SAP Knowledge Base Article - Public

3242305 - SaaS: Configuring SSO with Microsoft Active Directory Federation Services (ADFS)

Symptom


We want to configure the SAML integration with our ADFS. Which instructions do we have to follow?




Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Resolution


  1. Add a new Relying Party Trust
  2. Import the Process Manager service provider metadata. Use the URL for your system platform, replacing the placeholder <workspace ID> with the workspace ID of your tenant. You can find the workspace ID in the Process Manager Explorer under Help > Workspace information. Alternatively, you can download the metadata file directly from the Process Manager Explorer under Setup > SAP Signavio Collaboration Hub Authentication > Download the SAML service provider metadata.
    1. EMEA-System: https://editor.signavio.com/api/v2/saml/v2/tenant/<workspace ID>/metadata
    2. AU-System: https://app-au.signavio.com/api/v2/saml/v2/tenant/<workspace ID>/metadata
    3. US-System: https://app-us.signavio.com/api/v2/saml/v2/tenant/<workspace ID>/metadata

  3. Create a new claim rule that sends LDAP attributes as claims ("Send LDAP Attributes as Claims"). Map the LDAP attributes to the following outgoing claim types; the claim type names first_name, last_name and email must be entered exactly as shown, because Process Manager reads the attributes under these names.

    LDAP Attribute        Outgoing Claim Type
    Given Name            first_name
    Surname               last_name
    E-Mail Addresses      email
    SAM-Account-Name      Name ID (select it from the drop-down menu)


  4. As described in the user manual, add the SAML metadata of your ADFS (the federation metadata document) to the metadata field in the Process Manager.
  5. Note that authentication requests must be signed: enable "Sign authentication request". ADFS validates the signature of the SAML authentication request with the service provider signing certificate contained in the metadata imported in step 2. More information is available in the SAP Signavio documentation.
  6. Once the configuration on both sides has been completed, you can test the SSO via the IdP-initiated sign-on URL below (choose the appropriate infrastructure for your link). The value of loginToRp is the relying party identifier, i.e. the metadata URL used in step 2. On AD FS for Windows Server 2016 and later the IdP-initiated sign-on page is disabled by default and must be enabled (property EnableIdpInitiatedSignonPage) before this test; it can be disabled again afterwards, since normal logins are started from Process Manager (SP-initiated).
    1. EMEA-System: https://<ADFS-SERVER>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://editor.signavio.com/api/v2/saml/v2/tenant/<workspace ID>/metadata

    2. AU-System: https://<ADFS-SERVER>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://app-au.signavio.com/api/v2/saml/v2/tenant/<workspace ID>/metadata

    3. US-System: https://<ADFS-SERVER>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://app-us.signavio.com/api/v2/saml/v2/tenant/<workspace ID>/metadata
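
The whole procedure (steps 1 to 6) expressed with the ADFS PowerShell module, as an added example: it is not part of this KBA and not SAP's or Microsoft's code. It assumes the EMEA system, an AD FS farm on Windows Server 2016 or later (the access control policy "Permit everyone" and the EnableIdpInitiatedSignonPage property exist there), the trust display name "SAP Signavio Process Manager" and a temporary download path; <workspace ID> and <ADFS-SERVER> are the same placeholders as in the steps above.

```powershell
# Added example (not from the KBA): configure the Relying Party Trust for
# SAP Signavio Process Manager on the primary ADFS server as an ADFS administrator.
# Assumptions: EMEA system, trust name, download path. Replace <workspace ID>.
Import-Module ADFS

$workspaceId = '<workspace ID>'                    # Process Manager Explorer > Help > Workspace information
$spMetadata  = "https://editor.signavio.com/api/v2/saml/v2/tenant/$workspaceId/metadata"  # EMEA; app-au / app-us for AU / US
$trustName   = 'SAP Signavio Process Manager'      # display name, an assumption

# Step 3: claim rule in the ADFS claim-rule language. This is what the GUI template
# "Send LDAP Attributes as Claims" generates for the mapping in the table above:
# givenName -> first_name, sn -> last_name, mail -> email, sAMAccountName -> Name ID
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Signavio user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("first_name",
                   "last_name",
                   "email",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";givenName,sn,mail,sAMAccountName;{0}",
          param = c.Value);
'@

# Steps 1, 2, 3 and 5: create the trust from the Process Manager SP metadata URL.
# -SignedSamlRequestsRequired rejects unsigned AuthnRequests; ADFS checks the
# signature with the SP signing certificate taken from the imported metadata.
# Monitoring/auto-update keeps that certificate current when the tenant rotates it.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $spMetadata `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true `
    -IssuanceTransformRules $transformRules `
    -AccessControlPolicyName 'Permit everyone' `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature 'MessageAndAssertion' `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Check what was imported: the identifier must equal the metadata URL (it is the
# loginToRp value in step 6) and a request signing certificate must be present,
# otherwise signed requests from Process Manager cannot be validated.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Identifier, SignedSamlRequestsRequired, RequestSigningCertificate, SignatureAlgorithm

# Step 4: fetch the ADFS federation metadata to paste into the Process Manager
# metadata field (Setup > SAP Signavio Collaboration Hub Authentication).
$adfsHost     = (Get-AdfsProperties).HostName
$adfsMetadata = Join-Path $env:TEMP 'adfs-federation-metadata.xml'   # assumed path
Invoke-WebRequest -Uri "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml" `
    -OutFile $adfsMetadata
Write-Host "ADFS metadata saved to $adfsMetadata - upload it to Process Manager."

# Step 6: the IdP-initiated sign-on page is off by default on AD FS 2016+;
# enable it only for the test, then switch it off again (see note below).
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Write-Host "Test URL: https://$adfsHost/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=$spMetadata"
# After a successful test:
# Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
```

The IdP-initiated page delivers unsolicited SAML responses to the relying party, which is why newer AD FS versions ship with it disabled; it is convenient for the one-off test in step 6 but not needed for production, where users start the login from Process Manager (SP-initiated, with the signed request that step 5 requires). Leaving it disabled keeps the attack surface of the federation service smaller.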



Keywords

KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To

Product

SAP Signavio Process Manager all versions ; Signavio Process Manager all versions

Attachments

APAC_metadata.xml
EMEA_metadata.xml
US_metadata.xml