Configure Lightweight Directory Access Protocol (LDAP) settings.
Lightweight Directory Access Protocol (LDAP) is a platform protocol used for directory services authentication.
LDAP provides the communication language that your server uses to communicate with other directory services servers. Directory services store the users, passwords, and computer accounts, and share that information with other entities on your company's network.
The LDAP settings let your company's users log on by authenticating directly against an LDAP server, and enable synchronization with LDAP to keep user information up to date. Configure LDAP settings for the following purposes:
Synchronize users in your organization as ProcessMaker users.
Authenticate the server source.
Configure how users and groups synchronize.
Log on to ProcessMaker Platform using your LDAP credentials to have a unified login.
Keep using your LDAP credentials after synchronization even if you change a user password in LDAP.
LDAP uses Distinguished Names (DNs) to identify users, groups, and other types of entities. A DN describes an entity starting from the most specific component and moving to the most general in the hierarchy of entities. In LDAP and Active Directory, which is Microsoft's extension of LDAP, Distinguished Names are constructed hierarchically using the following components.
Other naming attributes described in RFC 2253, such as o= for organization name and c= for country/region name, are not used in Active Directory, although they are recognized by LDAP.
For more information on how to construct DNs, see this LDAP guide.
Display all LDAP settings in one location. This makes it easy to manage these settings.
Follow these steps to view all LDAP settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
From the Settings panel on the left, expand the Log-in & Auth section.
Select LDAP to view the following details:
Setting: The Setting column displays the LDAP Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Follow the next steps to search for a setting:
In the Search setting, enter the Setting name to filter settings.
Click the Logs button to view LDAP logs. For more information, see View LDAP Logs.
Configure the following LDAP settings as necessary:
Enable directory synchronization between ProcessMaker and your LDAP server. If not enabled, ProcessMaker Platform does not synchronize with your LDAP server.
In your LDAP Settings, click the Enabled toggle key. This is a required setting to use LDAP with ProcessMaker Platform.
Set the interval at which to synchronize with your LDAP server. When setting this interval, consider that the more users, groups, and/or departments your LDAP server contains, the more time ProcessMaker Platform requires to synchronize with it.
Follow these steps to set how often to synchronize between your LDAP server and ProcessMaker Platform:
In the Quantity setting, enter how many times to synchronize for each configured frequency. 1 is the default setting.
In the Frequency setting, select the frequency in which to synchronize from the following options:
Minutes (default setting)
Hours
Days
Click Save.
Follow these steps to select to which LDAP server type ProcessMaker Platform connects to synchronize:
Select to which LDAP server type ProcessMaker Platform connects to synchronize:
Active Directory (default setting)
Click Save.
Follow these steps to enter the LDAP server address and port to which ProcessMaker Platform synchronizes:
Enter the IP address or hostname for the LDAP server to which ProcessMaker Platform synchronizes.
Click Save.
Enter the port number the LDAP server uses. By default, LDAP uses port 389. If unsure, use one of the following commands depending on your LDAP server's operating system:
Linux/UNIX: netstat -l and netstat -lnp
Windows: netstat -a and netstat -ab
Click Save.
If your LDAP server uses a Transport Layer Security (TLS) certificate, enable TLS to connect to the LDAP authentication source.
In your LDAP Settings, enable the TLS toggle key. The following message displays: The setting was updated.
Enter the Distinguished Name (DN) of the base object from which to connect to the LDAP server. In most cases, the Base DN consists of the domain components (DC) of the DN. For example, the Base DN for processmaker.com is dc=processmaker,dc=com. For more information on how to construct DNs, see this LDAP guide.
Follow these steps to enter the domain components (DC) for the base Distinguished Name (DN):
Enter each DC of the Base DN following the guidelines above.
Click Save.
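The DN rules above (most specific component first, comma-separated with no spaces, Base DN built from the domain components) are easy to get wrong when a value itself contains a comma or an equals sign. The following helper is an added example written for this page, not ProcessMaker's own code; it builds the Base DN from a domain name, assembles a full DN from (attribute, value) pairs, and parses one back, escaping values according to RFC 4514 (the successor of the RFC 2253 cited above). All sample names and domains in it are constructed.

```python
"""Construct and parse LDAP Distinguished Names (DNs).

Hypothetical helper code written for this page; it is not ProcessMaker's
own code. Escaping follows the DN string representation of RFC 4514,
the successor of the RFC 2253 cited above.
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value so it cannot break the comma-separated DN syntax."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # a leading '#' would be read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading/trailing spaces are otherwise dropped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_domain(domain: str) -> str:
    """processmaker.com -> dc=processmaker,dc=com: one dc= per label, left to right,
    comma-separated with no spaces, as the Base DN setting expects."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={escape_rdn_value(lbl)}" for lbl in labels)


def build_dn(*rdns: tuple[str, str]) -> str:
    """Join (attribute, value) pairs from most specific to most general, e.g. CN, OU, then DC."""
    if not rdns:
        raise ValueError("a DN needs at least one RDN")
    return ",".join(f"{attr.lower()}={escape_rdn_value(val)}" for attr, val in rdns)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string back into (attribute, value) pairs, honouring backslash escapes,
    so a value such as 'Doe\\, John' is not mistaken for two RDNs."""
    rdns: list[tuple[str, str]] = []
    attr: list[str] = []
    value: list[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):          # escaped character: keep it literally
            (value if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch == ",":
            rdns.append(("".join(attr).strip().lower(), "".join(value)))
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(ch)
        i += 1
    if not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append(("".join(attr).strip().lower(), "".join(value)))
    return rdns


if __name__ == "__main__":
    print(base_dn_from_domain("processmaker.com"))
    dn = build_dn(("CN", "Doe, John"), ("OU", "managers"), ("DC", "acme"), ("DC", "com"))
    print(dn)
    print(parse_dn(dn))
```

Before pasting a Base DN or bind user DN into the settings, running it through parse_dn is a cheap way to confirm the component order and that any comma inside a common name has been escaped.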
Follow these steps to enter the credentials to connect to the LDAP server:
Enter the username to log on to the LDAP server.
Click Save.
Enter the password to log on to the LDAP server.
Click Save. The following message displays: The setting was updated.
Select which LDAP groups and departments to synchronize as ProcessMaker Platform groups. During synchronization, the following occurs:
ProcessMaker Platform groups that do not exist are created.
If a selected LDAP group or department contains no LDAP users, then a corresponding ProcessMaker Platform group is not created if it does not already exist.
ProcessMaker Platform users that exist synchronize from your LDAP server and are placed into the groups corresponding with your selected LDAP server group(s) or department(s).
ProcessMaker Platform users that do not already exist but exist in your selected LDAP group(s) or department(s) are created.
Follow these steps to select which LDAP groups or departments to synchronize as ProcessMaker Platform groups:
Enable the toggle key for each LDAP group to synchronize as ProcessMaker Platform groups.
Click Save.
Enable the toggle key for each LDAP department to synchronize as ProcessMaker Platform groups.
Click Save.
Enter the LDAP object class that identifies users. Objects that match the object class synchronize with users that exist in your ProcessMaker Platform instance. During synchronization the following occurs:
LDAP groups that contain LDAP users and match the entered LDAP object class synchronize.
LDAP groups that do not contain LDAP users do not synchronize, regardless if they match the entered LDAP object class.
Follow these steps to enter the LDAP object class that identifies users:
Enter the LDAP object class that identifies users. Follow these guidelines depending on which LDAP server type your LDAP server uses:
Active Directory: Enter samaccountname.
OpenLDAP: Enter uid.
If unsure which object class to use: Enter *. Synchronization is slower because all object classes are evaluated.
Click Save.
Enter the LDAP object class that identifies groups. Objects that match the object class synchronize with groups that exist in your ProcessMaker Platform instance. ProcessMaker Platform groups that do not already exist are created from your LDAP server.
Follow these steps to enter the LDAP object class that identifies groups:
Enter the LDAP object class that identifies groups.
Click Save.
Map how ProcessMaker Platform user properties correspond with synchronized LDAP attributes. See _user Magic Variable for ProcessMaker Platform user properties.
Consider the following examples.
Follow these steps to map how ProcessMaker Platform user properties correspond with LDAP attributes:
Follow these guidelines to map a ProcessMaker Platform user properties to an LDAP attribute:
Click the +Add button. A new row displays the existing mapped user properties.
In the ProcessMaker Property setting, enter the ProcessMaker Platform user property to which to map the LDAP attribute.
In the LDAP Attribute setting, enter the LDAP attribute from which to map to the ProcessMaker Platform user property.
Click Save.
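The Variable Map pairs one ProcessMaker user property with one LDAP attribute; what the page does not show is how a sync job should treat attribute-name case, multi-valued attributes, and entries that lack a mapped attribute. The following is an added example written for this page, not ProcessMaker's synchronizer. It uses the two mappings from the table on this page (FirstName from Name, UserName from sAMAccountName); the REQUIRED set and the sample entries are constructed assumptions.

```python
"""Map synchronized LDAP entries onto ProcessMaker user properties.

Hypothetical example code, not ProcessMaker's synchronizer. It uses the
two rows of the Variable Map table on this page and adds the rules a
sync job needs in practice: LDAP attribute names compare
case-insensitively, multi-valued attributes contribute their first
value, byte values are decoded, and an entry lacking a required
attribute is skipped rather than producing a user without a login name.
"""
from __future__ import annotations

# Variable Map as it would be configured in the LDAP settings:
# ProcessMaker property -> LDAP attribute.
VARIABLE_MAP: dict[str, str] = {
    "FirstName": "Name",
    "UserName": "sAMAccountName",
}
# Properties without which a ProcessMaker user cannot be created (assumption for this demo).
REQUIRED = {"UserName"}


def _lookup(entry: dict, attr: str) -> str | None:
    """Case-insensitive attribute lookup; returns the first value as text, or None."""
    wanted = attr.lower()
    for key, val in entry.items():
        if key.lower() != wanted:
            continue
        if isinstance(val, (list, tuple)):
            val = val[0] if val else None
        if isinstance(val, bytes):
            val = val.decode("utf-8", errors="replace")
        return None if val is None else str(val)
    return None


def map_entry(entry: dict, variable_map: dict[str, str] = VARIABLE_MAP) -> dict[str, str]:
    """Return the ProcessMaker user properties for one LDAP entry."""
    user: dict[str, str] = {}
    for prop, ldap_attr in variable_map.items():
        value = _lookup(entry, ldap_attr)
        if value is None or not value.strip():
            if prop in REQUIRED:
                raise ValueError(f"missing required LDAP attribute {ldap_attr!r}")
            continue
        user[prop] = value.strip()
    return user


def sync_entries(entries, variable_map=VARIABLE_MAP):
    """Map every entry; return (users, skipped) so the caller can log both counts,
    much like the updated/new record counts in the LDAP log Message column."""
    users, skipped = [], []
    for entry in entries:
        try:
            users.append(map_entry(entry, variable_map))
        except ValueError as exc:
            skipped.append((entry.get("dn"), str(exc)))
    return users, skipped


# Constructed sample entries, shaped like the dicts an LDAP client library returns.
SAMPLE_ENTRIES = [
    {"dn": "cn=Louis Canera,ou=managers,dc=acme,dc=com",
     "name": ["Louis Canera"], "samaccountname": ["lcanera"]},
    {"dn": "cn=John Doe,ou=regionalbranch,dc=acme,dc=com",
     "Name": [b"John Doe"], "sAMAccountName": [b" jdoe "]},
    {"dn": "cn=printer-01,ou=devices,dc=acme,dc=com",
     "name": ["printer-01"]},          # no sAMAccountName: must be skipped
]

if __name__ == "__main__":
    users, skipped = sync_entries(SAMPLE_ENTRIES)
    print(users)
    print(skipped)
```

Skipping an entry and recording why is preferable to creating a user with an empty login name, which would otherwise show up only as an odd count in the synchronization log.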
Display LDAP logs of the LDAP users, groups, and/or departments that have synchronized.
Follow these steps to view LDAP logs:
View your LDAP Settings. The LDAP tab displays.
Click the Logs button. The Logs page displays all the LDAP synchronization logs.
The Logs page displays the following information in tabular format about LDAP logs:
ID: The ID column displays the log ID used to identify this synchronization log.
Tag: The Tag column displays the synchronization type among LDAP Users, Groups, or Departments.
Service: The Service column displays LDAP as the service type the log applies.
Message: The Message column displays the synchronization status, the number of updated records, and the number of new registers after synchronization occurs.
Created: The Created column displays the date and time when synchronization occurred.
Configure a log on option.
Login settings ensure a secure and reliable user log-on authentication experience.
As an administrator, you can configure the following:
Password policies
Two-factor authentication
As an administrator, you can do the following:
Configure how users receive the two-factor authentication code.
Block a user's access after a specified number of incorrect login attempts to protect user accounts from unauthorized access and potential security breaches.
Require that the user's account password be reset if it was blocked.
Follow these steps to view the Log-In Options tab settings:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
From the Settings panel on the left, expand the Log-in & Auth section.
Select Log-In Options to view the following details:
Setting: The Setting column displays the Log-In Options Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Configure the following Log-In Options tab settings as necessary:
Enable users to change their passwords.
Follow these steps to enable a user to change their password:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Password Set By User toggle key. The following message displays: The setting was updated. When this setting is enabled, users are able to change their passwords when editing their user profile.
If this setting is toggled off, users won't have the option to update their password while editing their user profile.
Note: This setting applies to all users except Super Admins. Users with Super Admin permissions will always have the ability to change passwords.
Enable at least one numeric character for user passwords.
Follow these steps to enable numeric characters:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Numeric Characters toggle key. The following message displays: The setting was updated.
Enable at least one uppercase character for user passwords.
Follow these steps to enable uppercase characters:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Uppercase Characters toggle key. The following message displays: The setting was updated.
Enable at least one special character for user passwords.
Follow these steps to enable special characters:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Special Characters toggle key. The following message displays: The setting was updated.
Set the maximum length of password characters.
Follow these steps to set the maximum length:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter a maximum number of characters for the password.
Click Save. The following message displays: The setting was updated.
Set the minimum length of password characters.
Follow these steps to set the minimum length:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter a minimum number of characters for the password.
Click Save. The following message displays: The setting was updated.
Set in how many days the password expires.
Follow these steps to set the password expiration:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter the number of days after which the password expires.
Click Save. The following message displays: The setting was updated.
Set the number of consecutive unsuccessful login attempts before blocking the login action momentarily.
Follow these steps to set the number of unsuccessful login attempts:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter a number of consecutive unsuccessful login attempts before blocking the login action momentarily.
Click Save. The following message displays: The setting was updated.
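The password settings above (numeric, uppercase and special characters, minimum and maximum length, expiration in days, and the consecutive failed-login limit) together form one policy. The following is an added example written for this page, not ProcessMaker's own validator, showing how such a policy is evaluated and how a block after repeated failures is held until an administrator resets the account, as described for blocked accounts above. The default numbers in PasswordPolicy are constructed for the demo and are not ProcessMaker defaults.

```python
"""Enforce a Log-In Options style password policy.

Hypothetical example code written for this page, not ProcessMaker's own
validator. PasswordPolicy mirrors the settings: Numeric Characters,
Uppercase Characters, Special Characters, Maximum Length, Minimum
Length, Password Expiration (days) and Login Failed (attempts). The
default values below are constructed for the demo.
"""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    numeric: bool = True            # at least one digit
    uppercase: bool = True          # at least one uppercase letter
    special: bool = True            # at least one punctuation character
    min_length: int = 8
    max_length: int = 64
    expiration_days: int = 90
    login_failed_limit: int = 5     # consecutive failures before the login is blocked


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy rules the password violates (empty means acceptable)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.numeric and not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if policy.uppercase and not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if policy.special and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def password_expired(last_set: str, today: str, policy: PasswordPolicy) -> bool:
    """True once the password is at least expiration_days old (ISO dates, e.g. '2024-01-01')."""
    age = date.fromisoformat(today) - date.fromisoformat(last_set)
    return age >= timedelta(days=policy.expiration_days)


@dataclass
class LoginAttemptTracker:
    """Counts consecutive failed logins per user and blocks at the configured limit."""
    policy: PasswordPolicy
    failures: dict[str, int] = field(default_factory=dict)

    def record(self, username: str, success: bool) -> bool:
        """Record one attempt; return True if the account is (still) blocked."""
        if self.is_blocked(username):
            return True                            # stays blocked until an administrator resets it
        if success:
            self.failures.pop(username, None)      # a success resets the consecutive count
            return False
        self.failures[username] = self.failures.get(username, 0) + 1
        return self.is_blocked(username)

    def is_blocked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.policy.login_failed_limit

    def unblock(self, username: str) -> None:
        """Administrator action, to be paired with a forced password reset."""
        self.failures.pop(username, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password("short", policy))
    print(password_expired("2024-01-01", "2024-04-01", policy))
```

The point of checking is_blocked before evaluating the credential is that a correct password must not lift the block on its own; otherwise the limit only slows a guessing attempt rather than stopping it.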
Enhance login security by enabling two-step authentication for user verification.
Two-step authentication must also be enabled in group-level settings.
SSO and Two-Step Authentication
If SSO is enabled, the Two-Step Authentication setting is bypassed for SSO users, allowing them to log in without it.
Non-SSO users must still enter two-step verification codes to log in.
Follow these steps to set up two-step authentication:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Require Two Step Authentication toggle key. The following message displays: The setting was updated.
Next, select a Two Step Authentication Method.
Choose an authentication method for sending two-step verification codes.
Follow these steps to set a two-step authentication method:
View the Log-In Options tab settings. The Log-In Options tab displays.
Select one or more authentication methods as follows:
Select By email to send the code to your account email. An email address must be configured in user properties.
Select By message to phone number to send the code to your account phone number. A phone number must be configured in user properties.
Select Authenticator App to send the code to an authenticator app such as Google Authenticator.
Click Save. The following message displays: The setting was updated.
Configure System for Cross-domain Identity Management (SCIM) settings that are available to all users.
The SCIM specification is designed to more easily manage user identities in cloud-based applications. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models.
Click the Admin option from the top menu. The Users page displays.
From the Settings panel on the left, expand the Log-in & Auth section.
Select SCIM to view the following details:
Setting: The Setting column displays the SCIM Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Enable the SCIM toggle key in the Configuration column. The SCIM base URL displays beside the SCIM Base URL setting to copy into clipboard for inclusion into your SCIM provider's settings. The SCIM base URL is set for your ProcessMaker Platform instance as a redirected URL that cannot be edited.
Obtain a bearer token for your user account and copy it into your SCIM provider's settings.
Click the Settings icon from the left sidebar to view all settings.
Click the Search icon or press enter to view LDAP settings that match your entered text.
Click the Edit icon to change a setting. For more information on different LDAP configurations, see Configure LDAP Settings.
Click the Copy to Clipboard icon to copy the value of a setting.
Click the Clear icon to clear the value of a setting.
In your LDAP Settings, click the Edit icon for the Synchronization Schedule setting. The Synchronization Schedule screen displays.
In your LDAP Settings, click the Edit icon for the Type setting. The Type screen displays.
In your LDAP Settings, click the Edit icon for the Server Address setting. The Server Address screen displays.
In your LDAP Settings, click the Edit icon for the Server Port setting. The Server Port screen displays.
In your LDAP Settings, click the Edit icon for the Base DN setting. The Base DN screen displays.
In your LDAP Settings, click the Edit icon for the Username setting. The Username screen displays.
In your LDAP Settings, click the Edit icon for the Password setting. The Password screen displays.
In your LDAP Settings, click the Edit icon for the Groups to Import setting. The Groups To Import screen displays the LDAP groups on your LDAP server. If your LDAP server contains no LDAP groups, this screen displays no groups with which to synchronize.
In your LDAP Settings, click the Edit icon for the Departments To Import setting. The Departments To Import screen displays the LDAP departments. If your LDAP server contains no LDAP departments, this screen displays no departments with which to synchronize.
In your LDAP Settings, click the Edit icon for the User Class Identifier setting. The User Class Identifier screen displays.
In your LDAP Settings, click the Edit icon for the Group Class Identifier setting. The Group Class Identifier screen displays.
In your LDAP Settings, click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker Platform user property.
Click the Settings icon from the left sidebar to view all settings.
Click the Search icon or press enter to view Log-In Options settings that match your entered text.
Click the Edit icon for the Maximum Length setting. The Maximum Length screen displays.
Click the Edit icon for the Minimum Length setting. The Minimum Length screen displays.
Click the Edit icon for the Password Expiration setting. The Password expiration screen displays.
Click the Edit icon for the Login Failed setting. The Login failed screen displays.
Click the Edit icon for the Two Step Authentication Method setting. The Two Step Authentication Method screen displays.
, is an open standard to automate user provisioning. The SCIM specification is designed to more easily manage user identities in cloud-based applications, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. SCIM settings provide additional profile settings available to all user accounts.
As a cloud-based technology, ProcessMaker developed SCIM so users' identities can be created either directly in a tool like or imported from external systems like HR software or . Since SCIM is a standard, user data is stored following a consistent protocol and can communicate across different apps.
The SCIM base URL is set by default in ProcessMaker after the . Copy the SCIM base URL to the SCIM provider's settings to synchronize user identities via SCIM. The SCIM base URL is set for your ProcessMaker instance as a redirected URL that cannot be edited.
In addition to the SCIM Base URL, a bearer token is also required to access ProcessMaker's SCIM endpoints. Follow the instructions for to obtain a bearer token for your user account and copy it to your SCIM provider's settings. This user account must also have the user permissions detailed in the section.
Your user account or group membership must have the "" permission to enable SCIM settings unless your user account has the Make this user a Super Admin setting selected.
Users category:
Groups category:
See / or ask your Administrator for assistance.
Follow these steps to enable the setting:
Ensure that you are logged on to ProcessMaker Platform.
Click the Settings icon from the left sidebar to view all settings.
Click the Copy to Clipboard icon to copy the URL for inclusion into your SCIM provider's settings.
Both the Edit icon and the Delete icon are deactivated in SCIM. The SCIM base URL is set for your ProcessMaker Platform instance as a redirected URL that cannot be edited.
Component and Abbreviation | Usage | Example
domain components (DC) | Enter each DC as read left to right, each separated by a comma without spacing between each. | dc=acme,dc=com
organizational units (OU) | Enter each OU, each separated by a comma without spacing between each. | ou=managers,ou=regionalbranch
common names (CN) | Enter each CN, each separated by a comma without spacing between each. | cn=Louis Canera,cn=John Doe
ProcessMaker User Property | User Property Function | Mapped LDAP Attribute
FirstName | User's first name | Name
UserName | User's user name | sAMAccountName
Configure SSO settings for Atlassian.
The following information is required to configure SSO with Atlassian:
Client ID
Client Secret
To generate or locate this information, refer to the Atlassian Developer Guide.
See an example in the following video showing how to configure Atlassian SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Atlassian SSO settings as necessary:
From the list of SSO identity providers, enable the Atlassian option. The SSO - Atlassian panel displays.
Enter your Atlassian client ID, and then click Save.
Enter your Atlassian client secret, and then click Save.
Configure a Session Control.
Password and Login settings ensure a secure and reliable user log-on authentication experience.
As an administrator, you can configure the following:
Restrict open sessions for users/company
As a participant, you can do the following:
The platform automatically logs out a user's session after a period of inactivity to protect data from unauthorized access.
Follow these steps to view the Session Control settings:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
From the Settings panel on the left, expand the Log-in & Auth section.
Select Session Control to view the following details:
Setting: The Setting column displays the Session Control setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Configure the following Session Control tab settings as necessary:
Set the IP address restriction policy when a user logs on or attempts to log on again using the same user account.
Follow these steps to set the IP restriction policy:
View your Session Control settings. The Session Control tab displays.
Select the IP restriction as follows:
Disabled: Disable this setting. The user may log on from a different IP address than that used by the current session. This is the default setting.
Block duplicate session: Block any attempt to start another session by the same user on another IP address.
Kill existing session: End the active session.
Click Save. The following message displays: The setting was updated.
Set the device restriction that applies to a user's logins.
Follow these steps to set the device restriction:
View your Session Control settings. The Session Control tab displays.
Select device restriction as follows:
Disabled: Disable this setting. The user may log on from multiple devices. This is the default setting.
Block duplicate session: Block any attempt to start another session by the same user on another device.
Kill existing session: End any active sessions that the user has on other devices at the moment the new session starts. Keep the current session on the current device.
Click Save. The following message displays: The setting was updated.
Set the session inactivity in minutes.
Follow these steps to set the session inactivity:
View your Session Control settings. The Session Control tab displays.
In the setting, enter the number of minutes to wait for a session's inactivity. 180 is set by default.
Click Save. The following message displays: The setting was updated.
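The IP restriction, device restriction, and session inactivity settings above interact: an inactive session that has already timed out should not count as a duplicate. The following is an added example written for this page, not ProcessMaker's session manager; it models the three values of each restriction (Disabled, Block duplicate session, Kill existing session) and the inactivity timeout, with the 180-minute default from this page. The IP addresses, device ids and times in the scenario are constructed.

```python
"""Apply Session Control style policies to a new login.

Hypothetical example written for this page, not ProcessMaker's session
manager. Restriction models the three values of the IP Restriction and
Device Restriction settings; inactivity_minutes models Session
Inactivity, 180 by default as on this page. Sample IP addresses and
device ids are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Restriction(Enum):
    DISABLED = "Disabled"
    BLOCK_DUPLICATE = "Block duplicate session"
    KILL_EXISTING = "Kill existing session"


@dataclass(eq=False)               # identity comparison: two sessions are never "equal"
class Session:
    user: str
    ip: str
    device_id: str
    last_activity: datetime


@dataclass
class SessionControl:
    ip_restriction: Restriction = Restriction.DISABLED
    device_restriction: Restriction = Restriction.DISABLED
    inactivity_minutes: int = 180
    sessions: dict[str, list[Session]] = field(default_factory=dict)  # user -> active sessions

    def expire_inactive(self, now: datetime) -> int:
        """Log out sessions idle for at least inactivity_minutes; return how many were ended."""
        limit = timedelta(minutes=self.inactivity_minutes)
        ended = 0
        for user, active in list(self.sessions.items()):
            keep = [s for s in active if now - s.last_activity < limit]
            ended += len(active) - len(keep)
            if keep:
                self.sessions[user] = keep
            else:
                del self.sessions[user]
        return ended

    def login(self, user: str, ip: str, device_id: str, now: datetime) -> tuple[bool, str]:
        """Decide whether a new session may start and apply the block/kill policies."""
        self.expire_inactive(now)                  # timed-out sessions never count as duplicates
        existing = self.sessions.get(user, [])
        other_ip = [s for s in existing if s.ip != ip]
        other_device = [s for s in existing if s.device_id != device_id]

        if self.ip_restriction is Restriction.BLOCK_DUPLICATE and other_ip:
            return False, "blocked: active session from another IP address"
        if self.device_restriction is Restriction.BLOCK_DUPLICATE and other_device:
            return False, "blocked: active session on another device"

        killed: list[Session] = []
        if self.ip_restriction is Restriction.KILL_EXISTING:
            killed.extend(other_ip)
        if self.device_restriction is Restriction.KILL_EXISTING:
            killed.extend(s for s in other_device if s not in killed)

        remaining = [s for s in existing if s not in killed]
        remaining.append(Session(user, ip, device_id, now))
        self.sessions[user] = remaining
        return True, f"ok: ended {len(killed)} existing session(s)"


def run_demo() -> list[bool]:
    """Scripted scenario: IP duplicates blocked, other devices killed, 30-minute timeout."""
    sc = SessionControl(Restriction.BLOCK_DUPLICATE, Restriction.KILL_EXISTING, inactivity_minutes=30)
    t0 = datetime(2024, 1, 1, 9, 0)
    return [
        sc.login("alice", "10.0.0.5", "laptop", t0)[0],                             # first session
        sc.login("alice", "198.51.100.7", "phone", t0 + timedelta(minutes=5))[0],   # other IP: blocked
        sc.login("alice", "10.0.0.5", "tablet", t0 + timedelta(minutes=10))[0],     # other device: laptop ended
        len(sc.sessions["alice"]) == 1 and sc.sessions["alice"][0].device_id == "tablet",
        sc.login("alice", "198.51.100.7", "phone", t0 + timedelta(minutes=41))[0],  # tablet idle 31 min: allowed
    ]


if __name__ == "__main__":
    print(run_demo())
```

Note that with Block duplicate session the existing session stays untouched and the newcomer is refused, whereas Kill existing session favours the newest login; which one is appropriate depends on whether a second login from elsewhere is more likely a user on a new device or someone else holding the credentials.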
Configure Single Sign-On (SSO) settings.
Single Sign-On (SSO) allows a user to sign on with one set of credentials to log on to ProcessMaker. This increases security and provides a better user experience for customers, employees, and partners by reducing the number of required accounts/passwords.
As a prerequisite to enable SSO, the Administrator must implement an Identity Provider. If you use a centralized user system, such as Microsoft or Google, you already have access to an Identity Provider.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
To use one or more Identity Providers, view SSO settings, and then enable the toggle key for the Identity provider(s). Doing so adds a new Settings tab to configure that specific Identity Provider. ProcessMaker Platform supports the following Identity Providers:
Display all SSO settings in one location. This makes it easy to manage these settings.
Follow these steps to view all SSO settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker.
Click the Admin option from the top menu. The Users page displays.
From the Settings panel on the left, expand the Log-in & Auth section.
Select SSO to view the following details:
Setting: The Setting column displays the SSO Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Configure the following SSO settings as necessary:
Enable to display settings to log on using user credentials. When disabled, settings only display SSO log on options.
Follow these steps to enable display settings for standard log on:
View your SSO settings. The SSO tab displays.
Enable the Allow Standard Login toggle key. The following message displays: The setting was updated.
Enable whether SSO users should automatically register the first time that they log on.
Follow these steps to enable automatic registration:
View your SSO settings. The SSO tab displays.
Enable the Automatic Registration toggle key. The following message displays: The setting was updated.
Specify which permissions to assign new users that are created via SSO:
Follow these steps to specify which user permissions to assign new users created via SSO:
View your SSO settings. The SSO tab displays.
Enable permissions as necessary. See Permission Descriptions for Users and Groups for descriptions.
Click Save. The following message displays: The setting was updated.
Select to which groups to assign users created via SSO.
Follow these steps to select to which groups to assign users created via SSO:
View your SSO settings. The SSO tab displays.
Enable groups as necessary.
Click Save. The following message displays: The setting was updated.
Copy to clipboard a JSON-formatted object of all assigned permissions and groups for users created via SSO.
Follow these steps to copy the permissions and groups for SSO users:
View your SSO settings. The SSO tab displays.
Select a default SSO integration so that users are automatically redirected to the IdP Single Sign-On log on page instead of the normal Login page. When a user goes to the log on page, that user is redirected to the selected provider.
Follow these steps to enable default SSO Integration:
View your SSO settings. The SSO tab displays.
Select an SSO identity provider among:
Select the ProcessMaker SSO login option if you do not want an SSO identity provider as the default log on. This option allows LDAP users to verify their accounts in ProcessMaker Platform. It also lets you log on as an administrator while fixing SSO problems.
Click Save. The following message displays: The setting was updated.
Select whether detailed SSO errors should be displayed. It is recommended to disable the debug mode in production servers.
Follow these steps to enable debug mode:
View your SSO settings. The SSO tab displays.
Switch on the Debug Mode toggle key. The following message displays: The setting was updated.
Select whether to enable single sign-on via SSO identity providers to log on as necessary. The SSO identity provider options display on the log on screen.
View your SSO settings. The SSO tab displays.
Configure SSO settings for Auth0.
The following information is required to configure SSO with Auth0:
Client ID
Client Secret
Domain
To generate or locate this information, contact your Auth0 identity provider.
See an example in the following video showing how to configure Auth0 SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Auth0 SSO settings as necessary:
From the list of SSO identity providers, select the Auth0 option. The SSO - Auth0 panel displays.
Enter your Auth0 client ID, and then click Save.
Enter your Auth0 client secret, and then click Save.
Enter your Auth0 domain, and then click Save.
Configure SSO settings for GitHub.
The following information is required to configure SSO with GitHub:
Client ID
Client Secret
See an example in the following video showing how to configure GitHub SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following GitHub SSO settings as necessary:
From the list of SSO identity providers, select the GitHub option. The SSO - GitHub panel displays.
Enter your GitHub client ID, and then click Save.
Enter your GitHub client secret, and then click Save.
Configure SSO settings for Facebook.
The following information is required to configure SSO with Facebook:
App ID
App Secret
See an example in the following video showing how to configure Facebook SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Facebook SSO settings as necessary:
From the list of SSO identity providers, select the Facebook option. The SSO - Facebook panel displays.
Enter your Facebook App ID, and then click Save.
Enter your Facebook app secret, and then click Save.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Atlassian developer console.
Click the Settings icon from the left sidebar to view all settings.
Click the Edit icon for the IP Restriction setting. The IP restriction screen displays.
Click the Edit icon for the Device restriction setting. The Device restriction screen displays.
Click the Edit icon for the Session Inactivity setting. The Session Inactivity screen displays.
Click the Settings icon from the left sidebar to view all settings.
Click the Search icon or press enter to view SSO settings that match your entered text.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Select a collapsed permission category to expand the view of individual permissions within that category. Otherwise, select an expanded permission category to collapse that category.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Click the Groups tab. All available groups display.
Click the Copy to Clipboard icon for the New User Default Config setting. The following message displays: The setting was copied to your clipboard.
Click the Edit icon for the Default SSO Login setting. The Default SSO Login screen with the SSO identity providers displays.
See the permissions or ask your Administrator for assistance.
Use the copy icon to copy the URL from the Callback URL setting, and then provide it to your Auth0 identity provider.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Domain setting. The Domain screen displays.
See the permissions or ask your Administrator for assistance.
To generate or locate your GitHub client ID and client secret, refer to .
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your GitHub application settings.
See the permissions or ask your Administrator for assistance.
To generate or locate your Facebook app ID and app secret, refer to .
Click the Edit icon for the App ID setting. The App ID screen displays.
Click the Edit icon for the App Secret setting. The App Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Facebook for Developers app.
Configure SSO settings for Google.
The following information is required to configure SSO with Google:
Client ID
Client Secret
To generate or locate your Google client ID and client secret, refer to Authentication overview - Google Cloud.
See an example in the following video showing how to configure Google SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Google SSO settings as necessary:
From the list of SSO identity providers, select the Google option. The SSO - Google panel displays.
Enter your Google client ID, and then click Save.
Enter your Google client secret, and then click Save.
Configure SSO settings for Keycloak.
The following information is required to configure SSO with Keycloak:
Base URL
Client ID
Client Secret
Realm
To generate or locate this information, refer to Keycloak Server Administration.
See an example in the following video showing how to configure Keycloak SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Keycloak SSO settings as necessary:
From the list of SSO identity providers, select the Keycloak option. The SSO - Keycloak panel displays.
Enter your Keycloak base URL, and then click Save.
Enter your Keycloak client ID, and then click Save.
Enter your Keycloak client secret, and then click Save.
Enter your Keycloak realm, and then click Save.
Configure SSO settings for Microsoft.
The following information is required to configure SSO with Microsoft:
Client ID
Client Secret
See an example in the following video showing how to configure Microsoft SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Microsoft SSO settings as necessary:
From the list of SSO identity providers, select the Microsoft option. The SSO - Microsoft panel displays.
Enter your Microsoft client ID, and then click Save.
Enter your Microsoft client secret, and then click Save.
Configure SSO settings for SAML.
The following information is required to configure SSO with SAML:
SSO endpoint
SSO identifier
SLO endpoint
Encryption type
Authentication context
Public certificate
Name ID format
To generate or locate this information, contact your SAML identity provider.
See an example in the following video showing how to configure SAML SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 6 minutes; contains narration
Note: The video demonstrates the procedure to configure SAML SSO using obsolete settings. The written form of this procedure uses the current settings.
Configure the following SAML SSO settings as necessary:
From the list of SSO identity providers, select the SAML option. The SSO - SAML tab displays.
Enter the identity provider URL from which ProcessMaker retrieves the authentication response and validates it when establishing the SSO session. Your identity provider provides this URL.
Enter the URL that references the SAML XML file for your identity provider (IdP). Your identity provider provides this URL.
Enter the logout URL provided by your identity provider.
From the list of encryption types, select the encryption type your identity provider uses.
Use the Authentication Context toggle to indicate whether or not to send the authentication context in the authorization request.
Enter the identity provider's certificate fingerprint by pasting it into this setting. Your identity provider provides this certificate. Be sure to include the -----BEGIN CERTIFICATE----- header. ProcessMaker retrieves the authentication response and validates it using the identity provider's certificate fingerprint.
Click the browse button and then select the file containing your SAML certificate, if one is available from your identity provider.
Click the browse button and then select the file containing your SAML key, if one is available from your identity provider.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Enter the name identifier format supported by your SAML identity provider.
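The SAML procedure above asks for values (SSO endpoint, SLO endpoint, public certificate, Name ID format) that the identity provider publishes in its metadata XML, plus User Matching / Variable Map rows that pair a ProcessMaker user property with a SAML attribute. The following is an added example, not ProcessMaker's own code, that reads those values out of IdP metadata and applies such a map to the attributes of an assertion. The metadata, hostnames, entityID and certificate bytes are constructed placeholders; preferring the HTTP-Redirect binding over HTTP-POST and using SHA-256 for the fingerprint are assumptions of this example, not documented ProcessMaker behaviour.

```python
"""Extract SAML SSO settings from IdP metadata and apply an attribute map.
Added example (standard library only); not part of ProcessMaker."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed preference order for endpoint bindings.
BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)

# Constructed stand-in for the IdP signing certificate: NOT a real X.509
# DER blob, just bytes so the fingerprint code has something to hash.
CONSTRUCTED_CERT_B64 = base64.b64encode(
    b"constructed certificate bytes, not a real X.509 certificate"
).decode()

# Constructed sample IdP metadata; every host and identifier is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {CONSTRUCTED_CERT_B64}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso-post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoint(idp, tag):
    # Location of the first <tag> element, taking bindings in BINDINGS order.
    services = idp.findall(f"md:{tag}", NS)
    for binding in BINDINGS:
        for svc in services:
            if svc.get("Binding") == binding:
                return svc.get("Location")
    return None


def _signing_certificate(idp):
    # Base64 body of the first KeyDescriptor usable for signature checks
    # (use="signing" or no use attribute, which means both signing and encryption).
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                return "".join(cert.text.split())  # drop line-wrapping whitespace
    raise ValueError("metadata carries no signing certificate")


def to_pem(cert_b64):
    # Wrap bare base64 in PEM armour so it carries the BEGIN/END CERTIFICATE lines.
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def certificate_fingerprint(cert, algorithm="sha256"):
    # Colon-separated hex digest of the DER bytes; accepts PEM or bare base64,
    # so the value pasted into the setting and the IdP's published blob compare equal.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    der = base64.b64decode("".join(body.split()), validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    # Return the values the SAML settings ask for, keyed by setting.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    name_id = idp.find("md:NameIDFormat", NS)
    cert_b64 = _signing_certificate(idp)
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoint": _endpoint(idp, "SingleSignOnService"),
        "slo_endpoint": _endpoint(idp, "SingleLogoutService"),
        "name_id_format": name_id.text.strip() if name_id is not None and name_id.text else None,
        "certificate_pem": to_pem(cert_b64),
        "certificate_fingerprint": certificate_fingerprint(cert_b64),
    }


def map_attributes(assertion_attrs, variable_map):
    # variable_map: ProcessMaker property -> SAML attribute name. SAML attributes
    # are multi-valued, so the first value is taken. Attributes the IdP did not
    # release are reported instead of silently producing an empty property.
    mapped, missing = {}, []
    for prop, attr in variable_map.items():
        values = assertion_attrs.get(attr) or []
        if values:
            mapped[prop] = values[0]
        else:
            missing.append(attr)
    return mapped, missing


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    attrs = {"mail": ["ana@example.test"], "givenName": ["Ana"]}  # constructed assertion attributes
    print(map_attributes(attrs, {"email": "mail", "firstname": "givenName", "lastname": "sn"}))
```

Two checks fall out of this for the administrator: the fingerprint of the certificate pasted into the Public Certificate setting should equal the fingerprint of the certificate in the IdP's current metadata (certificate rotation at the IdP is the usual cause of signature validation suddenly failing), and the `missing` list from `map_attributes` shows which Variable Map rows reference attributes the IdP never releases, which is worth resolving before users hit a failed login.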
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Google Web application settings.
Click the Edit icon for the Base URL setting. The Base URL screen displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Realm setting. The Realm screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Keycloak Admin Console.
See the permissions or ask your Administrator for assistance.
To generate or locate your Microsoft client ID and client secret, refer to .
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Microsoft application settings.
See the permissions or ask your Administrator for assistance.
Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, Okta, and/or two-factor authentication.
Use the copy icon to copy the URL from the ACS Url setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Entity ID (Metadata) setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Single Logout URL setting, and then provide it to your SAML identity provider.
Click the Edit icon for the SSO Endpoint setting. The SSO Endpoint screen displays.
Click the Edit icon for the SSO Identifier setting. The SSO Identifier screen displays.
Click the Edit icon for the SLO Endpoint setting. The SLO Endpoint screen displays.
Click the Edit icon for the Encryption Type setting. The Encryption Type screen displays.
Click the Edit icon for the Public Certificate setting. The Public Certificate screen displays.
Click the Edit icon for the File crt setting. The File crt screen displays.
Click the Edit icon for the File key setting. The File key screen displays.
Click the Edit icon for the User Matching setting. The User Matching screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Name ID Format setting. The Name ID Format screen displays.