
SAML Settings

Configure SSO settings for SAML.

Configure SSO SAML Settings

The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.

Notice to ProcessMaker Administrators

Enhance security for your ProcessMaker instance by following these best practices. These best practices include requiring all ProcessMaker users to log on to your ProcessMaker instance via Single Sign-On (SSO), OAuth, Okta and/or two-factor authentication.
To configure SSO with SAML, the following information is needed:
  • SSO endpoint
  • SSO identifier
  • SLO endpoint
  • Encryption type
  • Authentication context
  • Public certificate
  • Name ID format
To generate or locate this information, contact your SAML identity provider.
See an example in the following video showing how to configure SAML SSO settings.
  • Intended audience: System administrators and Process designers
  • Viewing time: 6 minutes; contains narration
  • Note: The video demonstrates the procedure to configure SAML SSO using obsolete settings. The written form of this procedure uses the current settings.
SAML SSO configuration
Configure the following SAML SSO settings as necessary:
  1. Configure your SSO Settings. From the list of SSO identity providers, select the SAML option. The SSO - SAML tab displays.
  2. Use the copy icon to copy the URL from the ACS Url setting, and then provide it to your SAML identity provider.
  3. Use the copy icon to copy the URL from the Entity ID (Metadata) setting, and then provide it to your SAML identity provider.
  4. Use the copy icon to copy the URL from the Single Logout URL setting, and then provide it to your SAML identity provider.
  5. Click the Edit icon for the SSO Endpoint setting. The SSO Endpoint screen displays.
  6. Enter the identity provider URL from which ProcessMaker retrieves the authentication response and validates it when establishing the SSO session. Your identity provider provides this URL.
  7. Click the Edit icon for the SSO Identifier setting. The SSO Identifier screen displays.
  8. Enter the URL that references the SAML XML file for your identity provider (IdP). Your identity provider provides this URL.
  9. Click the Edit icon for the SLO Endpoint setting. The SLO Endpoint screen displays.
  10. Enter the logout URL provided by your identity provider.
  11. Click the Edit icon for the Encryption Type setting. The Encryption Type screen displays.
  12. From the list of encryption types, select the encryption type your identity provider uses.
  13. Use the Authentication Context toggle to indicate whether or not to send authentication context in the authorization request.
  14. Click the Edit icon for the Public Certificate setting. The Public Certificate screen displays.
  15. Enter the identity provider's certificate fingerprint by pasting it into this setting. Your identity provider provides this certificate. Be sure to include the -----BEGIN CERTIFICATE----- header. ProcessMaker retrieves the authentication response and validates it using the identity provider's certificate fingerprint.
  16. Click the Edit icon for the File crt setting. The File crt screen displays.
  17. Click the browse button and then select the file containing your SAML certificate, if one is available from your identity provider.
  18. Click the Edit icon for the File key setting. The File key screen displays.
  19. Click the browse button and then select the file containing your SAML key, if one is available from your identity provider.
  20. Click the Edit icon for the User Matching setting. The User Matching screen displays.
  21. Click the Add button. An empty row displays.
  22. In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
  23. In the SAML Attribute setting, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
  24. Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
  25. Click Save. The following message displays: The setting was updated.
  26. Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
  27. Click the Add button. An empty row displays.
  28. In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
  29. In the SAML Attribute setting, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
  30. Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
  31. Click Save. The following message displays: The setting was updated.
  32. Click the Edit icon for the Name ID Format setting. The Name ID Format screen displays.
  33. Enter the name identifier format supported by your SAML identity provider.