Celonis Process Management SSO

Setting Up SAML-based SSO

SAML has to be set up on the Identity Provider (IdP) and the Service Provider (SP) in order to create the mutual trust relation.

Basic requirements

The following basic requirements must be fulfilled to consider SAML-based SSO at all:

  • SAML 2.0-compliant IdP. Celonis Process Management supports the following Identity Providers (IdPs):
    • Microsoft Active Directory Federation Services (MS ADFS)
    • Microsoft Azure Active Directory (MS AAD)
    • Ping Identity
    • OneLogin.com
    • Other Identity Providers might work because of SAML 2.0 but need to be treated as a separate project if out-of-the-box configuration does not work.
  • IdP with SSO-REDIRECT endpoint
  • IdP with ability to POST to an ACS endpoint
  • IdP with SHA-256 signature support
  • IdP Metadata XML file
    • a certificate (trustworthy with respect to your organization) contained in the Metadata file
  • Celonis Process Management installed on an HTTPS/SSL/TLS binding
  • IdP and Celonis Process Management reachable by browsers in the company networking scenario

Setting up the IdP

To set up the IdP you need to define Celonis Process Management as a relying party trust. The following information is required to do so:

  • SP Entity ID: The unique ID/name of the SP
    • To be configured in newer Celonis Process Management versions: decide on an appropriate string beforehand; we suggest something like "urn:symbio.company.tld:an-additional-instance-id"
    • Predefined for older Celonis Process Management versions: "http://symbioworld.com/web"
  • SSO-REDIRECT: Accept requests by Celonis Process Management at the SSO-REDIRECT endpoint
  • ACS-POST: Send responses to the ACS endpoint of Celonis Process Management via POST
  • Request Signing/Encryption: Celonis Process Management does not sign or encrypt requests by default (see Request Signing below)
  • Response Signing/Encryption: Celonis Process Management expects responses to be signed

The URL of Celonis Process Management is most likely needed during IdP configuration. Sometimes the ACS endpoint URL is also needed. This can be derived from the Celonis Process Management URL:

If Celonis Process Management is mapped to a path, the path needs to be included:

Never include database collections or databases in these URLs. The ACS endpoint is used by all databases and collections of a Celonis Process Management instance.

Note: Celonis Process Management only supports SP-initiated authentication. Remember this when setting up your IdP.

Transmitted Claims

Celonis Process Management expects the following claims:

For rights management, group claims should also be transmitted:

If your system cannot provide these claims, see Custom Claims Mapping below.

Setting up Celonis Process Management as the SP

The most important part to set up Celonis Process Management as the SP is the Metadata XML file of the IdP. Normally all other information can be derived from this file:

  • SP Entity ID: The unique ID/name of the SP (see Setting up the IdP above).
    • Newer versions of Celonis Process Management allow and require you to define it yourself.
    • Older versions of Celonis Process Management have a predefined ID.
  • IdP Entity ID: The unique ID/name of the IdP (can normally be found near the top of the Metadata XML).
  • IdP Metadata XML file: You can choose to provide it in several ways with Celonis Process Management:
    • Upload: The file will be stored locally and no network requests are required to retrieve its contents. If the certificate for signing responses changes on the IdP you need to update the upload in Celonis Process Management.
    • URL: The file will not be stored locally; it will be cached temporarily to reduce network traffic. Certificate changes on the IdP do not require updates on the Celonis Process Management side. The Celonis Process Management instance must be able to access the Metadata URL of the IdP.
  • IdP SSO Service URL: The SSO-REDIRECT endpoint URL of the IdP (can normally be found near the bottom of the Metadata XML).
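The SP-side values listed above (IdP Entity ID, IdP SSO Service URL, signing certificate) can be pulled out of the IdP Metadata XML and checked against the basic requirements (SSO-REDIRECT endpoint, certificate present) before they are entered into Celonis Process Management. The following is an added example, not part of Celonis Process Management or this page; the metadata document, host name and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata: fictional host, placeholder certificate bytes.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(b'CONSTRUCTED-CERT').decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Derive the SP-side settings from IdP metadata and check the basic
    requirements: an HTTP-Redirect SSO endpoint and a signing certificate."""
    root = ET.fromstring(metadata_xml)  # metadata fetched from an IdP is untrusted input
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (IDPSSODescriptor missing)")
    # SSO-REDIRECT endpoint: the SP-initiated flow sends the browser here
    redirect = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == REDIRECT]
    if not redirect:
        raise ValueError("IdP offers no HTTP-Redirect SingleSignOnService")
    # Signing certificate: responses must be signed, so an encryption-only key is not enough
    certs = [base64.b64decode("".join(c.text.split()))
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata contains no signing certificate")
    return {"idp_entity_id": root.get("entityID"),
            "idp_sso_url": redirect[0],
            "signing_cert_der": certs[0],
            # compare this fingerprint with the value your IdP administrator reports
            "signing_cert_sha256": hashlib.sha256(certs[0]).hexdigest()}


if __name__ == "__main__":
    print(extract_idp_settings(SAMPLE_METADATA))
```

The fingerprint check is how you verify the "trustworthy certificate" requirement when the metadata is loaded via URL rather than from a file you obtained directly from the IdP team.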

Advanced Setup Topics

Explicit SP Host URL

In some scenarios Celonis Process Management might be accessed via a different URL from the one on which it is installed (e.g. when accessed via a proxy server). In such a case the host URL of Celonis Process Management needs to be adjusted for the SAML authentication flow so the IdP can direct the browser back to an address it can reach (the proxy instead of the Celonis Process Management host).

In this scenario, provide a corresponding "SP Host URL" in Celonis Process Management's SAML configuration (only available in newer versions of Celonis Process Management).

Request Signing

Celonis Process Management supports request signing but does not use it by default. To enable request signing you need to provide a certificate to Celonis Process Management via its SAML configuration. This certificate must be provided as a file which fulfills the following requirements:

  • Base64-encoded PFX file
  • containing the private key
  • without password protection

Response Encryption

Celonis Process Management supports receiving encrypted responses but does not use this by default. To enable this feature, the same certificate as for Request Signing (see above) is used.

The public key part of this certificate must be made available to the IdP to enable it to encrypt responses/tokens/claims for Celonis Process Management. You can retrieve it by requesting the Celonis Process Management Service Provider Metadata Endpoint for your configured authentication provider:

https://[symbio.company.tld]/[collection]/[storage]/viewer/[1033]/Auth/ServiceProviderFederationMetaData/[AuthProviderId]

Replace the square brackets with appropriate values.

Custom Claims Mapping

Some IdPs cannot provide the claims Celonis Process Management expects. To mitigate this, you can provide a Claims Mapping XML file. Celonis Process Management comes with a sample XML file in the data directory which provides a mapping that can easily be used with Azure AD.

Please contact your sales or partner contact person for help with setting up an individual claims mapping for your system.