
Problem:


What possibilities do we have to successfully establish the SAML integration with our Process Manager workspace (and possibly also the linked workflow organization)?

You can find the German version here.



Solution:



We currently offer the following integration options:

Option 1 - Easy integration where the read-only users are not logged in.

In this case, the integration can be set up without the help of Signavio Customer Support. First, the federationmetadata.xml of Signavio must be uploaded to the SAML server (IDP) and your AD attributes must be mapped as follows:

IDP provided attribute                                                              | Signavio attribute
A unique attribute whose value does not occur more than once (e.g. Employee number) | Name ID
E-Mail Addresses                                                                    | email
Given Name                                                                          | first_name
Surname                                                                             | last_name

Once everything has been created within the IDP, you need to upload the federationmetadata from your IDP to your workspace. As a last step, define the read permissions for your colleagues, or activate the checkbox that grants every SAML user access to all published diagrams.

With this option NO direct SSO to the Explorer would be possible. The modelers would have the following two options to get into the Explorer:

  • manual login via the Signavio login page

  • SSO login to the Collaboration Hub and then click on the name in the upper right corner and on "Log in as Modeler".


Below are instructions for four sample IDPs:


Option 2 - Automatic account creation for read-only users. (optional)

This option requires option 1 as a prerequisite. In this case, any user who is not yet in the workspace and accesses the Collaboration Hub via the SAML authentication automatically receives a Hub license. With this option enabled, users can be managed within the "Manage users & access rights" dialog and can be added to groups. The user can also mark diagrams as favorites and receives updates for those.
With this option enabled we recommend that you create a default group (e.g. Hub). If the checkbox for the default group is activated, new accounts are added to this group automatically and inherit the permissions of this group. If an employee leaves the company, the account has to be deleted manually.

This option can be activated in the "Manage Collaboration Hub authentication"-window:



Option 3 - Automatic license assignment for new users. (optional)

In order to use this option, option 2 must be enabled. The difference between this and option 2 is that a license (e.g. Enterprise, Collaboration Hub) is assigned to the new user by means of an additional attribute. Neither revoking a license nor deleting a user is possible from the IDP server with this option; the account has to be deleted manually in Signavio.

To assign the licenses with the SAML-integration, you have to send us another attribute with the name "signavio_licenses_v1". The possible values for the corresponding licenses would be as follows:

  • Enterprise Plus Edition
  • Enterprise Edition
  • Classic Edition
  • Workflow (if the Workflow licenses are managed via the new User Management)

(If no free license of the requested type is available, the system ignores this attribute and assigns a Collaboration Hub license to the user.)



Option 4 - Automatic group assignment. (optional)

In order to use this option, option 2 must be enabled. This option allows the SAML integration to perform group assignment for all users in the workspace, meaning that the SAML integration can add users to specific groups using another attribute, "signavio_groups_v1". If a user is in a group that is no longer transmitted via the SAML integration, the user is removed from this group. The administrator group is the only group that cannot be managed via the SAML interface.

If the group that is assigned via the attribute does not exist in the Signavio workspace, the system ignores it.
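To make the attribute contract of options 1, 3 and 4 concrete, here is an added example (not Signavio's own code, and not a description of how the Signavio backend is implemented) that parses a constructed SAML 2.0 AttributeStatement carrying the attributes named on this page and applies the rules stated above: the requested license is used only if a seat is free, otherwise a Collaboration Hub license is assigned; group membership follows the transmitted list, groups that do not exist in the workspace are ignored, and the administrator group is never touched. The sample assertion values, the group name "Administrators" and the assumption that multi-valued attributes arrive as repeated AttributeValue elements are all constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement (not a real Signavio or IdP artifact).
# Attribute names follow the page: email, first_name, last_name,
# signavio_licenses_v1, signavio_groups_v1. Multi-valued attributes are
# ASSUMED to be carried as repeated <saml:AttributeValue> elements.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email">
    <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="first_name">
    <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="last_name">
    <saml:AttributeValue>Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="signavio_licenses_v1">
    <saml:AttributeValue>Enterprise Edition</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="signavio_groups_v1">
    <saml:AttributeValue>Hub</saml:AttributeValue>
    <saml:AttributeValue>Finance</saml:AttributeValue>
    <saml:AttributeValue>Administrators</saml:AttributeValue>
    <saml:AttributeValue>Does Not Exist</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
""".strip()

# License values listed on the page for signavio_licenses_v1.
KNOWN_LICENSES = {"Enterprise Plus Edition", "Enterprise Edition",
                  "Classic Edition", "Workflow"}
FALLBACK_LICENSE = "Collaboration Hub"
# Hypothetical name of the protected administrator group (assumption).
ADMIN_GROUP = "Administrators"


def parse_attributes(xml_text):
    """Return {attribute name: [values...]} from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text.strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def choose_license(attrs, free_licenses):
    """Option 3 rule: grant the requested license if it is a known value and a
    seat is free; otherwise fall back to a Collaboration Hub license.
    free_licenses maps license name -> number of unused seats."""
    values = attrs.get("signavio_licenses_v1", [])
    requested = values[0] if values else None
    if requested in KNOWN_LICENSES and free_licenses.get(requested, 0) > 0:
        return requested
    return FALLBACK_LICENSE


def reconcile_groups(current, transmitted, workspace_groups):
    """Option 4 rule: membership follows the transmitted list. Groups that do
    not exist in the workspace are ignored, and membership of the
    administrator group is neither granted nor revoked via SAML."""
    wanted = {g for g in transmitted
              if g in workspace_groups and g != ADMIN_GROUP}
    keep_admin = {g for g in current if g == ADMIN_GROUP}
    return wanted | keep_admin


def provision(xml_text, current_groups, workspace_groups, free_licenses):
    """Combine the steps: returns the account data a workspace would apply."""
    attrs = parse_attributes(xml_text)
    return {
        "email": attrs["email"][0],
        "first_name": attrs["first_name"][0],
        "last_name": attrs["last_name"][0],
        "license": choose_license(attrs, free_licenses),
        "groups": reconcile_groups(current_groups,
                                   attrs.get("signavio_groups_v1", []),
                                   workspace_groups),
    }


if __name__ == "__main__":
    result = provision(SAMPLE_ATTRIBUTE_STATEMENT,
                       current_groups={"Hub", "Legacy"},
                       workspace_groups={"Hub", "Finance", "Legacy", "Administrators"},
                       free_licenses={"Enterprise Edition": 3})
    print(result)
```

Running the block as a script shows the user landing in "Hub" and "Finance" only: "Legacy" is dropped because it was not transmitted, "Does Not Exist" is ignored, and "Administrators" is not granted even though the IDP sent it. With zero free Enterprise Edition seats the same user receives a Collaboration Hub license instead.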



Option 5 - Disable manual login, enforce SSO (login only via SAML integration). (optional)

With this option, registered users can no longer log in to Signavio manually via the Signavio login page. If this is attempted, a message will appear indicating that the login has been deactivated. Accordingly, the login to the workspace (Hub or Explorer) only works via SAML links.

This option can be activated in the "Edit security configuration"-window:



Signavio Customer Support must be involved for the extended SAML/SSO configuration. The following additional options are available:

Option 6 - Integration where modelers are logged in automatically. (optional)

If option 2 is activated, this option is automatically activated as well. Registered users in the workspace are logged in directly. The advantage is that an SSO login to every folder in the Explorer is possible.



Option 7 - SAML integration of the Workflow organization. (optional)

In order to use this option, option 2 or 5 must be enabled. Furthermore, all users who are present in the Workflow also require an account in the Process Manager (e.g. a Hub license or the Workflow license in the new user management). This is necessary because the Workflow Accelerator does not establish its own trust relationship with your SAML server. If a SAML request is triggered at the Workflow Accelerator, the user is forwarded to the Process Manager and only from there to your SAML server. Because of this chain, the Process Manager account is mandatory. A direct connection from the Workflow Accelerator to your SAML server is not possible.



(Status 13.10.2020)