We want to use a Single-Sign-On authorization method for our SaaS Workflow organisation and if it is possible, how can we enable it?
The Workflow SSO doesn't need any additional configuration on your SAML-server, because this single-sign-on method will use the Process Manager SAML-connection.
Because of this, following options are necessary to activate the Workflow SSO:
- All workflow users need a Process Manager license (Hub-license would be enough)
- The Process Manager workspace has a configured SAML-connection to your SAML-server (e.g. ADFS, Azure AD, Okta)
- The checkbox "Allow service provider initiated authentication" (Setup - Manage Collaboration Hub authentication) in your Process Manager workspace is activated
- Get in contact with the Signavio Support (they can activate the Workflow SSO for you)
After the Signavio Support activated the Workflow SSO, following URLs will trigger the single-sign-on:
- https://<Signavio system>/<Org-Key>/cases/tasks
- https://<Signavio system>/<Org-Key>/cases/case/<Case-ID>
- https://<Signavio system>/<Org-Key>/cases/overview
- https://<Signavio system>/<Org-Key>/cases/processes
(Please change the parameter <Signavio system> to the correct Signavio URl, which you are using:
- EU-system (workflow.signavio.com)
- AU-system (workflow-au.signavio.com)
- US-system (workflow-us.signavio.com)
Additionally, change the parameter <Org-Key> to your Workflow organisation key (The organisation key is the number-ID / name directly after the domain name of the system (e.g. the org key for the URLwould be 57020c4762f8a009b3082416)
Following use case for the single-sign-on can exist:
The user gets an email that he/she is a candidate for a task. The user clicks on the link in the email and has no active Workflow session and because of that, the person only sees the login page. Within few a seconds the Workflow system recognizes the activated SSO connection in the background and redirects the user to the Process Manager. Also, this system identifies the SAML-connection and redirects the user to your SAML-server. After the successful authentication against your Active Directory, the user will automatically returns back to the origin page (Workflow task).
The Workflow SSO uses process manager account so there is no additional configuration of your SAML-Server necessary.
KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To