based portals, like Modeler or a Management Console Web. You can configure the SSO lifetime to define for how long a user can access other portals without providing authentication credentials again.

 

customerportal_139

 

Configuring Single Sign On with the corporate Identity Provider

You can set the authentication of all users in your cloud platform services using only your corporate identity provider.

 

Requirements

•You need two email accounts

oYour corporate email (e.g. John@mycompany.com)

oAn email with a different domain from your company domain (e.g. hotmail.com, or yahoo.com).

•Both users (for each email) must be Subscription Owner, to perform all the configurations.

 

To do so, follow these steps:

 

1.  Log in to the customer portal as the subscription owner. This user can later use the recovery option in case of any issue in the configuration. If you are not a subscription owner, you must ask the Company Administrator to add you. Refer to Manage Subscription Users.

2.  Add a new authenticator.

 

customerportal_117

 

For further information refer to Add an authenticator.

 

3. In the domains section include your corporate domain, for example, @mycompany.com.

 

MultipleAuth_2

 

4. Sign out the Customer Portal.

 

5. Make sure that there are not active sessions, and delete all cookies.

 

For Google Chrome.

For Mozilla.

For Edge.

 

6.  Sign in again to the Customer Portal as the Subscription Owner, using the domain configured in the previous step (@mycompany.com).

 

note_pin

If there are issues you can use the Recovery procedure. Make sure that the Subscription Owner activates the recovery procedure.

 

7. Deactivate the Bizagi Accounts authenticator. Open the authenticators' section in the Customer Portal, and deactivate the Bizagi authenticator that comes by default. So only your corporate identity provider works as the unique authenticator.

 

CustomerPortal_149

 

8. Once the Bizagi Accounts IdP is deactivated, click on the Edit option of that authenticator (Bizagi Accounts). In the domains option, deactivate the ALL DOMAINS switch, and register the second domain. If needed you can register a third domain.

 

MultipleAuth_3

 

9. After editing and saving the Bizagi Accounts authenticator, Activate it again.

 

10. Sign out the Customer Portal.

 

11. Sign In using the alternative domain (e.g. yahoo.com).

 

CustomerPortal_1

 

12. Access the authenticators' configuration again. And deactivate the NEW authenticator, associated with your corporate.

 

AzureAD_portal21

 

13. Edit the NEW authenticator, and activate the ALL DOMAINS option.

 

MultipleAuth_5

 

14. Activate the NEW authenticator.

 

15. Sign Out. Now your configuration is done. The next time, any user accessing any Bizagi Cloud-based portal, will be redirected to your corporate identity's provider log-in page.

 

AzureAD