Microsoft Entra ID Authentication

Overview

This section provides instructions on how to configure WorkflowGen delegated authentication with Microsoft Entra ID (ME-ID) authentication via the Microsoft Identity Platform v2.0 or API endpoint v1 providers, and will show you how to set up a working WorkflowGen instance that uses ME-ID to authenticate your users.

Prerequisites

• Make sure to have a licensed copy of WorkflowGen installed and running on an IIS web server in HTTPS secure connection mode.

• You must be a WorkflowGen Administrator.

• Make sure to have ME-ID Administrator access to be able to configure ME-ID.

• Make sure to have provisioned an existing ME-ID user that you can authenticate with WorkflowGen and that the user has WorkflowGen Administrator permissions. This is important because once you've activated the delegated authentication with ME-ID, you'll still need to be able to manage the WorkflowGen web application.

• AES encryption mode and its key are required for the authentication to work.

Microsoft Entra ID configuration

The configuration of ME-ID is done in two parts. First, you have to register the WorkflowGen web application and link it to your instance of WorkflowGen; then, you have to register the WorkflowGen GraphQL API in order to be able to register other custom applications to access it.

Step 1: Create a new application registration for WorkflowGen

1. In the Azure portal, click App registrations in the Azure services section.

2. Click New registration, and fill in the properties form:

   • Name: WorkflowGen Web app

   • Supported account type: Account in this organizational directory only (Default Directory only - Single tenant)

     ✏️ Note: Depending on the context, you should choose the right option for your use case for the Supported account type value.

   • Redirect URI:

     • Platform: Web

     • Value: https://<workflowgen url>/auth/callback

     📌 Example: https://mycompany.com/wfgen/auth/callback

3. Click Register at the bottom of the page.

You should now see the WorkflowGen Web app application registration's overview page.

Step 2: Create a client secret for the application

Now, you have to generate a client secret to be used by the WorkflowGen OIDC authentication module.

1. Click Add a certificate or secret.

2. In the Client secrets section, click New client secret.

   • Description: My secret, or something to know that this is the client secret.

   • Expires: Choose 730 days (24 months) or your desired expiration period.

3. Click Add.

4. The auto-generated client secret is now displayed under the Value column. Copy the client secret value and save it somewhere safe, since you won't be able to retrieve it afterwards.

Step 3: Add a redirect URI

In order for the communication between the WorkflowGen instance and ME-ID to work, you need to add one more authorized redirect URI to the WorkflowGen Web app application registration.

1. Under Redirect URIs on the application's overview page, click Add a Redirect URI.

2. Enter the following information:

   • Redirect URI: https://<workflowgen url>/auth/logout/return 📌 Example: https://mycompany.com/wfgen/auth/logout/return ✏️ Note: You should also see https://<workflowgen url>/auth/callback in this list.

3. Click Save at the bottom of the section.

Step 4: Create a new application registration for WorkflowGen GraphQL API

In order to expose the WorkflowGen GraphQL API, you need to add a new application registration in ME-ID that will represent it. To do this:

1. In the Azure portal, click App registrations in the Azure services section.

2. Click New registration, and fill in the properties form:

   • Name: WorkflowGen GraphQL API

   • Supported account type: Account in this organizational directory only (Default Directory only - Single tenant)

   • Redirect URI: Leave this blank.

3. Click Register at the bottom of the page.

You've now successfully registered the WorkflowGen GraphQL API application in ME-ID.

Step 5: Expose the API in the WorkflowGen GraphQL API application registration

1. Click Expose an API.

2. To the right of Application ID URI, click Set and enter the URI https://<workflowgen url>/graphql 📌 Example: https://mycompany.com/wfgen/graphql

3. Click Save.

4. Click Add a scope and enter the following information:

   • Scope name: default

   • Who can consent?: Admins and users

   • Admin consent display name: Default access to the WorkflowGen GraphQL API

   • Admin consent description: Allows the application to get access to WorkflowGen GraphQL API.

   • User consent display name: Default access to the WorkflowGen GraphQL API

   • User consent description: Allows the application to get access to WorkflowGen GraphQL API.

5. Click Add scope.

You should now have a new scope defined (e.g. https://<workflowgen url>/graphql/default).

Step 6: Grant WorkflowGen access to WorkflowGen GraphQL API

1. On the WorkflowGen Web app application registration page, click API permissions.

2. Click Add a permission, then select the tab My APIs.

3. Click the WorkflowGen GraphQL API application in the list.

4. Click Delegated permissions and check default under the Permission column.

5. Click Add permissions.

6. On the API permissions page, click Grant admin consent for <your tenant name>, then click Yes.

Review the registrations

You should now have all of the information you need to configure your WorkflowGen instance to delegate authentication to Microsoft Entra ID Here's a review:

• A client ID. This is the application (client) ID of the WorkflowGen Web app application registration in ME-ID. You can find it on its Overview page.

• A client secret. This is the secret previously generated in step 2 for the WorkflowGen Web app.

• An audience. This is the Application ID URI property (e.g. https://<workflowgen url>/graphql) in the Expose an API section of the WorkflowGen GraphQL API application registration.

• The metadata endpoint URL. This URL is bound to your ME-ID directory. To find it:

  1. Go to the Overview page and copy the Tenant ID value.

  2. The metadata endpoint URL is built by replacing <Tenant ID> with your Tenant ID as follows: For Microsoft Identity Platform v2.0 (recommended):

     Copy

     https://login.microsoftonline.com/<Tenant ID>/v2.0/.well-known/openid-configuration

     For Azure v1:

     Copy

     https://login.microsoftonline.com/<Tenant ID>/.well-known/openid-configuration

By now, you should have all the information needed to link your WorkflowGen instance to ME-ID.

WorkflowGen configuration

Now, you have to configure WorkflowGen to delegate its authentication to ME-ID.

Step 1: Add Microsoft Entra ID values to the WorkflowGen web.config

1. Open the WorkflowGen web.config file and add and/or update the following properties under <appSettings> For Microsoft Identity Platform v2.0 (recommended):

   Copy

   <!-- Microsoft Identity Platform v2 -->
   <add key="ApplicationSecurityAuthProvider" value="ms-identity-v2"/>
   <add key="ApplicationSecurityAuthClientId" value="<CLIENT ID>" />
   <add key="ApplicationSecurityAuthClientSecret" value="<CLIENT SECRET>" />
   <add key="ApplicationSecurityAuthMetadataUrl" value="<METADATA URL>" />
   <add key="ApplicationSecurityAuthAppIdClaim" value="appid" />
   <add key="ApplicationSecurityAuthUsernameClaim" value="preferred_username" />
   <add key="ApplicationSecurityAuthClockTolerance" value="60" />
   <add key="ApplicationSecurityAuthSessionRefreshEnableIFrame" value="Y"/>
   <add key="ApplicationSecurityAuthAccessTokenUsernameClaim" value="upn" />
   <add key="ApplicationSecurityAuthAdditionalScopes" value="https://<workflowgen url>/graphql/default" />

   For Azure v1:

   Copy

   <!-- Azure v1 auth -->
   <add key="ApplicationSecurityAuthProvider" value="azure-v1"/>
   <add key="ApplicationSecurityAuthClientId" value="<CLIENT ID>" />
   <add key="ApplicationSecurityAuthClientSecret" value="<CLIENT SECRET>" />
   <add key="ApplicationSecurityAuthMetadataUrl" value="<METADATA URL>" />
   <add key="ApplicationSecurityAuthAppIdClaim" value="appid" />
   <add key="ApplicationSecurityAuthUsernameClaim" value="upn" />
   <add key="ApplicationSecurityAuthClockTolerance" value="60" />
   <add key="ApplicationSecurityAuthSessionRefreshEnableIFrame" value="Y"/>
   <add key="ApplicationSecurityAuthCheckSessionUrl" value="<CHECK SESSION URL>" />

   ✏️ Note: Check session iFrame (e.g. ApplicationSecurityAuthCheckSessionUrl) is not supported in Microsoft Identity Platform v2.0.

2. Replace <CLIENT ID> with the WorkflowGen Web app application (client) ID from ME-ID.

3. Replace <CLIENT SECRET> with the WorkflowGen Web app application registration's generated secret from ME-ID.

4. Replace <METADATA URL> with the metadata endpoint URL that you built earlier from your ME-ID's Tenant ID value.

5. For Microsoft Identity Platform v2.0, replace <workflowgen url> with your WorkflowGen URL in the value of the ApplicationSecurityAuthAdditionalScopes key (e.g. https://mycompany.com/wfgen/graphql/default) if you have configured the WorkflowGen GraphQL API application registration (steps 4 through 6). Otherwise, remove the ApplicationSecurityAuthAdditionalScopes key completely.

6. For Azure v1, replace <CHECK SESSION URL> (which is usually https://login.microsoftonline.com/<Tenant ID>/oauth2/checksession) with the value of the metadata endpoint's check_session_iframe property. To do this, you'll have to make an HTTP GET request to your metadata endpoint URL (e.g. https://login.microsoftonline.com/<Tenant ID>/.well-known/openid-configuration), then copy and paste the value. See the examples below on how to request the metadata endpoint.

   Linux/macOS request example:

   Copy

   curl "<METADATA URL>" | python -m json.tool

   ✏️ Note: Remove | python -m json.tool if you don't have Python; this is for pretty printing.

   Windows PowerShell request example:

   Copy

   Invoke-RestMethod -Uri "<METADATA URL>" -Method GET | ConvertTo-JSONTable of web.config options

WorkflowGen should now be linked to your ME-ID. The last thing left to do is to configure a few more options in order to finish the internal wiring of WorkflowGen so that it can delegate its authentication.

Step 2: Add security values for the WorkflowGen session token generation

WorkflowGen uses an internal session token to manage the user session and identify the current user for all the HTTP requests made to the web application after the user has logged in to ME-ID. In order to generate a session token, you need to add a few more settings to the web.config.

1. Open the WorkflowGen web.config file and add and/or update the following property under <appSettings>:

   Copy

   <add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="<SECRET>" />

2. Replace <SECRET> with a custom value that can't be guessed, such as a UUID or a complex password.

The secret will be only accessible inside your instance of WorkflowGen, so when generating a session token, WorkflowGen will sign it with this secret in order to check the validity of all session tokens passed to it.

Step 3: Activate the authentication delegation module

You now need to activate the delegation by replacing the authentication system in IIS and pointing WorkflowGen's modules to the correct authentication module.

Configure IIS

1. In IIS Manager, click on the WorkflowGen website in the tree view.

2. Click the Authentication button.

3. Enable Anonymous Authentication, and disable all other authentications.

4. Perform these steps for all sub-applications as well.

Add properties to the web.config files of sub-applications

Certain sub-applications need to have their authentication checked by the special Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other sub-applications (such as /wfgen/auth, /wfgen/hooks and /wfgen/scim) should not because they are either public or aren't part of the global authentication system.

1. Add the following property to the WorkflowGen web.config file:

   Copy

   <configuration>
    <system.webServer>
        <modules>
            <add name="ApplicationSecurityAuthenticationModule" type="Advantys.Security.Http.JWTAuthenticationModule" />
        </modules>
    </system.webServer>
   </configuration>

2. If you have developed custom web forms with their own \bin folders, you have to copy the following .NET assemblies and dependency libraries from \wfgen\bin to each custom web form's \bin folder (\wfgen\wfapps\webforms\<custom webform>\bin):

   • Advantys.My.dll

   • Advantys.Security.dll

   • Newtonsoft.Json.dll

   • jose-jwt.dll

Calling third-party APIs with the shared access token

By default, the only recipient of the access token is the WorkflowGen GraphQL API application. This means that the access token can only be used to send queries to the GraphQL API only. In order to use the same access token to call your own APIs from WorkflowGen (e.g. web forms), you will need to perform the following steps in your Azure portal, and then modify the WorkflowGen web.config file.

In your Azure portal:

Step 1: Add a new application registration that represents all your APIs

1. In the Azure portal, click App registrations in the Azure services section.

2. Click New registration, and fill in the properties:

   • Name: My APIs

   • Supported account types: Account in this organizational directory only (Default Directory only - Single tenant) ✏️ Note: Depending on the context, you should choose the right option for your use case for the Supported account type value.

   • Redirect URI: Leave this blank

3. Click Register at the bottom of the page.

Step 2: Expose your APIs in the registration

1. Click Expose an API.

2. To the right of Application ID URI, click Set and enter the URI api://my-apis.

3. Click Save.

4. Click Add a scope and enter the following information:

   • Scope name: wfgen-graphql-full-access

   • Who can consent?: Admins and users

   • Admin consent display name: Full access to the WorkflowGen GraphQL API

   • Admin consent description: Allows the application to get access to WorkflowGen GraphQL API.

   • User consent display name: Full access to the WorkflowGen GraphQL API

   • User consent description: Allows the application to get access to WorkflowGen GraphQL API.

5. Click Add scope.

6. Add any other scopes that seem necessary for your other APIs.

Step 3: Add an application role

1. Click Manifest.

2. Find the appRoles JSON property and add the following JSON object to the JSON array:

   Copy

   {
     "allowedMemberTypes": [
       "Application"
     ],
     "description": "Allows the application to get access to WorkflowGen GraphQL API.",
     "displayName": "wfgen-graphql-full-access-role",
     "id": "<NEW ID>",
     "isEnabled": true,
     "lang": null,
     "origin": "Application",
     "value": "wfgen-graphql-full-access-role"
   }

   ✏️ Note: Replace <NEW ID> with the value generated by the [guid]::NewGuid().ToString() PowerShell command or use any GUID generators.

3. Click Save.

Step 4: Grant WorkflowGen access to My APIs application

1. On the WorkflowGen Web app application registration page, click API permissions.

2. In the Configured permissions section, click Add a permission.

3. Click My APIs, then select the My APIs application in the list.

4. Click Delegated permissions and check wfgen-graphql-full-access under the Permission column.

5. Click Add permissions.

6. On the API permissions page, click Grant admin consent for <your tenant name>, then click Yes.

Step 5 (optional): Grant your automated applications in Azure (client credentials flow) access to the My APIs application

For each of your automated applications in Azure (e.g. server-side script, background service, or application) that requires access to the My APIs application, do the following:

1. Go to the application's registration page, then click API permissions.

2. In the Configured permissions section, click Add a permission.

3. Click My APIs, then select the My APIs application in the list.

4. Click Application permissions and check wfgen-graphql-full-access-role under the Permission column.

5. Click Add permissions.

6. On the API permissions page, click Grant admin consent for <your tenant name>, then click Yes.In the WorkflowGen web.config file:

Open the WorkflowGen web.config file, add and/or update the following application settings, then save the file:

<add key="ApplicationSecurityAuthAudience" value="api://my-apis"/>
<add key="ApplicationSecurityAuthAdditionalScopes" value="api://my-apis/wfgen-graphql-full-access" />
<add key="ApplicationSecurityAuthGraphQLScope" value="wfgen-graphql-full-access" />
<add key="ApplicationSecurityAuthGraphQLAppRole" value="wfgen-graphql-full-access-role" />

.NET Web Forms Access Token Helper

The WorkflowPage class in the WorkflowGen.My library provides a public CurrentUserAccessToken method to easily retrieve the current user's shared access token that can be used to query the GraphQL API and your third-party APIs. See the snippet code below.

protected void Page_Load(object sender, EventArgs e)
{
    base.Page_Load(sender, e);

    string accessToken = this.CurrentUserAccessToken();

    // Use accessToken to query GraphQL API or your third-party APIs...
}