Summary

Authentication to the Work portal is not working when using Federated authentication with an identity provider such as Ping Federate.

Applies to

Bizagi .JEE 10.7 or later.

Symptoms

After entering an authorized login and password for the authentication, a The assertion must contain the service provider https://... error is thrown at the Federated authentication error page.

Cause

This error is commonly caused when the identity provider is not capable of validating the EntityId information, to match it with the identifier it has stored in the Relying Party Trust configuration (regarding Bizagi as the Service Provider).

Solution

1.Make sure you have configured the Federate authentication as illustrated at http://help.bizagi.com/bpmsuite/en/index.html?sso_authentication.htm.
Note that your identity provider should support the protocols and versions listed as requisites.

2. Verify that the EntityId corresponds exactly to the one created in the SAML configuration.

Double-check for the port numbers and the slash characters (/), so that these also match exactly the value of your EntityId as used in the SAML configuration. For example:

https://saml-adfs30.devbizagi.loc:3443/BizAgi-war/ is actually different than https://saml-adfs30.devbizagi.loc:3443/BizAgi-war (note that the first value has a slash in the end).

3. Check for logged information in your identity provider.
For instance a:
Got StatusCode urn:oasis:names:tc:SAML:2.0:Status:Responder should be
urn:oasis:names:tc:SAML:2.0:Status:Success 
means that Bizagi is responding as expected but the identity provider may have configuration issues.