Access rights via single sign-on with SAML 2.0

In this chapter you learn how to enable Collaboration Hub and Process Manager access via single sign-on with SAML 2.0.

Note

This feature is available for Software-as-a-Service workspaces only.

Signavio supports single sign-on via selected SAML (Security Assertion Markup Language) SSO services. For example, if you enable Google SAML SSO, your users can use their Google account to access Collaboration Hub and the Editor.

User identities need to comply with the SAML 2.0 User ID regular expression to access Collaboration Hub. Modeling users additionally need an active user account in your Signavio workspace.

Signavio supports identity provider-initiated SSO via HTTP POST requests and service provider-initiated SSO when accessing specific resources in Collaboration Hub. This means that authorized users are authenticated automatically.

Supported SAML SSO services are:

Important

At the initial setup of SAML, all previously published diagrams have to be republished so that authorized users have access to them.

Activating SAML-based authentication in the Explorer

This section describes how you can enable SAML single sign-on for Hub users and modelers. The activation of SAML-based authentication allows your users to generate links to share diagrams in Collaboration Hub with other users, even if the target users who open the link are currently not authenticated.

Hint

Previously, it was only possible to configure SAML-based authentication through the Signavio support team. Workspace administrators can do this now. The configuration made by the support team still applies and can be changed as needed.

To activate single sign-on via SAML 2.0 for your workspace, proceed as follows:

  1. Under Setup, click the Manage Collaboration Hub authentication entry. The corresponding dialog opens.
  Collaboration Hub authentication dialog.
  2. First, select the Collaboration Hub authentication method SAML 2.0 based authentication from the drop-down menu.

Note

To have access to all published process diagrams, you need a SAML 2.0 configuration with valid SAML 2.0 XML metadata.

  3. Activate the checkbox Enable SAML 2.0 authentication.
  4. If needed, you can activate the Allow service provider initiated authentication option.
  5. Now enter your XML metadata in the field provided for this purpose.
  6. Optionally, you can specify a logout URL. The user is then redirected to this URL after a successful logout. If no URL is specified, the user is redirected automatically to the login page.
  7. Click Create/Update and then close the dialog.

Note

If required, you can ask the Signavio Support Team to set the AuthnRequest Service URL for the integration’s IdP.

Configuration of Microsoft Active Directory Federation Services (ADFS)

After you have activated SAML-based authentication in the Explorer, additional configuration of the Active Directory Federation Services (ADFS) is required. This is described in the following section.

Hint

Please note that the described configuration is tailored to Microsoft ADFS and may differ from the configuration of your system.

  1. First create a new Relying party.
  2. Import Process Manager metadata.

Process Manager metadata

<md:EntityDescriptor ID="Sc56b5abe-07ea-471b-ac77-a956f170769e" entityID="editor.signavio.com" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" >
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <KeyInfo>
                <KeyName>editor.signavio.com</KeyName>
                <X509Data>
                    <X509Certificate>MIIEwzCCA6ugAwIBAgIQBowxJiDqnI/KgqB5ahz1lDANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHU1NMLmNvbTEUMBIGA1UECxMLd3d3LnNz bC5jb20xFjAUBgNVBAMTDVNTTC5jb20gRFYgQ0EwHhcNMTYxMDIxMDAwMDAwWhcNMTkxMDIxMjM1OTU5WjBcMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0 ZWQxHjAcBgNVBAsTFUVzc2VudGlhbFNTTCBXaWxkY2FyZDEXMBUGA1UEAwwOKi5zaWduYXZpby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHKfv8 B13/yj50LKKIJyCdBlIlDX4YSn1rvtoSTm1bJj7EhJ0qVTeJt8Ep9spndD2mKmqJpCCgZqBFNaNvF3Gc8zryp3/c/ZVfMDMXsiIQLRCn9tq1l/JxFzgPf/rQBS3VMmvh 5OYOkdtpPfTrcgeg0yatQ1tM9sJAT0vA07gDcmoEJYTfYsJVFzoGWWGTRb+Lk2BqyLg8VzCezIPrn2pu9HHv4DbKq3gm08q+vgJ1nyjk2xVbnDJ1kjNegMfHYfjqCak7 mHiGmw9lt3JOGtTd86d3qpxmSyqPnm4ze2ZaYWQRT8Env0vDbMQyuYKEbZIRmvYyKmLd4ngPsEwvKANXAgMBAAGjggGOMIIBijAfBgNVHSMEGDAWgBRGmv38UV58VFNS 4pnjszLvkxp/VjAdBgNVHQ4EFgQU1hDbTfekQzH3OM0WH+/cTnkrFyswDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG AQUFBwMCMEoGA1UdIARDMEEwNQYKKwYBBAGCqTABATAnMCUGCCsGAQUFBwIBFhlodHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATA0BgNVHR8ELTArMCmg J6AlhiNodHRwOi8vY3JsLnNzbC5jb20vU1NMY29tRFZDQV8yLmNybDBgBggrBgEFBQcBAQRUMFIwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xjb21E VkNBXzIuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5zc2wuY29tMCcGA1UdEQQgMB6CDiouc2lnbmF2aW8uY29tggxzaWduYXZpby5jb20wDQYJKoZIhvcNAQEL BQADggEBAFUnAAlTt2Df9Quo8oHl/43sMZqyyVAj5TEyqroGiqGeFU6tkVGUZDqJV8wI9mQAERA4gsXPVhj827JZWkqPuVsw+ATXw/Qu3e4NlmjZHyuHA3lPYuvRqAFz RmjR3nLFH6jotjM4x/ZKxCA9qxdWAAt8JJDHZNkeAo3g1eDdkz9yIYrnf9t0UZ+YFLMgHzksPyUbVrWfAQvpMS+VJaQWcFLW+Azt+NpIAfSEQ5iy7TnAWo1a05wzOb7c kBejS5OdSDYZgsgmN9omQJitVb1tpmY5JWSTyH3qv4yA1Z82w85b4tvtltiNA+sDLjttcUtvQkET5WNw1qAf1eU4VLkgFhM=</X509Certificate>
                    </X509Data>
            </KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://editor.signavio.com/intralink/saml2endpoint"/>
        <md:AttributeConsumingService index="0" isDefault="true">
            <md:ServiceName xml:lang="en">Signavio</md:ServiceName>
            <md:RequestedAttribute isRequired="true" Name="first_name" />
            <md:RequestedAttribute isRequired="true" Name="last_name" />
            <md:RequestedAttribute isRequired="true" Name="email"/>
        </md:AttributeConsumingService>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
  3. Create a new outgoing claim rule that sends LDAP attributes as claims. For this purpose, map the following outgoing claim types to LDAP attributes:
  • Name Id (from the drop-down menu): recommended LDAP attribute “E-Mail Addresses”
  • email: recommended LDAP attribute “E-Mail Addresses”
  • first_name: recommended LDAP attribute “Given Name”
  • last_name: recommended LDAP attribute “Surname”
  Configure claim rule in ADFS.
  4. Once the configuration on both sides has been completed, you can test the SSO via this URL: https://<ADFS-SERVER>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=editor.signavio.com.
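The ADFS steps above as one PowerShell script, added here as an example and not Signavio's or Microsoft's own code: it checks that the saved SP metadata asks for signed requests and signed assertions before importing it, registers the relying party trust, and adds the LDAP claim rule with the four mappings listed above. The metadata path, trust name, rule name and the permit-all authorization rule are assumptions; run it on the ADFS server with the ADFS module loaded.

```powershell
# Added example (not Signavio's or Microsoft's own script).
param(
    [string]$MetadataPath = 'C:\temp\signavio-sp-metadata.xml',  # assumed: saved copy of the SP metadata above
    [string]$TrustName    = 'Signavio Process Manager'            # assumed display name
)

# Check what the SP metadata asks for before trusting it. The metadata on this page
# declares AuthnRequestsSigned="true" and WantAssertionsSigned="true" and an HTTPS
# HTTP-POST AssertionConsumerService; refuse anything weaker.
[xml]$md = Get-Content -Path $MetadataPath -Raw
$sp = $md.EntityDescriptor.SPSSODescriptor
if ($sp.AuthnRequestsSigned -ne 'true' -or $sp.WantAssertionsSigned -ne 'true') {
    throw 'SP metadata does not require signed AuthnRequests and assertions; review it before importing.'
}
$acs = @($sp.AssertionConsumerService) | Where-Object { $_.isDefault -eq 'true' }
if ($acs.Location -notlike 'https://*' -or $acs.Binding -ne 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST') {
    throw "Unexpected default ACS endpoint: $($acs.Binding) $($acs.Location)"
}

# Steps 1 and 2: create the relying party and import the Process Manager metadata.
# Mirror the metadata on the ADFS side: require signed requests, sign message and assertion.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataPath `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature 'MessageAndAssertion'

# Step 3: one LDAP-attribute claim rule for the four outgoing claims listed above:
# Name Id <- mail, email <- mail, first_name <- givenName, last_name <- sn.
# "email", "first_name" and "last_name" are custom claim types whose names must match
# the RequestedAttribute names in the SP metadata.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Signavio user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "email", "first_name", "last_name"), query = ";mail,mail,givenName,sn;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $ldapRule

# Unlike the GUI wizard, the cmdlet adds no issuance authorization rule, so nobody would
# be let through. Permit authenticated users here; narrow it to a group if required.
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
```

Afterwards, Get-AdfsRelyingPartyTrust -Name $TrustName shows the imported identifier, endpoints and rules for review before testing the IdpInitiatedSignon URL above.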

Granting Collaboration Hub access rights based on SAML identities

After having activated SAML-based authentication for your workspace, you need to configure the access rights for your Collaboration Hub users.

Proceed as follows:

  1. Under Setup, click the Manage users & access rights entry.
  2. Now, switch to the Read access tab. For each folder, you can define a list of users who are allowed to access the folder’s diagrams in Collaboration Hub.

Hint

The Read access tab appears in the configuration dialogs only after SAML-based authentication has been activated.

  3. To add access rights for one or multiple users, select the corresponding folder and specify the user data in the input field in the bottom left area of the dialog. For each user, the list entry needs to have the structure email_address first_name last_name. Each user you add to the list needs a new line.
  4. Then, click Add.
  Configuration of SAML-based access rights.
  5. If you don’t want to specify folder-based permissions and instead want to grant full access to Collaboration Hub to all users, activate the check box General Access for all SAML users.
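To keep the Read access list consistent with the identities ADFS releases, the entries can be generated from the same directory attributes (mail, givenName, sn) that the claim rule above maps. The following function is an added example, not Signavio's own tooling; the group name and output path are assumptions, and it skips users whose entries could not be matched or would break the whitespace-delimited format.

```powershell
# Added example (not Signavio's own tooling): builds "email_address first_name last_name"
# lines for the Read access list from the members of an AD group.
function Export-SignavioReadAccessList {
    param(
        [string]$GroupName = 'Signavio-Hub-Readers',        # assumed AD group
        [string]$OutFile   = 'C:\temp\hub-read-access.txt'  # assumed output path
    )
    $lines = foreach ($m in Get-ADGroupMember -Identity $GroupName -Recursive |
                      Where-Object { $_.objectClass -eq 'user' }) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties mail, givenName, sn
        # Without a mail attribute the Name ID claim is empty, so the entry could never match.
        if ([string]::IsNullOrWhiteSpace($u.mail)) {
            Write-Warning "Skipping $($u.SamAccountName): no mail attribute"
            continue
        }
        # The entry format is whitespace-delimited; a name containing whitespace would
        # read as extra fields, so flag it for manual entry instead of emitting it.
        if ($u.givenName -match '\s' -or $u.sn -match '\s' -or
            [string]::IsNullOrWhiteSpace($u.givenName) -or [string]::IsNullOrWhiteSpace($u.sn)) {
            Write-Warning "Check $($u.mail) manually: missing name or name contains whitespace"
            continue
        }
        '{0} {1} {2}' -f $u.mail, $u.givenName, $u.sn
    }
    $lines | Set-Content -Path $OutFile -Encoding UTF8
    return $lines
}
```

The output file can be pasted into the input field of the Read access tab, one user per line.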