Configure Single Sign-On (SSO) settings.
Single Sign-On (SSO) allows a user to sign on with one set of credentials to log on to ProcessMaker. This increases security and provides a better user experience for customers, employees, and partners by reducing the number of required accounts/passwords.
As a prerequisite to enable SSO, the Administrator must implement an Identity Provider. If you use a centralized user system, such as Microsoft or Google, you already have access to an Identity Provider.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
To use one or more Identity Providers, view SSO settings, and then enable the toggle key for the Identity provider(s). Doing so adds a new Settings tab to configure that specific Identity Provider. ProcessMaker Platform supports the following Identity Providers:
Display all SSO settings in one location. This makes it easy to manage these settings.
Follow these steps to view all SSO settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker.
Click the Admin option from the top menu. The Users page displays.
From the Settings panel on the left, expand the Log-in & Auth section.
Select SSO to view the following details:
Setting: The Setting column displays the SSO Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Configure the following SSO settings as necessary:
Enable to display settings to log on using user credentials. When disabled, settings only display SSO log on options.
Follow these steps to enable display settings for standard log on:
View your SSO settings. The SSO tab displays.
Enable the Allow Standard Login toggle key. The following message displays: The setting was updated.
Select whether SSO users are automatically registered the first time that they log on.
Follow these steps to enable automatic registration:
View your SSO settings. The SSO tab displays.
Enable the Automatic Registration toggle key. The following message displays: The setting was updated.
Specify which permissions to assign new users that are created via SSO:
Follow these steps to specify which user permissions to assign new users created via SSO:
View your SSO settings. The SSO tab displays.
Enable permissions as necessary. See Permission Descriptions for Users and Groups for descriptions.
Click Save. The following message displays: The setting was updated.
Select to which groups to assign users created via SSO.
Follow these steps to select to which groups to assign users created via SSO:
View your SSO settings. The SSO tab displays.
Enable groups as necessary.
Click Save. The following message displays: The setting was updated.
Copy to clipboard a JSON-formatted object of all assigned permissions and groups for users created via SSO.
Follow these steps to copy the permissions and groups for SSO users:
View your SSO settings. The SSO tab displays.
Select a default SSO integration to allow users to be automatically redirected to the IdP Single Sign-On log on page instead of displaying the normal Login page. When the user goes to the log on page, that user is redirected to the selected provider.
Follow these steps to enable default SSO Integration:
View your SSO settings. The SSO tab displays.
Select an SSO identity provider among:
Select the ProcessMaker SSO login option if you do not want an SSO identity provider as the default log on. This option ensures that LDAP users can verify accounts in ProcessMaker Platform. This option also helps you log on as an administrator while fixing SSO problems.
Click Save. The following message displays: The setting was updated.
Select whether detailed SSO errors should be displayed. It is recommended to disable the debug mode in production servers.
Follow these steps to enable debug mode:
View your SSO settings. The SSO tab displays.
Switch on the Debug Mode toggle key. The following message displays: The setting was updated.
Select whether to enable single sign-on via SSO identity providers to log on as necessary. The SSO identity provider options display on the log on screen.
View your SSO settings. The SSO tab displays.
Configure SSO settings for Atlassian.
The following information is required to configure SSO with Atlassian:
Client ID
Client Secret
See an example in the following video showing how to configure Atlassian SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Atlassian SSO settings as necessary:
From the list of SSO identity providers, enable the Atlassian option. The SSO - Atlassian panel displays.
Enter your Atlassian client ID, and then click Save.
Enter your Atlassian client secret, and then click Save.
Click the Settings icon from the left sidebar to view all settings.
Click the Search icon or press enter to view SSO settings that match your entered text.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Select a collapsed permission category to expand the view of individual permissions within that category. Otherwise, select an expanded permission category to collapse that category.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Click the Groups tab. All available groups display.
Click the Copy to Clipboard icon for the New User Default Config setting. The following message displays: The setting was copied to your clipboard.
Click the Edit icon for the Default SSO Login setting. The Default SSO Login screen with the SSO identity providers displays.
See the permissions or ask your Administrator for assistance.
To generate or locate this information, refer to the .
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Atlassian developer console.
Configure SSO settings for Auth0.
The following information is required to configure SSO with Auth0:
Client ID
Client Secret
Domain
To generate or locate this information, contact your Auth0 identity provider.
See an example in the following video showing how to configure Auth0 SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Auth0 SSO settings as necessary:
From the list of SSO identity providers, select the Auth0 option. The SSO - Auth0 panel displays.
Enter your Auth0 client ID, and then click Save.
Enter your Auth0 client secret, and then click Save.
Enter your Auth0 domain, and then click Save.
Configure SSO settings for Facebook.
The following information is required to configure SSO with Facebook:
App ID
App Secret
To generate or locate your Facebook app ID and app secret, refer to Facebook for Developers.
See an example in the following video showing how to configure Facebook SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Facebook SSO settings as necessary:
From the list of SSO identity providers, select the Facebook option. The SSO - Facebook panel displays.
Enter your Facebook App ID, and then click Save.
Enter your Facebook app secret, and then click Save.
Configure SSO settings for GitHub.
The following information is required to configure SSO with GitHub:
Client ID
Client Secret
See an example in the following video showing how to configure GitHub SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following GitHub SSO settings as necessary:
From the list of SSO identity providers, select the GitHub option. The SSO - GitHub panel displays.
Enter your GitHub client ID, and then click Save.
Enter your GitHub client secret, and then click Save.
Configure SSO settings for Keycloak.
The following information is required to configure SSO with Keycloak:
Base URL
Client ID
Client Secret
Realm
See an example in the following video showing how to configure Keycloak SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Keycloak SSO settings as necessary:
From the list of SSO identity providers, select the Keycloak option. The SSO - Keycloak panel displays.
Enter your Keycloak base URL, and then click Save.
Enter your Keycloak client ID, and then click Save.
Enter your Keycloak client secret, and then click Save.
Enter your Keycloak realm, and then click Save.
Configure SSO settings for Microsoft.
The following information is required to configure SSO with Microsoft:
Client ID
Client Secret
See an example in the following video showing how to configure Microsoft SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Microsoft SSO settings as necessary:
From the list of SSO identity providers, select the Microsoft option. The SSO - Microsoft panel displays.
Enter your Microsoft client ID, and then click Save.
Enter your Microsoft client secret, and then click Save.
Configure SSO settings for SAML.
The following information is required to configure SSO with SAML:
SSO endpoint
SSO identifier
SLO endpoint
Encryption type
Authentication context
Public certificate
Name ID format
To generate or locate this information, contact your SAML identity provider.
See an example in the following video showing how to configure SAML SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 6 minutes; contains narration
Note: The video demonstrates the procedure to configure SAML SSO using obsolete settings. The written form of this procedure uses the current settings.
Configure the following SAML SSO settings as necessary:
From the list of SSO identity providers, select the SAML option. The SSO - SAML tab displays.
Enter the identity provider URL from which ProcessMaker retrieves the authentication response and validates it when establishing the SSO session. Your identity provider provides this URL.
Enter the URL that references the SAML XML file for your identity provider (IdP). Your identity provider provides this URL.
Enter the logout URL provided by your identity provider.
From the list of encryption types, select the encryption type your identity provider uses.
Use the Authentication Context toggle to indicate whether to send authentication context in the authorization request or not.
Enter the identity provider's certificate fingerprint by pasting it into this setting. Your identity provider provides this certificate. Be sure to include the -----BEGIN CERTIFICATE----- header. ProcessMaker retrieves the authentication response and validates it using the identity provider's certificate fingerprint.
Click the browse button and then select the file containing your SAML certificate, if one is available from your identity provider.
Click the browse button and then select the file containing your SAML key, if one is available from your identity provider.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting field, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Enter the name identifier format supported by your SAML identity provider.
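For the Public Certificate step above: an added example (not ProcessMaker code) that checks, before pasting, that the text carries exactly one -----BEGIN CERTIFICATE----- block and that its SHA-256 fingerprint equals the one your identity provider published through a separate channel. The function names are hypothetical, and the sample is constructed placeholder bytes in PEM armor, not a real certificate.

```python
import base64
import hashlib
import re

# Matches one armored certificate block; the armor lines are what the setting requires.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one BEGIN/END CERTIFICATE block, "
                         "found %d" % len(blocks))
    body = "".join(blocks[0].split())             # drop line breaks and spaces
    return base64.b64decode(body, validate=True)  # raises on non-base64 junk


def sha256_fingerprint(pem_text):
    """Colon-separated upper-case SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Strip separators and case; pass the hex value only, without a label."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def matches_published(pem_text, published_fingerprint):
    """True when the pasted certificate is the one the IdP published."""
    return normalize(sha256_fingerprint(pem_text)) == normalize(published_fingerprint)


# Constructed sample: placeholder bytes in PEM armor, NOT a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder standing in for the IdP certificate DER"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```

A mismatch, or a paste that lost its header line, is caught here instead of surfacing later as a failed SSO log on.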
Use the copy icon to copy the URL from the Callback URL setting, and then provide it to your Auth0 identity provider.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Domain setting. The Domain screen displays.
Click the Edit icon for the App ID setting. The App ID screen displays.
Click the Edit icon for the App Secret setting. The App Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Facebook for Developers app.
See the permissions or ask your Administrator for assistance.
To generate or locate your GitHub client ID and client secret, refer to .
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your GitHub application settings.
See the permissions or ask your Administrator for assistance.
To generate or locate this information, refer to .
Click the Edit icon for the Base URL setting. The Base URL screen displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Realm setting. The Realm screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Keycloak Admin Console.
See the permissions or ask your Administrator for assistance.
To generate or locate your Microsoft client ID and client secret, refer to .
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Microsoft application settings.
See the permissions or ask your Administrator for assistance.
Use the copy icon to copy the URL from the ACS Url setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Entity ID (Metadata) setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Single Logout URL setting, and then provide it to your SAML identity provider.
Click the Edit icon for the SSO Endpoint setting. The SSO Endpoint screen displays.
Click the Edit icon for the SSO Identifier setting. The SSO Identifier screen displays.
Click the Edit icon for the SLO Endpoint setting. The SLO Endpoint screen displays.
Click the Edit icon for the Encryption Type setting. The Encryption Type screen displays.
Click the Edit icon for the Public Certificate setting. The Public Certificate screen displays.
Click the Edit icon for the File crt setting. The File crt screen displays.
Click the Edit icon for the File key setting. The File key screen displays.
Click the Edit icon for the User Matching setting. The User Matching screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Name ID Format setting. The Name ID Format screen displays.
Configure SSO settings for Google.
The following information is required to configure SSO with Google:
Client ID
Client Secret
To generate or locate your Google client ID and client secret, refer to Authentication overview - Google Cloud.
See an example in the following video showing how to configure Google SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Google SSO settings as necessary:
From the list of SSO identity providers, select the Google option. The SSO - Google panel displays.
Enter your Google client ID, and then click Save.
Enter your Google client secret, and then click Save.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Google Web application settings.