1 of 25

8.3 WorkflowGen Technical Guide

This guide covers all of the procedures involved in the installation and maintenance of WorkflowGen. It's intended mainly for system administrators who'll be required to install or carry out maintenance of the application.

System Requirements

End-users

The WorkflowGen Administration Module and User Portal are fully web-based applications. The requirements are as follows:

Operating systems

Windows 11
macOS

Web browsers

Chrome
Firefox
Edge
Safari

Display

1280 × 800 or higher resolution
For form design, the suggested minimum resolution is 1366 × 768

Web server

The system requirements for the web server hosting WorkflowGen are as follows:

Operating systems

Windows Server 2012 or later (all releases)
Windows 11 (recommended for development environments only)

Web server

Microsoft IIS 10 or higher
.NET Framework 4.8
(requires IIS)

Server options to enable

These options are located in the Server Manager console in Windows Server, and in Windows Features in Windows 11.

Server role

Web server (IIS)

Features

.NET Framework 4.8 features:
- .NET Framework 4.8
- ASP.NET 4.8

Web Server role (IIS) / Role services

Security:
- Basic Authentication
- Integrated Windows Authentication (optional)
Application development:

Minimum hardware configuration

Quad-core processor
8 GB RAM
SATA hard disk with 40 GB free

See the guide for up-to-date server specifications based on your planned usage of the system.

Node.js-based web applications

To use the optional GraphQL, incoming webhooks, OpenID Connect Auth, and SCIM APIs, you must first install the following requirements:

✏️ Note:

Database server

The system requirements for the database server hosting the WorkflowGen database are as follows:

Hardware specifications

Quad-core processor
8 GB RAM
SATA hard disk with 40 GB free

Database servers supported

Microsoft SQL Server 2016 and Express Edition
Microsoft SQL Server 2017 and Express Edition
Microsoft SQL Server 2019 and Express Edition
Microsoft SQL Server 2022 and Express Edition

The WorkflowGen database only supports SQL_Latin1_General_CP1_CI_AS collation. Make sure your database is configured to use this specific collation before creating it.
Oracle database is no longer supported as of WorkflowGen 7.16.0.

See the guide for up-to-date server specifications based on your planned usage of the system.

Authentication methods and directory synchronization

Authentication methods

Integrated Windows or IIS Basic (Active Directory)
Applicative (WorkflowGen)
Forms
Custom (SSO: single sign-on)

Directory synchronization

Active Directory (supports all releases of Windows Server 2012 and later)
LDAP-compatible directory
Text files
SCIM

Notifications and XML syndication

Email notifications

Email notifications are sent via SMTP protocols (Exchange and Lotus Notes are compatible).
Any email client can receive WorkflowGen notifications.
Email layout and content can be customized in HTML or plain text.

For best performance, the IIS SMTP gateway should be used (see ).

XML syndication

WorkflowGen provides an XML RSS feed (called the Portlet) to embed WorkflowGen data into existing web portals. See the for more information.

Product Technical Components

Overview

WorkflowGen is a Microsoft Active Server Pages .NET (ASP.NET 4) application. It includes:

.aspx files

Setup

Preparation

You must be administrator of the web server. Using a local administrator account is recommended. You must know:

The physical path on the web server where the WorkflowGen web application will be installed.
The physical path on the web server where WorkflowGen Windows services will be installed.
The URL of the web server where WorkflowGen will be installed.
MS SQL Server database:
- The name of the MS SQL Server.
- The credentials of the SA account.
- The file path of the SQL Server database files on the SQL server machine.
The name or IP address of the SMTP gateway (it's recommended to use the IIS SMTP gateway; see ).
The default sender email address for notifications.
The authentication method you want to use for WorkflowGen web applications.

PowerShell Installation

Overview

The following procedure applies to the WorkflowGen PowerShell installation, which is only compatible with:

Azure SQL Database

WorkflowGen Windows Services & License Activation

WorkflowGen engine service

Automatic task execution (e.g. overdue exceptions and notifications management) is provided by this Windows Service. This service is installed by the setup and is started automatically after installation. (Refer to WorkflowGen Windows Services installation if the manual installation procedure was used.)

If errors occurred while the service is running, those errors will appear in the Event Viewer (source: WorkflowGenEngineService) accessible in the Windows Administrative Tools. All the messages related to this service will be displayed in the Windows Logs / Application section.

To manage this Windows service execution, open Administrative Tools / Services, then select and open WorkflowGen Engine (WorkflowGenEngineService).

WorkflowGen directory synchronization service

The automatic user and group synchronization is provided by this Windows Service, which is installed by the setup and started automatically after installation. (Refer to if the manual installation procedure was used.)

If errors occurred while the service is running, those errors will appear in the Event Viewer (source: WorkflowGenDirSyncService) accessible in Windows Administrative Tools. All messages related to this service will be displayed in the Windows Logs / Application section.

To manage this Windows service execution, open Administrative Tools / Services, then select and open WorkflowGen Directory Sync (WorkflowGenDirSyncService).

Troubleshooting

After a WorkflowGen version upgrade or system change (such as a server update or configuration change), the automatic directory synchronization can fail with the error message The license file is missing, invalid or your trial period has expired.

To resolve this issue, perform the following checks on your WorkflowGen system:

Verify that there is only one license file (.lic) in the wfgen\bin folder.
Verify that the license file (.lic) is not locked; if so, unlock it.
Verify that the two WorkflowGen service execution files (WfgDirectoriesSyncService.exe

License activation

Overview

You must have a trial, Developer, or Enterprise license to activate WorkflowGen.

You must have a serial number to activate the Developer and Enterprise versions of WorkflowGen. If you don't have one, contact your vendor.

How to activate WorkflowGen

Install the license file

Remove all current .lic files from the DRIVE:\Inetpub\wwwroot\wfgen\bin folder.
Copy your .lic file to the DRIVE:\Inetpub\wwwroot\wfgen\bin folder.
Make sure the license file inherits the security settings.

Add the serial number to the `web.config` file

For the Developer and Enterprise editions of WorkflowGen, you must edit the web.config file located in the DRIVE:\Inetpub\wwwroot\wfgen folder.

Edit the \Inetpub\wwwroot\wfgen\web.config file.
Set your serial number as the value of the ApplicationSerialNumber parameter.

License per user

If you have a license per user, you cannot exceed the maximum number of users supported by your license, otherwise you will receive an error message when you try to launch a new request. However, user management will still be accessible.

If you want to import several users from your enterprise directory (Active Directory, LDAP, etc.), and since only active users are considered, you can choose between the following cases:

If your enterprise directory has fewer users than the maximum number of users supported by your WorkflowGen license, then you can import all of your users with the option New user default status set to Active.
If your enterprise directory has more users than the maximum number of users supported by your WorkflowGen license, then you should import all your users with New user default status set to Inactive and set the Self activation option as follows:
- If you want to manually activate users authorized to use WorkflowGen, uncheck the

Tests & Additional Configurations

Tests

Web app addresses

Check the following URLs with the wfgen_admin user account:

User Portal: http://[yoursite]/wfgen
Administration Module: http://[yoursite]/wfgen/admin

If you're unable to log in, verify the web.config file in the root folder of the WorkflowGen application (usually DRIVE:\Inetpub\wwwroot\wfgen) and validate that the MainDbSource connection string contains the correct database connection information including server, database name, user, and password.

Test sample processes

You can create processes using the list of built-in process samples.

Additional configurations

You can change the security configuration (such as the authentication method) by following the instructions in the section.

Not all of the required WorkflowGen configuration parameters are defined in this setup. It's recommended that you update all other parameters in the Administration Module Configuration Panel after this setup. For more information, see the .
You can configure the time zone and language of new users through the Administration Module Configuration Panel. You can also access the Configuration Panel directly through the URL http://[yoursite]/wfgen/admin/Config.aspx once the setup is complete and the website is running.

Advanced Configurations

These sections contain instructions on how to set up certain advanced WorkflowGen configurations.

File Storage

Overview

WorkflowGen stores files (such as attachments to a request) in a folder tree structure. By default these files are stored on the web server in the folder specified in the ApplicationDataPath parameter in the configuration file (web.config), e.g. <add key="ApplicationDataPath" value="\\SERVER\SHARE$\wfgen\App_Data" />.

The default value is empty and thus will point to the physical directory DRIVE:\Inetpub\wwwroot\wfgen\App_Data. The default is to keep all the files on the web server.

You might need to move this storage folder location to a dedicated file server for the following reasons:

High volume (large attachments, document archiving, high usage level)
Web Farm architecture implementation (see )

Basic configuration allows you to easily move these files, but with a low security level.

Basic configuration

The following steps must be followed to configure your web server:

Create the storage folder on the file server DRIVE:\FOLDER (e.g. D:\filepub).
Re-create the folder tree structure relative to the file storage location:
- DRIVE:\FOLDER\wfgen\App_Data

Database file storage mode

Overview

This feature allows process file data (including attachments) to be stored in the database. It allows you to perform WorkflowGen data backup without interrupting service, so that WorkflowGen can still be used during the backup.

Setup and configuration

WorkflowGen web configuration

Set the ApplicationDefaultProcessDataFileStorageMethod parameter to File to store process data files in the file system, or set it to Database to store process data files in the database.

This parameter will define the default process data file storage method when creating a new process or importing a process XPDL of previous version.

Usage

Each process version can have the process data file storage method set independently. This will allow different processes using the file system or database storage method.

New process

On the Process information tab:

Check the Process data storage option Store file content in database to enable the database file storage method.
Uncheck the Process data storage option to disable the database file storage method. This will then use the file system storage method.

Existing process

On the Process information tab:

Uncheck the Process data storage option to disable the database file storage method. This will then use the file system storage method.

When changing the process data storage method, the following rules must be applied:

There should be no existing requests using the previous process data storage method. You can either delete existing requests or create a new version of the process.
There should be no existing FILE type process data with the default file value using the previous process data storage method. You can delete all default file values, change the process data storage method, and re-upload the default file values into the process data.

Additional information

Temporary files

For a Web Farm architecture, file storage must be centralized in a common shared storage path. The settings in the section must be applied for temporary files.

In the database file storage method, WorkflowGen will still create temporary files in the \wfgen\App_Data folder (ApplicationDataPath) to be used by requests and actions at runtime.

These temporary files will be automatically deleted when the requests or actions are completed.

Custom asynchronous system action

To ensure data integrity and 24-hour / 7-days-a-week operation time in database file storage method, your custom asynchronous system action that uses FILE IN parameters must also save the file content in your custom application database when the file is referenced later by your action.

This will ensure that the file will still exist and can be used later by your asynchronous system action, since only the WorkflowGen database and your custom application database are backed up.

Web Farm Architecture

Overview

To allow higher availability and scalability, you can install WorkflowGen in a Web Farm architecture. The application is therefore installed on several servers, but the database and file storage directory are centralized on one dedicated server.

User requests are automatically routed to different servers depending on their load and availability. You can choose between different methods of load balancing such as DNS Round Robin or set up a hardware load balancer.

Configuring Multiple Instances of WorkflowGen

Overview

This section describes how to configure multiple instances of WorkflowGen on the same web server. Each instance of WorkflowGen also requires a dedicated license. This section assumes that you've already installed separate instances of WorkflowGen as described in the section.

For instructions on how to configure multiple instances of WorkflowGen on

Custom Language Support & Layout

Overview

You can customize WorkflowGen according to your language and, if applicable, the required language layout.

Customizing the resource files

To customize the resource files for your language, first make copies of the .resx files in the following folders:

\wfgen\App_GlobalResources
\wfgen\WfApps\WebForms\App_GlobalResources
\wfgen\ws\App_GlobalResources

Append the file name with the language code and, if needed, a hyphen followed by the country code; for example, .ar-AE for Arabic and United Arab Emirates. Then, customize the resource files as needed.

Customizing the CSS files

If the custom language requires a different layout, such as right-to-left text, customize the CSS files as needed using the method in the previous section.

SMTP Notifications

Using an IIS SMTP gateway

Using a local IIS SMTP gateway is strongly recommended to improve performance. A local SMTP gateway is configured to forward emails to the enterprise SMTP gateway ("smart host") only, so the current enterprise security will be applied.

There are several advantages to using an SMTP relay at the IIS WorkflowGen server:

Better performance, since messages are sent directly to the relay.

Synchronizing a Directory in Command Line

Overview

The automatic user and group synchronization is provided by this Windows service. This service is installed by the setup pack and started automatically after installation.

Installation

SQL Reporting Module

Overview

The WorkflowGen SQL reporting module uses SQL views to gather important information about your users, requests, and actions, allowing you to create custom data reports.

Technical requirements

Azure Integration

See the WorkflowGen for Azure guide for instructions on:

Microsoft Entra ID synchronization: How to configure WorkflowGen users and groups synchronization using Microsoft Entra ID (formerly Azure Active Directory).
Microsoft Entra ID authentication: How to configure WorkflowGen authentication using OpenID Connect and Microsoft Entra ID.
Microsoft Entra ID configuration for WorkflowGen Plus v2: How to authorize access to the WorkflowGen Plus v2 mobile app using OpenID Connect and Microsoft Entra ID.
Microsoft Entra ID configuration for server-side scripts: How to authorize WorkflowGen access to server-side scripts using OpenID Connect and Microsoft Entra ID.
Microsoft Entra ID configuration for single-page applications: How to authorize WorkflowGen access to single-page applications using OpenID Connect and Microsoft Entra ID.
Azure SQL database configuration: How to configure the WorkflowGen database using Azure SQL database.
Read Scale-Out: How to configure the optional Read Scale-Out feature.
Azure Load Balancer: How to configure Azure Load Balancer for higher availability and greater scalability.
Azure Files: How to configure an Azure Files share to use in WorkflowGen.
Azure SendGrid SMTP configuration: How to configure an Azure SendGrid SMTP with WorkflowGen.
Generating a universal link for WorkflowGen Plus v2: How to generate a universal link to simplify the WorkflowGen Plus v2 mobile app user login.

Gardian Integration

Overview

This section contains instructions on how to to configure WorkflowGen delegated authentication with Gardian.

The Gardian configuration process closely mirrors that of Okta. To set up Gardian, begin by following the instructions in the section, substituting the values with Gardian service provider specifications where needed. After completing those steps, return to this section for configuration details specific to Gardian.

Database Authentication & Scaling

Database authentication

Using Windows Authentication instead of SQL Server Authentication

You can set up your SQL Server connection to use Windows Authentication (SSPI) instead of SQL Server Authentication for the WorkflowGen back-end database and other external databases. This SQL authentication mode provides additional security, since no credentials are stored in the web.config file.

To configure Windows Authentication, use one of the following connection strings in the WorkflowGen web.config file, located in the DRIVE:\Inetpub\wwwroot\wfgen folder:

You'll also need to modify the WorkflowGen application pool identity for a service account. To do this:

In IIS Manager, right-click on the WorkflowGen application pool, then select Advanced Settings.
In the Process Model section, select Identity, then click the ... button.
Select Custom Account, then click Set...

For more information on SQL Server connection strings, see .

Database scaling

Overview

The database scaling feature allows for the addition of database servers in order to dramatically improve server performance and response times. The additional read-only replica database servers will be used as dedicated read-only servers (SELECT SQL queries). The read-only database servers are replicated from the existing primary database using the SQL Server Replication service.

Requirements

Overview

SQL Server 2014 or later for all database servers
SQL Server Replication feature must be installed on all SQL Server instances
SQL Server Agent must be installed and configured on all SQL Server instances

Setup and configuration

Overview

This section provides a general procedure for configuring the SQL Server Replication service on all the SQL Server instances and enabling the WorkflowGen web server in database scaling mode. This procedure is an example based on one WorkflowGen instance and two database server instances architecture.

If your current architecture differs from this example, you can adapt the procedure and some specific configuration options according to your needs.

Your current WorkflowGen environment must meet the following prerequisites:

The initial WorkflowGen database is already installed on the primary database instance.
The read-only database instance does not contain an existing WorkflowGen database.
The WorkflowGen web server is fully configured and allows access to the Administration Module with a WorkflowGen administrator account.

SQL Server configuration options

It is mandatory to update the SQL Server's max text repl size configuration option with a higher value in order for the database replication to function properly. We recommend setting this to the maximum value of 2147483647 instead of the default value of 65536.

Run the following SQL statements in the source (primary) and destination (read-only) SQL Server database instances (this example uses SQL Server 2008):

For more information, see and select your version of SQL Server from the drop-down menu.

SQL Server replication services

To set up a publication on the primary database:

Open SQL Server Management Studio.
Connect to the primary database instance.
Open the Replication node.
Right-click on Local Publications and choose New Publication. The New Publication Wizard will open. Click Next.

To set up a subscription on the read-only database:

Open SQL Server Management Studio.
Connect to the read-only database instance.
Open the Replication node.
Right-click on Local Subscriptions and choose New Subscription. The New Subscription Wizard will open. Click Next.

The WFGEN_USER account will be used in the connection string for the WFGEN read-only database in WorkflowGen.

Database scaling in WorkflowGen

Enable the multi-database mode in WorkflowGen:

In the WorkflowGen Administration Module, open the Configuration Panel and select the General tab.
In the Read-only database connection string field, enter the WorkflowGen connection string of the read-only database instance.
Check Enable on Multi-database to turn on the database scaling feature.

References

For more information on SQL Server replication, see and select your version of SQL Server from the drop-down menu.
For more information on the SQL Server max text repl size option, see and select your version of SQL Server from the drop-down menu.

Manual Installation

Overview

The following procedure applies to the setup using the WorkflowGen manual installation pack.

The web server and database server requirements must be met before proceeding with the following installation.

Installation pack

Start by extracting the manual installation pack (.zip) to a temporary folder on the WorkflowGen web server (e.g. DRIVE:\temp).

The installation pack contains these folders:

Databases: The MS SQL Server database creation scripts
Inetpub: The WorkflowGen application files
Program Files: The WorkflowGen Windows services application file

WorkflowGen files and folders architecture

The recommended physical directory structure for WorkflowGen web application files and folders should be under DRIVE:\Inetpub\wwwroot\wfgen. This folder contains static resources such as images, HTML files and process data, and the applications used by WorkflowGen.

Copy the source \Inetpub folder to your destination DRIVE:\ (e.g. DRIVE:\Inetpub\wwwroot\wfgen).
Copy the source Advantys folder (\Program Files\Advantys) to your destination DRIVE:\Program Files (e.g. DRIVE:\Program Files\Advantys\WorkflowGen\Services\bin).

Database creation

WorkflowGen does not support case sensitive collation, so you must set up the database to be case insensitive to avoid errors.

MS SQL Server configuration

Option 1: Create the database manually using the `create.sql` SQL script

Open the SQL Server Management Studio tool and connect to your database server with an administrator account (e.g. SA).
Create a new database (e.g. WFGEN).
Create a new SQL Server user account (e.g. WFGEN_USER).

Option 2: Create the database manually using SQL scripts

Open the SQL Server Management Studio tool and connect to your database server with an administrator account (e.g. SA).
Create a new database (e.g. WFGEN).
Create a new SQL Server user account (e.g. WFGEN_USER).

Azure SQL database configuration

Azure SQL database needs to be created and configured manually; see the section in the guide for instructions on how to do this.

WorkflowGen Administrator account setup

WorkflowGen requires a valid Windows NT or Active Directory account. This account will be used by the WorkflowGen Administrator, but it's not necessary to define it as an NT or Active Directory Administrator.

You can use an existing user account or create a new user account with the name Domain\wfgen_admin.
If you use a different account name other than wfgen_admin, then you MUST change the WorkflowGen Administrator

WorkflowGen web configuration

Open and edit the DRIVE:\Inetpub\wwwroot\wfgen\web.config WorkflowGen web configuration file.
Update the database connection string:
- MS SQL Server: <add name="MainDbSource" connectionString="Data Source=localhost;Initial Catalog=WFGEN;User ID=WFGEN_USER;Password=Admin123!;" providerName="System.Data.SqlClient" />

For more information about the other configuration settings, see the appendix.

WorkflowGen Windows Services installation

The user or identity used to run WorkflowGen Windows Services must be an administrator, be part of the Administrators group, or be a Windows system account (such as Local System). You can check this by running services.msc.
If you've specified a custom installation path for the services, you'll need to update the path inside the DRIVE:\Program Files\Advantys[Custom WorkflowGen]\Services\bin\winsvc-install.cmd

Installation

Open and edit the DRIVE:\Program Files\Advantys\WorkflowGen\Services\bin\WfgWorkflowEngineService.exe.config Engine service configuration file.
Update the WorkflowGen web configuration path (e.g. <add key="WebConfigPath" value="DRIVE:\inetpub\wwwroot\wfgen\web.config" />).
Open and edit the DRIVE:\Program Files\Advantys\WorkflowGen\Services\bin\WfgDirectoriesSyncService.exe.config Directory Synchronization service configuration file.

Configuring IIS

Creating the application pool

It's recommended that WorkflowGen be isolated from other applications by creating its own application pool and associating all declared applications with the new application pool.

Domain users and the Windows accounts used to run the WorkflowGen IIS application pool and Engine service must have read and write permissions for the \wfgen\app_data folder.

In IIS Manager, click Application pools. In the right-hand pane, right-click and choose Add application pool, then give it a name (e.g. WorkflowGen).
Select the .NET Framework 4 version.
Select Integrated pipeline mode.

Creating the website (if WorkflowGen is set up on a new website)

Launch IIS Manager and expand the tree structure under the IIS server name where you want to create the new site.
Right-click on the Sites icon and choose Add Web Site. Enter the name of the site, select its application pool (if other than the default), and enter the physical path of the root (click Browse and select the \wwwroot folder, usually DRIVE:\inetpub\wwwroot\).

Configuring the website

Default document

The default.aspx default document type must be created if it doesn't exist. By default, this default document should exist on an IIS server running .NET.

To verify this, click the site's icon and ensure that the pane on the right-hand side shows the Features view (the tab at the bottom of the pane allows you to switch between Features and Content). Double-click the Default document icon. If default.aspx is missing from the list, add it to the beginning of the comma-separated list displayed. To improve performance, you can move default.aspx to the beginning of the list if it's not already there.

Authentication

Click the site's icon and ensure that the pane on the right-hand side shows the Features view.
Double-click the Authentication icon.
Right-click on Anonymous authentication and choose Disable.

Creating the WorkflowGen application

In IIS Manager, right-click on wfgen under the \wwwroot folder and select Convert to application.
Select the WorkflowGen application pool if it's not the default, then click OK.

Creating workflow applications and services

The \wfgen\ws and \wfgen\WfApps\WebForms applications within WorkflowGen must be created. To do this, repeat the same steps you performed for \wfgen in the previous section.

ISAPI and CGI restrictions

If you're using IIS 8 and above and your application pool is set to use Classic Managed Pipeline Mode, make sure ASP.NET v4.0.30319 is set to Allowed in the IIS manager ISAPI and CGI Restrictions list.

Application files access configuration

File permissions

File permission settings can be configured as follows for the WorkflowGen application identity:

DRIVE:\Inetpub\wwwroot\wfgen: Modify all

According to your authentication method (see ), the WorkflowGen application identity can be:

The corresponding Windows users
The ASP.NET or IIS application pool identity

Configuring the WorkflowGen root website to auto-redirect to the `wfgen` web app

If you'd like your WorkflowGen root website (e.g. https://server) to auto-redirect to the https://server/wfgen web app, follow the procedure below.

As of version 7.15.0, the PowerShell setup comes with this configuration pre-installed on your WorkflowGen server. This procedure is only applicable when installing WorkflowGen manually or upgrading an existing previous WorkflowGen server.

Make sure the tool is installed on your WorkflowGen server.
Create or update the web.config file in your website's root folder (e.g. DRIVE:\inetpub\wwwroot\web.config). ⚠️ Warning: This is not the same web.config file as the main WorkflowGen web.config file (located in DRIVE:\inetpub\wwroot\wfgen\web.config).

WorkflowGen Node.js-based web applications

To use the optional GraphQL, incoming webhooks, OpenID Connect Auth, and SCIM APIs, you must first install the following requirements:

After enabling GraphQL, incoming webhooks, OpenID Connect Auth, or SCIM, the WorkflowGen DLLs will be in use by Node.js, so they will be locked from being updated. In order to update the DLLs, it's necessary to stop IIS.

Enabling WorkflowGen GraphQL

In IIS, convert /wfgen/graphql to an application with a .NET 4 application pool (integrated pipeline).
Configure the GraphQL application authentication mode:
- For Windows or Basic authentication: Enable Basic authentication.

Enabling WorkflowGen incoming webhooks

In IIS, convert /wfgen/hooks to an application with a .NET 4 application pool (integrated pipeline), and configure the webhook application in Anonymous authentication mode.

If your WorkflowGen is configured to use WorkflowGen Applicative authentication or a custom authentication, you must remove the authentication module from the /hooks/web.config file by defining a <location> node within the <configuration> node as follows:

Enabling WorkflowGen OpenID Connect Auth

In IIS, convert /wfgen/auth to an application with a .NET 4 application pool (integrated pipeline), and configure the application in Anonymous authentication mode.

If your WorkflowGen is configured to use WorkflowGen Applicative authentication or a custom authentication, you must remove the authentication module from the /auth/web.config file by defining a <location> node within the <configuration> node as follows:

Enabling WorkflowGen SCIM

In IIS, convert /wfgen/scim to an application with a .NET 4 application pool (integrated pipeline), and configure the application in Anonymous authentication mode.

If your WorkflowGen is configured to use WorkflowGen Applicative authentication or a custom authentication, you must remove the authentication module from the /scim/web.config file by defining a <location> node within the <configuration> node as follows:

Security

Overview

This section details the different methods to authenticate WorkflowGen users. Choose one of them according to your needs and apply the required settings to implement it with your WorkflowGen instance.

Authentication methods

Open ID Connect

(formerly Azure Active Directory)

Classic authentication methods

(ensured by IIS)
(ensured by IIS)
(ensured by HttpModule)
(ensured by HttpModule)

Authentication method support by application

The WorkflowGen server and mobile applications can be configured to use OpenID Connect (OIDC) compliant or classic authentication methods. The following table shows the authentication methods supported by the different WorkflowGen applications:

* Except Microsoft Identity Platform v2.0.

Classic authentication method configuration

See below for information and instructions on how to configure the classic non-OIDC , , , , and authentication methods.

Which classic authentication method to choose?

If you don’t know which authentication method to choose, follow the procedures below based on your situation:

If all WorkflowGen users are managed in Active Directories, which is accessible from the web server hosting WorkflowGen, then you can choose one of these authentication methods:
- Integrated Windows authentication (ensured by IIS)
- IIS HTTP Basic authentication (ensured by IIS)
If item 1 above applies to your situation, and you want to provide transparent authentication by using the current Windows session of the users, choose the following authentication method:

For all HTTP basic and form authentication modes, it's strongly recommended to use SSL because passwords are not encrypted.

Integrated Windows authentication

IIS and WorkflowGen settings

Open the WorkflowGen Configuration Panel. In the Authentication section on the General tab, select IIS mode.
Enable Integrated Windows authentication access on the WorkflowGen website and disable all built-in access mechanisms. Apply this setting on all sub-applications except the graphql and ws applications.

IIS HTTP Basic authentication

IIS and WorkflowGen settings

Open the WorkflowGen Configuration Panel. In the Authentication section on the General tab, select IIS mode.
Enable Basic authentication access on the WorkflowGen website and disable all built-in access mechanisms. Apply this setting to all sub-applications as well.

WorkflowGen HTTP Basic authentication

IIS and WorkflowGen settings

To use WorkflowGen authentication, ensure that the directories have the Passwords are managed by WorkflowGen option selected, which allows you to set up a password for each user. Ensure that your current user has a WorkflowGen password associated with it, or you'll be locked out.
Open the WorkflowGen Configuration Panel and change the settings in the Authentication section on the General tab as follows:
1. Set Mode to WorkflowGen.

If you're using IIS 8 and above using an application pool in Classic Managed Pipeline Mode, the following will be added to your \wfgen\web.config:

If you're using IIS 8 and above using an application pool in Integrated Managed Pipeline Mode, the following will be added to your \wfgen\web.config:

Custom HTTP Basic authentication

IIS and WorkflowGen settings

Using the sample code in the section in the , create a new class for the HTTP module you're creating.
Modify the sample code to validate the credentials passed over HTTP Basic against the external configuration repository.
Build your module and copy the assembly DLL into the \wfgen\bin and \wfgen\wfapps\webforms\bin folders.

If you're using IIS 8 and above using an application pool in Classic Managed Pipeline Mode, the following will be added to your \wfgen\web.config:

If you're using IIS 8 and above using an application pool in Integrated Managed Pipeline Mode, the following will be added to your \wfgen\web.config:

Form authentication

IIS and WorkflowGen settings

Modify the login.aspx code to validate the credentials passed over HTTP Basic against the external configuration repository. If you don’t have any external configuration repository, you can add users directly in the web.config of WorkflowGen (refer to the .NET documentation).
The login.aspx file must be copied to all of your webforms folders. This should only be applied to webforms. Web services must continue to use either Basic or Integrated authentication and therefore the login.aspx page cannot be used for them.
In the WorkflowGen web.config

FIPS compliance configuration

As of version 7.10.0, WorkflowGen is FIPS compliant and compatible with Windows FIPS compliant mode. If you want to enable FIPS compliance in your Windows environment, you have to configure the configuration password management and user password management modes beforehand.

Configuration password management mode

In the Security section on the Configuration Panel General tab, set Configuration password management mode to AES (FIPS Compliant) and enter a 32-character encryption key. When you click Save, the application passwords will automatically be converted to the new symmetric encryption mode.

User password management mode

In the Authentication section on the Configuration Panel General tab, set Password management mode to One-way Hashing (SHA256 FIPS Compliant) mode.

If you're using applicative authentication in Version 5 (Legacy) password management mode, users' passwords will automatically be converted into One-way Hashing (SHA256 FIPS Compliant) the next time they log in to WorkflowGen.
If you're using applicative authentication in One-way Hashing (SHA256) password management mode:
1. Select IIS authentication mode.

HTTPS: Using SSL with WorkflowGen

Overview

This section describes how to configure WorkflowGen to use SSL connection security level on the website.

IIS configuration

Activate SSL authentication for your WorkflowGen website.

Application parameters to update

You must update the following parameter in the WorkflowGen configuration (click on the Configuration Panel from the Administration Module home page):

Web application URL: you must update the protocol of the base URL of the application to https://.

Links to WorkflowGen

Change the links to WorkflowGen to use https:// instead of http://.

In order to allow a client application (such as front-end JavaScript code from an outside domain) to access and request data, you must enable and configure the (CORS) settings. To do this:

Install the on the WorkflowGen web server.
Add the cors node with the list of external domains and their methods and headers (where HTTP requests will be allowed) to the WorkflowGen web configuration settings (located in \wfgen\web.config). See some common examples below.

📌 Example 1: Allow all origins

📌 Example 2: Allow specific origins

For more information about the CORS configuration, see the .

AD FS Integration

Overview

This section provides instructions on:

AD FS 2016 authentication: How to configure WorkflowGen authentication using AD FS OpenID Connect.
: How to authorize WorkflowGen access to mobile apps using AD FS OpenID Connect.
: How to authorize WorkflowGen access to server-side scripts using AD FS OpenID Connect.
: How to authorize WorkflowGen access to single-page applications using AD FS and OpenID Connect.
: How to generate a universal link to simplify the WorkflowGen Plus mobile app user login.

This integration is specific to AD FS 2016.
In the instructions, substitute <workflowgen url> with the domain and path to your WorkflowGen instance; for example, localhost/wfgen or mycompany.com/wfgen.

AD FS authentication

This section provides instructions on how to configure WorkflowGen delegated authentication with Active Directory Federation Services (AD FS) OpenID Connect, and will show you how to set up a working WorkflowGen instance using AD FS OpenID Connect to authenticate your users.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server. You must be a WorkflowGen administrator.
Make sure to have installed and configured AD FS 2016 or later on a server.
Make sure to have AD FS administrator access to be able to configure AD FS.
Make sure to have provisioned an existing Active Directory user that you can authenticate with to WorkflowGen and that the user has administrator privileges. This is important because once you've activated the delegation, you'll still need to be able to manage the application.

Note on provisioning users and groups

WorkflowGen supports the synchronization of Active Directory users and groups; for instructions on how to configure this, see the section in the .

AD FS configuration

Configuring AD FS is very simple: you just need to add a new application group within which you then configure a server application and a web API.

Step 1: Register a new application group

In the server manager, open AD FS Management.
Click the Application Groups directory in the left-hand pane, then click Add Application Group in the right-hand pane.
In the Add Application Group Wizard screen that opens:

You should now have an application group containing two applications: the WorkflowGen server application (which is the web application) and the WorkflowGen GraphQL API.

Step 2: Add the UPN to the access token

By default, a user UPN isn't included in the access token returned by AD FS, so you have to configure an Issuance Transform Rule for the GraphQL API that passes through the UPN. To do this:

In AD FS Management, click the Application Groups directory to the left, then double-click the WorkflowGen group.
You should now see all of the group's applications in a new window. Double-click WorkflowGen GraphQL API in the list.
On the Issuance Transform Rules tab, click Add Rule.

AD FS is now configured for WorkflowGen to delegate its authentication to it.

WorkflowGen configuration

Now, you need to configure WorkflowGen to delegate its authentication to AD FS.

Step 1: Add AD FS values to the WorkflowGen `web.config`

Open the WorkflowGen web.config file and add the following properties under <appSettings>:

Replace <CLIENT ID> with the client identifier generated by AD FS for the WorkflowGen application.
Replace <CLIENT SECRET> with the shared secret generated for the WorkflowGen application.
Replace <METADATA URL> with the AD FS server's metadata URL. By default, it should look something like https://<adfs url>/adfs/.well-known/openid-configuration

For information about available configuration options to use with your instance, see the appendix.

If your server blocks browsers from embedding web content in iFrames (by returning the X-Frame-Options: DENY header), it is strongly recommended that you set the value of ApplicationSecurityAuthSessionRefreshEnableIFrame to N. Otherwise, when the session expires and a user submits a form, they will be redirected for authentication and lose the data they entered in the form.

WorkflowGen is now linked to AD FS and back. The last thing left to do is configure a few more options in order to finish the internal wiring of WorkflowGen so that it can delegate its authentication.

Step 2: Add security values for session generation

In order to generate a session token, you need to add a few more settings to the web.config.

Open the WorkflowGen web.config file and add the following property under <appSettings>:
Replace <SECRET> with a value that can't be guessed, such as a UUID.

The secret will be only accessible inside your instance of WorkflowGen, so when generating a session token, WorkflowGen will sign it with this secret in order to check the validity of all session tokens passed to it.

Step 3: Activate the authentication delegation

You now need to activate the delegation by replacing the authentication system in IIS and pointing WorkflowGen's modules to the correct authentication module.

Configure IIS

In IIS Manager, click the WorkflowGen application in the tree view.
Click the Authentication button.
Enable Anonymous Authentication and disable all other authentications.
Perform these steps for all sub-applications as well.

Add properties to the web.config files of certain modules

Certain modules need to have their authentication checked by the special Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other modules shouldn't because they're either public or aren't part of the global authentication system.

In the WorkflowGen web.config, add the following property:
In the auth module's web.config, add the following property:
This line removes the authentication Node.js module from the global authentication system, because this Node.js application encapsulates the OpenID Connect authentication mechanisms.

You should now have a working WorkflowGen instance with the authentication delegated to AD FS through the OpenID Connect protocol. Make sure to have provisioned your users to WorkflowGen in order for them to successfully access WorkflowGen.

Configuring the authentication without the GraphQL API

This feature isn't supported for AD FS. It is necessary to configure the GraphQL API on the provider.

AD FS configuration for WorkflowGen Plus v2

Mobile applications must use an approach similar to that of regular web applications, which is called Authorization Code Flow with Proof Key for Code Exchange (PKCE). The main difference between this and the classic Authorization Code Flow is that the mobile application doesn't get a client secret, but instead exchanges a pair of codes to prove the origin of the authentication attempt. The issue is that a mobile application can't be trusted with a client secret because it's distributed directly to users and is therefore no longer under the developer's control, and the sources can be decompiled and analyzed to find secrets like this.

This section provides instructions on how to configure AD FS for the WorkflowGen Plus mobile application so that your mobile users can benefit from delegated authentication as well.

For instructions on how to generate a universal link to simplify the AD FS login process for your users, see the section.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to the AD FS to be able to configure it properly.
Make sure to have provisioned an existing Active Directory user with which you can authenticate to WorkflowGen so that you can use the application afterwards.

AD FS configuration

This configuration is done in several steps. First, you have to register a new native application in AD FS. Then, you have to give the application the necessary permissions to access the WorkflowGen GraphQL API.

Step 1: Register a new native application

In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
Click Add application.
Configure the application:

You've now added the WorkflowGen Plus native application in your AD FS WorkflowGen application group.

Step 2: Grant access to the WorkflowGen GraphQL API

In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
Double-click on the WorkflowGen GraphQL API application.
On the Client Permissions tab, click the WorkflowGen Plus application, then click Add.

You've now configured WorkflowGen Plus within AD FS.

AD FS configuration for server-side scripts

In some cases, you'll want to perform a specific task that can be automated but needs access to the WorkflowGen GraphQL API; this use case is often in the form as a server-side script. For this, OAuth2 provides a type of grant called Client Credentials that simply exchanges a client ID and secret for an access token. There is no ID token since it's not part of the OpenID Connect standard and there's no user involved.

This section provides instructions on how to configure AD FS with a server-side script that has access to the GraphQL API.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to WorkflowGen.
Make sure to have administrative access to AD FS to be able to configure it properly.
Make sure to have successfully configured delegated authentication to AD FS on your WorkflowGen instance following the instructions in the

AD FS configuration

Step 1: Register a new server application

In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
In the WorkflowGen Properties window, click Add application.
Select the Server application type, then click Next.

You should now see your new server application listed in the WorkflowGen application group.

Step 2: Grant access to the GraphQL API

Now that you've created your server application, you need to grant it access to the GraphQL API. To do this:

In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
In the WorkflowGen Properties window, double-click WorkflowGen GraphQL API.
On the Client Permissions tab in the WorkflowGen GraphQL API Properties window, click Add.

You've now registered your server application in AD FS and granted it access to the WorkflowGen GraphQL API.

WorkflowGen configuration

As with user provisioning, WorkflowGen needs to know which application is accessing the GraphQL API. Therefore, you have to register the application, which consists of your script.

Register a new application

On the Applications page in the WorkflowGen Administration Module, click New application.
Fill in the form:
- Name: My Server Application

Your application should now appear in the list of applications.

You should now have the necessary components in place to make GraphQL API requests with your script by passing the access token received from AD FS from a Client Credentials Grant flow.

AD FS configuration for single-page applications

JavaScript applications running in a browser are often hard to secure due to the open nature of the Web. Secure storage is nonexistent, and everything is in clear text (for HTTP version 1.1). Here's a quote from the Azure Active Directory team that summarizes the state of authentication with single-page applications:

The OAuth2 implicit grant is notorious for being the grant with the longest list of security concerns in the OAuth2 specification. And yet, that is the approach implemented by ADAL JS and the one we recommend when writing SPA applications. What gives? It’s all a matter of tradeoffs: and as it turns out, the implicit grant is the best approach you can pursue for applications that consume a Web API via JavaScript from a browser.
(Source: )

It's therefore important that you make all of the necessary checks to verify the validity of your requests and the responses.

This section provides instructions on how to configure AD FS with a single-page application (SPA) so that users can authenticate through it and make requests to the WorkflowGen GraphQL API.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to AD FS to be able to configure it properly.
Make sure to have provisioned an existing Active Directory user with which you can authenticate to WorkflowGen so that you can use the application afterwards.

AD FS configuration

Currently, AD FS only supports three types of applications: Native, Server, and Web API. As you can see, there's nothing for single-page applications in browsers or even regular web applications that renders pages on the server. However, you can use the supported types to get what you need. The Native application type enables you to retrieve a client ID and to specify a callback URI that can be used to perform an implicit grant flow with a single-page application; AD FS will answer as expected since it supports the OpenID Connect protocol.

Step 1: Register a new native application

In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
Click Add application.
Configure the application:

Step 2: Grant access to the WorkflowGen GraphQL API

In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
Double-click on the WorkflowGen GraphQL API application.
On the Client Permissions tab, click the WorkflowGen Plus application, then click Add.

You've now configured your single-page app within AD FS.

Generating a universal link for WorkflowGen Plus v2

As of WorkflowGen server version 7.11.2, you can generate a universal link to simplify the AD FS 2016 login process for your WorkflowGen Plus mobile app users.

Base URL

protocol: workflowgenplus://
hostname: auth.init

Parameters

You'll need to specify the following parameters:

provider: adfs
server_address: Your WorkflowGen application URL, whose value must be URL encoded (e.g. https://mycompany.com/wfgen)
client_id: Use the client ID you created earlier in the configuration (e.g. 6g909d00-8580-49a4-9003-a30f6b87ae86

The universal link should follow this format:

Once you've generated the universal link, give it to your users, who can use it to sign in to WorkflowGen Plus with the preset sign-in method.

Additional information on AD FS integration

SOAP services support

WorkflowGen only supports requests to the SOAP API using classic authentication methods. If you still need to use this API, you have to perform some additional steps to configure it properly.

Create a new separate WorkflowGen directory for the SOAP API users.
Provision it with users and groups as needed.
In the IIS Manager, enable the Basic authentication method for the \ws\wfgen application.

Configurable options

This table lists all configurable options in WorkflowGen that you can use to customize your authentication experience; these are located in the WorkflowGen web.config file.

Auth0 Integration

Overview

This section provides instructions on:

Auth0 authentication: How to configure WorkflowGen authentication using Auth0.
: How to create a directory with the self-provisioning connector.
: How to authorize WorkflowGen access to mobile applications using Auth0.
: How to authorize WorkflowGen access to server-side scripts using OpenID Connect and Auth0.
: How to authorize WorkflowGen access to single-page applications using Auth0.
: How to authorize Auth0 access to the WorkflowGen command line interface.
: How to generate a universal link to simplify the WorkflowGen Plus mobile app user login.

It also provides additional information on and .

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to Auth0 to be able to configure it properly.
Make sure to have provisioned an existing Auth0 user with which you can authenticate to WorkflowGen so that you can use the application afterwards.

In the instructions, substitute <workflowgen url> with the domain and path to your WorkflowGen instance; for example, localhost/wfgen or mycompany.com/wfgen.

Auth0 authentication

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server. You must be a WorkflowGen administrator.
Make sure to have Auth0 administrator access.
Make sure to have provisioned an existing Auth0 user that you can authenticate with to WorkflowGen and that the user has administrator privileges. This is important because once you activate the delegation, you'll need to still be able to manage the application. The Auth0 user is in fact a user of an identity provider that's linked to Auth0, such as GitHub or Google. You have to have provisioned at least one user.

To test your configuration after you complete the steps below, you can add an Auth0 user in the Users section of the Auth0 portal.
When importing users into WorkflowGen from the Auth0 database, make sure to set the username as the email (e.g. [email protected]).

Auth0 configuration

The configuration of Auth0 is done in several steps. First, you have to register the WorkflowGen web application and link it to your instance of WorkflowGen; then, you have to register the WorkflowGen GraphQL API to be able to register custom applications to access it.

Step 1: Create a new regular web application

Go to the Auth0 portal Applications section.
Click Create Application, and fill in the form:
- Name: WorkflowGen Web App

Your WorkflowGen Regular Web App is now configured.

Step 2: Register the GraphQL API

Now, you need to register the WorkflowGen GraphQL API module so that applications external to WorkflowGen can use the API by authentication through Auth0 using the OpenID Connect protocol.

Classic usage:

Go to the Auth0 portal APIs section.
Click Create API, and fill in the form:
- Name: WorkflowGen GraphQL API

With multi-audience support:

Go to the Auth0 portal APIs section.
Click Create API, and fill in the form:
- Name: My APIs

The GraphQL API is now registered in Auth0.

Step 3: Add an Auth0 action

In order to get a proper username from the access token when receiving one in the GraphQL API, you need to use a special feature of Auth0 called an action. Actions act as middleware between the linked cloud provider and Auth0 in order to get the correct values when needed.

Go to the Auth0 portal and select Actions in the left menu, then select Library in the sub-menu.
Click Create Action, then choose the Build from scratch template.
Give the action a name (e.g. WorkflowGen (Action)). Trigger should be set to Login / Post Login and Runtime set to Node 18 (Recommended).

This step will ensure that WorkflowGen and the GraphQL API always get a username through the same claim instead of having to make a lot of conditional statements. However, this doesn't apply to machine-to-machine authentication since there's no human user involved.

If you use a different claim from the Auth0 mapping than the one specified in the function above (e.g. user.username, user.email, user.nickname), just modify this rule or add your own. Make sure to populate https://api.workflowgen.com/username with the value or to configure the ApplicationSecurityAuthUsernameClaim option in your web.config with the correct claim to take. Note that this option is used both in the authentication application and the GraphQL API.

WorkflowGen configuration

Now, you have to configure WorkflowGen to delegate its authentication to Auth0.

Step 1: Add Auth0 values to the WorkflowGen `web.config`

Open the WorkflowGen web.config file and add the following properties under <appSettings>:
Classic usage:
With multi-audience support:
Replace <CLIENT ID> with the client ID of the WorkflowGen Regular Web App in Auth0.

Note that the ApplicationSecurityAuthUsernameClaim key is set to the value entered in the rule earlier. Therefore, you can use any value here as long as you also modify the rule.

For information about available configuration options to use with your instance, see the appendix.

WorkflowGen is now linked to Auth0 and back. The last thing left to do is configure a few more options in order to finish the internal wiring of WorkflowGen so that it can delegate its authentication.

Step 2: Add security values for session generation

In order to generate a session token, you need to add a few more settings to the web.config.

Open the WorkflowGen web.config file and add the following properties under <appSettings>:
Replace <SECRET> with a value that can't be guessed, such as a UUID.

Step 3: Activate the authentication delegation

You now need to activate the delegation by replacing the authentication system in IIS and pointing WorkflowGen's modules to the correct authentication module.

Configure IIS

In IIS Manager, click on the WorkflowGen application in the tree view.
Click the Authentication button.
Enable Anonymous Authentication, and disable all other authentications.

Add properties to the web.config files of certain modules

Certain modules need to have their authentication checked by the special Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other modules should not because they are either public or aren't part of the global authentication system.

In the WorkflowGen web.config, add the following property:
In the auth module's web.config, add the following property:
This line removes the authentication Node.js module from the global authentication system, because this Node.js application encapsulates the OpenID Connect authentication mechanisms.

You should now have a working WorkflowGen instance with the authentication delegated to Auth0 through the OpenID Connect protocol. Make sure to have provisioned your users to WorkflowGen in order for them to successfully access WorkflowGen.

Configuring the authentication without the GraphQL API

This feature is not supported for Auth0. It is necessary to configure the GraphQL API on the provider.

Auth0 user provisioning

The self-provisioning connector is a directory connector that automatically creates and synchronizes a user based on the user's session token claims that contain claims from the OpenID Connect provider ID token. This feature is only compatible with an OpenID Connect authentication.

Prerequisites

Make sure to have a working WorkflowGen instance.
Make sure to know the instance's IP address or its fully qualified name.
Make sure to know the address of the instance.
Make sure to have configured Auth0 or one of the other OIDC-compliant authentication methods (, formerly Azure Active Directory;

WorkflowGen configuration

This section will guide you through the WorkflowGen configurations necessary to set up the self-provisioning feature with a directory.

Step 1: Create a self-provisioning directory

This directory will contain all of the users that are not provisioned elsewhere. To create a self-provisioning directory, do the following:

On the Directories page in the WorkflowGen Administration Module, click New directory.
Fill in the form:
- Name: SELF_PROVISIONING(or something else)

Step 2: Configure the user fields-to-claims mapping

Now that you've created a new directory with the self-provisioning connector, you need to define which claims are mapped to which WorkflowGen user field. To do this:

On the new directory's page, click Edit mapping.
To the right of the name of a WorkflowGen user's field, enter the name of the claim in the session token that you want to map.
Here's an example of a session token generated by the auth node application from the Auth0 ID token connected with Google Apps:
These claims could be mapped in WorkflowGen like this:

You've now activated the self-provisioning feature, and unknown users can be automatically provisioned and synchronized to WorkflowGen without any external actions required.

Auth0 configuration for WorkflowGen Plus v2

This section provides instructions on how to configure Auth0 for the WorkflowGen Plus mobile application so that your mobile users can benefit from delegated authentication as well.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to Auth0 to be able to configure it properly.
Make sure to have provisioned an existing Auth0 user with which you can authenticate to WorkflowGen so that you can use the application afterwards.

Auth0 configuration

This configuration is done in several steps. First, you have to register a new native application in Auth0. Then, you have to give the application the necessary permissions to access the WorkflowGen GraphQL API. Finally, you have to register the correct callback URLs that will redirect within the native application.

Step 1: Register a new native application

In the Auth0 portal, click Create Application in the Applications section.
Fill in the form:
- Name: WorkflowGen Plus

You've now registered a new native application in Auth0.

Step 2: Add callback URLs

On the Settings tab, scroll down to the Allowed Callback URLs and add the URL workflowgenplus://oidc.
Scroll down further to the Allowed Logout URLs section and add the URL workflowgenplus://oidc.

Review the registration

You don't need to give the application access to the GraphQL API since all applications (except for machine-to-machine applications) have access to all registered APIs within a domain. Here's a review of the information you need:

A client ID, which can be found on the native application page's Settings tab.
An Auth0 domain name, which can be found directly to the left of your profile picture on the top right corner of the page.

All of this information must be given to the users who will be using the mobile application; they'll need to copy them directly into the app.

Auth0 configuration for server-side scripts

This section provides instructions on how to configure Auth0 with a server-side script that has access to the GraphQL API. First, you'll need to configure a new web application in the Auth0 portal; then, you'll need to configure a new application in WorkflowGen.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to WorkflowGen.
Make sure to have administrative access to Auth0 to be able to configure it properly.
Make sure to have successfully configured delegated authentication to Auth0 on your WorkflowGen instance following the instructions in the

Auth0 configuration

Step 1: Register a new machine-to-machine application

In the Auth0 portal Applications section, click Create Applications.
Fill in the form:
- Name: Your script name

You've now successfully registered your script in Auth0.

Step 2: Grant access to the GraphQL API

In the Auth0 portal APIs section, click WorkflowGen GraphQL API.
On the Machine-to-Machine tab, authorize the application that you just created.

You've now successfully granted the GraphQL API access to your script.

Review the registration

Here's a review of the information you need:

A client ID, which can be found on the registered application's General tab.
A client secret, which can be found on the registered application's General tab.
The WorkflowGen GraphQL API identifier, which can be found on its settings page.

You're now ready to register your script in WorkflowGen.

WorkflowGen configuration

As with user provisioning, WorkflowGen needs to know which application is accessing the GraphQL API. Therefore, you have to register the application, which consists of your script.

Register a new application

On the Applications page in the WorkflowGen Administration Module, click New application.
Fill in the form:
- Name: My Server Application

Your application should now appear in the list of applications.

You should now have the necessary components in place to make GraphQL API requests with your script by passing the access token received from Auth0 from a Client Credentials Grant flow.

Auth0 configuration for single-page applications

The OAuth2 implicit grant is notorious for being the grant with the longest list of security concerns in the OAuth2 specification. And yet, that is the approach implemented by ADAL JS and the one we recommend when writing SPA applications. What gives? It’s all a matter of tradeoffs: and as it turns out, the implicit grant is the best approach you can pursue for applications that consume a Web API via JavaScript from a browser.
(Source: )

It's therefore important that you make all of the necessary checks to verify the validity of your requests and the responses.

This section provides instructions on how to configure Auth0 with a single-page application (SPA) so that users can authenticate through it and make requests to the WorkflowGen GraphQL API. This configuration is done in three steps: registering your SPA, granting access to the API, and setting some redirect URLs.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to Auth0 to be able to configure it properly.
Make sure to have provisioned an existing Auth0 user with which you can authenticate to WorkflowGen so that you can use the application afterwards.

Auth0 configuration

Step 1: Register a new web application

In the Auth0 portal, click Create Application in the Applications section.
Fill in the form:
- Name: Your SPA name

You should now be on the registered application page.

Step 2: Add redirect URLs

On the Settings tab, scroll down to the Allowed Callback URLs section and add your application's login callback URL (for example, https://localhost/login/callback).
If you support logout from Auth0, scroll down to the Allowed Logout URLs section and add your post logout redirect URL (for example, https://localhost/logout/return).

Review the registration

You need a client ID, which can be found on the application page's Settings tab.
You need your Auth0 domain name, which can be found next to your Auth0 profile picture in the top right corner of the portal.

Your application should now be successfully linked to the Auth0 infrastructure and users can login through it. If you have met the prerequisites, your application will receive an access token that it can send to the WorkflowGen GraphQL API to make authorized requests as a Bearer token via the Authorization header.

Auth0 configuration for the WorkflowGen CLI

Interactive mode

Step 1: Register a new native application

In the Auth0 portal Applications section, click Create Application.
Fill in the form:
- Name: WorkflowGen CLI

You've now registered a new native application in Auth0.

Step 2: Add a callback URL

On the Settings tab, scroll down to the Allowed Callback URLs and add the URL http://127.0.0.1:8888/callback.

Port 8888 is defined by default; you can change it if it's already in use on your computer.

Step 3: Verify the grant types

In Settings > Advanced Settings > Grant Types, make sure that the Implicit, Authorization Code, and Refresh Token checkboxes are checked.

Review the registration

Since all applications in a domain can automatically access each other, your native application inherits access to the GraphQL API. Here's a review of all the information you need:

A client ID, which can be found on the native application's Settings tab.
An Auth0 domain name, which can be found on the native application's Settings tab.

All of this information must be given to the users who will be using the WorkflowGen CLI.

Non-interactive mode

The configuration of non-interactive mode is the same as in the section.

Here's a review of the information you'll need:

A client ID, which can be found on the registered application's parameters page.
A client secret, which can be found on the registered application's parameters page.
The domain, which can be found on the registered application's parameters page.

You can now use the WorkflowGen CLI in Client credentials mode.

Generating a universal link for WorkflowGen Plus v2

As of WorkflowGen server version 7.11.2, you can generate a universal link to simplify the Auth0 login process for your WorkflowGen Plus mobile app users.

Base URL

protocol: workflowgenplus://
hostname: auth.init

Parameters

You'll need to specify the following parameters:

provider: auth0
server_address: Your WorkflowGen application URL, whose value must be URL encoded (e.g. https://mycompany.com/wfgen)
client_id: Use the client ID you created earlier in the configuration (e.g. 7gdj4hs92y)

The universal link should follow this format:

Once you've generated the universal link, give it to your users, who can use it to sign in to WorkflowGen Plus with the preset sign-in method.

Additional information on Auth0 integration

SOAP services support

WorkflowGen only supports requests to the SOAP API using classic authentication methods. If you still need to use this API, you have to perform some additional steps to configure it properly.

Create a new separate WorkflowGen directory for the SOAP API users.
Provision it with users and groups as needed.
In the IIS Manager, enable the Basic authentication method for the \ws\wfgen application.

Provisioning users and groups

There's no automatic way to provision your users and groups from the identity providers you use behind Auth0 with WorkflowGen. You'll have to synchronize them using one of the .

Okta Integration

Overview

This section provides instructions on:

Okta authentication: How to configure WorkflowGen authentication using Okta.
: How to create a directory with the self-provisioning connector.
: How to authorize WorkflowGen access to mobile applications using Okta.
: How to authorize WorkflowGen access to server-side scripts using OpenID Connect and Okta.
: How to authorize WorkflowGen access to single-page applications using Okta.
: How to authorize Okta access to the WorkflowGen command line interface.
: How to generate a universal link to simplify the WorkflowGen Plus mobile app user login.

It also provides additional information on and .

In the instructions, substitute <workflowgen url> with the domain and path to your WorkflowGen instance; for example, localhost/wfgen or mycompany.com/wfgen.

Okta authentication

This section provides instructions on how to configure WorkflowGen delegated authentication with Okta. At the end of this section, you'll have a working WorkflowGen instance using Okta to authenticate your users.

If you don't need the GraphQL API, you won't need to create an authorization server. See the for instructions.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server. You must be a WorkflowGen administrator.
Make sure to have an Okta administrator access to be able to configure it properly.
Make sure to have provisioned an existing Okta user that you can authenticate with to WorkflowGen and that the user has administrator privileges. This is important because once you've activated the delegation, you'll still need to be able to manage the application. (The Okta user is in fact a user of an identity provider that's linked to Okta, such GitHub or Google. You have to provision at least one of the users.)

The WorkflowGen user's username must match their Okta user's username in order to identify and authenticate the correct user from Okta.
To test your configuration after the steps below, you can add an Okta user in the Okta portal's Users section.

Configuring the authentication with the GraphQL API

The configuration of Okta will be done in several steps. First, you have to configure an authorization server in the web interface; then, you have to add a regular web application.

The WorkflowGen GraphQL API (authorization server) configuration is required if you want to use the WorkflowGen Plus v2 mobile app.

Step 1: Create an authorization server

An Okta authorization server is a logic element that defines the security boundaries of your system when an application wants to access your resources via an API.

An authorization server defines your security boundary, and is used to mint access and identity tokens for use with OIDC clients and OAuth 2.0 service accounts when accessing your resources via API. Within each authorization server you can define your own OAuth scopes, claims, and access policies. Source: Information sidebar in Okta's administrative panel

You can find more information on authorization servers on the .

To create an authorization server with a classic usage:

Go to the Okta Developer portal and log in to your account.
In the left panel, choose API under the Security menu.
Click the Add Authorization Server button on the Authorization Servers tab.

To create an authorization server with multi-audience support:

Go to the Okta Developer portal and log in to your account.
In the left panel, choose API under the Security menu.
Click the Add Authorization Server button on the Authorization Servers tab.

Step 2: Add the scope

For classic usage:

Go to the WorkflowGen GraphQL API authorization server's Scopes tab.
Click the Add Scope button.
Enter the following information:

For multi-audience support:

Go to the WorkflowGen GraphQL API authorization server's Scopes tab.
Click the Add Scope button.
Enter the following information:

You've now properly configured your Okta authorization server for the WorkflowGen GraphQL API.

Step 3: Add a claim

Go to the Claims section, then click the Add Claim button.
Enter the following information:
- Name: com.workflowgen.api.username

Step 4: Add the server access policy

You now need to configure the authorization server access policy.

Go to the WorkflowGen GraphQL API authorization server's Access Policies tab.
Click the Add Policy button.
Enter the following information:

You've now successfully configured the authorization server access policy. There's just one more step needed in order for the client credentials flow to work, which will enable you to use machine-to-machine authentication with Okta and the WorkflowGen GraphQL API.

Step 5: Create the WorkflowGen web application

Go to the Okta Developer portal.
In the Applications item under the Applications menu, click the Create App Integration button.
Select the following options in Create a new app integration, then click Next:

You've now successfully configured Okta for your WorkflowGen instance.

Review the registration

You should now have all the information you need to configure WorkflowGen to delegate the authentication to Okta. Here's a review:

A client ID and a client secret which can be found on the Okta WorkflowGen web application's General tab.
An audience and a metadata endpoint (Metadata URI) which can be found on the Okta WorkflowGen GraphQL API authorization server page.

WorkflowGen configuration

Now, you need to configure WorkflowGen to delegate its authentication to Okta.

Step 1: Add Okta values to the WorkflowGen `web.config`

Open the WorkflowGen web.config file and add/update the following properties:

Classic usage:

With multi-audience support:

Replace <CLIENT ID> with the client ID of the WorkflowGen web application from Okta.
Replace <CLIENT_SECRET> with the client secret of the WorkflowGen web application from Okta.
Replace <METADATA_URL> with the Metadata URI

You've probably noticed that the setting with the ApplicationSecurityAuthUsernameClaim key is set to the value entered in a rule earlier. Therefore, you could use any value here provided that you also modify the rule.

For information about available configuration options to use with your instance, see the appendix.

WorkflowGen is now linked to Okta and back. The last thing left to do is configure a few more options in order to finish the internal wiring of WorkflowGen so that it can delegate its authentication.

Step 2: Add some security values for session generation

In order to generate a session token, you need to add a few more settings to the web.config file.

Open the WorkflowGen web.config file and add/update the following property:
Replace <SECRET> with a value that can't be easily guessed, such as a UUID.

Step 3: Activate the authentication delegation

You now need to activate the delegation by replacing the authentication system in IIS and pointing WorkflowGen's modules to the correct authentication module.

Configure IIS

In IIS Manager, click on the WorkflowGen application in the tree view.
Click the Authentication button.
Enable Anonymous Authentication, and disable all other authentications.

Perform these steps for all sub-applications as well.

Add properties to the web.config files of certain modules

Certain modules need to have their authentication checked by the special Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other modules should not because they are either public or aren't part of the global authentication system.

Open the WorkflowGen web.config file and add/update the following property:
In the auth module's web.config, add/update the following property:
This line removes the authentication Node.js module from the global authentication system, because this Node.js application encapsulates the OpenID Connect authentication mechanisms.

You should now have a working WorkflowGen instance with the authentication delegated to Okta through the OpenID Connect protocol. Make sure to have provisioned your users to WorkflowGen in order for them to successfully access WorkflowGen.

Configuring the authentication without the GraphQL API

If for some reason you can't add an authorization server in your Okta account and you don't need GraphQL API authentication configured with the provider, you can avoid creating the server and configure WorkflowGen with the default Okta authorization server.

Step 1: Create the WorkflowGen web application

Go to the Okta Developer portal.
In the Applications item under the Applications menu, click the Create App Integration button.
Select the following options in Create a new app integration, then click Next:

You've now successfully configured Okta for your WorkflowGen instance.

Step 2: Configure WorkflowGen

Add or update the following configuration options in the WorkflowGen web.config file.

Change MetadataUrl to https://<YOUR OKTA DOMAIN>/.well-known/openid-configuration.
Change UsernameClaim to preferred_username.
Change AuthAudience

Keep in mind that by setting ApplicationSecurityAuthDecodeAccessToken=N, the expiration date of the session token generated by WorkflowGen will be based on that of the ID token.
You won't be able to use the access token received from Okta to query the GraphQL API. This access token will give you access to the Okta API and nothing else. To query the GraphQL API, you'll need to configure its authentication with another method, like Basic authentication.

Classic usage:

Step 3: Add some security values for session generation

In order to generate a session token, you need to add a few more settings to the web.config file.

Open the WorkflowGen web.config file and add/update the following property:
Replace <SECRET> with a value that can't be easily guessed, such as a UUID.

Step 4: Activate the authentication delegation

You now need to activate the delegation by replacing the authentication system in IIS and pointing WorkflowGen's modules to the correct authentication module.

Configure IIS

In IIS Manager, click on the WorkflowGen application in the tree view.
Click the Authentication button.
Enable Anonymous Authentication, and disable all other authentications.

Perform these steps for all sub-applications as well.

Add properties to the web.config files of certain modules

Certain modules need to have their authentication checked by the special Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other modules should not because they are either public or aren't part of the global authentication system.

Open the WorkflowGen web.config file and add/update the following property:
In the auth module's web.config, add/update the following property:
This line removes the authentication Node.js module from the global authentication system, because this Node.js application encapsulates the OpenID Connect authentication mechanisms.

Okta user provisioning

Prerequisites

Make sure to have a working WorkflowGen instance.
Make sure to know the instance's IP address or its fully qualified name.
Make sure to know the address of the instance.
Make sure to have configured Okta or one of the other OIDC-compliant authentication methods (, formerly

WorkflowGen configuration

This section will guide you through the WorkflowGen configurations necessary to set up the self-provisioning feature with a directory.

Step 1: Create a self-provisioning directory

This directory will contain all of the users that are not provisioned elsewhere. To create a self-provisioning directory, do the following:

On the Directories page in the WorkflowGen Administration Module, click New directory.
Fill in the form:
- Name: SELF_PROVISONING(or something else)

Step 2: Configure the user fields-to-claims mapping

Now that you've created a new directory with the self-provisioning connector, you need to define which claims are mapped to which WorkflowGen user field. To do this:

On the new directory's page, click Edit mapping.
To the right of the name of the WorkflowGen user field, enter the name of the claim in the session token that you want to map.
Here's an example of a session token generated by the auth node application from the Okta ID token connected with Google Apps:
These claims could be mapped in WorkflowGen like this:

Okta configuration for WorkflowGen Plus v2

This section provides instructions on how to configure Okta for mobile apps so that your mobile users can benefit from delegated authentication as well.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to Okta to be able to configure it properly.
Make sure to have provisioned an existing Okta user with which you can authenticate to WorkflowGen so that you can use the application afterwards.
Make sure to have the WorkflowGen Plus mobile application installed on a device that you have access to.

Okta configuration

Step 1: Create the WorkflowGen Plus native application

In your Okta developer portal, go to the Applications item under the Applications menu, then click the Create App Integration button.
Select the following options under Create a new app integration, then click Next:
- Sign-in method: OIDC - OpenID Connect

On your Okta WorkflowGen Plus native application page, go to the General Settings section on the General tab, then click the Edit button.
Enter the following information:
- Initiate login URI: workflowgenplus://oidc

Review the registration

If you've set up delegated authentication to Okta on your WorkflowGen server, you should have an access policy on your Okta WorkflowGen GraphQL API authorization server that will let any configured client access it. Therefore, there's nothing left to do on the Okta side. Here's a review of the information you need:

A client ID, which can be found on the Okta WorkflowGen Plus native application page's Settings tab.
Your Okta domain name, which can be found directly to the left of your profile picture on the top right corner of the page.

All of this information must be given to the users who will be using the mobile application; they'll need to copy them directly into the app.

Okta configuration for server-side scripts

In some cases, you'll want to perform a specific task that can be automated but needs access to the WorkflowGen GraphQL API; this use case is often in the form of a server-side script. For this, OAuth2 provides a type of grant called Client Credentials that simply exchanges a client ID and secret for an access token. There's no ID token since it's not part of the OpenID Connect standard and there's no user involved.

This section provides instructions on how to configure Okta with a server-side script that has access to the GraphQL API. First, you'll need to configure a new web application in the Okta portal; then, you'll need to configure a new application in WorkflowGen.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to WorkflowGen.
Make sure to have administrative access to Okta to be able to configure it properly.
Make sure to have successfully configured delegated authentication to Okta on your WorkflowGen instance following the instructions in the

Okta configuration

Create a new API services application

In the Applications item under the Applications menu in your Okta developer portal, click the Create App Integration button.
Select the API Services sign-in method, then click Next.
Enter the name of your application, then click Save.

Review the registration

Here's a review of the information you need:

A client ID and a client secret, which can be found on the newly registered service application's general tab.
The WorkflowGen GraphQL API identifier, which can be found on its settings page.

WorkflowGen configuration

As with user provisioning, WorkflowGen needs to know which application is accessing the GraphQL API. Therefore, you have to register the application, which consists of your script.

Register a new application

On the Applications page in the WorkflowGen Administration Module, click New application.
Fill in the form:
- Name: My API Services App

Your application should now appear in the list of applications.

You should now have the necessary components in place to make GraphQL API requests with your script by passing the access token received from Okta from a Client Credentials Grant flow.

Okta configuration for single-page applications

The OAuth2 implicit grant is notorious for being the grant with the longest list of security concerns in the OAuth2 specification. And yet, that is the approach implemented by ADAL JS and the one we recommend when writing SPA applications. What gives? It’s all a matter of tradeoffs: and as it turns out, the implicit grant is the best approach you can pursue for applications that consume a Web API via JavaScript from a browser.
(Source: )

It's therefore important that you make all of the necessary checks to verify the validity of your requests and the responses.

This section provides instructions on how to configure Okta with a single-page application (SPA) so that users can authenticate through it and make requests to the WorkflowGen GraphQL API. This configuration is done in two steps: registering your SPA, then setting some redirect URLs.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to Okta to be able to configure it properly.
Make sure to have provisioned an existing Okta user with which you can authenticate to WorkflowGen so that you can use the application afterwards.
Make sure to have successfully configured delegated authentication to Okta on your WorkflowGen instance following the instructions in the

Okta configuration

Create a new single-page application

In your Okta developer portal, go to the Applications item under the Applications menu, then click the Create App Integration button.
Select the OIDC - OpenID Connect sign-in method, select Single-Page Application as the application type, then click Next.
Enter the following information:

Review the registration

You need a client ID, which can be found on the General tab on your single-page application page.

Your application should now successfully linked to the Okta infrastructure and users can log in through it. If you have met the prerequisites, your application will receive an access token that it can send to the WorkflowGen GraphQL API to make authorized requests as a Bearer token via the Authorization header.

Okta configuration for the WorkflowGen CLI

Interactive mode

Create a new native application

In your Okta developer portal, go to the Applications item under the Applications menu, then click Create App Integration.
Select the OIDC - OpenID Connect sign-in method, select Native Application as the application type, then click Next.
Enter the following information:

Review the registration

If you've configured delegated authentication to Okta on your WorkflowGen server, you should have an access policy on your Okta authorization server from the WorkflowGen GraphQL API that will allow all configured users to access it; there's nothing left to do on the Okta side. Here's a summary of the information you'll need:

A client ID, which can be found on the General tab on the WorkflowGen CLI native application's page.
A metadata endpoint, which consists of the value of Metadata URI property from the Settings tab of your WorkflowGen GraphQL API authorization server with /.well-known/oauth-authorization-server replaced by /.well-known/openid-configuration.

All of this information must be given to users who will be using the WorkflowGen CLI.

Non-interactive mode

The configuration of non-interactive mode is the same as in the section.

Here's a review of the information of the information you'll need:

A client ID, which can be found on the registered application's parameters tab.
A client secret, which can be found on the registered application's parameters tab.
The domain, which can be found on the registered application's parameters tab.

You can now use the WorkflowGen CLI in Client credentials mode.

Generating a universal link for WorkflowGen Plus v2

As of WorkflowGen server version 7.14.0, you can generate a universal link to simplify the Okta login process for your WorkflowGen Plus mobile app users.

Base URL

protocol: workflowgenplus://
hostname: auth.init

Parameters

You'll need to specify the following parameters:

provider: okta
server_address: Your WorkflowGen application URL, whose value must be URL encoded (e.g. https://mycompany.com/wfgen)
client_id: Use the client ID you created earlier in the configuration (e.g.

The universal link should follow this format:

Once you've generated the universal link, give it to your users, who can use it to sign in to WorkflowGen Plus with the preset sign-in method.

Additional information on Okta integration

WorkflowGen SOAP API services support

WorkflowGen only supports requests to the SOAP API using classic authentication methods. If you still need to use this API, you have to perform some additional steps to configure it properly.

Create a new separate WorkflowGen directory for the SOAP API users.
Provision it with users and groups as needed.
In the IIS Manager, enable the Basic authentication method for the \wfgen\ws application.

Web service type application support

Web service type applications only support requests using classic authentication methods. If you still need to use these APIs, you have to perform some additional steps to configure it properly.

Make sure you have a local or domain account provisioned on your WorkflowGen server. (This can be the account you used prior to changing your authentication method to Okta.)
In the IIS Manager, enable either the Basic or Windows authentication method for your application (e.g. wfapps/webservices/myWebService).
In the web.config file (located in \Inetpub\wwwroot\wfgen), add the following new location under the last location: