Configure ADFS using SAML 2.0




Overview

Bizagi supports integration with Identity and Access Management systems (i.e., Identity Managers or Identity Providers) that are SAML 2.0 compliant, such as Microsoft ADFS.

This section is a step-by-step guide to configuring both ADFS and Bizagi so that Bizagi authenticates its users against ADFS.

 

For SAML 2.0, your Identity Provider must be set up to support HTTPS.

 

Before You Start

To configure ADFS supporting SAML 2.0, you need:

 

An installed, fully configured and supported version of ADFS.

Bizagi supports ADFS version 3.0 or 4.0.

If you want to use a different version that supports SAML 2.0, check with our support team before proceeding.

 

To configure your Identity Provider you must follow these steps:

 

1. Generate certificates to sign assertions (mandatory)

The following explains how to generate the security certificate from the Customer Portal:

 

You are responsible for managing your installed certificates: keep track of their expiration dates and of other maintenance aspects such as changes to your Identity Provider's endpoints. Once a signing certificate expires, assertions signed with it are no longer valid and users can no longer sign in, so plan the rotation well before the expiration date.

 

Create Authentication Certificates

You can generate security certificates for the authentication protocols within the Customer Portal. This feature allows you to create and configure a new certificate, or upload an existing one, in the Customer Portal. To set up Single Sign On and access the Customer Portal, sign in with an account that has the Company Administrator role. This role can create users in the company's user pool and manage users in all the company subscriptions. For additional information about managing the Customer Portal and its roles refer to:

 

Accessing the first time to an Enterprise subscription

Studio Cloud Services

Configure an IdP using SAML in the Customer Portal

Manage company Users

 

To create a security certificate inside the Customer Portal follow these steps:

1.Select the Settings icon located in the left panel menu.

 


 

2.A panel with all the security-related topics expands from the left. Select the Authentication certificates option.

 


 

3.This section lists the existing certificates with details such as Name, Description, Expiration date, Owner, Creation date and creation source. In the top right corner, select the Add certificate button.

 


 

4.The Add new authentication certificate window opens so you can create the new security certificate. Fill out the five required fields:

a.Display Name.

b.Description.

c.Either Generate (to create a new certificate) or Upload (to upload an existing certificate), chosen with the toggle button.

d.Expiration date.

e.Certificate password.

 

When you choose the Generate option, specify the Expiration date and assign a Certificate password. When you choose the Upload option, you must upload the digital certificate file in PFX or P12 format, choose the signature hash algorithm (SHA256 or SHA1) and enter the password that protects the file. Choose SHA256 unless you have a specific reason not to: SHA1 signatures are deprecated, and the algorithm you select here must match the Secure Hash Algorithm configured later on the relying party trust in ADFS.

 


 

5.After all the required fields have been entered, click Save in the top right corner.

 


 

After the certificate is created, a message in the bottom right corner confirms that it was saved successfully.

 


 

To manage the generated security certificate in the Customer Portal refer to the Managing Authentication Certificates documentation.
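If you prefer the Upload option, the following PowerShell script is an added example (not Bizagi's own code, and not part of the Customer Portal) of producing a suitable PFX on a Windows machine: a 2048-bit RSA, SHA-256 self-signed signing certificate exported with a password, followed by the checks worth doing before uploading it. The subject name, export path and two-year validity are assumptions; adjust them to your environment.

```powershell
# Added example: create a SHA-256 self-signed signing certificate and export it
# as a password-protected PFX for the Customer Portal's "Upload" option.
# The subject, path and validity below are assumptions, not Bizagi requirements.
$subject  = "CN=bizagi-saml-signing.example.com"   # assumed subject name
$pfxPath  = "C:\certs\bizagi-saml-signing.pfx"      # assumed export path
$validity = 2                                        # years; you must track the expiry yourself

$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears($validity)

# Read the PFX password interactively instead of hard-coding it in the script;
# this is the "Certificate password" you will type into the Customer Portal.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
New-Item -ItemType Directory -Force -Path (Split-Path $pfxPath) | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Sanity checks before uploading: hash algorithm, key size and expiry date.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    SigAlg     = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA
    KeySize    = $rsa.KeySize                            # expect 2048
    NotAfter   = $cert.NotAfter
}

# Rotation reminder: warn when fewer than 60 days of validity remain.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 60) { Write-Warning "Certificate expires in $daysLeft days; plan the rotation now" }
```

Keep the exported PFX and its password out of shared drives and ticketing systems: whoever holds that file can sign assertions as your Identity Provider.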

 

 

2. Configure your IdP in the Customer Portal

After you have created the certificate, access the Bizagi Customer Portal and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in the Customer Portal.

 

3. Configure Bizagi as Service Provider in ADFS

Do this from the ADFS Management console on your ADFS server.

 

3.1. In your ADFS server, open the administration console.

 

3.2. Launch the creation of a relying party trust.

Right-click Relying Party Trusts to display the options menu, and select Add Relying Party Trust to launch the configuration wizard:

 


 

Select Claims aware and click Start.

 


 

3.3. Select the data source.

To configure the relying party, select the Import data about the relying party from a file option and browse for the metadata file generated by Bizagi. This file becomes available once you have configured the identity provider in Bizagi's Customer Portal; refer to Download the metadata file. Importing the metadata rather than typing the endpoints by hand avoids mistakes in the entity identifier and the assertion consumer URL, which must match exactly.

 

 


 

Click Next when done.

3.4. Enter a unique name.

Give this configuration a display name, for your convenience.

 


 

Click Next when done.

 

3.5. Configure the Issuance Authorization rules by choosing the Permit all users to access this relying party option. This lets every ADFS-authenticated user sign in to Bizagi; if only a subset of your directory should have access, you can later edit the issuance authorization rules of this trust to permit a specific group instead.

 


 

You see a summary of the information to set for this relying party trust, including the information that came from Bizagi's metadata file.

 


 

Click Next when done.

You may also check, in the Advanced tab, that the Secure hash algorithm set for this trust (SHA1 or SHA256) matches the one configured in Bizagi. If the two differ, ADFS signs assertions with one algorithm and Bizagi validates them expecting the other, and sign-in fails.

 

3.6. Create the claim rules for this trust by selecting Configure claims issuance policy for this application.

This way, as soon as the trust is created you can define the claim rules and finish the configuration.

 


 

Then click Close.

 

3.7. Right-click the relying party trust you just created and click Edit Claim Issuance Policy.

 


 

Define a new claim rule by clicking Add Rule.

 


 

 

Make sure the claims passed to the Customer Portal include the UPN, the E-mail Address and the Name.

For instance, you can create a new claim rule by choosing the Send LDAP Attributes as Claims template:

 


 

Click Next.

 

Configure the rule by giving it a name and explicitly including:

Attribute store: Active Directory.

Mapping of LDAP attributes to outgoing claim types, including:

User-Principal-Name mapped to UPN.

E-Mail-Addresses mapped to E-Mail Address.

 

Bizagi considers the following priority when reading the assertion's claims:

1. UPN

2. Email

 

Both the UPN and the Email Address must be in email format: [name]@[provider].[domain], for example john.smith@mycompany.com.

For the UPN claim type, make sure that the user name is defined as an email address (that is, the userPrincipalName attribute carries a routable email-style value, not a bare account name).

 


 

Click Finish.

You should have a registered claim rule for your specific relying party configuration.

Once you have verified this is correct, click OK.

 

Set the Secure Hash Algorithm in ADFS 3

If you are using ADFS 3, make sure that the Secure Hash Algorithm is SHA-256. To change it, right-click the relying party trust created previously and select Properties. Click the Advanced tab and select SHA-256 as the Secure hash algorithm.

 

Additional step for self-signed certificates

If you have issued and installed a self-signed certificate for your ADFS for signing and encrypting purposes, ADFS cannot complete a revocation check for it (there is no CRL or OCSP endpoint to consult), so you need to disable that check for this trust:

1.Access your ADFS server and open a PowerShell console.

2.Enter the following command:

 

Get-AdfsRelyingPartyTrust -Identifier [relying_party_trust] | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

 

Replace [relying_party_trust] with the relying party identifier (the entity ID taken from Bizagi's metadata file when you registered the relying party trust). If you would rather look the trust up by the display name you gave it in step 3.4, use -Name instead of -Identifier.

Only disable revocation checking for self-signed certificates. With CA-issued certificates, leave the default checks in place so that a revoked certificate is rejected.
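The PowerShell script below is an added example, not Bizagi's own code or documentation, that performs steps 3.2 to 3.7, the SHA-256 setting, and the self-signed-certificate adjustment in one go; it is useful when you need to repeat the setup on several ADFS farms or keep it under version control. The display name, metadata path and the $selfSigned switch are assumptions; the relying party identifier is read from the metadata file, so it is not hard-coded. The claim rules are written in the ADFS claim rule language that the "Send LDAP Attributes as Claims" and "Permit all users" templates generate. The final directory query goes beyond what the page shows: it lists users whose UPN or mail attribute would not satisfy the email-format requirement described above.

```powershell
# Added example: script the relying party trust that the wizard creates by hand.
# Names, paths and the $selfSigned flag are assumptions for this example.
Import-Module ADFS

$rpName       = "Bizagi Customer Portal"          # display name (step 3.4), assumed
$metadataFile = "C:\sso\bizagi-sp-metadata.xml"   # metadata downloaded from the Customer Portal (step 3.3), assumed path
$selfSigned   = $false                            # set to $true only if ADFS signs/encrypts with a self-signed cert

# Step 3.7: "Send LDAP Attributes as Claims" rule, Active Directory store,
# userPrincipalName -> UPN and mail -> E-Mail Address.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Bizagi: UPN and e-mail from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# Step 3.5: "Permit all users to access this relying party". Replace with a
# group-based rule once the integration works if not everyone should sign in.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 3.2 to 3.6 plus the SHA-256 setting: create the trust from Bizagi's
# metadata and force SHA-256 signatures so ADFS matches the Customer Portal.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Self-signed ADFS certificates only: there is no CRL/OCSP to consult, so the
# revocation check can never succeed. Keep the checks on with CA-issued certs.
if ($selfSigned) {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -SigningCertificateRevocationCheck None `
        -EncryptionCertificateRevocationCheck None
}

# Verify what ADFS stored: identifier taken from the metadata, SHA-256,
# and the revocation settings actually in effect.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

# Pre-flight check on the directory (goes beyond the page): Bizagi reads UPN
# first and then Email, and both must look like name@domain.tld. List enabled
# users whose UPN is not email-shaped or whose mail attribute is empty.
Import-Module ActiveDirectory
$emailPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName, mail |
    Where-Object { $_.userPrincipalName -notmatch $emailPattern -or [string]::IsNullOrEmpty($_.mail) } |
    Select-Object SamAccountName, userPrincipalName, mail
```

Run the script in an elevated PowerShell session on the ADFS server (the ActiveDirectory module requires RSAT on that host). Any user reported by the last query will be rejected by Bizagi even though ADFS authenticates them, so fix those attributes before asking users to test.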

 

To test your configuration, we recommend that all users log out and then open a new tab in incognito mode, or use a different browser, so that no cached session masks the result. If the configuration with the new IdP fails, you can restore the previous authentication protocol.

 

Troubleshooting

If authentication fails, you can review:

Troubleshooting SAML message exchanges

SAML Error codes


Last Updated 7/14/2023 2:05:54 PM