Configure Single Sign-On (SSO) settings.
Manage your SSO settings.
Understand what SSO is and how its settings work in your server environment.
The Auth package must be installed.
Single Sign-On (SSO) allows a user to sign on with one set of credentials to log on to ProcessMaker. This increases security and provides a better user experience for customers, employees, and partners by reducing the number of required accounts/passwords.
As a prerequisite to enable SSO, the Administrator must implement an Identity Provider. If you use a centralized user system, such as Microsoft or Google, you already have access to an Identity Provider.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
To use one or more Identity Providers, view SSO settings, and then enable the toggle key for the Identity provider(s). Doing so adds a new Settings tab to configure that specific Identity Provider. ProcessMaker Platform supports the following Identity Providers:
Filter all SSO settings in your server to find the one you need.
Use the Search function to filter all SSO settings from the SSO page based on your entered text.
The Auth package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to search for an SSO setting unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for an SSO setting:
View your SSO Settings. The SSO tab displays.
In the Search setting, enter the Setting name to filter by SSO setting name.
View all settings for the SSO authentication. View SSO settings like Atlassian, Auth0, Facebook, GitHub, Google, Keycloak, Microsoft, and SAML.
Display all SSO settings in one location. This makes it easy to manage these settings.
The Auth package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to view SSO settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view all SSO settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker.
Click the Admin option from the top menu. The Users page displays.
Click the SSO tab. The SSO tab displays all SSO settings.
The SSO tab displays the following information in tabular format about SSO settings:
Setting: The Setting column displays the SSO setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Use the Search setting to filter SSO Settings that display.
Configure SSO settings for Atlassian.
The following information is required to configure SSO with Atlassian:
Client ID
Client Secret
See an example in the following video showing how to configure Atlassian SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Atlassian SSO settings as necessary:
Enter your Atlassian client ID, and then click Save.
Enter your Atlassian client secret, and then click Save.
Configure general information about SSO settings.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO settings unless your user account has the Make this user a Super Admin setting selected.
Enable to display settings to log on using user credentials. When disabled, settings only display SSO log on options.
Follow these steps to enable display settings for standard log on:
Enable the Allow Standard Login toggle key. The following message displays: The setting was updated.
Enable whether SSO users should automatically register the first time that they log on.
Follow these steps to enable automatic registration:
Enable the Automatic Registration toggle key. The following message displays: The setting was updated.
Follow these steps to specify which user permissions to assign new users created via SSO:
Click Save. The following message displays: The setting was updated.
Follow these steps to select to which groups to assign users created via SSO:
Enable groups as necessary.
Click Save. The following message displays: The setting was updated.
Select a default SSO integration to allow users to be automatically redirected to the IDP Single Sign On log on page instead of displaying the normal Login page. When the user goes to the log on page, that user is redirected to the selected provider.
Follow these steps to enable default SSO Integration:
Select an SSO identity provider among:
Select the ProcessMaker SSO login option if you do not want an SSO identity provider as the default log on. This option ensures that LDAP users can verify accounts in ProcessMaker Platform. This option also helps you log on as an administrator while fixing SSO problems.
Click Save. The following message displays: The setting was updated.
Follow these steps to enable automatic registration:
Switch on the Debug Mode toggle key. The following message displays: The setting was updated.
Enable any of the following SSO identity providers as necessary:
The following message displays: The setting was updated.
Click the Search icon or press Enter. The SSO settings display that match your entered text.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon or switch on a toggle. See Configure SSO Settings.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
To generate or locate this information, refer to the .
From the list of SSO identity providers, select the Atlassian option. The SSO - Atlassian tab displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Atlassian developer console.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
Configure the following settings as necessary:
View your SSO Settings. The SSO tab displays.
View your SSO Settings. The SSO tab displays.
Specify which permissions to assign new users that are created via SSO:
View your SSO Settings. The SSO tab displays.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Select a collapsed permission category to expand the view of individual permissions within that category. Otherwise, select an expanded permission category to collapse that category.
Enable permissions as necessary. See for descriptions.
Select to which groups to assign users created via SSO.
View your SSO Settings. The SSO tab displays.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Click the Groups tab. All available groups display.
Copy to clipboard a JSON-formatted object of all assigned permissions and groups for users created via SSO.
Follow these steps to copy the permissions and groups for users:
View your SSO Settings. The SSO tab displays.
Click the Copy to Clipboard icon for the New User Default Config setting. The following message displays: The setting was copied to your clipboard.
View your SSO Settings. The SSO tab displays.
Click the Edit icon for the Default SSO Login setting. The Default SSO Login screen with the SSO identity providers displays.
Select whether detailed errors should be displayed. It is recommended to disable the debug mode in production servers.
View your SSO Settings. The SSO tab displays.
Select whether to enable single sign-on via identity providers to log on as necessary. The SSO identity provider options display on the screen.
View your SSO Settings. The SSO tab displays.
Configure SSO settings for Auth0.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to configure SSO with Auth0:
Client ID
Client Secret
Domain
To generate or locate this information, contact your Auth0 identity provider.
See an example in the following video showing how to configure Auth0 SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Auth0 SSO settings as necessary:
Configure your SSO Settings. From the list of SSO identity providers, select the Auth0 option. The SSO - Auth0 tab displays.
Enter your Auth0 client ID, and then click Save.
Enter your Atlassian client secret, and then click Save.
Enter your Auth0 domain, and then click Save.
Configure SSO settings for GitHub.
The following information is required to configure SSO with GitHub:
Client ID
Client Secret
See an example in the following video showing how to configure GitHub SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following GitHub SSO settings as necessary:
Enter your GitHub client ID, and then click Save.
Enter your GitHub client secret, and then click Save.
Configure SSO settings for Facebook.
The following information is required to configure SSO with Facebook:
App ID
App Secret
See an example in the following video showing how to configure Facebook SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Facebook SSO settings as necessary:
Enter your Facebook App ID, and then click Save.
Enter your Facebook app secret, and then click Save.
Use the copy icon to copy the URL from the Callback URL setting, and then provide it to your Auth0 identity provider.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Domain setting. The Domain screen displays.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
To generate or locate your GitHub client ID and client secret, refer to .
From the list of SSO identity providers, select the GitHub option. The SSO - GitHub tab displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your GitHub application settings.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
To generate or locate your Facebook app ID and app secret, refer to .
From the list of SSO identity providers, select the Facebook option. The SSO - Facebook tab displays.
Click the Edit icon for the App ID setting. The App ID screen displays.
Click the Edit icon for the App Secret setting. The App Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Facebook for Developers app.
Configure SSO settings for Keycloak.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to configure SSO with Keycloak:
Base URL
Client ID
Client Secret
Realm
To generate or locate this information, refer to Keycloak Server Administration.
See an example in the following video showing how to configure Keycloak SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Keycloak SSO settings as necessary:
Configure your SSO Settings. From the list of SSO identity providers, select the Keycloak option. The SSO - Keycloak tab displays.
Enter your Keycloak base URL, and then click Save.
Enter your Keycloak client ID, and then click Save.
Enter your Keycloak client secret, and then click Save.
Enter your Keycloak realm, and then click Save.
Configure SSO settings for Google.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to configure SSO with Google:
Client ID
Client Secret
To generate or locate your Google client ID and client secret, refer to Authentication overview - Google Cloud.
See an example in the following video showing how to configure Google SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Google SSO settings as necessary:
Configure your SSO Settings. From the list of SSO identity providers, select the Google option. The SSO - Google tab displays.
Enter your Google client ID, and then click Save.
Enter your Google client secret, and then click Save.
Configure SSO settings for Microsoft.
The following information is required to configure SSO with Microsoft:
Client ID
Client Secret
See an example in the following video showing how to configure Microsoft SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Microsoft SSO settings as necessary:
Enter your Microsoft client ID, and then click Save.
Enter your Microsoft client secret, and then click Save.
Click the Edit icon for the Base URL setting. The Base URL screen displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Realm setting. The Realm screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Keycloak Admin Console.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Google Web application settings.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
To generate or locate your Microsoft client ID and client secret, refer to .
From the list of SSO identity providers, select the Microsoft option. The SSO - Microsoft tab displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Microsoft application settings.
Configure SSO settings for SAML.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
The following information is required to configure SSO with SAML:
SSO endpoint
SSO identifier
SLO endpoint
Encryption type
Authentication context
Public certificate
Name ID format
To generate or locate this information, contact your SAML identity provider.
See an example in the following video showing how to configure SAML SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 6 minutes; contains narration
Note: The video demonstrates the procedure to configure SAML SSO using obsolete settings. The written form of this procedure uses the current settings.
Configure the following SAML SSO settings as necessary:
View your SSO Settings. From the list of SSO identity providers, select the SAML option. The SSO - SAML tab displays.
Click the SSO - SAML tab. The SSO - SAML settings display.
Enter the identity provider URL from which ProcessMaker retrieves the authentication response and validates it when establishing the SSO session. Your identity provider provides this URL.
Enter the URL that references the SAML XML file for your identity provider (IdP). Your identity provider provides this URL.
Enter the logout URL provided by your identity provider.
From the list of encryption types, select the encryption type your identity provider uses.
Use the Authentication Context toggle to indicate whether to send authentication context in the authorization request or not.
Enter the identity provider's certificate fingerprint by pasting it into this setting. Your identity provider provides this certificate. Ensure that you include the -----BEGIN CERTIFICATE----- header. ProcessMaker retrieves the authentication response and validates it using the identity provider's certificate fingerprint.
Click the browse button and then select the file containing your SAML certificate, if one is available from your identity provider.
Click the browse button and then select the file containing your SAML key, if one is available from your identity provider.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting field, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Enter the name identifier format supported by your SAML identity provider.
Use the copy icon to copy the URL from the ACS Url setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Entity ID (Metadata) setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Single Logout URL setting, and then provide it to your SAML identity provider.
Click the Edit icon for the SSO Endpoint setting. The SSO Endpoint screen displays.
Click the Edit icon for the SSO Identifier setting. The SSO Identifier screen displays.
Click the Edit icon for the SLO Endpoint setting. The SLO Endpoint screen displays.
Click the Edit icon for the Encryption Type setting. The Encryption Type screen displays.
Click the Edit icon for the Public Certificate setting. The Public Certificate screen displays.
Click the Edit icon for the File crt setting. The File crt screen displays.
Click the Edit icon for the File key setting. The File key screen displays.
Click the Edit icon for the User Matching setting. The User Matching screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Name ID Format setting. The Name ID Format screen displays.
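The Public Certificate setting above is the trust anchor for every SAML response, so it is worth checking the PEM text before pasting it. The following is an added example, not ProcessMaker code: it confirms that the text contains exactly one block with the -----BEGIN CERTIFICATE----- header and that its fingerprint matches the value your identity provider published through a separate channel. The function names, the choice of SHA-256, and the sample certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprint(pem_text: str) -> str:
    """Return the SHA-256 fingerprint (colon-separated hex) of the single
    certificate in pem_text. Raises ValueError when the header is missing,
    when several certificates are present, or when the body is not base64."""
    blocks = PEM_RE.findall(pem_text)
    if not blocks:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    if len(blocks) > 1:
        raise ValueError(f"expected one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())            # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Strip colons and whitespace; require exactly 64 hex digits."""
    hexed = re.sub(r"[\s:]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexed):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return hexed


def matches_expected(pem_text: str, expected_fingerprint: str) -> bool:
    """True only if the PEM's fingerprint equals the IdP-published value."""
    actual = normalize(pem_fingerprint(pem_text))
    return hmac.compare_digest(actual, normalize(expected_fingerprint))


# Constructed sample: stand-in bytes in place of a real DER certificate.
SAMPLE_DER = b"constructed stand-in for the IdP certificate DER bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("fingerprint:", pem_fingerprint(SAMPLE_PEM))
    published = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the IdP's value
    print("matches published value:", matches_expected(SAMPLE_PEM, published))
```
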
Copy an SSO configuration to the clipboard.
Copy an SSO configuration to the clipboard to use this information in another environment or for testing purposes.
The Auth package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to copy an SSO setting unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to copy an SSO configuration:
View your SSO Settings. The SSO tab displays.
Clear an SSO configuration to an empty value.
Clearing an SSO configuration setting cannot be undone.
Follow these steps to clear an SSO configuration setting:
Click the Copy to Clipboard icon for your SSO configuration. The following message displays: The setting was copied to your clipboard.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
View your SSO Settings. The SSO tab displays.
Click the Clear icon for your SSO configuration setting. The following message displays: The setting was updated.