Integrate SAML with SSO for Process Discovery

With SSO enabled, users can securely sign in to Process Discovery with the same credentials they use in other applications, such as Microsoft 365 Outlook or Microsoft 365. Users no longer need to create separate credentials to access Process Discovery, and customer administrators can manage employee access to Process Discovery as needed.

Single sign-on (SSO) with the Security Assertion Markup Language (SAML) v2.0 protocol requires the identity provider and the application or service provider (Process Discovery) to exchange authentication credentials with each other.

SAML integration overview

Use SAML v2.0 protocol to enable single sign-on in your Process Discovery tenant with your corporate identity provider.

These are prerequisites to enable SAML configuration in Process Discovery:
  • Set up SAML in Process Discovery and in the identity provider at the same time.
  • Refer to the identity provider's documentation for instructions on adding a SAML application, such as Process Discovery.
  • Ensure you add users to your directory in the source identity provider. Typically, a user directory already exists for your organization.

Required user details

Users must provide the following details to facilitate the SSO integration with your Process Discovery tenant:
  • Process Discovery tenant URL: URL used by customers to log into and access Process Discovery.
  • Process Discovery admin account: email address of a Process Discovery admin that will also be used as the SAML admin.
  • IDP Issuer: issuer URI from the IdP.
  • IDP Certificate (X.509 certificate): file representing the IDP certificate.
  • IDP Single Sign-On URL: sign-on URL from the IdP.
  • IDP Metadata URL: location of the IdP's metadata for automatic renewal of the signing certificate.
  • Required Process Discovery issuer: on request, the following issuer will be added: https://saml.fiq-process-intelligence.com/

After the customer IdP SSO integration is created within Process Discovery, the following Service Provider (SP) details can be provided on request:
  • Single sign-on URL
  • Recipient URL
  • Destination URL
  • Audience restriction
  • Default relay state

Integration details

Once a customer tenant is successfully configured with SAML integration, note the following:
  • This configuration will provide SSO integration via SAML for the Process Discovery web app. However, this does not include integration into Privacy Enhanced Gateway (PEG).
  • Any users created prior to the transition to SAML will need to be transitioned to SAML-enabled users. Customers are required to provide a list of these users when requesting SAML integration.
  • All new user accounts will be automatically created with SAML integration.
  • Process Discovery does not support multiple IdPs per tenant.
  • Individual accounts can be reverted to traditional (non-SAML) login accounts. To start this process, the customer must create a support ticket that includes these details:
    • Process Discovery tenant URL
    • List of user emails that should be reverted to non-SAML logins.

FAQs

The following FAQs cover common queries related to this topic:

What is SAML?
Security Assertion Markup Language (SAML) is an open standard for exchanging identity authentication data between an identity provider and an application or service provider such as Process Discovery.
What is SSO?
Single sign-on (SSO) is an identity authentication system that allows users to access multiple applications by using one set of credentials.
What are the three main entities involved in single sign-on?
Application or service provider: The application or service provider to be enabled with single sign-on. In this use case, the application or service provider is Process Discovery.
Identity Provider (IdP): An identity provider authenticates and manages the identities of users. Process Discovery supports all IdPs that support standard implementations of the SAML v2.0 specification.
A user: A person whose credentials are authenticated by the identity provider. The account credentials include an email address with a domain used in both the application and the identity provider. For example, user.name@automationanywhere.com.
Which identity claims does Process Discovery require from the IdP?
  • First name
  • Last name
  • Email
Does Process Discovery support Single Log Out (SLO)?
SLO is not supported. Only SP-initiated SSO is supported.