SSO integration

You can configure LDAP (Lightweight directory access protocol) and SAML2 (Security Assertion Markup Language) for authenticating IBM Process Mining. To learn more about the SSO integration for IBM Process Mining, see the following topics:

LDAP authentication

By configuring the LDAP authentication, the password is validated by an LDAP server instead of a local authentication.

For SaaS offerings, the LDAP configuration varies per the environment set up. Therefore, the LDAP configuration must be evaluated through a support ticket.

To enable the LDAP authentication, edit the authentication section in <PM_HOME>/etc/processmining.conf as in the following example:

authentication: {
	mode: "**ldap**", 	# ldap | basic | saml
	
	limiting: {
		enabled: false,
		maxFailures: 3,
		timeFrame: 600000
	}
	
	ldap: {
	  url: "ldap://<server>:<port>",
    type: "standard" # basic | query
    searchBase : "" # ou=quality,o=mycompany.com
    filter:"", # the attribute that represents the username, i.e. mail
    secure: false, # true if ldaps is required
    domain: "", # valid for Active Directory integration
    backupurl: "",# valid for Active Directory integration
    domainexclude: [],# valid for Active Directory integration
    domainRemove: false, # true if the username is stored with no domain
    adminpassword: "",
    testmode: false

	}
  bcrypt : true,
  maxInactiveIntervalInMinutes: 30,
},

When you introduce changes to the processmining.conf file, make sure you do it correctly. For more information, see the Configuration file editing guidelines section.

The following table contains the description of the different properties.

Property Description Values
url Sets the URL of the server in either LDAP or LDAPS protocol. <IP Address Format>
For example: ldap://172.16.1.19:389
Type Sets the server to run as either a basic function or query function. - basic (Default): typically used with LDAP systems like Microsoft Active Directory, authenticating to LDAP by user and password.
- query : More complex option that uses a query string defined by searchBase into the directory using an attribute as username that can be defined by the filter parameter (that is, the email)
searchBase Sets the server to use the given URLS depending on whether the type is basic or query. If the type is query, the system carries out this query to retrieve the account object.
If the type is basic, it is used to manage particular LDAP server requirements that need a query string as the username.		 <Search-base keys>
For example: ou=users,o=mycompany.com
- "empty" (Default)
filter Required if the type is query. Identifies the attribute used as username. <Username>
For example: mail
- "empty" (Default)
secure Enables secure functionality. Must be true if the server is LDAPS. - false (Default)
- true
domain Sets the Windows domain name used for web interface authentication. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <URL Format>
For example: mydomain.com
When concatenated with the given username "user1", the web interface authentication is run with "user1@mydomain.com"
- "empty" (Default)
Backupurl Sets the second domain controller URL for backup purposes. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <IP-Address Format>
For example: ldap://172.16.1.20,390
- "empty" (Default)
domainRemove Used when the LDAP server is implemented by systems like MS Active Directory.
Must be true if the user who is registered in LDAP contains the domain (for example, "user1@mydomain.com") but the user who is registered in Process Mining is not (for example, "user1")		 - false (Default)
- true
domainexclude Sets the Windows domain name to be excluded for a list of usernames. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <URL Format>
For example: mydomain.com
- "empty" (Default)
adminpassword The password for the maintenance account (the username “maintenance.admin”) that can be used for setup activities. For this account, the authentication is not run by LDAP.
If this property is filled in, the the user account “maintenance.admin” can log in with this password.		 <Password>
"empty" (Default)
testmode If this property is true, the password is not validated and the user is always authenticated
Default: false		 - false (Default)
- true
maxInactiveIntervalInMinutes The maximum interval of inactivity in minutes for the web session timeout. If you change this attribute value, the web session times out after the time you set in minutes. <Time in minutes>
- "empty" (Default)

The users must be manually added to the system in the Admin Console.

The following example shows an LDAP Authentication configuration scenario:

  1. Set up the application without LDAP.
  2. Add a user and assign administrator privileges to that user.
  3. Configure and enable the LDAP configurations.
  4. Manage more users with the created admin account.

Import certificate for Secured LDAP

If you use LDAP, you must import the server certificate that is published by your LDAP provider into the Java Virtual Machine (JVM). If you do not provide the certificate, the following error is displayed in the logs: javax.naming.CommunicationException: simple bind failed

To import your LDAP provider server certificate into JVM:

  1. Use the following keytool command of embedded Java Developement Kit (JDK) to trust the certificate in JVM:
cd /opt/processmining/jdk/linux/ibm-openjdk-semeru/bin
./keytool -import -keystore ../lib/security/cacerts -trustcacerts -alias "LdapCert" -file <PATH TO YOUR FILE>.pem
  1. Restart the PMWeb module.

Examples

Microsoft Active Directory

The following example shows how to configure a connection to a secure LDAP server exposed by Microsoft Active Directory:

ldap: {
    url: "ldaps://ldapsrv.mycompany.com:636", 
    type: "basic" 
    searchBase : "" 
    filter:"", 
    secure: true, 
    domain: "MYDOMAIN", 
    backupurl: "",
    domainexclude: [],
    adminpassword: "",
    testmode: false
  },

Generic LDAP server case 1

The following example shows a generic LDAP server case:

ldap: {
    url: "ldaps://ldap.intranet.group.eu:636", 
    type: "standard" 
    searchBase : "uid={USERNAME},ou=people,dc=group,dc=eu" 
    filter:"uid", 
    secure: true, 
    domain: "", 
    backupurl: "",
    domainexclude: [],
    adminpassword: "",
    testmode: false
  },

Generic LDAP server case 2

The following example shows another generic LDAP server case:

 ldap: {
    url: "ldaps://myserver.company.com:636" 
    type: "query" 
    searchBase: "ou=myorganization,o=company.com"
    filter: "mail", 
    secure: true, 
    domain: "", 
    backupurl: "",
    domainexclude: [],
    adminpassword: "",
    testmode: false
  },

SAML2 authentication

You can configure the SAML2 authentication only in a single tenant environment. You must secure IBM Process Mining with https by installing NGINX and the related configuration.

Verify that the value of the property is engine.defaults.signup.groupid.

Check that that value corresponds to the ID of your tenant. This value is visible in the Admin Console.

Activate SAML2 security

When you introduce changes to the processmining.conf file, make sure you do it correctly. For more information, see the Configuration file editing guidelines section.

To enable SAML2, do the following steps:

  1. Edit the profile section in <PM_HOME>/etc/processmining.conf

  2. Replace sso_none with sso_saml as shown:

      profiles: [
  "sso_saml", # sso_none | sso_saml
  ]

  3. Edit the authentication section in:

    <PM_HOME>/etc/processmining.conf:
authentication: {
  mode: "saml",  # ldap | basic | saml
}

Minimal configuration

To configure SAML2, you need the metadata (url ir xml file) from the IdP configuration. You can download the Identity provider metadata automatically from the application by using an URI or copying the xml file into a directory in the server. You must get the following data from the application to the IdP configuration:

  • Provider ID
  • Assertion consumer service URL
  • Service provider SSO URL

The default values are:

  • {sp.base.url}/saml2/service-provider-metadata/processmining
  • {sp.base.url}/login/saml2/sso/processmining
  • {sp.base.url}/login/saml2/sso/processmining

where sp.base.url is your application url.

You can use the following configuration to define idp.metadata and sp.base.url:

    saml: {
     idp.metadata : "https://my-idp-host/v1.0/saml/federations/saml20ip/metadata", 
     sp.base.url: "https://my-pm-hostname.com"
    }

The property idp.metadata can be filled with an URI, an absolute path, or a file name. If it is a file name, it is located on /<PM_HOME>/etc/saml/.

IdP configuration example using IBM Security Verify

sso SAML2 Configuration 1

sso SAML2 Configuration 2

sso SAML2 Configuration 3

Advanced configuration

You need to get the identity provider signing certificate from Idp.

The application provides the following data to the IdP:

  • Single logout url
  • Service provider signer certificate

Use the following configuration to define the data:

  saml: {
   
    idp.metadata : "federation_metadata.xml",
    
    # idp Signing Certificate
    idp.signing.certificate: "cic_certificate.cer"
    
   sp.signer.certificate: "_.mydomain.company.com.pem"
   sp.signer.privateKey: "star_mycompany.key"
    
   sp.base.url: "https://my-pm-hostname.com"
    
  }

Use provisioning

By default, the auto-provisioning is enabled. The user provisioning is automatically created if a user does not exist in the IBM Process Mining database.

IdP must send the following user properties to the application:

  • Email
  • Given name
  • Surname

You must configure a mapping between the name of the attributes that are present in the SAML2 request and the name that the IBM Process Mining application expects.

You can do the configuration in the provisioning section as shown in the following example:

    provisioning : {
    attributes : {
    email : "EmailAddress",
    firstName : "FirstName",
    lastName : "LastName",
    groups : "groups"
    },
    groupMapping: {
    owner : "",
    administrator : ""
    }
    }
  • You can obtain the user groups from IdP and map it to IBM Process Mining groups.
  • You can add one user each to the Administration group and the Owner group. However, if a user does not belong to a group, then IBM Process Mining gives only the basic user permission with the read-only access to that user.
  • You must configure a mapping between the name of the attributes that are present in the SAML2 request and the name that the IBM Process Mining application expects.

Use the following configuration for user provisioning:

    policy : {
  	autoActivate: true,  # if new sign-up accounts are activated without administrator review
  	selfProvisioning : true # if new user are created into databese
  },
  provisioning : {
  	attributes : {
  		email : "EmailAddress",
  		firstName : "FirstName", #http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  		lastName : "LastName",  #http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
		groups : "groups"
  	},
  	groupMapping: {
  		owner : "pm-owner-grp",
  		administrator : "pm-admin-grp"
  	}
  }

where pm-owner-grp and pm-admin-grp are the group defined on IdP side

SSO SAML2 Configuration 3

Log checks after startup

You get the following logs after startup:

 2023/05/18 09:17:44.531 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.filterChain (200) - ******************************************************
 2023/05/18 09:17:44.532 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.filterChain (201) - ********* Initializing SAML Security Context *********
 2023/05/18 09:17:45.871 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (99) - idp.metadata https://ibm-pm-dev01-gb.verify.ibm.com/v1.0/saml/federations/saml20ip/metadata
 2023/05/18 09:17:45.872 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (116) - Get metadata from uri
 2023/05/18 09:17:45.872 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (126) - entityId https://tst-rel-pkg.automationcloud.ibm.com/saml2/service-provider-metadata/processmining
 2023/05/18 09:17:45.872 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (135) - assertionConsumerServiceLocation https://tst-rel-pkg.automationcloud.ibm.com/login/saml2/sso/processmining
 2023/05/18 09:17:45.875 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getLogOutCredential (181) - Logout with signer
 2023/05/18 09:17:45.875 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getLogOutCredential (182) - Certificates  _.automationcloud.ibm.com.pem, PrivateKey star_automationcloud.key
 2023/05/18 09:17:45.876 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getCertificateCredential (258) - Loading credential _.automationcloud.ibm.com.pem
 2023/05/18 09:17:45.877 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getCertificateCredential (258) - Loading credential cic_certificate.cer