Skip to main content
Skip table of contents

SAML Setup Steps for Cloud Customers

What is SAML2?

SAML stands for Security Assertion Markup Language and is used to provide Single-Sign-On (SSO) services to end users. It is used as a data exchange format between Service Providers (web applications that require their users to be authenticated) and Identity Providers (web applications that provide the required authentication). The iGrafx Platform acts as a Service Provider (SP) in this scenario, while your Azure AD, ADFS server or Okta instance acts as an Identity Provider (IDP).

Basic SAML authentication flow

How to set up SAML authentication for your Cloud Platform



The configuration of 3rd party software i.e. Operating Systems, Databases, Application Server, etc., in the context of this documentation is for illustration purposes only. iGrafx doesn't imply that the provided examples are the best or only way of configuration for the described scenario. Nor can we guarantee that it is the best option for performance and security. You apply the instructions at your own risk, please consult an expert of the 3rd party software if you are not sure.

Microsoft Azure Active Directory

  1. Add the following enterprise application to your Azure Active Directory: https://azuremarketplace.microsoft.com/marketplace/apps/aad.igrafxplatform?tab=Overview
  2. Follow the tutorial: https://docs.microsoft.com/azure/active-directory/saas-apps/igrafx-platform-tutorial
  3. Ensure your Unique User Identifier is set to the mail attribute in your integration (see below screenshot)


  4. Provide the metadata URL by going to Administration -> User Management -> SAML, and click UPDATE IDENTITY PROVIDER METADATA and follow the options for a metadata URL.
  5. On the same page, change your NameID policy to Email
  6. Verify your SAML SSO flow works by going to the Login page of your Process Design application and clicking Sign in via SSO 

Note: The enterprise application for SCIM needs to be registered separately for now as user provisioning is not supported yet.

Microsoft ADFS Server

  1. Receive the spring_saml_metadata.xml file from the iGrafx Team
  2. In AD FS 2.0 Management Console (in Control Panel - Administrative Tools) select "Add Relying Party Trust". Note: you may need to install Active Directory Federation Services.

  3. Select "Import data about the relying party from a file" and select the spring_saml_metadata.xml file you just downloaded. Click Next

  4. The wizard may complain that some content of the metadata is not supported. You can safely ignore this warning

  5. Enter a Display name and click Next
  6. Leave "I do not want to configure multi-factor authentication settings for this relying party trust at this time" checked and click Next
  7. Leave "Permit all users to access this relying party" checked and click Next
  8. On the "Ready to Add Trust" make sure that the tab "endpoints" contains multiple endpoint values. If not, verify that your metadata was generated with HTTPS protocol URLs

  9. Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard

  10. Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next

  11. Add NameID as "Claim rule name", choose "Active Directory" as Attribute store, choose "mail" as LDAP Attribute and "Name ID" as "Outgoing claim type", finish the wizard and confirm the claim rules window

  12. Download your Identity Provider metadata from https://YOUR_ADFS_SERVER/FederationMetadata/2007-06/FederationMetadata.xml.

  13. Provide the metadata file by going to Administration -> User Management -> SAML, and click UPDATE IDENTITY PROVIDER METADATA and follow the options for a metadata file.
  14. On the same page, make sure your NameID policy is unspecified, unless you have a custom policy in place.
  15. Verify your SAML SSO flow works by going to the Login page of your Process Design application and clicking Sign in via SSO 

Okta

  1. Go to Administration -> User Management -> SAML and click DOWNLOAD SERVICE PROVIDER METADATA 
  2. With the file on your hard disk, log in to Okta as an administrator, select Admin, select Applications and click Create New App

  3. From the list of supported protocols select SAML 2.0 and press Create

  4. Define app name (e.g. iGrafx) and optionally define app image and press Next

  5. Configure SAML with the following settings:

    SettingValue
    Single Sign on URLhttps://SUBDOMAIN.igrafxcloud.com/saml/SSO (use the subdomain that is matching your cloud instance)
    Audience URI (SP Entity ID)Enter the value from the <md:EntityDescriptor entityID="???"> attribute of the spring_saml_metadata.xml file you downloaded in step 1
    Relay StateLeave blank
    Name ID formatE-Mail
    Application usernameSelect any of the available options, depending on your requirements.
    IMPORTANT: Make sure that the selected usernames will map to login names that will exist in your iGrafx Platform
  6. Finish your Okta application creation
  7. Optional: Open your application configuration and go to the people page to configure custom username mappings
  8. Go to the Sign On tab in your Okta application configuration page and download the Okta Identity Provider metadata by clicking on the Identity Provider metadata link.
  9. Provide the metadata URL by going to Administration -> User Management -> SAML, and click UPDATE IDENTITY PROVIDER METADATA and follow the options for a metadata URL.
  10. Optional: On the same page, change your NameID policy to Email
  11. Verify your SAML SSO flow works by going to the Login page of your Process Design application and clicking Sign in via SSO 

Other Identity Providers

Identity providers like Ping Identity, Centrify, Auth0, HP IceWall, and others are not covered on this page but are also supported, as long as they support the SAML2 standard.
Please refer to your Identity Provider's manual and use the functionality under Administration -> User Management -> SAML  to set up your SAML Identity Provider with the Process Design application. Then Verify your SAML SSO flow works by going to the Login page of your Process Design application and clicking Sign in via SSO 

Make sure you are using a valid email address as your Unique User Identifier/NameID, or a cloud integration will not be possible.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.