# SAML v2.0 Authentication ## Overview SAML v2.0 provides enterprise-grade federated authentication with request ID tracking for security. It allows WorkflowGen to delegate authentication to identity provider systems (IdPs) so that users can access the application with their existing corporate credentials. ## Configuration {% hint style="info" %} See the [OIDC configuration settings](#oidc-configuration-settings) section below for a table listing all of the required and optional settings, along with their descriptions and default values. {% endhint %} ### Microsoft Entra ID **Provider:** `saml-azure` #### Required settings ```html ``` #### Optional settings **Complete sign-out via portal** ```html ``` **SP-initiated SL** ```html ``` {% hint style="info" %} If `ApplicationSecurityAuthSAMLLogoutUrl` doesn't behave as expected for your tenant/browser setup, remove it (leave undefined) and rely on WorkflowGen-only logout or portal logout via `https://myapps.microsoft.com/logout`. {% endhint %} ### PingFederate **Provider**: `saml-pingfederate` #### Required settings

<add key="ApplicationSecurityAuthProvider" value="saml-pingfederate" />
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://auth.pingone.ca/{environment-id}/saml20/idp/sso" />
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://auth.pingone.ca/{environment-id}" />
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
<!-- PingFederate wants logout requests to be signed - required for PingFederate SLO -->
<add key="ApplicationSecurityAuthSAMLWantLogoutRequestsSigned" value="true" />
<!-- PingFederate wants assertions to be signed - required for PingFederate SLO -->
<add key="ApplicationSecurityAuthSAMLWantAssertionsSigned" value="true" />

#### Optional settings **Complete sign-out via portal** ```html ``` **SP-initiated SLO** ```html ``` ### Auth0 **Provider:** `saml-auth0` #### Required settings ```html ``` #### Optional settings **Complete sign-out via portal** ```html ``` **SP-initiated SLO** ```html ``` ### Okta **Provider:** `okta-saml` #### Required settings ```html ``` #### Optional settings **Complete sign-out via portal** ```html ``` **SP-initiated SLO** ```html ``` {% hint style="info" %} If `ApplicationSecurityAuthSAMLLogoutUrl` doesn't work as expected (e.g., Okta returns `RequestDenied`/`AuthnFailed`), leave it undefined and use portal logout via `/wfgen/auth/logout?logoutType=complete`. {% endhint %} ### AD FS {% hint style="warning" %} SAML v2.0 support for AD FS is still in experimental mode. You should test the configuration for compatibility. {% endhint %} **Provider:** `saml-adfs` #### Required settings ```html ``` #### Optional settings **Complete sign-out via portal** ```html ``` **SP-initiated SLO** ```html ``` ### Generic providers {% hint style="warning" %} SAML v2.0 authentication support for generic IdPs is still in experimental mode. You should test the configuration for compatibility. {% endhint %} **Provider:** `saml-generic` #### Required settings ```html ``` #### Optional settings **Complete sign-out via portal** ```html ``` **SP-initiated SLO** ```html ``` ## OIDC configuration settings

Setting	Description & values
Core settings
`ApplicationSecurityAuthProviders` (required)	Identity provider identifier Default: Not set
`ApplicationSecurityAuthClientId` (required)	OAuth client ID Default: Not set
`ApplicationSecurityAuthClientSecret` (required)	OAuth client secret Default: Not set
`ApplicationSecurityAuthMetadataUrl` (required)	OIDC metadata endpoint Default: Not set
`ApplicationSecurityAuthSessionTokenSigningSecret` (required)	JWT signing secret Default: Not set
User claims
`ApplicationSecurityAuthUsernameClaim`	Username claim name Default: `preferred_username`
`ApplicationSecurityAuthAppIdClaim`	App ID claim name Default: `appid`
`ApplicationSecurityAuthAccessTokenUsernameClaim`	Access token username claim Default: `upn`
Token settings
`ApplicationSecurityAuthAudience`	Token audience validation Default: Empty
`ApplicationSecurityAuthDecodeAccessToken`	Decode access token Default: `N`
`ApplicationSecurityAuthExposeAccessTokenInCookies`	Expose token in cookies Default: `N`
`ApplicationSecurityAuthClockTolerance`	JWT clock tolerance (seconds) Default: `60`
Session & flow
`ApplicationSecurityAuthSessionTokenSigningSecret` (required)	JWT session token signing secret Default: Not set
`ApplicationSecurityAuthSessionTokenAudience`	JWT session token audience Default: Application URL
`ApplicationSecurityAuthSessionTimeOut`	Session timeout (seconds) Default: Not set
`ApplicationSecurityAuthMobileSessionTimeOut`	Mobile session timeout (seconds) Default: `7200`
`ApplicationSecurityAuthResponseMode`	OIDC response mode Default: `form_post`
`ApplicationSecurityAuthSessionRefreshEnableIFrame`	Enable iframe refresh Default: `Y`
`ApplicationSecurityAuthCheckSessionUrl`	Check session iframe URL Default: Empty
`ApplicationSecurityAuthLogoutUrl`	Custom logout URL Default: Empty
`ApplicationSecurityAuthAcrValues`	Authentication context class Default: Empty