Enabling single sign-on via SAML
Single sign-on (SSO) is a mechanism whereby a single user authentication and authorization permits access to all systems where a user has access permission, without the need to enter multiple passwords.
Security Assertion Markup Language (SAML) is a standard used for single sign-on (SSO) that enables authentication and authorization between a service provider (SP) and an identity provider (IdP). The service provider (e.g., Signavio) agrees to trust the identity provider to authenticate users. In return, the identity provider generates an authentication assertion indicating that a user has been authenticated.
Signavio distinguishes between an IdP initiated authentication and an SP initiated authentication. When using IdP initiated authentication, users have to initially log in at their identity provider for authentication. Following this they can access a service provider by navigating from the IdP to the SP, e.g., via a link or an internal application.
When using SP initiated authentication, users that want to access a SP service are redirected automatically to their IdP. They log in at the IdP, are authenticated, and are automatically redirected back to their service provider. Read more about IdP initiated versus SP initiated SSO.
SSO via SAML is available for SaaS workspaces only. It is not available for on-premise customers.
Only administrators have the rights to enable SSO via SAML for a workspace.
An example of using SSO for SAML
A workspace administrator enables SAML authentication (IdP or SP initiated) for a workspace, and sets up Google as an IdP in Signavio Process Manager. The administrator also sets up Signavio as a valid SP for the company’s Google organization account. The administrator might also set up a Google application that allows users to access this Signavio workspace more easily. Users can then log into this workspace either via the Google application or via username/password (unless disabled). Once logged in, users can share content either by copying the URL in the browser or via the sharing function. The link includes either the workspace or the specific diagram ID.
Users that are not logged in when trying to access the shared content are redirected to the IdP (Google in this scenario) and prompted to log in with their Google account. After successful authentication, users are automatically logged into their Signavio account and can access the content that was specifically shared with them.
There are two options available for using SAML for Signavio Process Manager and Signavio Collaboration Hub:
- Use SAML SSO and username/password
- Use SAML and enforce SSO (set up by Signavio Customer Support). Access via username/password is then no longer available.
An alternative to SAML based authentication is the API license. You can purchase this license from your sales representative and have it enabled by Signavio Customer Support.
All IdPs that implement SAML are supported, e.g.:
- Microsoft Active Directory Federation Services
- Microsoft Azure AD
- Google SSO
- SAP ID Service
In principle, take these steps to enable SSO via SAML:
Configuring SSO for an identity provider (IdP)
The first step in setting up SAML SSO is to configure it on the identity provider side.
Regardless of your identity provider, you will need the appropriate service provider (Signavio) XML metadata - or parts of it - during configuration:
- Metadata for APAC (app-au.signavio.com): APAC metadata download.
- Metadata for EMEA (editor.signavio.com): EMEA metadata download.
- Metadata for US (app-us.signavio.com): US metadata download.
If you require assistance, our knowledge base may contain articles for your particular IdP, if we have dealt with it before:
Enabling SAML-based authentication
- Click Setup > Manage Collaboration Hub authentication.
- Select SAML 2.0 based authentication from the drop-down list box.
- Select Enable SAML 2.0 authentication. If you choose this option, users will be authenticated via the IdP (IdP initiated).
- Optionally, select the option Allow service provider initiated authentication. If you choose this option, users will be authenticated via the SP (SP initiated).
- Copy and paste the XML metadata provided by your IdP into the field XML Metadata.
- Optionally, specify a Logout URL. After a successful logout, the user is redirected to the website defined in this field. If no URL is specified, the user is automatically redirected to the Signavio login page.
- Confirm your selection by clicking Create/Update and close the dialog.
Granting access rights for users that log into Collaboration Hub
This only applies to workspaces where the provisioning feature is not applied. Read more about Using the auto provisioning feature.
After enabling SAML-based authentication for your workspace, you will need to configure access rights for Collaboration Hub users.
- Under Setup, click Manage users & access rights.
- Switch to the Read access tab. This tab is only available if SAML-based authentication was previously enabled.
In the Read access tab you can define a list of users who are allowed to access specific folders. If you don’t want to specify folder-based permissions and grant full access to all users of Collaboration Hub, select the checkbox General access for all SAML users and close the dialog.
To add folder-based rights for one or more users, select the corresponding folder and specify the user data in the input field in the bottom left area of the dialog. Each list entry needs to follow the structure email_address first_name last_name. Create a new line for each user you add to the list.
Click Add and close the dialog.
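The Read access list above is pasted by hand, so a quick validation pass before pasting catches the entries that would silently grant nothing. The following is an added example (not Signavio's code) that checks a constructed list against the documented email_address first_name last_name structure; it assumes exactly three whitespace-separated fields per line and a purely syntactic e-mail check.

```python
import re

# Simple syntactic e-mail check only. Whether an address actually matches the
# identity your IdP asserts for the user is something this helper cannot know.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample list in the documented "email_address first_name last_name"
# form, deliberately containing a duplicate, a malformed address and a short line.
SAMPLE_LIST = """alice@example.com Alice Liddell
bob@example.com Bob Builder
alice@example.com Alice Liddell
not-an-email Carol Danvers
dave@example.com Dave
"""


def parse_read_access_list(text):
    """Return (entries, problems).

    entries: list of (email, first_name, last_name) tuples that are safe to paste.
    problems: list of (line_no, message) for lines that must be fixed first.
    """
    entries, problems, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # blank lines are ignored
        if len(fields) != 3:  # assumption: names without embedded spaces
            problems.append((line_no, f"expected 3 fields, got {len(fields)}"))
            continue
        email, first, last = fields
        email = email.lower()  # e-mail local parts are compared case-insensitively here
        if not EMAIL_RE.match(email):
            problems.append((line_no, f"malformed e-mail address: {email}"))
            continue
        if email in seen:
            problems.append((line_no, f"duplicate entry for {email}"))
            continue
        seen.add(email)
        entries.append((email, first, last))
    return entries, problems
```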
Using the auto provisioning feature
The auto provisioning feature is currently only available upon request at Signavio Customer Support.
The auto provisioning feature ensures user accounts are created automatically without the need for registration. Auto provisioning requires single sign-on be enforced. You have to request SSO enforcement for your workspace from Signavio Customer Support.
Access rights for users that are automatically provisioned can be set via Setup > Manage users & access rights in the User groups tab. Auto provisioned users have the rights granted to all default groups. These users can then be placed in other user groups to grant them wider access.
Additionally, when provisioning users from an external user management system via SAML, their first and last names are extracted from the SAML response attributes. New users are created from this information, while existing users are updated the next time they log in via SAML.
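To make concrete what a service provider reads out of a SAML response before it provisions a user, here is an added example (not Signavio's code): it parses a constructed, unsigned sample response, enforces the assertion's validity window and audience restriction, and only then extracts the NameID plus first and last name. The SP entity ID and the attribute names firstName/lastName are placeholders, not Signavio's real values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed values: a placeholder SP entity ID and attribute names, not Signavio's real ones.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
FIRST_NAME_ATTR, LAST_NAME_ATTR = "firstName", "lastName"

# Constructed sample response. A real response is signed; verify the XML
# signature with a proper library before trusting anything parsed here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_user(response_xml, now, sp_entity_id=SP_ENTITY_ID):
    """Return (email, first_name, last_name) for provisioning, or raise ValueError.
    `now` is the current time as a SAML timestamp string."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # an assertion issued for another SP must not log anyone in here
        raise ValueError("assertion is not addressed to this service provider")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = value.strip()
    email = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not (email and attrs.get(FIRST_NAME_ATTR) and attrs.get(LAST_NAME_ATTR)):
        raise ValueError("NameID or name attributes missing; user cannot be provisioned")
    return email, attrs[FIRST_NAME_ATTR], attrs[LAST_NAME_ATTR]
```

For responses received from the network, parse with defusedxml rather than xml.etree and validate the XML signature first; both steps are outside this example.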
SAML response attributes to be set correctly in your IdP configuration: