User Provisioning

Overview

The self-provisioning connector is a directory connector that automatically creates and synchronizes a user based on the user's session token claims that contain claims from the OpenID Connect provider ID token. This feature is only compatible with an OpenID Connect authentication.

Prerequisites

  • Make sure to have a working WorkflowGen instance.

  • Make sure to know the instance's IP address or its fully qualified name.

  • Make sure to know the address of the instance.

  • Make sure to have configured Auth0 or one of the other OIDC-compliant authentication methods (Microsoft Entra ID, formerly Azure Active Directory; AD FS; Okta; or Microsoft Identity Platform v2.0).

WorkflowGen configuration

This section will guide you through the WorkflowGen configurations necessary to set up the self-provisioning feature with a directory.

Step 1: Create a self-provisioning directory

This directory will contain all of the users that are not provisioned elsewhere. To create a self-provisioning directory, do the following:

  1. On the Directories page in the WorkflowGen Administration Module, click New directory.

  2. Fill in the form:

    • Name: SELF_PROVISIONING(or something else)

    • Description: A good description of the directory

    • Directory connector: Self-provisioning

  3. Click Save.

Step 2: Configure the user fields-to-claims mapping

Now that you've created a new directory with the self-provisioning connector, you need to define which claims are mapped to which WorkflowGen user field. To do this:

  1. On the new directory's page, click Edit mapping.

  2. To the right of the name of a WorkflowGen user's field, enter the name of the claim in the session token that you want to map.

    Here's an example of a session token generated by the auth node application from the Auth0 ID token connected with Google Apps:

     {
     "sub": "[email protected]",
     "iss": "https://<workflowgen_url>/auth",
     "aud": "https://<workflowgen_url>",
     "exp": 1535627127,
     "https://api.workflowgen.com/username": "[email protected]",
     "given_name": "Some",
     "family_name": "User",
     "nickname": "some-user",
     "name": "Some User",
     "picture":  "https://lh4.googleusercontent.com/path/to/photo.jpg",
     "gender": "male",
     "locale": "en",
     "updated_at": "1970-01-01T00:00:00Z",
     "email": "[email protected]",
     "email_verified": true,
     "nonce": "ffdd6d95-31e6-4466-84c4-43f8c0fbaae7",
     "iat": 1535591128
 }

    These claims could be mapped in WorkflowGen like this:

    ✏️ Note: The Username and Name fields are required.

  3. Click Save.

You've now activated the self-provisioning feature, and unknown users can be automatically provisioned and synchronized to WorkflowGen without any external actions required.

PreviousAuthenticationNextWorkflowGen Plus v2

Last updated