Skip to main content

Celonis Product Documentation

Security Assertion Markup Language (SAML)

The protocol SAML is used by many customers of EMS to provide Single Sign-On functionality to their team members.

SAML JIT complements a SAML SSO setup with user provisioning and automated permission assignment via groups.

What is SAML?

Security Assertion Markup Language (SAML) is a solution for exchanging user security information between an SAML identity provider and a SAML service provider ( XMLbased) and a protocol for Single Sign On.

The user with a user agent (web browser) requests a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the user, issues an authentication request to a SAML identity provider through the user agent. The identity provider is the one that provides the user credentials. The service provider trusts the user information from the identity provider to provide access to its services or resources.

17924137.png
How to set up SAML SSO with Celonis EMS

If you as a team admin wish to configure Single Sign-on (SAML) for your team, please perform the following steps:

35554665.png

Note

Please make sure that the SAML ID provider passes the attribute "email" to Celonis with the user's email address as a value. EMS will compare the value of the attribute "email" with the users in its user database. If this user exists (with the same email address) in the requesting team, EMS will grant him or her access after a successful login on the IdP side.

  1. Go to Team-Settings > Single Sign-On

  2. Click Add SSO Provider and choose SAML.

  3. Set a name for the connection

  4. Optional: Disable max. Authentication Life Time validation or set to a custom value

  5. Optional: Enable use of the default service provider (SP) entity identifier. Also, enable this if the SAML name identifier provided by your identity provider is not a valid URI (e.g. http:// is missing)

  6. Upload Metadata XML File

  7. Click Save. This will save the new configuration but not activate it immediately for the team.

Note

If you change any of these settings, you need to delete the profile and recreate it.

Activating a new SAML SSO provider

To activate a login provider click the radio button for the configuration you would like to activate. Once you activate the new login provider, all users with active sessions will be logged out and will have to re-authenticate using the new login method.

Currently, there is no possibility of test a new SAML configuration upfront before activating it.

Activation alert for SAML provider configuration
Acquiring Service Provider metadata

The SP metadata file for quick configuration on the IdP is available for download in the SAML configuration in Admin and Settings.

Warning

You can download the SP metadata file once the IdP metadata file is uploaded.

If your Identity Provider supports it, you can also use the metadata URL feature. By checking the relevant box, you are shown a public, secret link that you can use within your identity provider. Please see this video for a demonstration. This reduces maintenance efforts when the team certificates that are used to sign authorization requests are changed.

35554625.png

Maximum authentication lifetime validation

“Authentication Life Time” refers to the age of the sessions with the identity provider. If the session is older than the value of Authentication Life Time in the EMS SAML config, the user will have to re-authenticate with the IdP.

Some customers may wish to not evaluate the age of the session at all. These customers can disable the validation using the checkbox (EMS will then accept IdP sessions that are max. 10 years old).

The validation defaults to 8h.

If the IdP session is older, the login attempt will be rejected by EMS & the user will see an error message which explains that his session is too old.

17924142.png
Allow bypassing SSO

For some periods of time, it may become necessary to open the team to third parties who are not listed inside the Identity Provider or where it would take too long to list them there. For implementation projects, where external people work on the team, this can be the case.

For these cases, the OICD setup offers the possibility to allow logins via the usual <team>.<cluster>.celonis.cloud/ui/login route. This route allows logins to the team to anyone who is a member of the team and has set a password (user accounts created via LDAP sync do not have a password).

To enable, simply set the checkbox and save.

To disable, simply remove the checkbox and save.

Note

In case that the SSO connection breaks and you are "locked out" of your team, Celonis can help you.

31000147.png
Automated user provisioning via SAML JIT

On teams with many users, membership management by hand is impractical at best and introduces human error.

As a recommended alternative to the LDAP Sync Tool, memberships and groups on your team can be provisioned just-in-time (JIT) via SAML.

To make use of this feature, you need to do the following four steps:

  1. Have a group structure in place and ensure that your identity provider sends it as a claim attribute.

  2. On the SAML provider, select the JIT Configuration tab and tick Enable Just-In-Time (JIT) Provisioning.

  3. Fill in the SAML claim attribute names that are needed to populate the respective fields on a user (add them to the claim if they are not present yet):

    1. These attributes are used to fill in the user's data if he/she does not have an account yet

    2. The groups attribute is used to create groups and assign memberships (see below)

      This attribute must be formatted as a multi-value inside authe response to the EMS, similar to this:

      <Attribute Name="groups" ...>

      <AttributeValue xsi:type="xs:string" ...>groupB</AttributeValue>

      <AttributeValue xsi:type="xs:string" ...>groupA</AttributeValue>

      </Attribute>

  4. Click Save.

35554705.png
Certificate Management

Some IDPs are configured to only accept valid SP certificates. On the SAML settings tab labeledCertificate, you can configure the certificate issuer as well as an automatic regeneration of the certificate.

Self-signed certificates are not signed by any authority and valid for 2+ years.

Let's Encrypt certificates are signed by an authority and valid for 3 months.

User-provided are uploaded and managed by the team administrators. They are not regenerated.

To always have a valid certificate, you can renew the certificate automatically.

With this option, certificates will be renewed on the last Saturday morning before expiry.

Administrators will be notified about this at least a week before via email.

Warning

Without an update of the SP metadata on the IDP, certificate regeneration can cause you to get locked out of the team.

Thus, please make sure you have one of the two set up before the certificate gets updated:

  1. SP metadata updates inside the IDP via the SP metadata URL are working

  2. The SSO bypass via /ui/login is enabled for the duration of the maintenance

60362318.png
Setup SAML with specific identity providers
  • Microsoft Azure

    You will find more information on how to configure SAML with Microsoft Azure as an identity provider here.

  • OneLogin

    You will find more information on how to configure SAML with OneLogin as an identity provider here.

FAQs for SAML on Celonis EMS
  • What is the Relying Party Trust Identifier (entityID) of my Team? The entity ID is the team domain without "https": <team>.<realm>.celonis.cloud → e.g. testcompany.eu-1.celonis.cloud

  • What is the Relying Party Identity Provider Endpoint? The Relying Party Identity Provider Endpoint is https://<team>.<realm>.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client → e.g. https://testcompany.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client

  • What is the Relying Party IdP Endpoint Logon Type? SAML Assertion Consumer

  • Does EMS support SAML logout functionality?

    No, EMS doesn’t support SAML logout functionality.

  • Does EMS support IdP initiated flows?

    No, EMS doesn’t support IdP initiated flows, only SP initiated flows.

  • How can a user log in via path /ui/login, if he never set any password for Celonis EMS ?

    For security reasons, this can only be done on a team where the user is a member and does not have SSO enabled

  • Which SAML version does EMS support?

    SAML 2.0

  • Which hash algorithm is used? SHA-256

  • Can a new SAML configuration be tested beforehand? Currently not, but you can access the team using your Celonis Login anytime if you configure it in the SSO setup by using this domain: https://<team>.<realm>.celonis.cloud/ui/login → e.g. https://testcompany.eu-1.celonis.cloud/ui/login

  • The user logs out from his SAML enabled EMS team, calls the team URL again - and is directly logged in to the team. Did the logout not work? Yes, the logout worked. However, after logout, when the user calls the team URL again, the EMS redirects to the IdP, which already has an active session from the user. Therefore, the user doesn’t need to re-authenticate with the IdP. The IdP immediately redirects to EMS and logs the user in.

  • Will SAML JIT remove users from groups that are not listed in the SAML claim ?

    SAML JIT will "take ownership" of groups that have the same name as groups that appear in the SAML claim of some users.

    For these groups, people will be removed depending on whether or not their SAML claim upon login lists that membership.

    Any group that has never appeared in any SAML claim will stay as-is, including all memberships.

  • Does the EMS sign authentication requests sent to the identity provider?

    Not by default. It can be turned on, however, by setting the WantAuthnRequestsSigned attribute inside the IDP metadata to true. In the following example, it is highlighted in bold

    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">