Celonis Process Management SSO

Worked Example: Celonis Process Management & AD FS

The Microsoft ActiveDirectory Federation Services provide a SAML 2.0 Identity Provider (IdP) implementation which is backed by a company domain's Active Directory. The following example describes setting up Celonis Process Management as a Service Provider (SP) in and for AD FS.

AD FS and IdP will be used interchangeably. The same holds true for Celonis Process Management and SP.

Preparation of Active Directory

With respect to "User & Rights Management Considerations", start by creating appropriate UNIVERSAL (or at least global) user groups in ActiveDirectory (AD). AD FS will not transmit AD local user groups as group claims. Depending on your requirements you may have different user groups to create. The following is just an example.

• CPMViewers will be able to browse the Celonis Process Management database;
• CPMAuthors will be able to edit parts of the Celonis Process Management database;
• CPMApprovers will be allowed to approve elements in the release cycle;
• CPMAnalysts will be able to run analysis extensions in the Celonis Process Management database;
• CPMArchitects will be able to manage the architecture of elements in the Celonis Process Management database;
• CPMAdmins will be able to administer the Celonis Process Management database (e.g. setting up user groups and permission sets);
• CPMViewers_HR will be able to browse HR processes;
• CPMAuthors_HR will be able to edit HR processes;
• CPMApprovers_HR will be able to approve HR processes;
• CPMArchitects_HR will be able to manage HR architecture tasks.

Next, assign users to these user groups.

Configuration of Celonis Process Management in AD FS

Before actually creating Celonis Process Management, as a relying parts trust in AD FS, decide which EntityID you will give to Celonis Process Management and under which URL Celonis Process Management will be available. For this example we use the following values:

• Celonis Process Management EntityID: urn:cpm.example.com:adfs-example
• Celonis Process Management URL: https://processes.example.com/cpm-test/

In this case, Celonis Process Management is available via a virtual subdirectory "/cpm-test/" and not directly on the subdomain root level.

Configure Relying Party Trust

Open the AD FS Management App and right-click on "AD FS/Trust Relationships/Relying Party Trusts". Then select "Add Relying Party Trust..." and choose "Enter data about the relying party manually":

• Display name: Celonis Process Management Test
• Choose AD FS profile (not 1.0 nor 1.1)
• Don't configure a certificate
• Enable support for the SAML 2.0 WebSSO protocol
• Relying party SAML 2.0 SSO service URL: https://processes.example.com/cpm-test/
• Relying party trust identifier: urn:cpm.example.com:adfs-example
• Don't configure multi-factor authentication settings
• Permit all users to access this relying party

Make sure that the configured Endpoints are POST and that Advanced is set to "SHA-256 secure hash algorithm".

Configure Claim Rules

Add the following claim rules:

1. Group Membership:
   • Send Claims Using a Custom Rule
   • Claim rule name: Group Membership
   • Custom rule:
     Copy

     Copied

     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

2. Group Filter:
   • Send Claims Using a Custom Rule
   • Claim rule name: Group Filter
   • Custom rule:
     Copy

     Copied

     c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)cpm"]
     => issue(claim = c);

3. Basic Attributes:
   • Send LDAP Attributes as Claims
   • Claim rule name: Basic Attributes
   • Attribute Store: Active Directory
   • User-Principal-Name → UPN
   • Surname → Surname
   • Given-Name → Given Name
   • E-Mail-Addresses → E-Mail-Address

Configuration of AD FS in Celonis Process Management

Download the Metadata XML file from your AD FS. If your AD FS resides on https://fs.example.com then the metadata should be available at https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml

The medatata file is a text file containing XML that you can read using Notepad/Editor.

Usually this file starts with the tag which has an "entityID" attribute whose value is the IdP EntityID we need to configure Celonis Process Management.

Near the end you will find the elements, look for the one with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", its "Location" attribute value will be needed to configure Celonis Process Management.

Here are the values from the example metadata XML file:

• entityID: http://cadc05.example.com/adfs/services/trust
• Location: https://fs.example.com/adfs/ls/

Setting up a new SAML Authentication Provider in Celonis Process Management

Log in as an administrator to the database or collection for which you want to activate SAML login. For this example we will set up SAML login for database "GreenField" in collection "Testing", the corresponding URL is https://processes.example.com/cpm-test/Testing/GreenField/editor/1033/

Switch to the Admin section and there to Authentication Providers. Make sure that the root node is set to "Use local" and then add a new SAML Authentication Provider with the ID set to "ADFS". Select it and adjust its details:

• Translate (if you wish) - the ID stays "ADFS"
  • English: SSO Login
  • German: SSO Anmeldung
• Standard role: Viewer
• Group management: Yes
• Celonis Process Management EntityID: urn:cpm.example.com:adfs-example
• Celonis Process Management Host URL: https://processes.example.com/cpm-test/
• IdP EntityID: http://cadc05.example.com/adfs/services/trust
• IdP Metadata: (upload the XML file or link to it, see below)
• IdP SSO service URL: https://fs.example.com/adfs/ls/
• Enabled: Yes
• Visible: Yes

Hint

You can hide a specific login, e.g. for external non-AD users, by switching "Visible" from Yes to No. You can still reach the site by using the auth provider login explicitely.

Example: https://processes.example.com/Collection/Storage/viewer/1033/Auth/Custom/SamlLegacy where "SamlLegacy" is your SamlAuthProviderId in Celonis Process Management.

Celonis Process Management on Premise

If your Celonis Process Management web server can reach your AD FS server, consider adding the Metadata XML file as a URL (see above) instead of downloading it from AD FS and then uploading it to Celonis Process Management. This way changes to the metadata (e.g. a new certficate) don't require manual updates to Celonis Process Management.

Celonis Process Management in Cloud

Don't add the Metadata XML file as an URL. The cloud server will likely not have access to the AD FS server which runs on your internal network. Celonis Process Management won't be able to access the metadata and therefore will fail on every SAML login attempt.

Configure SAML User Groups and Permission Sets

The new provider is now live and can be used. Currently all new users logging in via SAML are made Viewers. You need to set up user groups and permission sets for details rights management:

1. Switch to the Admin area of your database/collection.
2. Select Permission Sets and then create the following sets:
   • CPMViewers: ShowElement, OpenElement
   • CPMAuthors: ShowElement, OpenElement, EditElement, NewElement, DeleteElement
   • CPMApprovers: ShowElement, OpenElement, ApproveElement
   • CPMViewers_HR: ShowElement, OpenElement
   • CPMAuthors_HR: ShowElement, OpenElement, EditElement, NewElement, DeleteElement
   • CPMApprovers_HR: ShowElement, OpenElement, ApproveElement
3. Switch back to the Admin area.
4. Select User Groups and then create the following SAML user groups and assign them the listed permission sets / application roles:
   • CPMViewers: CelonisProcessManagementViewers / Viewer
   • CelonisProcessManagementAuthors: CPMAuthors / Author
   • CPMApprovers: CPMApprovers / Approver
   • CPMAnalysts: CPMAuthors / Analyst
   • CPMArchitects: CPMAuthors, CPMApprovers / Architect
   • CPMAdmins: CPMAuthors, CPMApprovers, CPMApprovers_HR / Administrator
   • CPMViewers HR: CPMViewers HR / Viewer
   • CPMAuthors HR: CPMAuthors HR / Author
   • CPMApprovers HR: CPMApprovers HR / Approver
   • CPMArchitects H: CPMAuthors HR, CPMApprovers_HR / Approver

Finally, you can set up permissions for your processes and repositories.

Now a user logging in via SAML will receive all rights based on their AD group membership.

For example:

• A user who is not a member of any Celonis Process Management user group will be assigned no permission sets, no user groups, and the default role of Viewer.
• A user who is a member of CPMAdmins and CPMAuthors will get the following assignments:
  • SAML user groups: CPMAuthors, CPMAdmins
  • Permission sets: CPMAuthors, CPMApprovers, CPMApprovers_HR
  • Role: Administrator