Summary: Ziflow supports Secure Assertion Markup Language (SAML), which allows you to provide single sign-on to your users. The benefit of Single Sign-on (SSO) is that your users will be able to sign in to Ziflow by using your organization's default authentication system, such as Active Directory.

Where is this feature located: As an Administrator, you can configure SSO in the Settings menu.

Configuring SAML for your account:

  1. SSO type: list of supported SSO solutions: SAML 2.0 & Custom Social Connection

  2. Sign in URL: this is the URL Ziflow will invoke to redirect users to your Identity Provider.

  3. X509 Signing Certificate: Identity Provider public key encoded in PEM or CER format

  4. Sign out URL: this is the URL Ziflow will return your users to after logging out.

  5. Binding protocol: The HTTP binding supported by the identity provider

  6. Enable/disable: Once enabled, your users will sign in using your organization's authentication system

    Once you've entered the information, we'll provide the required information you need for your Identity Provider:

  7. Callback URL: the target where the SAML response will be sent to

  8. Settings: if required the “audience” information is provided

  9. Backdoor SSO URL: log in using this URL in case of issues with the SAML connection.

Additional information:

  • If a user accesses Ziflow through the default log-in page and tries to sign in, they will automatically be redirected to your account's personalized Ziflow sign-in page. Therefore, when SSO is enabled, logging in through your account's ZIflow sub-domain/domain is recommended.

  • Single Sign-on (SSO) is available on the Enterprise Edition

Please proceed with the following instructions:

  1. SSO configuration for Okta

  2. SSO configuration for Azure

  3. SSO configuration for G-Suite

  4. SSO configuration for OneLogin


Set up Single Sign-On (SSO) for G Suite

Summary: Here’s a step-by-step guide on how to configure SSO for your Ziflow account by creating a SAML app in Google Suite. It’s a convenient option if you use G Suite and haven’t implemented SSO yet.

With this method, you can configure basic SSO authentication without using a third-party service.

Configuring Google

  1. Sign in to https://admin.google.com/ with your G Suite account (please note that you need to be an administrator in your Google account).

  2. In the menu, select Apps > Web and Mobile apps -> Add app -> Add custom SAML app

  3. Enter app name and upload app avatar

  4. Copy SSO URL and download a certificate

  5. Open Ziflow SSO settings (https://<yoursubdomain>.ziflow.io/#/settings/sso) and copy two values:
    - Callback URL
    - Entity ID

    2021-07-08_09h56_39

  6. Enter values copied from Ziflow into your SSO G Suite configuration.

    entity ID

  7. Add following attribute mapping:

    mapping

  8. Turn on the Ziflow SSO service and add needed users/groups to the Ziflow SSO app:

Configuring Ziflow

  1. Open Ziflow SSO configuration (https://<yoursubdomain>.ziflow.io/#/settings/sso).

  2. Enter copied SSO URL from Google (paragraph nr 4) into Sign In URL and SignOut URL fields:

  3. Upload downloaded certificate and turn on SSO:

At this point, both Google and Ziflow are configured, and users who are added on both sides should be able to authenticate with their corporate credentials. You can test this by going to https://<yoursubdomain>.ziflow.io/#/login and entering your email address. If SSO is configured correctly, you'll be redirected to the SSO login page, and after authenticating, you should be logged in to Ziflow:


sso

Set up Single Sign-On (SSO) for OneLogin

Summary: Here’s a step-by-step guide on how to configure SSO for your Ziflow account by creating a SAML Connector app in OneLogin.

  1. Add SAML Custom Connector from the Applications tab.


  2. In order to generate the Callback URL on the Ziflow side, you may need to enter any website address eg. https://www.google.com/ into the Sign-in URL & Sign-Out URL fields (these fields will be updated with correct data later on).


    Copy Ziflow Callback URL to: ACS (Consumer) URL, ACS (Consumer) URL Validator & Login URL.


  3. Copy the audience from the Ziflow Settings in configuration for SSO, only copy the value “urn:auth0….” into the “Audience (EntityID)” field on OneLogin.


  4. Change SAML initiator to Service Provider.

  5. Setup the "email" parameter and ensure to flag Include in SAML assertion checkbox. Next, set the "email" parameter to the Email value.

  6. Navigate to the Users tab in One Login. Setup a User on OneLogin (default values are ok). Please note that the email must match the user on Ziflow logging in. Apply to the application you just set up.

  7. Copy SAML 2.0 endpoint URL and download PEM x509 certificate (from view details).

  8. Fill in copied OneLogin URL to Ziflow Sign-in URL and Sign-Out URL, also upload the downloaded certificate from the last step and turn on SSO.

  9. Try signing into Ziflow. Email configured on the OneLogin side should be recognized by Ziflow, and the application should ask for OneLogin credentials.

Did this answer your question?