Single sign-on using SAML

You need an administrator account to set up single sign-on for a workspace.

With Process Manager version 14.6, administrators don't need the Signavio support anymore to configure single sign-on.

If you have already set up SSO with SAML, you must update both the IdP and the SP configuration in the next few months for security reasons. Signavio will let you know how long you can keep the existing configuration.

To update your configuration, first, follow the steps in section Configure your IdP. Then, you must enable the new option Use the latest SAML 2.0 capabilities in the Signavio SSO settings as described in section Enable SSO using SAML.

Single sign-on (SSO) is an authentication method. When SSO is set up, users can access different applications by logging in with only one account. Signavio supports SSO authentication using the Security Assertion Markup Language (SAML), both for the SaaS and the on-premises solution.

SAML is a standard to exchange authentication and authorization data between a service provider (SP) and an identity provider (IdP). Signavio supports both IdP-initiated and SP-initiated authentication.

Signavio acts as an SP and agrees to trust an IdP to authenticate users. When a user wants to access Signavio, Signavio sends an authentication request to the IdP. The identity provider validates the user and generates an authentication assertion that allows the user to log in to the workspace with their credentials.

Just-in-time provisioning

When SSO using SAML is enabled, you can specify that users automatically get an account when they access Signavio for the first time. This is called just-in-time (JIT) provisioning; it means users don't have to register with Signavio themselves.

For JIT provisioning to work, the following conditions must be met:

  • A user must be authenticated successfully with the IdP.
  • The response from the IdP contains the mandatory attributes. Read more in section Configure your IdP.
  • At least 1 unassigned license for Collaboration Hub is available.

With JIT provisioning enabled, the following happens:

  • When a user logs in for the first time, a new account is automatically created.
  • When a user who already has a Signavio account and an IdP name ID logs in, any change the IdP makes to their first name, last name, or email address is applied automatically in the Signavio user management.

The authentication assertion sent by the IdP can contain information on licenses and user group assignments, and the following applies:

  • A user receives a license that is specified in the IdP response, given that such a license is available in the workspace.
  • A user is assigned to all groups that are specified in the IdP response, given that these user groups exist. User groups that don't exist are ignored.
  • If a user is assigned to a Signavio user group that isn't included in the IdP response, the user is removed from this group.
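The JIT rules listed above (account creation only with JIT enabled and a free Collaboration Hub license, name and email updates for existing accounts, licenses assigned only when available, group membership replaced by the IdP response with unknown groups ignored) are easy to get subtly wrong when reasoning about what a user ends up with. The following Python is an added example, not Signavio code, and uses a hypothetical in-memory workspace model (the `User` and `Workspace` classes, the license counting, and the `apply_idp_login` function are all assumptions made for illustration); the attribute names in the `idp` dictionary follow the IdP configuration table on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical in-memory model of a workspace; the real Signavio user store
# is not shown on this page.


@dataclass
class User:
    name_id: str
    email: str
    first_name: str
    last_name: str
    license: Optional[str] = None
    groups: Set[str] = field(default_factory=set)


@dataclass
class Workspace:
    jit_enabled: bool
    existing_groups: Set[str]
    free_licenses: Dict[str, int]  # license name -> unassigned count (assumed model)
    users: Dict[str, User] = field(default_factory=dict)  # keyed by IdP Name ID


HUB_LICENSE = "Collaboration Hub"


def apply_idp_login(ws: Workspace, idp: dict) -> str:
    """Apply the JIT rules from the page to one successfully authenticated IdP response.

    idp carries the attributes the page lists (name_id, email, first_name,
    last_name) plus optional lists "licenses" and "groups".
    Returns "created", "updated" or "denied".
    """
    user = ws.users.get(idp["name_id"])
    if user is None:
        # Without JIT, only users with an existing account may enter.
        if not ws.jit_enabled:
            return "denied"
        # JIT needs at least one unassigned Collaboration Hub license.
        if ws.free_licenses.get(HUB_LICENSE, 0) < 1:
            return "denied"
        ws.free_licenses[HUB_LICENSE] -= 1
        user = User(idp["name_id"], idp["email"], idp["first_name"], idp["last_name"])
        ws.users[user.name_id] = user
        outcome = "created"
    else:
        # Existing account: IdP changes to name and email overwrite the stored values.
        user.email = idp["email"]
        user.first_name = idp["first_name"]
        user.last_name = idp["last_name"]
        outcome = "updated"

    # A license named in the response is assigned only if the workspace still has one
    # (assumed model: counted separately from the Collaboration Hub access license).
    for lic in idp.get("licenses", []):
        if ws.free_licenses.get(lic, 0) >= 1 and user.license != lic:
            ws.free_licenses[lic] -= 1
            user.license = lic
            break

    # Group membership is replaced by the response: groups that do not exist in the
    # workspace are ignored, and groups absent from the response are removed.
    user.groups = {g for g in idp.get("groups", []) if g in ws.existing_groups}
    return outcome
```

The one point worth checking before enabling JIT in a real workspace is the last rule: because membership is replaced rather than merged, a group that is managed manually in Signavio but not sent by the IdP is emptied on the next login of each member.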

When JIT provisioning is disabled, only users with an existing account can access the workspace. Other users will receive an error message. Read more on user management in section Manage users and groups.

Set up SSO using SAML

To set up SSO using SAML, you must configure the IdP and enable SSO for your workspace. Then, you can invite users.

All steps are described in detail in the following sections.

Configure your IdP

You can configure all third-party IdPs that support SAML 2.0, for example:

  • ADFS 2.0/3.0
  • Okta
  • OneLogin

For the configuration, the SP and the IdP must exchange metadata files.

Follow these steps:

  1. In the explorer, click Setup > Manage Collaboration Hub authentication.

    The configuration dialog opens.

  2. Select SAML 2.0 based authentication from the drop-down list.

    The configuration dialog opens.

  3. Download the SP metadata file. To do so, click the link Download the SAML service provider metadata in the lower dialog area.

  4. Upload this file to your IdP or configure your IdP manually with the information from the file.

  5. In your IdP configuration, set the SAML response attributes as follows:

    Attribute             Mandatory  Description
    Name ID               yes        The primary identifier. It must be unique and must not change; for example, use the internal employee ID.
    email                 yes        Email address of the user
    first_name            yes        First name of the user
    last_name             yes        Last name of the user
    signavio_licenses_v1  no         The name of the license that you want to assign to the user, for example Enterprise Plus Edition.
    signavio_groups_v1    no         The names of the groups that you want to assign to the user.

    IdP configuration is complete. You can continue with enabling SSO for your workspace. Read more in the next section Enable SSO using SAML.
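To see what the attribute table above looks like on the wire and to check an IdP configuration before users depend on it, the following Python is an added example (not Signavio code and not a real IdP response): it embeds a constructed SAML 2.0 assertion carrying the Name ID and the attribute names from the table, then reads them back and reports which mandatory attributes are missing. The issuer, person and Name ID value are placeholders, and the helper names `extract_provisioning_attributes` and `jit_attributes_present` are assumptions. The example deliberately parses only an assertion that a SAML library has already signature-checked; it does no verification of its own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as listed in the IdP configuration table.
MANDATORY_ATTRIBUTES = ("email", "first_name", "last_name")
LICENSE_ATTRIBUTE = "signavio_licenses_v1"
GROUP_ATTRIBUTE = "signavio_groups_v1"

# Constructed sample assertion (not captured from a real IdP). A real
# assertion also carries a Signature element and Conditions; omitted here.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example-1" Version="2.0"
                IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">emp-00042</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="last_name">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="signavio_licenses_v1">
      <saml:AttributeValue>Enterprise Plus Edition</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="signavio_groups_v1">
      <saml:AttributeValue>Modelers</saml:AttributeValue>
      <saml:AttributeValue>Reviewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_provisioning_attributes(assertion_xml: str) -> Dict[str, object]:
    """Read the Name ID and the table's attributes from an assertion whose
    signature has already been verified. Raises ValueError when the Name ID
    or a mandatory attribute is missing or empty, which is exactly the case
    in which JIT provisioning would not create the account."""
    root = ET.fromstring(assertion_xml.strip())
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")

    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS).strip()
    if not name_id:
        raise ValueError("Name ID is missing")

    # Collect every AttributeValue per Attribute; multi-valued attributes
    # (groups) simply yield several entries.
    values: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values[attr.get("Name", "")] = [
            v.text.strip()
            for v in attr.findall("saml:AttributeValue", SAML_NS)
            if v.text and v.text.strip()
        ]

    missing = [a for a in MANDATORY_ATTRIBUTES if not values.get(a)]
    if missing:
        raise ValueError("mandatory attribute(s) missing: " + ", ".join(missing))

    return {
        "name_id": name_id,
        "email": values["email"][0],
        "first_name": values["first_name"][0],
        "last_name": values["last_name"][0],
        "licenses": values.get(LICENSE_ATTRIBUTE, []),
        "groups": values.get(GROUP_ATTRIBUTE, []),
    }


def jit_attributes_present(assertion_xml: str) -> bool:
    """True when the assertion satisfies the attribute condition for JIT provisioning."""
    try:
        extract_provisioning_attributes(assertion_xml)
        return True
    except ValueError:
        return False
```

A common misconfiguration this catches is an IdP that emits the user's name under its own attribute names (such as givenName or surname) instead of first_name and last_name; the assertion is then valid SAML, the user authenticates, and JIT provisioning still fails because the mandatory attributes are absent.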

Enable SSO using SAML

Before you start, you need the configuration metadata from your IdP. Read more in the previous section Configure your IdP.

Follow these steps:

  1. In the explorer, click Setup > Manage Collaboration Hub authentication.

    The configuration dialog opens.

  2. Select SAML 2.0 based authentication from the drop-down list.

    The configuration dialog opens.

  3. To enable IdP-initiated authentication, select Enable SAML 2.0 authentication.

    IdP-initiated authentication means that a user who logs in to the IdP must select Signavio, and is then redirected to your workspace and logged in.

  4. With SP-initiated authentication, a user who is logged out from Signavio and tries to access your workspace is redirected to the IdP, must log in there, and is then directed back to Signavio and logged in.

    To additionally enable SP-initiated authentication, select Allow service provider initiated authentication.

  5. For SP-initiated authentication, the initial request sent by the SP to the IdP can be signed with a certificate. If the authentication request is signed, the IdP has additional means to verify that the request was sent by the SP.

    To enable signing the authentication request, select Sign authentication request.

  6. To enable just-in-time provisioning using SAML, select Create new user accounts automatically.

  7. If disabled, enable Use the latest SAML 2.0 capabilities.

    The latest SAML 2.0 capabilities ensure secure authentication and additionally allow assigning user groups and licenses when provisioning users.

    If you are configuring SSO for the first time, this option is enabled by default and you must keep it enabled in order to successfully enable SSO for your workspace.

    If you've already configured SSO in a Process Manager version earlier than 14.6, you must first update your IdP configuration as described in section Configure your IdP and only then enable the option Use the latest SAML 2.0 capabilities manually.

    For convenience, it is automatically enabled once an IdP-initiated SSO is successfully executed using the updated IdP configuration.

  8. Paste the configuration metadata provided by your IdP to the field XML Metadata.

  9. Confirm with Save settings and close the dialog.

Invite new users via email

If SP-initiated authentication and JIT provisioning are enabled, you can invite users to your workspace by sending them an email.

Follow these steps:

  1. Get the workspace link:

    • Share a link to any content within your workspace, for example by copying the URL from your browser address bar.

    • Create a link to the workspace by adding the workspace ID as a URL parameter, for example https://editor.signavio.com/p/hub?t=<WORKSPACE_ID>

  2. Paste the link into an email and send it to the users you want to log in with SSO using SAML.

Enforce SSO to disable login via credentials

When SSO is enforced for your workspace, users can't log in using their Signavio credentials. All users have to log in through the IdP.

If SP-initiated authentication is enabled, users are logged in when clicking a link to any content within your workspace, for example a published diagram in Collaboration Hub, or a link that includes the workspace ID as a URL parameter.

When SSO is configured but not enforced for your workspace, the following applies:

  • Users can log in through the IdP.
  • Users can also log in by entering their email and password on the Signavio login page.
  • If SP-initiated authentication is enabled, a logged-out user is always redirected to the IdP when clicking a link to content in your workspace.

When you've set up enforced SSO, make sure SSO is working before logging out from your workspace. Otherwise all users, including you, won't be able to access the workspace. To test the SSO configuration, log out and log in again with another user account.

In case of problems, please contact Signavio Support so they can disable this option for you.

To enforce SSO, follow these steps:

  1. In the explorer, click Setup > Edit security configuration.

    The configuration dialog opens.

  2. In the Password policies section, enable Enforce SSO login.

  3. Confirm with Save.

Next steps

Managing access rights

Manage security settings