Summary: Ziflow supports Secure Assertion Markup Language (SAML), which allows you to provide single sign-on to your users. The benefit of Single Sign-on (SSO) is that your users can sign in to Ziflow by using your organization's default authentication system, such as Active Directory.

Where is this feature located: As an Administrator, you can configure SSO in the Settings menu.

Configuring SAML for your account:

Configuring SAML for your Ziflow account

SSO type: list of supported SSO solutions: SAML 2.0 & Custom Social Connection.
Sign in URL: this is the URL Ziflow will invoke to redirect users to your Identity Provider.
X509 Signing Certificate: Identity Provider public key encoded in PEM or CER format.
Sign out URL: this is the URL Ziflow will return your users to after logging out.
Binding protocol: The HTTP binding is supported by the identity provider.
Email mapping: this is the attribute of the user email address in your SSO provider. The default option provides the claim URI for the 'emailaddress' attribute. You can also choose the custom domain mapping option to provide your own attribute mapping.
Enable/disable: Once enabled, your users will sign in using your organization's authentication system.

Once you've entered the information, we'll provide the required information you need for your Identity Provider:
1. Callback URL: the target to which the SAML response will be sent to. This URL is sometimes called an ACS (Assertion Consumer Service).
2. Settings: if required, the “audience” information is provided.
3. Backdoor SSO URL: log in using this URL in case of issues with the SAML connection.

Additional information:

If a user accesses Ziflow through the default log-in page and tries to sign in, they will automatically be redirected to your account's personalized Ziflow sign-in page. Therefore, when SSO is enabled, logging in through your account's ZIflow sub-domain/domain is recommended.
When invited to an SSO-enabled account, users no longer need to provide their Ziflow system password for account verification. The verification process is automated in the background, making it easier for users to join SSO-enabled tenants.

If the SSO is enabled in your account, users will see an SSO button on the first authentication screen.
ATTRIBUTE userName must be an email, if it doesn't work, please try user-name or user_name.
If you require an entity ID attribute to generate an SSO certificate, please copy the ID at the end of your Callback (ACS) URL.

Single Sign-on (SSO) is available in the Enterprise Edition.

Please proceed with the following instructions:

SSO configuration for Okta
SSO configuration for Azure
SSO configuration for G-Suite
SSO configuration for OneLogin
SSO with Custom Social Connection

Set up Single Sign-On (SSO) for G Suite

Summary: Here’s a step-by-step guide on configuring SSO for your Ziflow account by creating a SAML app in Google Suite. It’s a convenient option if you use G Suite and haven’t implemented SSO yet.

With this method, you can configure basic SSO authentication without using a third-party service.

Configuring Google

Sign in to https://admin.google.com/ with your G Suite account (please note that you need to be an administrator in your Google account).
In the menu, select Apps > Web and Mobile apps -> Add app -> Add custom SAML app.
Enter the app name and upload the app avatar.
Copy the SSO URL and download a certificate.
Open Ziflow SSO settings (https://<yoursubdomain>.ziflow.io/#/settings/sso) and copy two values:
- Callback URL
- Entity ID
Enter values copied from Ziflow into your SSO G Suite configuration.
Add the following attribute mapping:
Turn on the Ziflow SSO service and add needed users/groups to the Ziflow SSO app:

Configuring Ziflow

Open Ziflow SSO configuration (https://<yoursubdomain>.ziflow.io/#/settings/sso).
Enter copied SSO URL from Google (paragraph nr 4) into Sign In URL and SignOut URL fields:
Upload the downloaded certificate and turn on SSO:

At this point, both Google and Ziflow are configured, and users who are added on both sides should be able to authenticate with their corporate credentials. You can test this by going to https://<yoursubdomain>.ziflow.io/#/login and entering your email address. If SSO is configured correctly, you'll be redirected to the SSO login page, and after authenticating, you should be logged in to Ziflow:

Set up Single Sign-On (SSO) for OneLogin

Summary: Here’s a step-by-step guide on configuring SSO for your Ziflow account by creating a SAML Connector app in OneLogin.

Add SAML Custom Connector from the Applications tab.
To generate the Callback URL on the Ziflow side, you may need to enter any website address e.g. https://www.google.com/ into the Sign-in URL & Sign-Out URL fields (these fields will be updated with correct data later on).

Copy Ziflow Callback URL to: ACS (Consumer) URL, ACS (Consumer) URL Validator & Login URL.
Copy the audience from the Ziflow Settings in the configuration for SSO; only copy the value “urn:auth0….” into the “Audience (EntityID)” field on OneLogin.
Change SAML initiator to Service Provider.
Set up the "email" parameter and ensure to flag Include in the SAML assertion checkbox. Next, set the "email" parameter to the Email value.
Navigate to the Users tab in One Login. Set up a User on OneLogin (default values are okay). Please note that the email must match the user on Ziflow logging in. Apply to the application you just set up.
Copy SAML 2.0 endpoint URL and download PEM x509 certificate (from view details).
Fill in the copied OneLogin URL to the Ziflow Sign-in URL and Sign-Out URL also upload the downloaded certificate from the last step, and turn on SSO.
Try signing into Ziflow. Email configured on the OneLogin side should be recognized by Ziflow, and the application should ask for OneLogin credentials.

SSO with custom Social Connection

Select Custom Social Connection type from the SSO field since the default value is set to SAML 2.0. Once this is done, you can start setting up the connection itself:

Client ID - enter the client's ID to allow Ziflow to establish a secure connection.
Secret ID - enter a copied secret ID from your client's configuration.
Authorization URL - URL that starts the authorization process and asks the user for a username/password.
Token URL - URL that allows Ziflow to get the token for the user using the response we receive from the user authorizing.

Fetch user profile script - script that requests user information (email, first name, last name, and local userId). Here's a standard script:

ATTRIBUTE userName must be an email, if it doesn't work, please try user-name or user_name

//Start script 
function(accessToken, ctx, cb) {
  //make GET REST call to get user information request.get({
    url: 'https://ziflow.auth0.com/userinfo', 
        headers: {
       'Accept': 'application/json', 
        authorization: 'Bearer ' + accessToken 

//Using accessToken granted from /token endpoint
 }
 }, function(err, resp, body) {
    var profile = {}; 

   //If there's an error we leave the script 
     if (err) return cb(err);
     if (resp.statusCode !== 200) return cb(new Error(resp)); 

//Convert the response into JSON for easy parsing
     var abResponse = JSON.parse(body); 

//Convert your profile into these fields, important all fields are filled 
    var profile = {
    user_id: abResponse.id,
    username: abResponse.username,
    given_name: abResponse.forename,
    family_name: abResponse.surname,
    email: abResponse.email, };

 //Callback with the new profile cb(null, profile);
 });
}

Single Sign-On - on-off switch for enabling/disabling SSO as an authentication method.

SCIM provisioning with Okta

Two-Factor Authentication (2FA) for Ziflow