3243476 - SAML/SSO Options for the Signavio Suite

What possibilities do we have to successfully establish the SAML integration with our Process Manager workspace (and possibly also the linked workflow organization)?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

We currently offer the following integration options:

Option 1 - basic integration

In this case, the integration can be set up without the help of Signavio Customer Support. First, the federationmetadata.xml of Signavio (https://documentation.signavio.com/suite/en-us/Content/process-manager/userguide/workspace-admin/manage-users/enable-sso.htm#ConfigureyourIdP) must be uploaded to the SAML server (IDP) and your AD attributes must be mapped accordingly:

IDP provided attribute	Signavio attribute
A unique attribute whose value does not occur more than once (e.g. Employee number)	Name ID
E-Mail Addresses	email
Given Name	first_name
Surname	last_name

Once everything has been created within the IDP, you need to upload the federationmetadata from your IDP to your Signavio workspace (https://documentation.signavio.com/suite/en-us/Content/process-manager/userguide/workspace-admin/manage-users/enable-sso.htm#EnableSSOusingSAML). As a last step, please define possible read permissions (https://documentation.signavio.com/suite/en-us/Content/process-manager/userguide/workspace-admin/manage-users/enable-sso.htm#granting-access-rights-for-users-that-log-into-collaboration-hub) for the colleagues or activate the checkbox that every SAML user has access to all published diagrams.

With this option, NO direct SSO to the Explorer would be possible. The modelers would have the following two options to get into the Explorer:

• manual login via the Signavio login page

• SSO login to the Collaboration Hub and then click on the name in the upper right corner and on "Log in as Modeler".

Below are instructions for four sample IDPs:

• ADFS: 3242305 - SaaS: Configuring SSO with Microsoft Active Directory Federation Services (ADFS)
• Azure AD: 3242880 - SaaS: Configuring SSO with Azure AD
• Okta: 
• Google: 3242376 - Configuring SSO with Google

---

Option 2 - Automatic account creation for read-only users.

This option requires option 1 as a prerequisite. In this case, any user who is not yet in the workspace and accesses the collaboration hub via the SAML authentication would automatically receive a hub license. With this option enabled, users can be managed within the "Manage users & access rights"-dialog and can be added to groups. The user also has the possibility to mark diagrams as favorite and would receive updates for those.
With this option enabled we recommend that you create a default group (e.g. Hub). If the checkbox for the default group is activated, the new accounts will be added directly to this group automatically and also get the permissions of this group. If an employee leaves the company, the account has to be deleted manually.

This option can be activated in the "Manage Collaboration Hub authentication"-window:

---

Option 3 - Automatic license assignment for new users.

In order to use this option, option 2 must be enabled. The difference between this and option 2 is that a license (e.g. Enterprise, Collaboration Hub) is supplied to the new user by using an additional attribute. Revoking a license from the IDP server is not possible with this option and also the deletion of a user isn't possible. The account has to be deleted manually from Signavio.

To assign the licenses with the SAML-integration, you have to send us another attribute with the name "signavio_licenses_v1". The possible values for the corresponding licenses would be as follows:

• Enterprise Plus Edition
• Enterprise Edition
• Classic Edition
• Collaboration Hub
• Workflow (if the Workflow licenses are managed via the new User Management)

(If no free license is available, the system would ignore this attribute and assign a Collaboration Hub license to the user)

---

Option 4 - Automatic group assignment.

In order to use this option, option 2 must be enabled. This option allows SAML integration to perform group assignment for all users in the workspace, meaning that SAML integration can add users to specific groups using another attribute "signavio_groups_v1". If the user is in a group that is no longer transmitted via SAML integration, the user will be removed from this group. The administrator group is the only group that cannot be managed via the SAML interface.

If the group that is assigned via the attribute does not exist in the Signavio workspace, the system ignores it.

---

Option 5 - Disable manual login, Enforce SSO (login only via SAML integration).

With this option, registered users can no longer log in to Signavio manually via the Signavio login page. If this is attempted, a message will appear indicating that the login has been deactivated. Accordingly, the login to the workspace (Hub or Explorer) only works via SAML links.

This option can be activated in the "Edit security configuration"-window:

---

The support of Signavio Customer Support is required for the following SAML/SSO configuration:

Option 6 - Integration where modelers are logged in automatically.

The registered users in the workspace would be logged in directly. The advantage would be that an SSO login to every folder in the Explorer would be possible. If option 2 was activated, it is already automatically activated.

---

Option 7 - SAML Integration of the Workflow organization.

In order to use this option, option 2 or 6 must be enabled. Furthermore, all users who are present in the workflow also require an account in the Process Manager (e.g. Hub license or the Workflow license in the new user management). This is necessary because the Workflow Accelerator does not establish a new position of trust between the system and your SAML server. If a SAML request was triggered at the Workflow Accelerator, the user will be forwarded to the Process Manager and only then to your SAML server. Because of this connection, the Process Manager account is mandatory. A direct connection from the Workflow Accelerator to your SAML server is not possible.

KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To

SAP Signavio Process Manager all versions ; Signavio Process Manager all versions