SAML: Requirements for the Identity Provider
Active Directory (AD) link via SAML 2.0
The following chapter explains the synchronization of Active Directory users and groups. Synchronized users are not shown a login dialogue.
In Celonis Process Management Web, Active Directory users can be linked via SAML 2.0 so that they can log on to Celonis Process Management Web with their Windows user accounts, without users having to be set up manually in the Celonis Process Management Web user settings.
For this, configuration settings in Celonis Process Management Web as well as in the Active Directory Federation Services on your Active Directory server have to be adjusted.
The identity provider makes it possible for Celonis Process Management users to log in with authentication information provided by the identity provider:
Celonis Process Management is the Service Provider here.
Identity Provider can be Active Directory Federation Services, for example.
Celonis Process Management Web authenticates against the identity provider via the browser; the identity provider and Celonis Process Management Web do not need to be able to reach each other directly.
Communication takes place via the browser, which has access to both networks.
The following picture shows the authentication process:

Claims
The following information is needed:
With access to Celonis Process Management Web
If you already have access to Celonis Process Management Web, you can download the metadata directly from Celonis Process Management Web.
If your storage address is https://sample.symbioweb.com/storagecollection/storage, call up the following URL to get the metadata for Celonis Process Management Web as Service Provider:
https://sample.symbioweb.com/storagecollection/storage/Master/viewer/1031/Public/ServiceProviderFederationMetadata
Without access to Celonis Process Management Web
In this case the XML file with the metadata for Celonis Process Management Web as Service Provider has to be generated as follows (the `ds:Signature` element is inserted where the comment indicates):

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="http://symbioworld.com/web">
  <!-- insert ds:Signature element -->
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIFFTCCA/2gAwIBAgIMD4M0XYx9yvHdeWJkMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTAwLgYDVQQDEydHbG9iYWxTaWduIENvZGVTaWduaW5nIENBIC0gU0hBMjU2IC0gRzIwHhcNMTYwNjEwMTIwOTA2WhcNMTgwNzEzMTQxMDEzWjCBjzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjERMA8GA1UEBxMIQXNjaGhlaW0xHTAbBgNVBAoTFFBsb2V0eiArIFplbGxlciBHbWJIMR0wGwYDVQQDExRQbG9ldHogKyBaZWxsZXIgR21iSDEeMBwGCSqGSIb3DQEJARYPaW5mb0BwLXVuZC16LmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukQ+V/tNuElc0qWEaiMEedhTJmx7VsBs6/st74vnbhntK0XxW3oiBMoPDGZkcXHKCiVAIBfNNQvxeSTcZpzUcwf5r1lor8lXoAQTrJNArxe69nLKkjva2+3Ugfo0JgT+C9G197GuJFdqOYW58QMiO2i2TeenCVffotkNm1uPSLtISz3nYW3D1W1hGpTn/90u89vRedT/mVNfB3kvS6HBRFbakA1UvFdEjlnGbN/AhjgEx97v5LquictZy+xUpQ2OuOF6f5ZYuCFa3t4vEfOMOSTNEqNQYrvbJp9Uh5mDlv1L2uRRIRhy38XgN5824mSvVJMbzmLeA6MpQQ+YSC+hnwIDAQABo4IBozCCAZ8wDgYDVR0PAQH/BAQDAgeAMIGQBggrBgEFBQcBAQSBgzCBgDBEBggrBgEFBQcwAoY4aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Njb2Rlc2lnbnNoYTJnMi5jcnQwOAYIKwYBBQUHMAGGLGh0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9nc2NvZGVzaWduc2hhMmcyMFYGA1UdIARPME0wQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATAJBgNVHRMEAjAAMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3MvZ3Njb2Rlc2lnbnNoYTJnMi5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFKE6dalLVKEktsj83r4Dw359M0d3MB8GA1UdIwQYMBaAFBlKuFrkTTGlFOVe7C+jHPqAjDJrMA0GCSqGSIb3DQEBCwUAA4IBAQA7Tc3y8IcUafCa8kH6ZRe3lqAuwFKX4AH16JKgobktIS8VOZMol0F6mLEyIjOcOOuZik3eeJm9yhCNeBgWMujI5H0tXp7g4LfpY6PNUUs9naFL0HPeVtDb6ECR
tj7PfhOIS9b3qsLFTf0Orx63Gl7zW4/H0NbaN4oyW0cydfuyfYVYk1l8SPuXFs+EJC2u9ilLNk8L7Z1yNE7xEVQvYb1UPvUGP5InNf28/xL0WWIuNO7Ez22FF6ABKtsM7V5eAhLpJM6TWk3NUpGshSmi/Ai4DHlJfHSxJl3xapTJ+w8VV5ZIWaqAQD5uapu1472FJy9HyvOPxzhPtGTZtp7NWHrM
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService isDefault="true" index="0"
                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sample.symbioweb.com" />
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="de">Ploetz + Zeller GmbH</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="de">Ploetz + Zeller GmbH</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="de">http://www.p-und-z.de</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="other">
    <md:SurName>Ploetz + Zeller Administrator</md:SurName>
    <md:EmailAddress>mailto:administrator@p-und-z.de</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```
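Before handing Service Provider metadata to the AD FS administrator it is worth checking the handful of settings in it that matter for security. The following Python script is an added example for this page, not code from Celonis or from the original documentation: it parses metadata of the shape shown above and reports when `WantAssertionsSigned` is not `true`, when an `AssertionConsumerService` location is not HTTPS, or when the signing certificate does not decode to DER. The embedded sample metadata is constructed for the example; the `entityID` and the `sample.symbioweb.com` host come from the text, and a placeholder stands in for the real certificate.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Placeholder certificate for the example: base64 of a tiny DER SEQUENCE,
# not a real X.509 certificate (the real signing certificate would go here).
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample with the same structure as the Celonis SP metadata.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="http://symbioworld.com/web">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                      protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sample.symbioweb.com" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text: str) -> list:
    """Return a list of findings for SP metadata; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("entityID is missing")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no md:SPSSODescriptor element"]

    if SAML2_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
        findings.append("SPSSODescriptor does not advertise SAML 2.0 protocol support")

    # The SP must insist on signed assertions; otherwise an unsigned assertion
    # posted to the ACS would be accepted as a login.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true")

    # The browser posts the assertion to this URL, so it must be HTTPS.
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        findings.append("no AssertionConsumerService endpoint")
    for acs in acs_list:
        location = acs.get("Location", "")
        if urlparse(location).scheme != "https":
            findings.append(f"AssertionConsumerService Location is not https: {location!r}")

    # A KeyDescriptor without a 'use' attribute counts for signing as well.
    # The certificate must be base64 of a DER SEQUENCE (first tag byte 0x30).
    signing = [k for k in sp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    if not signing:
        findings.append("no signing KeyDescriptor")
    for kd in signing:
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:
            der = b""
        if not der or der[0] != 0x30:
            findings.append("signing certificate is not base64-encoded DER")
    return findings


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA) or "all checks passed")
```

Run it against the downloaded or hand-written FederationMetadata.xml by reading the file into `check_sp_metadata`; any non-empty result should be resolved before the metadata is imported into AD FS.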
AD FS: Active Directory Federation Services
You need to import the FederationMetadata.xml which you have downloaded or created yourself into your Active Directory Federation Services under trust relations (relying party trusts), to tell your AD FS to create a trust relation with us, http://symbioworld.com/web (Entity ID of Celonis Process Management).
Furthermore, claim rules for group memberships and groups have to be set so that Active Directory user groups (e.g. CelonisCloudAdmins, CelonisAuthors, CelonisArchitects) are created automatically in Celonis Process Management Web and can be used there.
Exemplary rule for group memberships

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
```
Exemplary rule for groups

```
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)symbio"] => issue(claim = c);
```

This means only AD groups whose name contains "symbio" as a substring (case-insensitively, because of the `(?i)` flag) are considered.
The sequence of the rules should look like this:
Pos. | Rule | Type | Claims |
---|---|---|---|
1 | Group Memberships | Custom Rule | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value); |
2 | Groups | Custom Rule | c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)symbio"] => issue(claim = c); |
3 | Basic Claim Rule | Send LDAP Attributes as Claims | (LDAP attribute mapping; shown only as screenshots in the original) |
4 | Office Address | Send LDAP Attributes as Claims | (LDAP attribute mapping; shown only as a screenshot in the original) |
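To see how rules 1 and 2 chain, here is a constructed simulation in Python. It is an added example for this page, not AD FS code, and the account and group names in it are invented: rule 1 looks up the account's `tokenGroups` in a stand-in for the "Active Directory" attribute store and adds one Group claim per group to the pipeline (nothing is issued yet), and rule 2 issues only the Group claims whose value matches the regular expression, using the same unanchored, case-insensitive matching that the `=~` operator with `(?i)` performs. The example also makes the caveat visible: with the `(?i)symbio` filter from the rule above, a group such as `CelonisAuthors` is not passed on, so the pattern has to fit the naming convention actually used for the groups.

```python
import re

WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed stand-in for the "Active Directory" attribute store: tokenGroups
# of an account is its (transitive) group membership. All names are invented.
TOKEN_GROUPS = {
    "CORP\\jdoe": ["Domain Users", "CelonisAuthors", "SymbioArchitects", "VPN-Users"],
    "CORP\\asmith": ["Domain Users", "symbio-readers", "Finance"],
    "CORP\\svc_build": ["Domain Users", "Build-Agents"],
}


def rule_group_memberships(claims):
    """Rule 1: for each windowsaccountname claim from AD AUTHORITY, add one Group
    claim per tokenGroups entry to the pipeline. 'add' does not issue anything."""
    added = []
    for claim in claims:
        if claim["type"] == WINDOWS_ACCOUNT_NAME and claim["issuer"] == "AD AUTHORITY":
            for group in TOKEN_GROUPS.get(claim["value"], []):
                added.append({"type": GROUP_CLAIM, "value": group, "issuer": "AD AUTHORITY"})
    return claims + added


def rule_groups(claims, pattern=r"(?i)symbio"):
    """Rule 2: issue only Group claims whose value matches the regex.
    re.search mirrors the unanchored matching of the =~ operator."""
    regex = re.compile(pattern)
    return [c for c in claims if c["type"] == GROUP_CLAIM and regex.search(c["value"])]


def issued_groups(account, pattern=r"(?i)symbio"):
    """Run both rules in sequence for one account and return the issued group names."""
    incoming = [{"type": WINDOWS_ACCOUNT_NAME, "value": account, "issuer": "AD AUTHORITY"}]
    pipeline = rule_group_memberships(incoming)
    return [c["value"] for c in rule_groups(pipeline, pattern)]


if __name__ == "__main__":
    for account in TOKEN_GROUPS:
        print(account, "->", issued_groups(account))
    # A hypothetical pattern that also admits the Celonis-prefixed groups:
    print("CORP\\jdoe with ^(symbio|celonis) ->",
          issued_groups("CORP\\jdoe", r"(?i)^(symbio|celonis)"))
```

The order matters: the Groups rule can only filter claims that the Group Memberships rule has already added to the pipeline, which is why rule 1 precedes rule 2 in the table above.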