SAML2 Configuration with Entra ID


Overview

Bizagi provides an Azure Enterprise Application that helps you configure your Entra ID with SSO easily. This section explains how you can configure the Enterprise Application.

 

Prerequisites

1.You need to register an account in the Work Portal using a URL of this format: https://[environment]-[project]-[company_name].bizagi.com/. Make sure to include the type of environment, your project name, and your company name. Once you access the Work Portal, open the Admin option in the toolbar; a drop-down menu is displayed where you must select the Users Management option and then the Users option. This opens a window for creating a user account. Click the New Users button and fill out the required fields.

2.In the Organizations tab, make sure to move the Organizations component to the right by clicking the ">>" button, and then click Save.

 

1. Generate certificates to sign assertions (mandatory)

The following explains how to generate the security certificate from the Customer Portal:

 

Note: You will need to be in charge of managing your installed certificates (keep track of their expiration dates and other relevant maintenance aspects, such as changes in your Identity Provider's endpoints).

 

Create Authentication Certificates

You can generate security certificates for the Authentication Protocols within the Customer Portal. This feature allows you to create and configure a new certificate or upload an existing one in the Customer Portal. To set up Single Sign-On and access the Customer Portal, sign in to your account with the Company Administrator role. This user role can create users in the company's user pool and manage users in all the company subscriptions. For additional information, refer to the Managing Customer Portal and roles documentation.

 

To create a security certificate inside the Customer Portal follow these steps:

1.Select the Settings icon located in the left panel menu.

 

[Screenshot: SettingsIcon01]

 

2.A panel expands from the left with all the security-related topics. Select the Authentication certificates option.

 

[Screenshot: AuthCert01]

 

3.Inside this section there is a list of certificates with details such as Name, Description, Expiration date, Owner, Creation date and creation source. In the top right corner, select the Add certificate button.

 

[Screenshot: AuthCert02]

 

4.The Add new authentication certificate window opens for you to create the new security certificate. You must fill out the five required fields:

a.Display Name.

b.Description.

c.Use the toggle button to select either the Generate option (to create a new certificate) or the Upload option (to upload an existing certificate).

d.Expiration date.

e.Certificate password.

 

When you select the Generate option, set the Expiration date and assign a Certificate password. If you select the Upload option, you are required to upload digital certificate files in PFX or P12 format and then select the algorithm to use, either SHA256 or SHA1. Finally, enter the certificate's password.

 

[Screenshot: AuthCert03]

 

5.After all the required fields have been entered, click Save in the top right corner.

 

[Screenshot: AuthCert04]

 

After the certificate is created, a message appears in the bottom right corner indicating that it has been saved successfully.

 

[Screenshot: AuthCert05]

 

To manage the generated security certificate in the Customer Portal refer to the Managing Authentication Certificates documentation.

 

Generate Bizagi Metadata

To generate the metadata in Bizagi, you first need to set up the same account from the Work Portal in the Management Console, as explained in these steps:

 

1.To access the Management Console (MC), navigate to a URL of this format: https://manage-[environment]-[project]-[company_name].bizagi.com/. Make sure to customize it with the environment you are using, your project name and your company name.

2.Once you access the MC, select the Environment option in the top-left corner and then navigate to the Maintenance Window. There, click the Start maintenance button.

3.After maintenance of the environment has been initialized, navigate to the following path: Security option/Security/Authentication tab (located at the top of the page) and fill out the following fields:

 

In the Authentication Type field select: Federated Authentication.

For the Sub Type field select: SAML v2.0.

 

4.Set up the following Federated Authentication parameters:

Identity provider Metadata File Path: Paste the metadata file URL from Azure. After every change, click the Apply button.

Idle sessions time-out: 20 min is the default value.

Organization name: Enter a descriptive name.

Organization URL: Enter a descriptive URL.

SAML Protocol Binding for SLO: Select the Redirect option from the drop-down menu.

SAML Protocol Binding for SSO: Select the Post option from the drop-down menu.

Service Provider URL: In this field, enter the same URL used in the Customer Portal.

Signature Certificate password: Enter the password of the .pfx file downloaded from the certificate created above.

Signing Algorithm: SHA256.

Signing Certificate: This is where you upload the .pfx file generated in Azure. Bizagi uses the private key from this file to sign its messages, and the public key is published in its metadata.

 

5.After setting up the parameters, restart the environment by clicking the Restart the environment to reflect changes in the work portal button at the top of the page. This button takes you to the maintenance window, where you must click the Restart environment button.

6.To download Bizagi's metadata, use a URL of the following format: https://[environment]-[project]-[company_name].bizagi.com/saml2/metadata.xml

 

2. Configure your IdP in Bizagi

After you configure the application in Entra ID, access Bizagi Studio or the Management Console and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in Bizagi.

 

3. Download the Bizagi metadata file

After you configure the identity provider in Bizagi, you must generate the metadata file. Refer to Download the metadata file.

 

4. Configure the Enterprise Application in Entra ID

Do this in the admin options provided by Entra ID.

 

4.1 Access your Azure subscription with the Entra ID service using any of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

 

You will need to sign into Azure's portal at https://portal.azure.com.

 

[Screenshot: AzureAD_portal01_st]

 

4.2 Register the Enterprise Application

Open Entra ID and select the Enterprise Applications menu. Click New Application:

 

[Screenshot: EnterpriseApp_01_st]

 

Search for the Bizagi application and select it:

 

[Screenshot: EnterpriseApp_04_st]

 

4.3 Define users that are going to be authenticated in Bizagi using Azure SSO

Define the users that are going to be authenticated in Bizagi using Azure SSO. Add them manually or through any predefined group in your Entra ID. Remember that these users must be registered in Bizagi.

 

[Screenshot: EnterpriseApp_05_st]

 

4.4 Configure the Single sign-on properties

Select the Single sign-on menu, and click the SAML option:

 

[Screenshot: EnterpriseApp_06_st]

 

4.5 Set up the metadata file

Now you can upload the metadata file downloaded in step 2.1.

 

[Screenshot: EnterpriseApp_07]

 

Review and fill in the rest of the mandatory fields:

 

[Screenshot: EnterpriseApp_08]

 

Sign on URL: This is Bizagi's Work Portal URL, for example, https://[environment]-[project]-[company].bizagi.com

Reply URL: This is the destination of the SAML response, for example, https://[environment]-[project]-[company].bizagi.com/saml2/assertionConsumer

Identifier (Entity ID): This is Bizagi's Work Portal URL, for example, https://[environment]-[project]-[company].bizagi.com

Logout URL: This is Bizagi's Work Portal logout URL, for example, https://[environment]-[project]-[company].bizagi.com/saml2/logout

 

4.6 Verify or upload the certificate

You must include the SAML signing certificate. If the configuration does not have a certificate, click Add a certificate and upload the same certificate used in Bizagi's configuration.

 

[Screenshot: EnterpriseApp_16]

 

If the certificate is configured correctly, you can see its properties. Make sure its status is active.

 

[Screenshot: EnterpriseApp_17]

 

4.7 Define the Unique User Identifier

To identify users when they are authenticated by Bizagi, you need to define a Unique Identifier. In Bizagi, the unique identifier for a user is either the email or the combination of domain and username. We recommend setting the email as the Unique Identifier. Click the edit icon in the User Attributes & Claims options:

 

[Screenshot: EnterpriseApp_09]

Click the Unique Identifier:

 

[Screenshot: EnterpriseApp_12_st]

 

Select the Email Address format, and user.mail as the Source Attribute:

 

[Screenshot: EnterpriseApp_13_st]

 

4.8 Get the metadata URL

Finally, copy the App Federation metadata URL:

 

[Screenshot: EnterpriseApp_11]

 

 

Note: The metadata URL must have the following format:

 

https://login.microsoftonline.com/[Tenant]/federationmetadata/2007-06/federationmetadata.xml?appid=[applicationID]

 

It is very important to make sure that the appid parameter is present at the end of the URL.
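As an added check that is not part of the Bizagi documentation or product, the following script validates the two pieces of configuration the sections above depend on: the Entra ID App Federation metadata URL (host, path and a trailing appid parameter) and Bizagi's /saml2/metadata.xml content (entity ID, HTTP-POST assertion consumer at /saml2/assertionConsumer, HTTP-Redirect logout at /saml2/logout, and a published signing certificate) against the Work Portal URL entered in Entra ID. The tenant, appid and Work Portal host values, and the sample metadata document, are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_idp_metadata_url(url):  # returns a list of problems; empty list means the URL is well formed
    problems = []
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != "login.microsoftonline.com":
        problems.append("URL must start with https://login.microsoftonline.com/")
    if not re.fullmatch(r"/[^/]+/federationmetadata/2007-06/federationmetadata\.xml", p.path):
        problems.append("path must be /[Tenant]/federationmetadata/2007-06/federationmetadata.xml")
    params = [part for part in p.query.split("&") if part]
    if not any(part.startswith("appid=") for part in params):
        problems.append("missing appid parameter: tenant-wide metadata does not describe this app")
    elif not params[-1].startswith("appid="):
        problems.append("appid must be the last query parameter")
    return problems

def check_sp_metadata(xml_text, portal_url):  # compares Bizagi SP metadata with the Entra ID fields
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != portal_url:  # must equal the Identifier (Entity ID) entered in Entra ID
        problems.append("entityID %r does not match %r" % (root.get("entityID"), portal_url))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    acs = {(e.get("Binding"), e.get("Location")) for e in sp.findall("md:AssertionConsumerService", NS)}
    if (POST, portal_url + "/saml2/assertionConsumer") not in acs:
        problems.append("no HTTP-POST AssertionConsumerService at /saml2/assertionConsumer (Reply URL)")
    slo = {(e.get("Binding"), e.get("Location")) for e in sp.findall("md:SingleLogoutService", NS)}
    if (REDIRECT, portal_url + "/saml2/logout") not in slo:
        problems.append("no HTTP-Redirect SingleLogoutService at /saml2/logout (Logout URL)")
    if sp.find("md:KeyDescriptor[@use='signing']", NS) is None:
        problems.append("no signing certificate published; the IdP cannot verify signed messages")
    return problems

# Constructed sample of what /saml2/metadata.xml could contain (placeholder host and certificate).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://test-myproject-acme.bizagi.com"><md:SPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://test-myproject-acme.bizagi.com/saml2/logout"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://test-myproject-acme.bizagi.com/saml2/assertionConsumer" index="0"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""
```

Run the checks against the real metadata URL copied from Entra ID and the XML downloaded from your Work Portal's /saml2/metadata.xml before restarting the environment.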

 

Once you have this file's URL, go back to Bizagi Studio or the Management Console and set it in this key:

 

[Screenshot: SAML_Bizagiparams2PingF]

 

[Screenshot: SAML_Bizagiparams2PingF_MC]

 

Note: In the Management Console, before modifying the authentication configuration, you must set the environment status to Maintenance from the maintenance window.

After making the desired modifications, remember to restart the environment to reflect the changes.

 

Now when you run the Work Portal, Bizagi displays the IdP's log-in page and users can be authenticated with your IdP.

 

Note: Remember to do this configuration in all your environments, or to deploy security configurations to your target environments, for example, test or production environments.


Last Updated 12/10/2024 12:29:56 PM