Account Provisioning With Single Sign-on (SSO)

If you want the Bonita Runtime accounts to be created automatically once a user accessing Bonita has been authenticated with the SSO provider, make sure you have a Bonita Runtime configured for single sign-on with OIDC or SAML first.

Then, in the tenant_engine folder of the existing tenant: <BUNDLE_HOME>/setup/platform_conf/current/tenants/<TENANT_ID>/tenant_engine/ edit the file bonita-tenant-sp-custom.properties to uncomment, and modify when needed, the following lines :

In addition of the username it is possible to use more information coming from the Identity Provider of the SSO in order to create the user account in Bonita, like first name, last name, email, etc…​
Actually, all the user information retrieved from the SAML response attributes or the OIDC ID tokens can be mapped to the attributes of a user account in Bonita.
In order to do that, in the tenant_portal folder of the existing tenant: <BUNDLE_HOME>/setup/platform_conf/current/tenants/<TENANT_ID>/tenant_portal/ edit the file user-creation-attribute-mapping-custom.properties and copy (and uncomment) from the file user-creation-attribute-mapping.properties the lines for the attributes you want to map.
Use $account. prefix to target a SAML attribute from the SAML response of a claim from the OIDC ID token.
A value without prefix will be directly used as it is for all users created through this feature.
For example:

The property bonita.runtime.authentication.passphrase-or-password.create-missing-user.userAttribute.role defines the name of the role to use for the users group memberships creation (values with the prefix $account. are supported as well).
The property bonita.runtime.authentication.passphrase-or-password.create-missing-user.userAttribute.groups defines the groups to use for the users group memberships creation. Its value can be a list of Bonita group paths comma separated (e.g.: /acme, /acme/hr, /acme/rd) or an SSO attribute / token claim with the prefix $account. (see the section Configure groups mapping for this use case).
If the property bonita.runtime.authentication.passphrase-or-password.create-missing-user.createUserGroupsAndRole.enabled is set to true (and if there is a mapping for them in case of groups coming from the SSO), groups and roles will be created automatically if they do not exist.
If the property bonita.runtime.authentication.passphrase-or-password.create-missing-user.lowerGroupsAndRoleNamesCase.enabled is set to true (default value), these 2 properties are not case sensitive and the groups/role will be created with lower case names/paths

When the value of the property bonita.runtime.authentication.passphrase-or-password.create-missing-user.userAttribute.groups in user-creation-attribute-mapping-custom.properties starts with the $account. attribute, it means the list of groups of the user should be retrieved from the SAML response attributes or the OIDC ID token and each group that should result in a membership creation should be associated with a group path to use in Bonita.
In order to do that, in the tenant_portal folder of the existing tenant: <BUNDLE_HOME>/setup/platform_conf/current/tenants/<TENANT_ID>/tenant_portal/ edit the file user-creation-group-mapping.properties and add one line for each group mapping. For example:

Any group coming from the IdP that is not mapped with a Bonita group will be ignored during the users memberships creation.
The format the groups attribute value coming from an OIDC token can either be an array or a String (using commas as separator).
The format the groups attribute value coming from an SAML response can either be a multiple values attribute (one value for each group name) or a single value attribute (using commas as separator).
If the property bonita.runtime.authentication.passphrase-or-password.create-missing-user.lowerGroupsAndRoleNamesCase.enabled is set to true (default value), this file is not case sensitive and the groups will be created with lower case names/paths (However, the case used in the file will be kept for the display names of the groups).

In order to access a Bonita application a user needs to have the profile associated with this application. The mapping between groups and profiles can also be automatized to avoid having to do it manually once the groups have been created.
In order to do that, in the tenant_portal folder of the existing tenant: <BUNDLE_HOME>/setup/platform_conf/current/tenants/<TENANT_ID>/tenant_portal/ edit the file user-creation-group-profile-mapping.properties and add one line for each group-to-profile mapping. For example:

Contrary to the group path, the profile name is case sensitive even if the property bonita.runtime.authentication.passphrase-or-password.create-missing-user.lowerGroupsAndRoleNamesCase.enabled is set to true.

It is possible to condition the creation of the Bonita user account to the membership of a user to a specific group in the SSO’s Identity Provider.

In the file user-creation-group-mapping.properties, the property bonita.runtime.authentication.passphrase-or-password.create-missing-user.userAttribute.mandatoryGroup defines a group that the user must be part of in order to be able to log in on the application.
If the group is not present in the list of groups retrieved from the SAML response attributes or OIDC ID token of the user, then access is denied and the user is not created in Bonita. For example: