Overview
To integrate your cloud portals with your corporate Okta you need to carry out the configuration steps as described in this section.
Note that these are done only once, typically by an admin user of your Customer Portal having access to your Okta.
Once you have carried out these steps users sign in to any cloud-based service directly via your Okta, as described at Signing in the Bizagi Cloud Portals and Applications.
To configure your Identity Provider you must follow these steps:
1. Generate certificates to sign assertions (mandatory)
The following explains how to generate the security certificate from the Customer Portal:
|
You will need to be in charge of managing your installed certificates (keep track of its expiration date and other relevant maintenance aspects such as changes in your Identity Provider's endpoints). |
Create Authentication Certificates
You can generate security certificates for the Authentication Protocols within the Customer Portal. This feature allows you to create and configure a new certificate or upload an existing one in the Customer Portal. To setup the Single Sing On and access the Customer Portal, sign on to your account role as a Company Administrator. This user role can this user can create users in the company user's pool, and manage users in all the company subscriptions. For additional information about Managing Customer Portal and roles refer to:
•Accessing the first time to an Enterprise subscription
•Configure an IdP using SAML in the Customer Portal
To create a security certificate inside the Customer Portal follow these steps:
1.Select the Settings icon located in the left panel menu.
2.A panel expands from the left with all the security related topics. Select the Authentication certificates option.
3.Inside this section, there is a list of certificates with details like Name, Description, Expiration date, Owner and Creation date and its creation source. In the top right corner, select the Add certificate button.
4.The Add new authentication certificate window opens for you to create the new security certificate and you must fill out the five different required fields:
a.Display Name.
b.Description.
c.Either select the Generate (to create a new certificate) or Upload (to upload a existing certificate) option for the toggle button.
d.Expiration date.
e.Certificate password.
When opting for the Generate option, specify the Expiration date and assign a Certificate password. In the case of selecting the Upload option, it is mandatory to upload digital certificate files in either PFX or P12 format. Subsequently, choose the type of algorithm to implement—either SHA256 or SHA1. Finally, enter the password associated with the certificate.
5.After all the required fields have been entered, click Save in the top right corner.
After the certificate is created a message will appear in the right bottom corner indicating it has successfully been saved.
To manage the generated security certificate in the Customer Portal refer to the Managing Authentication Certificates documentation.
Managing authentication Certificates
You can manage the Authentication certificate by downloading or deleting it.
2. Register an authorized application in Okta
Open the Okta portal as an administrator, select the Applications section and create a new App Integration.
Select SAML 2.0:
Give a name to the application:
Configure the following parameters:
Endpoints
•Single sign on URL: This is the destination in the SAML response https://accounts-<companyname>.bizagi.com/saml2/assertionConsumer
•Use this for Recipient URL and Destination URL: activate this option.
•Audience URI (SP Entity ID): It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com
•Default RealyState: Leavi it Empty.
•Name ID format: EmailAddress
•Application username: Email
Now open the advanced settings and configure the following parameters:
•Response: Select Signed.
•Assertion Signature: Select Signed.
•Signature Algorithm: We recommend using RSA-SHA256. The same value must be configured in the Bizagi Customer Portal.
•Digest Algorithm: We recommend using RSA-SHA256.
•Assertion Encryption: Optional, if you select Encrypted you need a certificate.
•Encryption Algorithm: Select AES256-CBC if you activate Assertion Encryption.
•Key Transport Algorithm: Select RSA-1.5 if you activate Assertion Encryption.
•Encryption Certificate: upload your encryption certificate in cer o crt format, if you activate Assertion Encryption
•Enable Single Logout: Select Allow application to initiate Single Logout.
•Single Logout URL: It is the Bizagi's cloud logut URL https://accounts-<companyname>.bizagi.com/saml2/logout
•SP Issuer: It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com
•Signature Certificate: Upload a certificate in cer o crt format. The same certificate must be uploaded in the Bizagi Customer Portal.
•Authentication context class: Select PasswordProtectedTransport.
•Honor force authentication: Select Yes.
•SAML Issuer ID: Leave the default value.
Click Next, and then Finish.
Open the Assignments tab and select users or groups of users that are going to be authenticated using this application.
Finally, get the metadata URL. Open the Sign On tab and click Identity Provider Metadata.
Copy the URL in the browser tab opened. It has the following format:
https://[company].okta.com/app/[id]/sso/saml/metadata
3. Configure your IdP in the Customer Portal
After you configure the application in Okta, now you must access the Bizagi Customer Portal and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in the Customer Portal.
To test your configuration we recommend that all users log out and opening a new tab using incognito mode, or use a different browser. If the configuration with a new IdP fails, you can restore the authentication protocol.
Troubleshooting
In case the authenticator fails, you can review:
•Troubleshooting SAML message exchanges
Last Updated 6/14/2023 3:21:09 PM