Summary: Ziflow supports Security Assertion Markup Language (SAML), which allows you to provide single sign-on to your users. The benefit of Single Sign-on (SSO) is that your users will be able to sign in to Ziflow by using your organization's default authentication system, such as Active Directory.

Where is this feature located: As an Administrator, you can configure SSO in the Settings menu.

Configuring SAML for your account:

  1. SSO type: list of supported SSO solutions: SAML 2.0 & Custom Social Connection

  2. Sign in URL: this is the URL Ziflow will invoke to redirect users to your Identity Provider.

  3. X509 Signing Certificate: the Identity Provider's signing certificate (public key), encoded in PEM or CER format

  4. Sign out URL: this is the URL Ziflow will return your users to after logging out.

  5. Binding protocol: The HTTP binding supported by the identity provider

  6. Enable/disable: Once enabled, your users will sign in using your organization's authentication system

    Once you've entered the information, we'll provide the required information you need for your Identity Provider:

  7. Callback URL: the target where the SAML response will be sent to

  8. Settings: the “audience” value, provided in case your Identity Provider requires it

  9. Backdoor SSO URL: log in using this URL in case of issues with the SAML connection.
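What Ziflow does with the Callback URL and audience once the Identity Provider posts a SAML response, as an added example that is not Ziflow's own code: the service-provider checks that follow signature verification, run on an already-parsed assertion (the parsed object shape, the placeholder URLs and all sample values are assumptions).

```javascript
// Added example, not Ziflow's code: the service-provider-side checks that the
// Callback URL and audience from this section exist for. After a SAML library has
// verified the response signature with the X509 signing certificate, the assertion's
// Destination/Recipient, AudienceRestriction, validity window and userName attribute
// are checked against what Ziflow displayed. `assertion` is assumed to be the parsed
// object such a library returns; all values below are constructed placeholders.
const CLOCK_SKEW_MS = 60 * 1000; // tolerate a minute of IdP/SP clock drift
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateAssertion(assertion, config, nowMs) {
  const problems = [];
  // Destination and Recipient must be exactly the Callback URL Ziflow provided.
  if (assertion.destination !== config.callbackUrl) problems.push('Destination is not our callback URL');
  if (assertion.recipient !== config.callbackUrl) problems.push('Recipient is not our callback URL');
  // AudienceRestriction must name the audience value shown under Settings.
  const audiences = Array.isArray(assertion.audiences) ? assertion.audiences : [];
  if (!audiences.includes(config.audience)) problems.push('audience ' + config.audience + ' missing');
  // Validity window: NotBefore is inclusive, NotOnOrAfter exclusive; allow skew.
  const notBefore = Date.parse(assertion.notBefore);
  const notOnOrAfter = Date.parse(assertion.notOnOrAfter);
  if (Number.isNaN(notBefore) || Number.isNaN(notOnOrAfter)) {
    problems.push('NotBefore/NotOnOrAfter missing or unparsable');
  } else {
    if (nowMs + CLOCK_SKEW_MS < notBefore) problems.push('assertion not yet valid');
    if (nowMs - CLOCK_SKEW_MS >= notOnOrAfter) problems.push('assertion expired');
  }
  // This page requires the userName attribute to be an email address.
  const attrs = assertion.attributes || {};
  if (!EMAIL_RE.test(String(attrs.userName || ''))) problems.push('userName attribute is not an email');
  return { ok: problems.length === 0, problems: problems };
}

// Constructed sample: placeholder values of the kind an admin copies from Ziflow's SSO settings.
const sampleConfig = {
  callbackUrl: 'https://example.ziflow.io/PLACEHOLDER-callback',
  audience: 'urn:auth0:PLACEHOLDER-tenant:PLACEHOLDER-connection',
};
const sampleAssertion = {
  destination: sampleConfig.callbackUrl,
  recipient: sampleConfig.callbackUrl,
  audiences: [sampleConfig.audience],
  notBefore: '2024-01-01T00:00:00Z',
  notOnOrAfter: '2024-01-01T00:05:00Z',
  attributes: { userName: 'alice@example.com' },
};
console.log(validateAssertion(sampleAssertion, sampleConfig, Date.parse('2024-01-01T00:01:00Z')));
```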

Additional information:

  • If a user accesses Ziflow through the default log-in page and tries to sign in, they will automatically be redirected to your account's personalized Ziflow sign-in page. Therefore, when SSO is enabled, logging in through your account's Ziflow sub-domain/domain is recommended.

  • The ATTRIBUTE userName must be an email address; if that does not work, please try user-name or user_name instead.

  • Single Sign-on (SSO) is available on the Enterprise Edition.

Please proceed with the following instructions:

  1. SSO configuration for Okta

  2. SSO configuration for Azure

  3. SSO configuration for G-Suite

  4. SSO configuration for OneLogin

  5. SSO with Custom Social Connection

Set up Single Sign-On (SSO) for G Suite

Summary: Here’s a step-by-step guide on how to configure SSO for your Ziflow account by creating a SAML app in Google Suite. It’s a convenient option if you use G Suite and haven’t implemented SSO yet.

With this method, you can configure basic SSO authentication without using a third-party service.

Configuring Google

  1. Sign in to https://admin.google.com/ with your G Suite account (please note that you need to be an administrator in your Google account).

  2. In the menu, select Apps > Web and Mobile apps > Add app > Add custom SAML app

  3. Enter the app name and upload an app avatar

  4. Copy the SSO URL and download the certificate

  5. Open Ziflow SSO settings (https://<yoursubdomain>.ziflow.io/#/settings/sso) and copy two values:
    - Callback URL
    - Entity ID

  6. Enter the values copied from Ziflow into your G Suite SSO configuration.

  7. Add the following attribute mapping:

  8. Turn on the Ziflow SSO service and add the required users/groups to the Ziflow SSO app:

Configuring Ziflow

  1. Open Ziflow SSO configuration (https://<yoursubdomain>.ziflow.io/#/settings/sso).

  2. Enter the SSO URL copied from Google (step 4) into the Sign In URL and Sign Out URL fields:

  3. Upload the downloaded certificate and turn on SSO:

At this point, both Google and Ziflow are configured, and users who are added on both sides should be able to authenticate with their corporate credentials. You can test this by going to https://<yoursubdomain>.ziflow.io/#/login and entering your email address. If SSO is configured correctly, you'll be redirected to the SSO login page, and after authenticating, you should be logged in to Ziflow:

Set up Single Sign-On (SSO) for OneLogin

Summary: Here’s a step-by-step guide on how to configure SSO for your Ziflow account by creating a SAML Connector app in OneLogin.

  1. Add SAML Custom Connector from the Applications tab.


  2. To generate the Callback URL on the Ziflow side, you may need to enter any placeholder website address, e.g. https://www.google.com/, into the Sign-in URL & Sign-Out URL fields (these fields will be updated with the correct data later on).


    Copy the Ziflow Callback URL to: ACS (Consumer) URL, ACS (Consumer) URL Validator & Login URL.


  3. Copy the audience from the Ziflow SSO configuration in Settings; copy only the value “urn:auth0….” into the “Audience (EntityID)” field on OneLogin.


  4. Change the SAML initiator to Service Provider.

  5. Set up the "email" parameter and make sure the Include in SAML assertion checkbox is ticked. Next, set the "email" parameter to the Email value.

  6. Navigate to the Users tab in OneLogin. Set up a user on OneLogin (the default values are fine). Please note that the email must match the Ziflow user who will be logging in. Apply the user to the application you just set up.

  7. Copy the SAML 2.0 endpoint URL and download the X.509 certificate in PEM format (from View Details).

  8. Paste the copied OneLogin URL into the Ziflow Sign-in URL and Sign-Out URL fields, upload the certificate downloaded in the last step, and turn on SSO.

  9. Try signing in to Ziflow. The email configured on the OneLogin side should be recognized by Ziflow, and the application should ask for your OneLogin credentials.


SSO with custom Social Connection

Select the Custom Social Connection type in the SSO type field, since the default value is SAML 2.0. Once this is done, you can start setting up the connection itself:

  1. Client ID - enter the client ID that allows Ziflow to establish a secure connection.

  2. Secret ID - enter the secret ID copied from your client's configuration.

  3. Authorization URL - URL that starts the authorization process and asks the user for a username/password.

  4. Token URL - URL that allows Ziflow to obtain a token for the user, using the response received after the user has authorized.

  5. Fetch user profile script - script that requests user information (email, first name, last name and local userId). Here's a standard script:

    The ATTRIBUTE userName must be an email address; if that does not work, please try user-name or user_name instead.

    //Start script
    function(accessToken, ctx, cb) {
        // Make a GET REST call to fetch the user information.
        // `request` is provided by the script sandbox; accessToken was granted by the /token endpoint.
        request.get({
            url: 'https://ziflow.auth0.com/userinfo',
            headers: {
                'Accept': 'application/json',
                'authorization': 'Bearer ' + accessToken
            }
        }, function(err, resp, body) {
            // If there's an error we leave the script
            if (err) return cb(err);
            if (resp.statusCode !== 200) return cb(new Error('userinfo returned HTTP ' + resp.statusCode));

            // Convert the response into JSON for easy parsing
            var abResponse = JSON.parse(body);

            // Map your profile into these fields; it is important that all fields are filled
            var profile = {
                user_id: abResponse.id,
                username: abResponse.username,
                given_name: abResponse.forename,
                family_name: abResponse.surname,
                email: abResponse.email
            };

            // Callback with the new profile
            cb(null, profile);
        });
    }

  6. Single Sign-On - on-off switch for enabling/disabling SSO as an authentication method.
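The mapping half of the standard script in step 5, written here as an added, testable example (not Ziflow's or the script sandbox's own code) that applies the userName / user-name / user_name fallback this page mentions; the userinfo field names come from the page's script, and everything else is an assumption.

```javascript
// Added example, not Ziflow's or the connection provider's code: the mapping half of
// the "fetch user profile" script from step 5, pulled into a pure function so the
// userName / user-name / user_name fallback this page describes can be checked offline.
// The userinfo field names (id, forename, surname, username, email) are the ones the
// page's script reads; everything else here is an assumption for illustration.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Return the first attribute holding a syntactically valid email address, or null.
// `email` is what the page's script reads; the rest is the fallback order the page advises.
function pickEmail(userinfo) {
  for (const key of ['email', 'userName', 'user-name', 'user_name']) {
    const value = userinfo[key];
    if (typeof value === 'string' && EMAIL_RE.test(value.trim())) {
      return value.trim().toLowerCase();
    }
  }
  return null;
}

// Build the profile object the script must return. The page stresses that every
// field is filled; a missing id or email is rejected outright rather than returned
// half-empty, because Ziflow matches the signed-in user on the email address.
function mapProfile(userinfo) {
  const email = pickEmail(userinfo);
  if (!email) throw new Error('no email-formatted value in userName, user-name or user_name');
  if (userinfo.id === undefined || userinfo.id === null || String(userinfo.id) === '') {
    throw new Error('userinfo response has no id for user_id');
  }
  return {
    user_id: String(userinfo.id),
    username: userinfo.username || email,
    given_name: userinfo.forename || '',
    family_name: userinfo.surname || '',
    email: email,
  };
}

// The script body in the shape the connection expects: fetch, then map.
// `request` is supplied by the script sandbox (as in the page's script); not called here.
function fetchUserProfile(accessToken, ctx, cb) {
  request.get({
    url: 'https://ziflow.auth0.com/userinfo',
    headers: { Accept: 'application/json', authorization: 'Bearer ' + accessToken },
  }, function (err, resp, body) {
    if (err) return cb(err);
    if (resp.statusCode !== 200) return cb(new Error('userinfo returned HTTP ' + resp.statusCode));
    let profile;
    try { profile = mapProfile(JSON.parse(body)); } catch (e) { return cb(e); }
    return cb(null, profile);
  });
}
```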
