SAML settings in Celonis Process Management Web
To set up SAML authentication in Celonis Process Management Web, proceed as follows.
To configure an Identity Provider, navigate to the respective storage (system administration, storage collection or storage), open the system settings and select the option "SAML settings". An Identity Provider configured here is valid for all underlying storages: in the case of the system administration it is valid for the complete application, and in the case of a storage collection it is valid for all storages contained in that collection. The settings for the Identity Provider are adjusted here.

Figure 27. Identity Provider

We need the following information from the Identity Provider:

- Metadata XML file of the Identity Provider (from AD FS). You can download it from your AD FS server, for example from https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
- Entity ID (also in the metadata), e.g. http://fs.example.com/adfs/services/trust. The Entity ID is an identifier, not an address, which is why AD FS lists it with an http scheme; enter it exactly as it appears in the metadata.
- SSO Service URL (also in the metadata), e.g. https://fs.example.com/adfs/ls. Please note that the https protocol is entered here, since the browser is actually redirected to this address.

Enter the Entity ID and SSO Service URL in the respective entry fields and upload the metadata XML.
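As an added example (not part of the Celonis documentation), the following PowerShell reads a downloaded FederationMetadata.xml and returns the Entity ID and SSO Service URL so that the values typed into the dialog match the metadata exactly. The file name, the https check and the trimmed sample metadata at the end are my own; a real AD FS file is much larger, is XML-signed and carries the signing certificate.

```powershell
# Added example, not part of the Celonis Process Management Web documentation.
# Reads an AD FS FederationMetadata.xml and returns the values the "SAML settings"
# dialog asks for. Download the real file first, e.g.
#   Invoke-WebRequest -Uri 'https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml' -OutFile .\FederationMetadata.xml

function Get-AdfsSamlSettings {
    param([Parameter(Mandatory)] [string] $MetadataPath)

    [xml] $doc = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'Not a SAML 2.0 EntityDescriptor' }
    # The Entity ID is an identifier, not an address; AD FS emits it with an http scheme
    # and the service provider must use it byte-for-byte as it appears here.
    $entityId = $entity.GetAttribute('entityID')

    $idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'Metadata has no IDPSSODescriptor (this is not an IdP)' }

    # The SSO Service URL is the endpoint the browser is redirected to, so it must be https.
    $ssoByBinding = @{}
    foreach ($sso in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        $binding = ($sso.GetAttribute('Binding') -split ':')[-1]   # HTTP-Redirect / HTTP-POST
        $ssoByBinding[$binding] = $sso.GetAttribute('Location')
    }
    $ssoUrl = if ($ssoByBinding['HTTP-Redirect']) { $ssoByBinding['HTTP-Redirect'] } else { $ssoByBinding['HTTP-POST'] }
    if (-not $ssoUrl) { throw 'No SingleSignOnService endpoint found' }
    if ($ssoUrl -notmatch '^https://') { throw "SSO Service URL is not https: $ssoUrl" }

    # Without a signing KeyDescriptor the service provider cannot verify assertion signatures.
    $signingKeys = $idp.SelectNodes('md:KeyDescriptor[@use="signing"]', $ns).Count
    if ($signingKeys -eq 0) { Write-Warning 'Metadata contains no signing certificate' }

    [pscustomobject]@{
        EntityId      = $entityId
        SsoServiceUrl = $ssoUrl
        SigningKeys   = $signingKeys
    }
}

# Constructed, heavily trimmed sample; a real file is signed and lists certificates and more endpoints.
$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://fs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fs.example.com/adfs/ls"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fs.example.com/adfs/ls"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@
$path = Join-Path $env:TEMP 'FederationMetadata.sample.xml'
Set-Content -Path $path -Value $sample -Encoding UTF8
Get-AdfsSamlSettings -MetadataPath $path
```

Running this against the constructed sample prints the Entity ID with its http scheme and the https SSO URL, plus a warning that the trimmed sample carries no signing certificate; against a real download the warning should not appear, and if it does the metadata is unusable for signature validation.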
1) For authentication in Celonis Process Management Web via SAML, the HTTPS binding is recommended. For administrative access by Ploetz + Zeller, a second HTTPS binding on port 4430 has to be set up. The following bindings should be configured in IIS:

Figure 28. Bindings

Web.config, base configuration (only Celonis Process Management Web 5.2/5.3/5.4): in the file Web.config, located in the Celonis Process Management Web master folder, the following SAML setting has to be activated; it is commented out by default:

    <add key="SymbioAuthenticationMode" value="SAML" />

Only Celonis Process Management Web 5.5-1807: for administrative access by Ploetz + Zeller via port 4430, the PZAdminLogin setting in the file Web.config (Celonis Process Management Web master folder) has to be changed from "false" to "true":

    <add key="SAML.PZAdminLogin" value="true" />

Furthermore, the Web.config defines which Active Directory user group is granted Administrator rights in Celonis Process Management Web by default:

    <add key="Automation.AdminUsers" value="SymbioCloudAdmins" />

Administrative access via https://sample.symbioweb.com/_sysadmin/_admin should now be possible. If not, check the firewall settings and create rules for ports 80, 443 and 4430; limit the rule for port 4430 to the addresses from which Ploetz + Zeller connects, since that binding exists only for their administrative access. If the browser does not redirect to Celonis Process Management Web automatically after the first login, open the page (https://sample.symbioweb.com/_sysadmin/_admin) again.
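The binding, Web.config and firewall steps above, as an added PowerShell example that is not part of the Celonis documentation. Assumptions, all mine: the IIS site is called "Default Web Site", the server certificate is selected by thumbprint, and the vendor's source address range for port 4430 is written as 203.0.113.0/24 (a documentation range); replace these with your own values. The Web.config helper is exercised against a constructed sample file so that part can be run without IIS.

```powershell
# Added example, not part of the Celonis Process Management Web documentation.
# Requires the WebAdministration and NetSecurity modules on the IIS server for the
# binding and firewall parts; the Web.config part runs anywhere.

function Set-AppSetting {
    # Sets <add key="..." value="..."/> under /configuration/appSettings of a Web.config.
    # If the key only exists inside an XML comment (the default for SymbioAuthenticationMode
    # in 5.2-5.4), the comment is dropped and a live element is written instead.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )
    [xml] $cfg = Get-Content -Path $Path -Raw
    $appSettings = $cfg.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw "No <appSettings> in $Path" }

    $existing = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($existing) {
        $existing.SetAttribute('value', $Value)
    } else {
        foreach ($c in @($appSettings.ChildNodes | Where-Object { $_.NodeType -eq 'Comment' -and $_.Value -match [regex]::Escape($Key) })) {
            [void] $appSettings.RemoveChild($c)
        }
        $add = $cfg.CreateElement('add')
        $add.SetAttribute('key', $Key)
        $add.SetAttribute('value', $Value)
        [void] $appSettings.AppendChild($add)
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup next to the file
    $cfg.Save($Path)
}

function Add-HttpsBinding {
    # Creates an HTTPS binding on the given port and attaches the server certificate
    # from the local machine store (WebAdministration IIS: drive).
    param(
        [string] $SiteName = 'Default Web Site',
        [Parameter(Mandatory)] [int] $Port,
        [Parameter(Mandatory)] [string] $CertThumbprint
    )
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$CertThumbprint"
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (-not (Test-Path $sslPath)) { New-Item -Path $sslPath -Value $cert | Out-Null }
}

function Add-FirewallRules {
    # 80/443 stay open to all clients; the 4430 admin binding is limited to the vendor's
    # source addresses (assumed range below) rather than to the whole internet.
    param([string[]] $AdminRemoteAddress = @('203.0.113.0/24'))
    New-NetFirewallRule -DisplayName 'Celonis PM Web HTTP/HTTPS' -Direction Inbound `
        -Protocol TCP -LocalPort 80, 443 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Celonis PM Web admin 4430' -Direction Inbound `
        -Protocol TCP -LocalPort 4430 -RemoteAddress $AdminRemoteAddress -Action Allow | Out-Null
}

# --- Web.config part, demonstrated on a constructed sample file ---
$sampleConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- <add key="SymbioAuthenticationMode" value="SAML" /> -->
    <add key="SAML.PZAdminLogin" value="false" />
  </appSettings>
</configuration>
'@
$webConfig = Join-Path $env:TEMP 'Web.config'
Set-Content -Path $webConfig -Value $sampleConfig -Encoding UTF8
Set-AppSetting -Path $webConfig -Key 'SymbioAuthenticationMode' -Value 'SAML'   # 5.2/5.3/5.4 only
Set-AppSetting -Path $webConfig -Key 'SAML.PZAdminLogin'        -Value 'true'   # 5.5-1807 only
Set-AppSetting -Path $webConfig -Key 'Automation.AdminUsers'    -Value 'SymbioCloudAdmins'
Get-Content -Path $webConfig

# --- IIS and firewall part: run on the web server in an elevated session ---
# Add-HttpsBinding -Port 443  -CertThumbprint '<thumbprint of the server certificate>'
# Add-HttpsBinding -Port 4430 -CertThumbprint '<thumbprint of the server certificate>'
# Add-FirewallRules
```

Apply only the Web.config keys that belong to your version, as the text above distinguishes them; the sample deliberately contains both so the helper's two paths (uncommenting a key, updating an existing one) are both exercised.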
Once the respective settings have been adjusted on the Identity Provider side, the website is available via the standard HTTPS binding of Celonis Process Management Web through this Identity Provider. Log in with a user who is a member of the administrator group Celonis Process Management CloudAdmins or, alternatively, with a user from the administrator group configured in step 4 (the Automation.AdminUsers setting in the Web.config). If you have already created other Celonis Process Management groups in your Active Directory, these are created and synchronized with the first login.

When an Active Directory user first logs on to Celonis Process Management Web, he is added with the role "Viewer" unless he is a member of the administrator group (i.e. Celonis Process Management CloudAdmins). If a user needs more rights, a Celonis Process Management administrator has to assign the respective user role to this user, for example the role "Author" for editor rights.
Notes
Authorization: The user roles of a user have to be managed by a Celonis Process Management administrator; membership in an AD group does not confer a role automatically, i.e. members of "Celonis Process Management Architects" do not automatically have the user role "Architect". Only members of the Celonis Process Management administrator group (i.e. Celonis Process Management CloudAdmins) receive the user role "Administrator" automatically.
User groups: If AD groups are not created in Celonis Process Management when a user logs in or out despite a configured claim rule, the most likely cause is that the scope of the AD group in Active Directory is not "Global" or "Universal". See also the Microsoft articles.
Figure 29. User Groups

If a user is a member of many user groups (more than about 50), this can degrade performance. This will be improved in the next version.

Login: If you notice a severe deterioration of performance the first time after switching to SAML (e.g. a login taking more than 20 seconds), certificate validation (chain building and revocation checking) may be taking longer on your web server, for example because of a virus scanner. You can check this by enabling CAPI2 logging.
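The three notes above translated into checks, as an added PowerShell example that is not part of the Celonis documentation. The group checks assume the ActiveDirectory module (RSAT) and that the Celonis groups are named with a "Celonis Process Management " prefix; the group count uses direct memberships only; the CAPI2 part runs on the web server in an elevated session. All names are my assumptions.

```powershell
# Added example, not part of the Celonis Process Management Web documentation.
# Diagnostics for the notes on group scope, group count and slow logins.

function Test-CelonisGroupScope {
    # Groups whose scope is neither Global nor Universal are not emitted by the AD FS group
    # claim, so the corresponding Celonis groups never appear after login. Lists the offenders.
    param([string] $NamePattern = 'Celonis Process Management *')   # assumed naming prefix
    Import-Module ActiveDirectory
    Get-ADGroup -Filter "Name -like '$NamePattern'" -Properties GroupScope |
        Where-Object { $_.GroupScope -notin 'Global', 'Universal' } |
        Select-Object Name, GroupScope, DistinguishedName
}

function Get-UserGroupCount {
    # Number of direct group memberships a user carries (memberOf); nested groups and the
    # primary group add to what actually lands in the assertion. The performance note applies
    # once this grows large.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Import-Module ActiveDirectory
    (Get-ADUser -Identity $SamAccountName -Properties memberOf).memberOf.Count
}

function Enable-Capi2Logging {
    # Turns on the CryptoAPI 2 operational log; slow certificate chain building or
    # revocation checks (CRL/OCSP fetches) show up there with the URL that stalled.
    wevtutil set-log 'Microsoft-Windows-CAPI2/Operational' /enabled:true
}

function Get-Capi2Errors {
    # Most recent CAPI2 errors, to see which certificate or revocation endpoint failed or timed out.
    param([int] $Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } -MaxEvents $Last |
        Select-Object TimeCreated, Id, Message
}

# Usage on a domain-joined admin workstation:
#   Test-CelonisGroupScope                      # should return nothing
#   Get-UserGroupCount -SamAccountName jdoe     # compare against the ~50 group note
# Usage on the web server (elevated):
#   Enable-Capi2Logging; <reproduce the slow login>; Get-Capi2Errors
```

Fixing a group reported by Test-CelonisGroupScope means changing its scope to Global or Universal in Active Directory; changing the claim rule alone does not help, because a domain-local group is not part of the claims AD FS can issue for the user.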