1. Make sure you have configured the Federate authentication as illustrated at http://help.bizagi.com/bpmsuite/en/index.html?sso_authentication.htm.
Note that your identity provider should support the protocols and versions listed as requisites.
2. Check with your administrator that your account is not currently disabled.
A disabled account can be produced due to an account lockout at the identity provider because of your corporate security policies (e.g at Ping Federate settings), or it may have been manually disabled in Bizagi by your appointed business administrator in charge of managing Bizagi users.
3. Verify that the specific account exists both at the users repository being used by your identity provider, and at Bizagi's database (WFUser table).
4. Verify that your users synchronization is using the username and domain information as expected.
Review that within the response assertion, the NameID field inside of the saml:Subject element contains either: username@domain or domain\username.
In Bizagi, ensure you have in the WFUser column called domain, explicitly only the domain information.
And in the WFUser column called username, you have these options:
a) only the username.
b) username@domain (works if username@domain is contained in the NameID field).
c) domain\username (works if domain\username is contained in the NameID field).