Single sign-on using SAML

You need an administrator account to use this function.

With SAP Signavio Process Manager version 14.6, administrators don't need SAP Signavio support anymore to configure single sign-on.

If you had already set up SSO with SAML for older versions, you must update both the IdP and the SP configuration for security reasons.

To update your configuration, follow the steps in section Configure your IdP.

Single sign-on (SSO) is an authentication method. When SSO is set up, users can access different applications by logging in with only one account. SAP Signavio supports SSO authentication using the Security Assertion Markup Language (SAML), both for the SaaS and the on-premises solution.

SAML is a standard to exchange authentication and authorization data between a service provider (SP) and an identity provider (IdP). SAP Signavio supports IdP-initiated authentication and SP initiated authentication.

SAP Signavio acts as an SP and agrees to trust an IdP to authenticate users. When a user wants to access SAP Signavio, SAP Signavio sends an authentication request to the IdP. The identity provider validates the user and generates an authentication assertion that allows the user to log in to the workspace with their credentials.

For more information, see Enable SSO using SAML.

Just-in-time provisioning

When SSO using SAML is enabled, you can specify that users automatically get an account when they access SAP Signavio for the first time. This is called just-in-time (JIT) provisioning and allows users not to have to register with SAP Signavio themselves.

For JIT provisioning to work, the following conditions must be met:

  • A user must be authenticated successfully with the IdP.
  • The response from the IdP contains the mandatory attributes. Read more in section Configure your IdP.
  • At least 1 unassigned license for SAP Signavio Process Collaboration Hub is available.

With JIT provisioning enabled, the following happens:

  • When a user logs in for the first time, a new account is automatically created.
  • When a user logs in who already has a SAP Signavio account and an IdP name ID, any IdP change on their first name, last name, and email address will be automatically updated in the SAP Signavio user management.

The authentication assertion sent by the IdP can contain information on licenses and user group assignments, and the following applies:

  • A user receives a license that is specified in the IdP response, given that such a license is available in the workspace.
  • A user is assigned to all groups that are specified in the IdP response, given that these user groups exist. User groups that don't exist are ignored.
  • If a user is assigned to a user group that isn't included in the IdP response, the user is removed from this group.

When JIT provisioning is disabled, only users with an existing account can access the workspace. Other users will receive an error message. Read more on user management in section Manage users and groups.

Set up SSO using SAML

To set up SSO using SAML, you must configure the IdP and enable SSO for your workspace. Then, you can invite users.

All steps are described in detail in the following sections.

Configure your IdP

You can configure all third-party IdPs that support SAML 2.0, for example:

  • ADFS 2.0/3.0
  • Okta
  • OneLogin

For the configuration, the SP and the IdP must exchange metadata files.

We recommend to use an IdP with multi-factor authentication enabled, particularly for administrator accounts.

Follow these steps:

  1. In the explorer, click Setup > Manage SAP Signavio Process Collaboration Hub authentication.

    The configuration dialog opens.

  2. Select SAML 2.0 based authentication from the drop-down list.

    The configuration dialog opens.

  3. Download the IdP metadata file. To do so, click the link Download the SAML service provider metadata in the lower dialog area.

  4. Upload this file to your IdP or configure your IdP manually with the information from the file.

In your IdP configuration, set the SAML response attributes as follows:

Attribute Mandatory Description
Name ID yes It's the primary identifier, must be unique, and doesn't change. For example, use the internal employee ID.
email yes Email address of a user
first_name yes First name of a user
last_name yes Last name of a user
signavio_licenses_v1 no

The name of the license that you want to assign to a user, for example "Enterprise Plus Edition", "Enterprise Edition" "Classic Edition", "Collaboration Hub", or "Workflow".

When you assign more than one license, use a comma separated list. Example: "Enterprise Plus Edition,Workflow"

Ensure that there is no space between license names. Spaces within license names are valid.
signavio_groups_v1 no

The names of the groups that you want to assign to a user.

The following 5 characters can't be used in group names:

"<>'&

When you assign more than one group, use a comma separated list. Example: "modeling users,admins"

Ensure that there is no space between group names. Spaces within group names are valid.
If your IdP is Azure, you need to use the following attributes for licenses and groups:
signavio_licenses_v1_azure no

The name of the license that you want to assign to a user, for example "Enterprise Plus Edition", "Enterprise Edition" "Classic Edition", "Collaboration Hub", or "Workflow".

When you assign more than one license, use a comma separated list. Example: "Enterprise Plus Edition,Workflow"

Ensure that there is no space between license names. Spaces within license names are valid.
signavio_groups_v1_azure no

The names of the groups that you want to assign to a user.

The following 5 characters can't be used in group names:

"<>'&

When you assign more than one group, use a comma separated list. Example: "modeling users,admins"

Ensure that there is no space between group names. Spaces within group names are valid.

IdP configuration is complete. You can continue with enabling SSO for your workspace. Read more in the next section Enable SSO using SAML.

<Subject>
    <NameID>ID12345</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_6f26b11b-b290-4d2c-b79d-c46010fe686c" NotOnOrAfter="2020-10-23T11:49:29.291Z" Recipient="https://editor.signavio.com/api/v2/saml/v2/tenant/a41f284f4e8841b2c7f5e2af78663c0f/login"/>
    </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-10-23T11:44:29.258Z" NotOnOrAfter="2019-10-23T12:44:29.258Z">
    <AudienceRestriction>
        <Audience>https://editor.signavio.com/api/v2/saml/v2/tenant/a41f284f4e8841b2c7f5e2af78663c0f/metadata</Audience>
    </AudienceRestriction>
</Conditions>
<AttributeStatement>
    <Attribute Name="signavio_licenses_v1">
        <AttributeValue>Enterprise Plus Edition</AttributeValue>
        <AttributeValue>Workflow</AttributeValue>
    </Attribute>
    <Attribute Name="email">
        <AttributeValue>john.doe@signavio.com</AttributeValue>
    </Attribute>
    <Attribute Name="first_name">
        <AttributeValue>John</AttributeValue>
    </Attribute>
    <Attribute Name="last_name">
        <AttributeValue>Doe</AttributeValue>
    </Attribute>
    <Attribute Name="signavio_groups_v1">
        <AttributeValue>Employees</AttributeValue>
        <AttributeValue>Sales</AttributeValue>
        <AttributeValue>Process owners</AttributeValue>
    </Attribute>
</AttributeStatement>

Enable SSO using SAML

Before you start, you need the configuration metadata from your IdP. Read more in the previous section Configure your IdP.

Follow these steps:

  1. In the explorer, click Setup > Manage SAP Signavio Process Collaboration Hub authentication.

    The configuration dialog opens.

  2. Select SAML 2.0 based authentication from the drop-down list.

    The configuration dialog opens.

  3. To enable IdP-initiated authentication, select Enable SAML 2.0 authentication.

    IdP-initiated authentication means that a user who logs in to the IdP must select SAP Signavio, and is then redirected to your workspace and logged in.

  4. With SP-initiated authentication, a user who is logged out from SAP Signavio and tries to access your workspace, is redirected to the IdP, must log in to the IdP, and is then directed back to SAP Signavio and logged in.

    To additionally enable SP-initiated authentication, select Allow service provider initiated authentication.

  5. For SP-initiated authentication, the initial request sent by the SP to the IdP can be signed with a certificate. If the authentication request is signed, the IdP has additional means to verify that the request was sent by the SP.

    To enable signing the authentication request, select Sign authentication request.

  6. To enable just-in-time provisioning using SAML, select Create new user accounts automatically.

  7. Paste the configuration metadata provided by your IdP to the field XML Metadata.

  8. Confirm with Save settings and close the dialog.

Hint on links in invitation emails

SAP Signavio Process Manager users can send invitations emails to internal and external stakeholders.

If single sign-on is enabled but not enforced in your workspace, these invitations emails contain 2 web links:

  • Access using single sign-on (requires a company email account)

    The following applies:

    • Users who are logged in to their company system are directly directed to SAP Signavio Process Collaboration Hub.

    • Logged out users need to enter their company credentials to log in.

    • New users need to register with their company email and get a SAP Signavio account.

  • Access as a guest (you will be asked to register with your name and email address)

    The following applies:

    • Users with a guest account log in with their guest account credentials.

    • New users need to register.

Read more on the invitation features of SAP Signavio Process Manager in section Inviting stakeholders to comment on a diagram.

Invite new users by email

If SP-initiated authentication and JIT provisioning is enabled, you can invite users to your workspace by sending them an email.

Follow these steps:

  1. Get the workspace link:

    • Share a link to any content within your workspace, for example by copying the URL from your browser address bar.

    • Create a link to the workspace by adding the workspace ID as an URL parameter, for example https://editor.signavio.com/p/hub?t=<WORKSPACE_ID>

  2. Paste the link to an email and send it to the users you want to log in with SSO using SAML.

Enforce SSO to disable login with credentials

When SSO is enforced for your workspace, users can't log in using their SAP Signavio credentials. All users have to log in through the IdP.

If SP-initiated authentication is enabled, users are logged in when clicking a link to any content within your workspace, for example a published diagram in SAP Signavio Process Collaboration Hub, or a link that includes the workspace ID as an URL parameter.

When SSO is configured but not enforced for your workspace, the following applies:

  • Users can log in through the IdP.
  • Users can also log in by entering their email and password on the SAP Signavio login page.
  • If SP-initiated authentication is enabled, a logged out user is always redirected to the IdP when clicking a link to content in your workspace.

When you've set up enforced SSO, make sure SSO is working before logging out from your workspace. Otherwise all users, including you, won't be able to access the workspace. To test the SSO configuration, log out and log in again with another user account.

In case of problems, please contact our SAP Signavio service experts on the SAP ONE Support Launchpad so they can disable this option for you.

To enforce SSO, follow these steps:

  1. In the explorer, click Setup > Edit security configuration.

    The configuration dialog opens.

  2. In the Password policies section, enable Enforce SSO login.

  3. Confirm with Save.

Next steps

Manage access rights

Manage security settings