Follow these examples to configure settings in ProcessMaker Platform.
Configure LDAP settings for Microsoft Active Directory.
The LDAP for Microsoft Active Directory configuration allows ProcessMaker Platform users to log on by authenticating directly against a Microsoft Active Directory server.
Consider the following:
For security reasons, do not use anonymous connections.
ProcessMaker Platform does not support sub-groups or sub-departments. Therefore, user groups cannot be organized hierarchically, and nested groups or departments cannot be created.
Follow these steps to configure LDAP for Microsoft Active Directory:
View your LDAP Settings. The LDAP tab displays.
Enable the Enabled toggle key so that ProcessMaker Platform synchronizes with your Active Directory whenever your hierarchy of entities changes.
From the Synchronization Schedule setting, set the interval at which to synchronize with your Active Directory server. When setting this interval, consider that the more users, groups, and/or departments your Active Directory server contains, the more time ProcessMaker Platform requires to synchronize with it. Follow these steps:
In the Quantity setting, enter how many times to synchronize for each configured frequency. 1 is the default setting.
In the Frequency setting, select the frequency at which to synchronize from the following options:
Minutes (default setting)
Hours
Days
Click Save. The following message displays: The setting was updated.
From the Type setting, select the LDAP server type to which ProcessMaker Platform connects to synchronize, as follows:
Select the Active Directory option.
Click Save. The following message displays: The setting was updated.
Configure the Server Address setting and the Server Port setting as follows:
Enter the Active Directory IP address or hostname to which ProcessMaker Platform synchronizes.
Click Save. The following message displays: The setting was updated.
Enter the port number the Active Directory server uses. By default, Active Directory uses port 389.
Click Save. The following message displays: The setting was updated.
If your Active Directory server uses Transport Layer Security (TLS) for the connection to the authentication source, enable the TLS toggle key. The following message displays: The setting was updated.
From the Certificate setting, upload the Active Directory certificate file that will be stored on ProcessMaker Platform. For more information about how to get your Active Directory certificate, see Obtain an Active Directory certificate.
Active Directory uses distinguished names (DNs) to identify users, groups, and other types of entities.
The distinguished name describes entities starting from the specific and moving to the general in the hierarchy of entities. For example: cn=John Doe,ou=managers,ou=regionalbranch,dc=acme,dc=com
Then, configure distinguished names as follows:
Enter each DC of the Base DN following the guidelines above.
Click Save. The following message displays: The setting was updated.
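The DN guidelines above are easy to get wrong when typing a Base DN by hand. The following is an added example, not ProcessMaker code: it parses a DN into its components (most specific first, as the text describes), derives the dc= Base DN from a DNS domain name, and checks that a user entry actually lives under the configured Base DN. The sample DN is the one quoted above; the domain names are constructed.

```python
"""Parse Active Directory distinguished names and derive a Base DN.

Added example for this page, not ProcessMaker code. The DN below is the
one quoted in the text; other names are constructed sample values.
"""
from __future__ import annotations


def _split_rdn(rdn: str) -> tuple[str, str]:
    """Split one 'attr=value' component; attribute names are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific first.

    Backslash escapes (RFC 4514) are honoured, so a comma inside a value
    such as cn=Doe\\, John does not start a new component.
    """
    components: list[tuple[str, str]] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escaped character literally and skip the backslash.
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            components.append(_split_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append(_split_rdn("".join(current)))
    return components


def base_dn_from_domain(domain: str) -> str:
    """Map a DNS domain to its Base DN: acme.com -> dc=acme,dc=com."""
    labels = [label for label in domain.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def base_dn_of(dn: str) -> str:
    """Return the dc= suffix of a DN, i.e. the Base DN the entry lives under."""
    return ",".join(f"dc={value}" for attr, value in parse_dn(dn) if attr == "dc")


def is_under_base_dn(dn: str, base_dn: str) -> bool:
    """True when `dn` sits inside `base_dn` (case-insensitive suffix match)."""
    parts = parse_dn(dn)
    base = parse_dn(base_dn)
    if len(base) > len(parts):
        return False
    tail = parts[len(parts) - len(base):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in base]


if __name__ == "__main__":
    example = "cn=John Doe,ou=managers,ou=regionalbranch,dc=acme,dc=com"
    for attr, value in parse_dn(example):
        print(f"{attr:>3} = {value}")
    print("Base DN:", base_dn_of(example))
    print("Base DN for corp.acme.com:", base_dn_from_domain("corp.acme.com"))
```

Use base_dn_from_domain with your domain to obtain the value to enter in the Base DN setting, and is_under_base_dn to confirm that the account used for the Username setting is inside that base before saving.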
Enter Active Directory credentials as follows:
Enter the username to log on to the Active Directory server.
Click Save. The following message displays: The setting was updated.
Enter the password to log on to the Active Directory server.
Click Save. The following message displays: The setting was updated.
Select which groups and departments to synchronize as ProcessMaker Platform groups. Ensure that the previous settings are correct so that groups and departments can be selected:
Enable the toggle key for each Active Directory group to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
Enable the toggle key for each Active Directory department to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
From the User Identifier setting, enter the Active Directory parameter used to identify users as follows:
Enter samaccountname, the attribute that identifies Active Directory users in ProcessMaker Platform. If unsure, enter *. Synchronization is slower because all object classes are evaluated.
Click Save. The following message displays: The setting was updated.
From the Group Identifier setting, enter the Active Directory parameter used to identify groups as follows:
Enter cn, the attribute that identifies Active Directory groups in ProcessMaker Platform. If unsure, enter *. Synchronization is slower because all object classes are evaluated.
Click Save. The following message displays: The setting was updated.
From the Variable Map setting, map ProcessMaker Platform user properties to Active Directory attributes as follows:
Follow these guidelines to map a ProcessMaker Platform user property to an Active Directory attribute:
Click the +Add button. A new row displays below the existing mapped user properties.
In the ProcessMaker Property setting, enter the ProcessMaker Platform user property to which to map the Active Directory attribute. Select the properties in the following order:
firstname
lastname
username
In the LDAP Attribute setting, enter the Active Directory attribute from which to map to the ProcessMaker Platform user property. Enter attributes in the following order:
givenname
sn
samaccountname
Click Save. The following message displays: The setting was updated.
From the Chunk Size For User Import setting, enter the number of users that will be imported simultaneously as follows:
Enter the number of users. A maximum of 500 is recommended.
Click Save. The following message displays: The setting was updated.
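The User Identifier, Group Identifier, Variable Map and Chunk Size settings above describe what the synchronization does with each directory entry, without showing it. The following is an added example, not ProcessMaker code, that models those settings: it builds the LDAP search filter an identifier implies (with * evaluating every object class, as the text warns), applies the page's three-row Variable Map to directory entries, skips entries that lack a mapped attribute, and splits the result into import chunks of at most 500. The directory entries are constructed sample data, and the filter shape for * is an assumption about what "all object classes are evaluated" means.

```python
"""Model the identifier, Variable Map and chunk-size settings.

Added example, not ProcessMaker code. Directory entries are constructed.
"""
from __future__ import annotations

import re

_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
# RFC 4515 escapes for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Variable Map exactly as the page lists it: ProcessMaker property -> AD attribute.
VARIABLE_MAP = {"firstname": "givenname", "lastname": "sn", "username": "samaccountname"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def identifier_filter(identifier: str, object_class: str) -> str:
    """Translate a User/Group Identifier setting into an LDAP search filter.

    An attribute name (samaccountname, cn) restricts the search to entries of
    the given object class that carry that attribute. '*' is modelled as a
    match on every object class (assumption), which is the slow path.
    """
    if identifier == "*":
        return "(objectClass=*)"
    if not _ATTRIBUTE_NAME.fullmatch(identifier):
        raise ValueError(f"invalid attribute name {identifier!r}")
    return f"(&(objectClass={escape_filter_value(object_class)})({identifier}=*))"


def apply_variable_map(entry: dict[str, str], variable_map: dict[str, str] = VARIABLE_MAP) -> dict[str, str]:
    """Build one ProcessMaker user record from a directory entry.

    LDAP attribute names are case-insensitive, so givenName and givenname
    are the same attribute. A missing or empty mapped attribute raises so
    the caller can skip the entry rather than import a user with blank fields.
    """
    lowered = {key.lower(): value for key, value in entry.items()}
    user: dict[str, str] = {}
    for prop, attr in variable_map.items():
        value = lowered.get(attr.lower(), "")
        if not value:
            raise KeyError(f"entry lacks attribute {attr!r} needed for property {prop!r}")
        user[prop] = value
    return user


def chunk_users(users: list[dict[str, str]], chunk_size: int = 500) -> list[list[dict[str, str]]]:
    """Split users into import batches; 500 is the page's recommended maximum."""
    if not 1 <= chunk_size <= 500:
        raise ValueError("chunk size must be between 1 and 500")
    return [users[i:i + chunk_size] for i in range(0, len(users), chunk_size)]


# Constructed sample entries; the third one has no surname and must be skipped.
SAMPLE_ENTRIES = [
    {"distinguishedName": "cn=John Doe,ou=managers,dc=acme,dc=com",
     "givenName": "John", "sn": "Doe", "sAMAccountName": "jdoe"},
    {"distinguishedName": "cn=Ana Ruiz,ou=managers,dc=acme,dc=com",
     "givenName": "Ana", "sn": "Ruiz", "sAMAccountName": "aruiz"},
    {"distinguishedName": "cn=svc-scanner,ou=services,dc=acme,dc=com",
     "givenName": "svc-scanner", "sAMAccountName": "svc-scanner"},
    {"distinguishedName": "cn=Li Wei,ou=managers,dc=acme,dc=com",
     "givenName": "Li", "sn": "Wei", "sAMAccountName": "lwei"},
]


def import_users(entries: list[dict[str, str]], chunk_size: int = 500):
    """Return (chunks of mapped users, list of (dn, reason) for skipped entries)."""
    imported, skipped = [], []
    for entry in entries:
        try:
            imported.append(apply_variable_map(entry))
        except KeyError as exc:
            skipped.append((entry.get("distinguishedName", "?"), str(exc)))
    return chunk_users(imported, chunk_size), skipped


if __name__ == "__main__":
    print(identifier_filter("samaccountname", "user"))
    chunks, skipped = import_users(SAMPLE_ENTRIES, chunk_size=2)
    for n, chunk in enumerate(chunks, 1):
        print(f"chunk {n}: {[u['username'] for u in chunk]}")
    for dn, reason in skipped:
        print(f"skipped {dn}: {reason}")
```

The skipped list is the part worth keeping an eye on after a real synchronization: an entry that lacks one of the mapped attributes (here sn) would otherwise turn into a ProcessMaker user with an empty field.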
Configure SSO SAML authentication using Microsoft Entra ID as the Identity Provider and integrating into PM Classic.
Configure ProcessMaker Platform and PM Classic to use SSO SAML authentication with the identity provider Microsoft Entra ID (Microsoft Azure Active Directory) as follows:
Configuration for PM Classic (needed only for PM Classic users)
It is recommended to create and configure an enterprise application in Microsoft Entra ID concurrently with configuring ProcessMaker Platform and PM Classic. This is because each configuration procedure requires values from the other.
The web browser must support third-party cookies.
Follow these steps to add an enterprise application in Microsoft Entra ID:
Log on to your Microsoft Azure account. The Welcome to Azure! window displays.
Click View in the Manage Microsoft Entra ID section. The Default Directory screen displays.
Click Enterprise Applications, then select the All Applications option. The Browse Microsoft Entra Gallery screen displays.
Click Create your own application. The Create your own application screen displays on the right.
From the Create your own application screen:
In the What's the name of your app? setting, enter the application name.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Add.
On the sidebar, click Single sign-on. The Single sign-on screen displays.
Click the SAML option. The SAML-based Sign-on page displays.
From the Basic SAML Configuration section, click the Edit link. The Basic SAML Configuration page displays.
Pause this procedure, and then begin configuring the ProcessMaker Platform SAML authentication until the SSO - SAML settings display.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
Follow these steps to configure SAML SSO settings with Microsoft Entra ID as necessary:
View your SSO Settings. From the list of SSO identity providers, enable the SAML option. The SSO - SAML tab displays.
Click the SSO - SAML tab. The SSO - SAML settings display.
In Microsoft Azure, go to the Basic SAML Configuration.
Copy the ProcessMaker Platform settings from the SSO - SAML settings in step two to Microsoft Azure settings in step three as follows:
In Microsoft Azure, go to the Set up section and copy the following fields:
Login URL
Microsoft Entra Identifier
Logout URL
In ProcessMaker Platform, go to the following settings:
Copy Microsoft Azure settings described in step five as follows:
In the Encryption Type setting, select the encryption type set in your Microsoft Azure environment. For this example, leave the default value as RSA_SHA1.
In Microsoft Azure, go to the SAML Certificates section and download the Certificate (Base 64) file. Open the file, copy all the content including BEGIN/END certificate lines.
If Microsoft Azure requires it, enter the identity provider's certificate fingerprint. Get this value from the SAML Certificates section in step eight.
Match the User Matching and Variable Map fields with one of the following Microsoft Azure data sources, according to your needs and the attributes available:
The attributes retrieved from the Federation Metadata XML file.
The data in the Attributes and Claims sections.
In Microsoft Azure, do the following:
In the SAML Certificates section, download the Federation Metadata XML file.
Open the file.
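The Federation Metadata XML file downloaded above carries the same values that steps five and eight ask you to copy by hand: the Microsoft Entra Identifier (entityID), the Login and Logout URLs, and the signing certificate from which the fingerprint is derived. The following is an added example, not ProcessMaker or Microsoft code, that reads those values out of the file and computes the SHA-1 and SHA-256 fingerprints of the certificate. The embedded metadata document is a constructed minimal file in the shape Microsoft Entra ID publishes; its tenant ID is a placeholder and its certificate content is placeholder bytes, not a real certificate, so the fingerprints it prints are meaningful only for the real file.

```python
"""Extract SAML identity-provider values from a Federation Metadata XML file.

Added example for this page, not ProcessMaker or Microsoft code. The
metadata below is constructed; run read_federation_metadata() on the
text of the real downloaded file instead.
"""
from __future__ import annotations

import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate content (not DER of a real certificate) and tenant ID.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder certificate bytes, not a real X.509 DER").decode()
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {PLACEHOLDER_CERT_B64}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _cert_to_der(cert_text: str) -> bytes:
    """Accept either raw Base64 (as in metadata) or a PEM block with BEGIN/END lines."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return base64.b64decode("".join(body.split()))


def to_pem(cert_text: str) -> str:
    """Re-wrap certificate content as the Certificate (Base 64) file format."""
    b64 = base64.b64encode(_cert_to_der(cert_text)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(cert_text: str, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of the DER certificate bytes."""
    digest = hashlib.new(algorithm, _cert_to_der(cert_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def read_federation_metadata(xml_text: str) -> dict[str, str]:
    """Return the values the SSO - SAML settings ask for, keyed by purpose."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("metadata contains no EntityDescriptor")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    def redirect_endpoint(tag: str) -> str:
        for element in idp.findall(f"md:{tag}", NS):
            if element.get("Binding") == HTTP_REDIRECT:
                return element.get("Location", "")
        raise ValueError(f"no HTTP-Redirect {tag} endpoint in metadata")

    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # some IdPs omit use="signing" on a single key
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata contains no signing certificate")

    return {
        "entity_id": entity.get("entityID", ""),           # Microsoft Entra Identifier
        "sso_url": redirect_endpoint("SingleSignOnService"),   # Login URL
        "slo_url": redirect_endpoint("SingleLogoutService"),   # Logout URL
        "signing_cert_pem": to_pem(cert.text),
        "fingerprint_sha1": fingerprint(cert.text, "sha1"),
        "fingerprint_sha256": fingerprint(cert.text, "sha256"),
    }


if __name__ == "__main__":
    for key, value in read_federation_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Comparing the fingerprint computed from the metadata file with the one computed from the separately downloaded Certificate (Base 64) file confirms that both downloads describe the same signing key before either value is entered in ProcessMaker Platform.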
In ProcessMaker Platform, click the Copy icon for the Name ID Format setting, and paste this value into the Required claim setting when configuring Microsoft Azure. Otherwise, leave the default value.
These settings are needed only if you are using PM Classic.
Follow these steps to run SAML integrated with PM Classic:
From the left menu, click System Settings.
Go to Admin > Users > SAML Auth. The SAML Configuration panel displays and the Service Provider tab displays by default. Click Service Provider to view this tab when it is not currently selected.
Copy the above values and add them as new Microsoft Azure values in Basic SAML Configuration as follows:
Entity ID to Identifier (Entity ID)
Assertion Consumer Service to Reply URL (Assertion Consumer Service)
In PM Classic - SAML Configuration, click the Identity Provider tab. The interface to configure the identity provider displays.
From Microsoft Azure, in the Set up section, copy the following fields to the above Identity Provider section in PM Classic:
Login URL to Single Sign-On Service.
Microsoft Entra Identifier to Entity ID.
Logout URL to Single Logout Service.
In PM Classic - SAML Configuration, click the Configurations tab and go to the Field Matching section.
From Microsoft Azure, copy the Claim Name and then match it to the desired User Field in PM Classic Configurations section above. This should match the field that was configured in ProcessMaker Platform too.
In PM Classic - SAML Configuration, in the Signature Algorithm dropdown, select the encryption type set in your Microsoft Azure environment that also matches the one in ProcessMaker Platform. For this example, leave the default value as rsa-sha1.
In PM Classic - SAML Configuration, go to the Certificates section.
Click Upload New Certificate and upload the file in Certificate (Base 64) from the SAML Signing Certificate section in Microsoft Azure, which was downloaded when configuring ProcessMaker Platform.
After configuring ProcessMaker Platform and PM Classic, do the following:
Enable the SAML authentication in PM Classic by checking Enable SAML Authentication for this workspace?
Click Update Configuration.
For this process to run correctly, enable Allow third-party cookies in Chrome, Firefox, or any other web browser used for ProcessMaker Platform.
For this purpose, follow the next steps:
In Chrome, open the Customize menu, open Settings, and search for block. Alternatively, open this URL: chrome://settings/cookies?search=block
Set the General settings to Allow all cookies as follows:
Click the Edit icon for the Synchronization Schedule setting. The Synchronization Schedule screen displays.
Click the Edit icon for the Type setting. The Type screen displays.
Click the Edit icon for the Server Address setting. The Server Address screen displays.
Click the Edit icon for the Server Port setting. The Server Port screen displays.
Click the Edit icon for the Base DN setting. The Base DN screen displays.
Click the Edit icon for the Username setting. The Username screen displays.
Click the Edit icon for the Password setting. The Password screen displays.
Click the Edit icon for the Groups To Import setting. The Groups To Import screen displays the Active Directory groups on your Active Directory server. If your Active Directory server contains no Active Directory groups, this screen displays no groups with which to synchronize.
Click the Edit icon for the Departments to Import setting. The Departments To Import screen displays the Active Directory departments on your Active Directory server. If your Active Directory server contains no Active Directory departments, this screen displays no departments with which to synchronize.
Click the Edit icon for the User Identifier setting. The User Identifier screen displays.
Click the Edit icon for the Group Identifier setting. The Group Identifier screen displays.
Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Click the Edit icon for the Chunk Size For User Import setting. The Chunk Size For User Import screen displays.
Use the copy icon to copy the URL from the ACS Url setting, and then provide it to the Add reply URL setting.
Use the copy icon to copy the URL from the Entity ID (Metadata) setting, and then provide it to the Add identifier setting.
Use the copy icon to copy the URL from the Single Logout URL setting, and then provide it to the Logout Url (Optional) setting.
Click the Edit icon for the SSO Endpoint setting. Enter the identity provider URL from which ProcessMaker retrieves the authentication response and validates it when establishing the SSO session. Get this value from the Login URL value of the Microsoft Azure settings described in step five.
Click the Edit icon for the SSO Identifier setting. Enter the URL that references the SAML XML file for your identity provider (IdP). Get this value from the Microsoft Entra Identifier value of the Microsoft Azure settings described in step five.
Click the Edit icon for the SLO Endpoint setting. Enter the logout URL. Get this value from the Logout URL value of the Microsoft Azure settings described in step five.
In ProcessMaker Platform, click the Edit icon for the Public Certificate setting. The Public Certificate screen displays.
Click the Edit icon for the Variable Map and the User Matching setting. In this case, the Variable Map screen displays default values.
as an Administrator.