SAP Knowledge Base Article - Public

3243476 - SAML/SSO Options for the Signavio Suite

Symptom

What possibilities do we have to successfully establish the SAML integration with our Process Manager workspace (and possibly also the linked workflow organization)?

Resolution

We currently offer the following integration options:

Option 1 - basic integration

In this case, the integration can be set up without the help of Signavio Customer Support. First, the federationmetadata.xml of Signavio (https://help.sap.com/docs/signavio-process-manager/workspace-admin-guide/enable-sso?q=enable-sso#configure-your-idp) must be uploaded to the SAML server (IDP) and your AD attributes must be mapped accordingly:

IDP provided attribute                                    Signavio attribute
--------------------------------------------------------  ------------------
A unique attribute whose value does not occur more        Name ID
than once (e.g. Employee number)
E-Mail Addresses                                          email
Given Name                                                first_name
Surname                                                   last_name

Once everything has been created within the IDP, you need to upload the federationmetadata from your IDP to your Signavio workspace (https://help.sap.com/docs/signavio-process-manager/workspace-admin-guide/enable-sso).

Below are instructions for five sample IDPs:


Option 2 - Automatic account creation for read-only users

This option requires option 1 as a prerequisite. With it enabled, any user who is not yet in the workspace and accesses the Collaboration Hub via SAML authentication automatically receives a Hub license. Such users can be managed in the "Manage users & access rights" dialog and can be added to groups. The user can also mark diagrams as favorites and receives updates for them.
With this option enabled we recommend that you create a default group (e.g. Hub). If the checkbox for the default group is activated, new accounts are added to this group automatically and receive the permissions of that group. If an employee leaves the company, the account has to be deleted manually.

This option can be activated in the "Manage SAP Signavio Process Collaboration Hub authentication"-window.

For that, please activate the checkbox "Create new user accounts automatically" in the respective window.


Option 3 - Automatic license assignment for new users

In order to use this option, option 2 must be enabled. The difference from option 2 is that a license (e.g. Enterprise, Collaboration Hub) is assigned to the new user based on an additional attribute. With this option, neither revoking a license nor deleting a user can be triggered from the IDP server; the account has to be deleted manually in Signavio.

To assign licenses through the SAML integration, send an additional attribute named "signavio_licenses_v1". Its possible values, and the corresponding licenses, are:

  • Enterprise Plus Edition
  • Collaboration Hub
  • Workflow (if the Workflow licenses are managed via the new User Management)

(If no free license is available, the system ignores this attribute and assigns a Collaboration Hub license to the user.)


Option 4 - Automatic group assignment

In order to use this option, option 2 must be enabled. This option allows the SAML integration to perform group assignment for all users in the workspace: users are added to specific groups via another attribute, "signavio_groups_v1". If a user is in a group that is no longer transmitted via the SAML integration, the user is removed from that group. The administrator group is the only group that cannot be managed via the SAML interface.

If the attribute references any group that does not exist in the SAP Signavio workspace, the system ignores the complete attribute parameter.
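As an added illustration (not code from this article or from SAP Signavio), the following Python script parses a constructed SAML assertion carrying the attributes from options 1, 3 and 4 and applies the provisioning rules described above (license fallback to Collaboration Hub, whole group attribute ignored on one unknown group); the workspace groups, free seat counts and helper names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# License values from option 3 of the article.
LICENSE_VALUES = {"Enterprise Plus Edition", "Collaboration Hub", "Workflow"}

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>E12345</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="signavio_licenses_v1"><saml:AttributeValue>Enterprise Plus Edition</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="signavio_groups_v1">
      <saml:AttributeValue>Hub</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return name_id, attrs


def provision(xml_text, workspace_groups, free_licenses):
    """Apply the option 1-4 rules to a new user (simplified model, assumed, not Signavio's code)."""
    name_id, attrs = parse_attributes(xml_text)
    if not name_id:
        raise ValueError("NameID missing: the unique identifier is mandatory")
    for required in ("email", "first_name", "last_name"):
        if not attrs.get(required):
            raise ValueError(f"missing required SAML attribute: {required}")
    # Option 3: honour the requested license only if it is a known value and a seat is free.
    requested = attrs.get("signavio_licenses_v1", [""])[0]
    if requested in LICENSE_VALUES and free_licenses.get(requested, 0) > 0:
        license_ = requested
    else:
        license_ = "Collaboration Hub"
    # Option 4: a single group unknown to the workspace makes the whole attribute be ignored.
    groups = attrs.get("signavio_groups_v1", [])
    if any(g not in workspace_groups for g in groups):
        groups = []
    return {"name_id": name_id, "email": attrs["email"][0], "license": license_, "groups": groups}
```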


Option 5 - Disable manual login, Enforce SSO (login only via SAML integration)

With this option, registered users can no longer log in to Signavio manually via the Signavio login page; attempting to do so shows a message indicating that the login has been deactivated. Accordingly, login to the workspace (Hub or Explorer) only works via SAML links.

This option can be activated in the "Edit security configuration"-window.

Keywords

KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To

Product

SAP Signavio Process Manager all versions ; Signavio Process Manager all versions