Configure Azure AD using SAML 2.0
To integrate your cloud portals with your corporate Azure AD you need to carry out the configuration steps as described in this section.
Note that these steps are carried out only once, typically by an admin user of your Customer Portal who has access to your Azure AD.
Once you have carried out these steps users sign in to any cloud-based service directly via your Azure AD, as described at Signing in the Bizagi Cloud Portals and Applications.
To configure your Identity Provider you must follow these steps:
The following explains how to generate the security certificate from the Customer Portal:
You are responsible for managing your installed certificates (keep track of their expiration dates and of other maintenance aspects, such as changes in your Identity Provider's endpoints).
You can generate security certificates for the authentication protocols within the Customer Portal. This feature lets you create and configure a new certificate or upload an existing one in the Customer Portal. To set up Single Sign-On and access the Customer Portal, sign in with an account that has the Company Administrator role. This role can create users in the company's user pool and manage users in all the company's subscriptions. For more information about managing the Customer Portal and its roles, refer to:
•Accessing the first time to an Enterprise subscription
•Configure an IdP using SAML in the Customer Portal
To create a security certificate inside the Customer Portal follow these steps:
1.Select the Settings icon located in the left panel menu.
2.A panel expands from the left with all the security related topics. Select the Authentication certificates option.
3.This section lists the existing certificates with details such as Name, Description, Expiration date, Owner, Creation date and creation source. In the top right corner, select the Add certificate button.
4.The Add new authentication certificate window opens for you to create the new security certificate. You must fill out the five required fields:
a.Display Name.
b.Description.
c.Either select the Generate (to create a new certificate) or Upload (to upload an existing certificate) option for the toggle button.
d.Expiration date.
e.Certificate password.
If you select the Generate option, specify the Expiration date and assign a Certificate password. If you select the Upload option, you must upload a digital certificate file in either PFX or P12 format, then choose the algorithm to use, either SHA256 or SHA1, and finally enter the password associated with the certificate.
5.After all the required fields have been entered, click Save in the top right corner.
After the certificate is created, a message appears in the bottom right corner indicating that it has been saved successfully.
To manage the generated security certificate in the Customer Portal refer to the Managing Authentication Certificates documentation.
Do this in the admin options provided by Azure AD.
1.1 Log in to your Azure services with a user account with admin rights.
Access your Azure subscription with the Azure AD service using any of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
You will need to sign into Azure's portal at https://portal.azure.com.
1.2 Register the Enterprise Application
Open the Azure AD, and select the Enterprise Applications menu. Click New Application:
Search for the Bizagi application and select it:
1.3 Define users that are going to be authenticated in Bizagi using Azure SSO
Define the users that will be authenticated in Bizagi using Azure SSO. Add them manually or through any predefined group in your Azure AD. Remember that these users must also be registered in Bizagi.
1.4 Configure the Single sign-on properties
Select the Single sign-on menu, and click the SAML option:
1.4.1 Set up basic SAML configuration
Register Bizagi's endpoints
Endpoints
•Identifier (Entity ID): Bizagi's URL used for authentication, with the following format: https://accounts-<companyname>.bizagi.com
•Reply URL: The destination of the SAML response: https://accounts-<companyname>.bizagi.com/saml2/assertionConsumer
•Sign on URL: Bizagi's URL used for authentication, with the following format: https://accounts-<companyname>.bizagi.com
•Logout URL: Bizagi's cloud logout URL: https://accounts-<companyname>.bizagi.com/saml2/logout
Review and fill in the rest of the mandatory fields:
1.5 Verify or upload the certificate
You must include the SAML signing certificate. If the configuration does not have a certificate, click Add a certificate and upload the same certificate used in Bizagi's configuration.
If the certificate is configured correctly, you can see its properties. Make sure its status is active.
1.6 Define the Unique User Identifier
To identify users when they are authenticated by Bizagi, you need to define a Unique Identifier. In Bizagi, the unique identifier for users is the email, so we recommend setting the email as the Unique Identifier. Click the edit icon in the User Attributes & Claims options:
Click the Unique Identifier:
Select the Email Address format, and user.mail as the Source Attribute:
Finally, copy the App Federation metadata URL:
The metadata URL must have the following format:
https://login.microsoftonline.com/<TenantID>/federationmetadata/2007-06/federationmetadata.xml?appid=<applicationID>
It is very important to make sure that the appid parameter is included at the end of the URL.
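As an added example (not Bizagi's or Microsoft's code), the following Python check verifies that a copied App Federation metadata URL has the shape required above, with appid present as the final query parameter; the GUID values used when calling it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Azure AD tenant and application IDs are GUIDs.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Path shape stated on this page: /<TenantID>/federationmetadata/2007-06/federationmetadata.xml
PATH = re.compile(r"^/([^/]+)/federationmetadata/2007-06/federationmetadata\.xml$")


def check_metadata_url(url: str) -> list:
    """Return the problems found in the URL; an empty list means it is well formed."""
    u = urlsplit(url)
    problems = []
    if u.scheme != "https" or u.netloc != "login.microsoftonline.com":
        problems.append("host must be https://login.microsoftonline.com")
    m = PATH.match(u.path)
    if m is None:
        problems.append("path must be /<TenantID>/federationmetadata/2007-06/federationmetadata.xml")
    elif not GUID.match(m.group(1)):
        problems.append(f"TenantID {m.group(1)!r} is not a GUID")
    # The page stresses that appid must be at the end of the URL: it has to be
    # present and be the last query parameter.
    params = parse_qsl(u.query, keep_blank_values=True)
    if not params or params[-1][0] != "appid":
        problems.append("appid must be the last (and present) query parameter")
    elif not GUID.match(params[-1][1]):
        problems.append("appid value is not a GUID")
    return problems


if __name__ == "__main__":
    # Constructed placeholder IDs, not real tenant or application IDs.
    url = ("https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"
           "/federationmetadata/2007-06/federationmetadata.xml"
           "?appid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    print(check_metadata_url(url) or "metadata URL looks correct")
```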
After you configure the application in Azure AD, you must access the Bizagi Customer Portal and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in the Customer Portal.
After you configure the identity provider in Bizagi's Customer Portal, you must generate the metadata file. Refer to Download the metadata file.
Then, access the enterprise application created previously, click the Single sign-on option, and then select Upload metadata file:
Review that all the configuration parameters are right and save.
Now you can test your single sign-on. To test your configuration, we recommend that all users log out and then open a new tab in incognito mode, or use a different browser. If the configuration with a new IdP fails, you can restore the authentication protocol.
If authentication fails, you can review:
•Troubleshooting SAML message exchanges
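As an added troubleshooting aid that is not part of the original page, this Python script checks a SAML Response against the values configured above: the Audience must equal the Identifier (Entity ID), Destination and Recipient must equal the Reply URL, and the NameID must use the emailAddress format. The response is a constructed sample for a company named acme, and signature validation is assumed to be done separately.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def expected_endpoints(company: str) -> dict:
    """Bizagi endpoint values from this page, built from <companyname>."""
    base = f"https://accounts-{company}.bizagi.com"
    return {"entity_id": base, "sign_on_url": base,
            "reply_url": f"{base}/saml2/assertionConsumer",
            "logout_url": f"{base}/saml2/logout"}


def check_response(xml_text: str, company: str) -> list:
    """Return mismatches between the response and the expected values.
    An empty list means Audience, Destination/Recipient and NameID format
    agree with the Azure AD settings described on this page."""
    exp = expected_endpoints(company)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != exp["reply_url"]:
        problems.append("Destination does not match the Reply URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element in the response"]
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != exp["entity_id"]:
        problems.append(f"Audience {audience!r} != Identifier (Entity ID)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != exp["reply_url"]:
        problems.append("Recipient does not match the Reply URL")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    return problems


# Constructed sample for company "acme" (not a real Azure AD response; signature omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://accounts-acme.bizagi.com/saml2/assertionConsumer">
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@acme.example</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://accounts-acme.bizagi.com/saml2/assertionConsumer"/></saml:SubjectConfirmation>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://accounts-acme.bizagi.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Run `check_response(SAMPLE, "acme")` on a decoded SAMLResponse captured from the browser to see which of the configured values does not match; an empty list means the exchange is consistent with this page's settings.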
Last Updated 12/10/2024 8:57:29 AM