SSO integration

You can configure LDAP (Lightweight directory access protocol) and SAML2 (Security Assertion Markup Language) for authenticating IBM Process Mining. To learn more about the SSO integration for IBM Process Mining, see the following topics:

LDAP authentication

By configuring the LDAP authentication, the password is validated first by an LDAP server and then, if it fails, on the local authentication database.

For SaaS offerings, the LDAP configuration varies per the environment set up. Therefore, the LDAP configuration must be evaluated through a support ticket.

To enable the LDAP authentication, edit the authentication section in <PM_HOME>/etc/processmining.conf as in the following example:

authentication: {
	mode: "**ldap**", 	# ldap | basic | saml
	
	limiting: {
		enabled: false,
		maxFailures: 3,
		timeFrame: 600000
	}
	
	ldap: {
	  url: "ldap://<server>:<port>",
    type: "standard" # basic | query
    searchBase : "" # ou=quality,o=mycompany.com
    filter:"", # the attribute that represents the username, i.e. mail
    domain: "", # valid for Active Directory integration
    backupurl: "",# valid for Active Directory integration
    domainexclude: [],# valid for Active Directory integration
    domainRemove: false, # true if the username is stored with no domain

	}
  bcrypt : true,
  maxInactiveIntervalInMinutes: 30,
},

When you introduce changes to the processmining.conf file, make sure that you do it correctly. For more information, see Configuration file editing guidelines.

The following table contains the descriptions of the different properties.

Property Description Values
url Sets the URL of the server in either LDAP or LDAPS protocol. If the protocol is LDAP, it is required to add the certificate to the Java certificate store <IP Address Format>
For example: ldap://172.16.1.19:389
Type Sets the server to run as either a basic function or a query function. - basic (Default): typically used with LDAP systems like Microsoft Active Directory, authenticating to LDAP by user and password.
- query : More complex option that uses a query string that is defined by searchBase into the directory by using an attribute as username that can be defined by the filter parameter (that is, the email)
searchBase Sets the server to use the given URLS depending on whether the type is basic or query. If the type is query, the system carries out this query to retrieve the account object.
If the type is basic, it is used to manage particular LDAP server requirements that need a query string as the username.		 <Search-base keys>
For example: ou=users,o=mycompany.com
- "empty" (Default)
filter Required if the type is query. Identifies the attribute that is used as username. <Username>
For example: mail
- "empty" (Default)
domain Sets the Windows domain name that is used for web interface authentication. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <URL Format>
For example: mydomain.com
When concatenated with the given username "user1", the web interface authentication is run with "user1@mydomain.com"
- "empty" (Default)
Backupurl Sets the second domain controller URL for backup purposes. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <IP-Address Format>
For example: ldap://172.16.1.20,390
- "empty" (Default)
domainRemove Used when the LDAP server is implemented by systems like MS Active Directory.
Must be true if the user who is registered in LDAP contains the domain (for example, "user1@mydomain.com") but the user who is registered in Process Mining is not (for example, "user1")		 - false (Default)
- true
domainexclude Sets the Windows domain name to be excluded for a list of usernames. Typically used when the LDAP server is implemented by systems such as MS Active Directory. <URL Format>
For example: mydomain.com
- "empty" (Default)
maxInactiveIntervalInMinutes The maximum interval of inactivity in minutes for the web session timeout. If you change this attribute value, the web session times out after the time you set in minutes. <Time in minutes>
- "empty" (Default)

The users must be manually added to the system in the Admin Console.

The following example shows an LDAP Authentication configuration scenario:

  1. Set up the application without LDAP.
  2. Add a user and assign administrator privileges to that user.
  3. Configure and enable the LDAP configurations.
  4. Manage more users with the created admin account.

Import certificate for Secured LDAP

If you use LDAP, you must import the server certificate that is published by your LDAP provider into the Java Virtual Machine (JVM). If you do not provide the certificate, the following error is displayed in the logs: javax.naming.CommunicationException: simple bind failed

To import your LDAP provider server certificate into JVM:

  1. Use the following keytool command of the embedded Java Development Kit (JDK) to trust the certificate in JVM:
cd /opt/processmining/jdk/linux/ibm-openjdk-semeru/bin
./keytool -import -keystore ../lib/security/cacerts -trustcacerts -alias "LdapCert" -file <PATH TO YOUR FILE>.pem
  1. Restart the PMWeb module.

User provisioning for LDAP

By default, the auto-provisioning is enabled. The account is automatically created if a user does not exist in the IBM Process Mining database.

You can also make mappings between your organization user groups and groups in IBM Process Mining in the Administration page inside the IBM Process Mining application. For more information, see Managing groups - Details. If there are no changes made in the Administration page, then group mappings from this configuration file are used.

The following table contains descriptions of properties that are used in user provisioning:

Property Description Values
bindON Optional - use only if the server requires authentication. Default value: empty
Example: uid=admin,ou=system
bindPassword Optional - must be stored encrypted. Use only if the server requires authentication. Default value: empty
Example: SUD+qxiBriyRrChmw/Aykw=
userFilter Required - search query for the user. Default value: (&(emailAddress=%s)(objectclass=person))
Example: (&(mail=tester1@tester1.com)(objectclass=inetOrgPerson))
groupFilter Optional - if defined, obtain user groups from groupOfUniqueNames object. Otherwise, obtain the user's group from a different attribute. Default value: empty
Example: (&(cn=%s)(objectclass=groupOfUniqueNames))
groupMemberIDmap Optional - the attribute of the group object that stores the user DN. Default value: empty
Example: uniqueMember

IBM Process Mining obtains the following user properties from the LDAP server:

  • Email
  • First name
  • Last name

Configure the mapping and the corresponding property in the directory after each of the user properties.


 provisioning : {
  	attributes : {
  		username: "emailAddress" # sAMAccountName for ADFS, emailAddress for Ibm
  		email : "EmailAddress",
  		firstName : "givenname"
  		lastName : "sn", 
  		groups : "memberOf"
  	},
  	groupMapping: {
  		owner : "",
  		administrator : "myCompanyGroup"
  	}
  }

You can obtain the user groups from LDAP and map it to IBM Process Mining groups.

You can add one user each to the Administration group and the Owner group (Analytics user). However, if a user does not belong to a group, then IBM Process Mining can only grant the basic user permission with the read-only access (Business User).

The group can be obtained in two ways:

  • From a Person object attribute (that is, memberOf) - The property groupFilter must be empty
  • From a link relationship between a "group" object (that is, the attribute uniqueMember of an groupOfUniqueNames object) - The property groupFilter must be populated - The uniqueMember attribute must be the user's DN

Examples

Microsoft Active Directory

The following example shows how to configure a connection to a secure LDAP server exposed by Microsoft Active Directory:

ldap: {
    url: "ldaps://ldapsrv.mycompany.com:636", 
    type: "basic" 
    searchBase : "" 
    filter:"",  
    domain: "MYDOMAIN", 
    backupurl: "",
    domainexclude: [],
  },

Generic LDAP server case 1

The following example shows a generic LDAP server case:

ldap: {
    url: "ldaps://ldap.intranet.group.eu:636", 
    type: "standard" 
    searchBase : "uid={USERNAME},ou=people,dc=group,dc=eu" 
    filter:"uid", 
    domain: "", 
    backupurl: "",
    domainexclude: [],
  },

Generic LDAP server case 2

The following example shows another generic LDAP server case:

 ldap: {
    url: "ldaps://myserver.company.com:636" 
    type: "query" 
    searchBase: "ou=myorganization,o=company.com"
    filter: "mail", 
    domain: "", 
    backupurl: "",
    domainexclude: [],
  },

SAML2 authentication

You can configure the SAML2 authentication only in a single tenant environment. Secure IBM Process Mining with https by installing NGINX and the related configuration.

Verify that the value of the property is engine.defaults.signup.groupid.

Check that that value corresponds to the ID of your tenant. This value is visible in the Admin Console.

Activate SAML2 security

When you introduce changes to the processmining.conf file, make sure that you do it correctly. For more information, see Configuration file editing guidelines.

To enable SAML2, do the following steps:

  1. Edit the profile section in <PM_HOME>/etc/processmining.conf

  2. Replace sso_none with sso_saml as shown:

      profiles: [
  "sso_saml", # sso_none | sso_saml
  ]

  3. Edit the authentication section in:

    <PM_HOME>/etc/processmining.conf:
authentication: {
  mode: "saml",  # ldap | basic | saml
}

Minimal configuration

To configure SAML2, you need the metadata (url ir xml file) from the IdP configuration. You can download the Identity provider metadata automatically from the application by using an URI or copying the xml file into a directory in the server. You must get the following data from the application to the IdP configuration:

  • Provider ID
  • Assertion consumer service URL
  • Service provider SSO URL

The default values are:

  • {sp.base.url}/saml2/service-provider-metadata/processmining
  • {sp.base.url}/login/saml2/sso/processmining
  • {sp.base.url}/login/saml2/sso/processmining

where sp.base.url is your application url.

You can use the following configuration to define idp.metadata and sp.base.url:

    saml: {
     idp.metadata : "https://my-idp-host/v1.0/saml/federations/saml20ip/metadata", 
     sp.base.url: "https://my-pm-hostname.com"
    }

The property idp.metadata can be filled with an URI, an absolute path, or a file name. If it is a file name, it is located on /<PM_HOME>/etc/saml/.

IdP configuration example using IBM Security Verify

sso SAML2 Configuration 1

sso SAML2 Configuration 2

sso SAML2 Configuration 3

Advanced configuration

You need to get the identity provider signing certificate from IdP.

The application provides the following data to the IdP:

  • Single logout url
  • Service provider signer certificate

Use the following configuration to define the data:

  saml: {
   
    idp.metadata : "federation_metadata.xml",
    
    # idp Signing Certificate
    idp.signing.certificate: "cic_certificate.cer"
    
   sp.signer.certificate: "_.mydomain.company.com.pem"
   sp.signer.privateKey: "star_mycompany.key"
    
   sp.base.url: "https://my-pm-hostname.com"
    
  }

User provisioning for SAML2

By default, the auto-provisioning is enabled. The user provisioning is automatically created if a user does not exist in the IBM Process Mining database.

You can also make mappings between your organization user groups and groups in IBM Process Mining in the Administration page inside the IBM Process Mining application. For more information, see Managing groups - Details. If there are no changes that are made in the Administration page, then group mappings from this configuration file are used.

IdP must send the following user properties to the application:

  • Email
  • Given name
  • Surname

Configure a mapping between the name of the attributes that are present in the SAML2 request and the name that the IBM Process Mining application expects.

You can do the configuration in the provisioning section as shown in the following example:

    provisioning : {
      attributes : {
        email : "EmailAddress",
        firstName : "FirstName",
        lastName : "LastName",
        groups : "groups"
      },
      groupMapping: {
        owner : "",
        administrator : ""
      }
    }

You can obtain the user groups from IdP and map it to IBM Process Mining groups.

You can add one user each to the Administration group and the Owner group (Analytics user). However, if a user does not belong to a group, then IBM Process Mining can only grant the basic user permission with the read-only access (Business User).

Configure a mapping between the name of the attributes that are present in the SAML2 request and the name that the IBM Process Mining application expects.

Use the following configuration for user provisioning:

    policy : {
  	autoActivate: true,  # if new sign-up accounts are activated without administrator review
  	selfProvisioning : true # if new user are created into databese
  },
  provisioning : {
  	attributes : {
  		email : "EmailAddress",
  		firstName : "FirstName", #http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  		lastName : "LastName",  #http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
		groups : "groups"
  	},
  	groupMapping: {
  		owner : "pm-owner-grp",
  		administrator : "pm-admin-grp"
  	}
  }

where pm-owner-grp and pm-admin-grp are the group that is defined on the IdP side

SSO SAML2 Configuration 3

Log checks after startup

You get the following logs after startup:

 2023/05/18 09:17:44.531 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.filterChain (200) - ******************************************************
 2023/05/18 09:17:44.532 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.filterChain (201) - ********* Initializing SAML Security Context *********
 2023/05/18 09:17:45.871 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (99) - idp.metadata https://ibm-pm-dev01-gb.verify.ibm.com/v1.0/saml/federations/saml20ip/metadata
 2023/05/18 09:17:45.872 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (116) - Get metadata from uri
 2023/05/18 09:17:45.872 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (126) - entityId https://tst-rel-pkg.automationcloud.ibm.com/saml2/service-provider-metadata/processmining
 2023/05/18 09:17:45.872 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.relyingPartyRegistrations (135) - assertionConsumerServiceLocation https://tst-rel-pkg.automationcloud.ibm.com/login/saml2/sso/processmining
 2023/05/18 09:17:45.875 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getLogOutCredential (181) - Logout with signer
 2023/05/18 09:17:45.875 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getLogOutCredential (182) - Certificates  _.automationcloud.ibm.com.pem, PrivateKey star_automationcloud.key
 2023/05/18 09:17:45.876 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getCertificateCredential (258) - Loading credential _.automationcloud.ibm.com.pem
 2023/05/18 09:17:45.877 +0000 INFO  c.i.c.auth.saml.SAMLSecurityConfig.getCertificateCredential (258) - Loading credential cic_certificate.cer