SAML v2.0 Authentication

Overview

SAML v2.0 provides enterprise-grade federated authentication with request ID tracking for security. It allows WorkflowGen to delegate authentication to identity provider systems (IdPs) so that users can access the application with their existing corporate credentials.

Configuration

See the OIDC configuration settings section below for a table listing all of the required and optional settings, along with their descriptions and default values.

Microsoft Entra ID

Provider: saml-azure

Required settings

<add key="ApplicationSecurityAuthProvider" value="saml-azure" />
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://login.microsoftonline.com/{tenant-id}/saml2" />
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://sts.windows.net/{tenant-id}/" />
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />

Optional settings

Complete sign-out via portal

<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://myapps.microsoft.com/logout" />

SP-initiated SL

<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://login.microsoftonline.com/{tenant-id}/saml2" />

If ApplicationSecurityAuthSAMLLogoutUrl doesn't behave as expected for your tenant/browser setup, remove it (leave undefined) and rely on WorkflowGen-only logout or portal logout via https://myapps.microsoft.com/logout.

PingFederate

Provider: saml-pingfederate

Required settings

<add key="ApplicationSecurityAuthProvider" value="saml-pingfederate" />
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://auth.pingone.ca/{environment-id}/saml20/idp/sso" />
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://auth.pingone.ca/{environment-id}" />
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
<!-- PingFederate wants logout requests to be signed - required for PingFederate SLO -->
<add key="ApplicationSecurityAuthSAMLWantLogoutRequestsSigned" value="true" />
<!-- PingFederate wants assertions to be signed - required for PingFederate SLO -->
<add key="ApplicationSecurityAuthSAMLWantAssertionsSigned" value="true" />

Optional settings

Complete sign-out via portal

<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://auth.pingone.ca/{environment-id}/saml20/idp/slo" />

SP-initiated SLO

<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://auth.pingone.ca/{environment-id}/saml20/idp/slo" />

Auth0

Provider: saml-auth0

Required settings

<add key="ApplicationSecurityAuthProvider" value="saml-auth0" />
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{tenant-id}.auth0.com/samlp/{client-id}" />
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="urn:{tenant-id}.auth0.com" />
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
<!-- Auth0 wants assertions to be signed - required for Auth0 SLO -->
<add key="ApplicationSecurityAuthSAMLWantAssertionsSigned" value="true" />

Optional settings

Complete sign-out via portal

<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{tenant-id}.auth0.com/logout" />

SP-initiated SLO

<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{tenant-id}.auth0.com/samlp/{client-id}/logout" />

Okta

Provider: okta-saml

Required settings

<add key="ApplicationSecurityAuthProvider" value="saml-okta" />
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{okta-domain-id}.okta.com/app/{app-name}/{app-id}/sso/saml" />
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://www.okta.com/{app-id}" />
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />

Optional settings

Complete sign-out via portal

<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{okta-domain-id}.okta.com/login/signout" />

SP-initiated SLO

<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{okta-domain-id}.okta.com/app/{app-name}/{app-id}/slo/saml" />

If ApplicationSecurityAuthSAMLLogoutUrl doesn't work as expected (e.g., Okta returns RequestDenied/AuthnFailed), leave it undefined and use portal logout via /wfgen/auth/logout?logoutType=complete.

AD FS

SAML v2.0 support for AD FS is still in experimental mode. You should test the configuration for compatibility.

Provider: saml-adfs

Required settings

<add key="ApplicationSecurityAuthProvider" value="saml-adfs" />
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{your-adfs-server}/adfs/ls/" />
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://{your-adfs-server}/adfs/services/trust" />
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />

Optional settings

Complete sign-out via portal

<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{your-adfs-server}/adfs/ls/?wa=wsignout1.0" />

SP-initiated SLO

<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{your-adfs-server}/adfs/ls/?wa=wsignout1.0" />

Generic providers

SAML v2.0 authentication support for generic IdPs is still in experimental mode. You should test the configuration for compatibility.

Provider: saml-generic

Required settings

<add key="ApplicationSecurityAuthProvider" value="saml-generic" />
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{your-idp-server}/sso/saml" />
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://{your-idp-server}" />
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />

Optional settings

Complete sign-out via portal

<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{your-idp-server}/logout" />

SP-initiated SLO

<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{your-idp-server}/slo/saml" />

OIDC configuration settings

Setting

Description & values

Core settings

ApplicationSecurityAuthProviders (required)

Identity provider identifier Default: Not set

ApplicationSecurityAuthClientId (required)

OAuth client ID Default: Not set

ApplicationSecurityAuthClientSecret (required)

OAuth client secret Default: Not set

ApplicationSecurityAuthMetadataUrl (required)

OIDC metadata endpoint Default: Not set

ApplicationSecurityAuthSessionTokenSigningSecret (required)

JWT signing secret Default: Not set

User claims

ApplicationSecurityAuthUsernameClaim

Username claim name Default: preferred_username

ApplicationSecurityAuthAppIdClaim

App ID claim name Default: appid

ApplicationSecurityAuthAccessTokenUsernameClaim

Access token username claim Default: upn

Token settings

ApplicationSecurityAuthAudience

Token audience validation Default: Empty

ApplicationSecurityAuthDecodeAccessToken

Decode access token Default: N

ApplicationSecurityAuthExposeAccessTokenInCookies

Expose token in cookies Default: N

ApplicationSecurityAuthClockTolerance

JWT clock tolerance (seconds) Default: 60

Session & flow

ApplicationSecurityAuthSessionTokenSigningSecret (required)

JWT session token signing secret Default: Not set

ApplicationSecurityAuthSessionTokenAudience

JWT session token audience Default: Application URL

ApplicationSecurityAuthSessionTimeOut

Session timeout (seconds) Default: Not set

ApplicationSecurityAuthMobileSessionTimeOut

Mobile session timeout (seconds) Default: 7200

ApplicationSecurityAuthResponseMode

OIDC response mode Default: form_post

ApplicationSecurityAuthSessionRefreshEnableIFrame

Enable iframe refresh Default: Y

ApplicationSecurityAuthCheckSessionUrl

Check session iframe URL Default: Empty

ApplicationSecurityAuthLogoutUrl

Custom logout URL Default: Empty

ApplicationSecurityAuthAcrValues

Authentication context class Default: Empty

PreviousGardian Integration NextAppendix: Web & Application Configuration Parameters

hashtagOverview

hashtagConfiguration

hashtagMicrosoft Entra ID

hashtagRequired settings

hashtagOptional settings

hashtagPingFederate

hashtagRequired settings

hashtagOptional settings

hashtagAuth0

hashtagRequired settings

hashtagOptional settings

hashtagOkta

hashtagRequired settings

hashtagOptional settings

hashtagAD FS

hashtagRequired settings

hashtagOptional settings

hashtagGeneric providers

hashtagRequired settings

hashtagOptional settings

hashtagOIDC configuration settings

Overview

Configuration

Microsoft Entra ID

Required settings

Optional settings

PingFederate

Required settings

Optional settings

Auth0

Required settings

Optional settings

Okta

Required settings

Optional settings

AD FS

Required settings

Optional settings

Generic providers

Required settings

Optional settings

OIDC configuration settings