SAML v2.0 Authentication
Overview
SAML v2.0 provides enterprise-grade federated authentication; WorkflowGen tracks the ID of each authentication request it issues so that an IdP response can be matched to the request that triggered it. This allows WorkflowGen to delegate authentication to identity providers (IdPs) so that users can access the application with their existing corporate credentials.
Configuration
Microsoft Entra ID
Provider: saml-azure
Required settings
<!-- Selects the SAML provider implementation (Microsoft Entra ID) -->
<add key="ApplicationSecurityAuthProvider" value="saml-azure" />
<!-- IdP SAML endpoint; replace the {tenant-id} placeholder with your tenant ID -->
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://login.microsoftonline.com/{tenant-id}/saml2" />
<!-- Issuer value WorkflowGen presents to the IdP; replace {your-workflowgen-domain} -->
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<!-- Issuer value expected from the IdP; replace {tenant-id} -->
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://sts.windows.net/{tenant-id}/" />
<!-- WorkflowGen (SP-side) certificate, PEM encoded; "..." stands for the base64 body -->
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- Private key paired with ApplicationSecurityAuthSAMLCert. This is a secret: keep it out of source control and restrict read access to the configuration file -->
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<!-- IdP certificate, PEM encoded; obtain it from the IdP's own metadata or portal, not from an unverified source -->
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- "your-session-secret" is a placeholder: replace it with a long, randomly generated value unique to this deployment; never deploy the sample string -->
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
<!-- NOTE(review): this section does not set ApplicationSecurityAuthSAMLWantAssertionsSigned (the PingFederate and Auth0 sections set it to "true"); confirm whether the default requires signed assertions -->
Optional settings
Complete sign-out via portal
<!-- Portal URL the user is sent to for a complete sign-out (optional) -->
<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://myapps.microsoft.com/logout" />
SP-initiated SLO
<!-- IdP endpoint for SP-initiated single logout (optional); replace {tenant-id} -->
<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://login.microsoftonline.com/{tenant-id}/saml2" />
PingFederate
Provider: saml-pingfederate
Required settings
<!-- Selects the SAML provider implementation (PingFederate) -->
<add key="ApplicationSecurityAuthProvider" value="saml-pingfederate" />
<!-- IdP SAML endpoint; replace the {environment-id} placeholder -->
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://auth.pingone.ca/{environment-id}/saml20/idp/sso" />
<!-- Issuer value WorkflowGen presents to the IdP; replace {your-workflowgen-domain} -->
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<!-- Issuer value expected from the IdP; replace {environment-id} -->
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://auth.pingone.ca/{environment-id}" />
<!-- WorkflowGen (SP-side) certificate, PEM encoded; "..." stands for the base64 body -->
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- Private key paired with ApplicationSecurityAuthSAMLCert. This is a secret: keep it out of source control and restrict read access to the configuration file -->
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<!-- IdP certificate, PEM encoded; obtain it from the IdP's own metadata or portal, not from an unverified source -->
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- "your-session-secret" is a placeholder: replace it with a long, randomly generated value unique to this deployment; never deploy the sample string -->
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
<!-- PingFederate wants logout requests to be signed - required for PingFederate SLO -->
<add key="ApplicationSecurityAuthSAMLWantLogoutRequestsSigned" value="true" />
<!-- PingFederate wants assertions to be signed - required for PingFederate SLO -->
<add key="ApplicationSecurityAuthSAMLWantAssertionsSigned" value="true" />
Optional settings
Complete sign-out via portal
<!-- Portal URL the user is sent to for a complete sign-out (optional); replace {environment-id} -->
<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://auth.pingone.ca/{environment-id}/saml20/idp/slo" />
SP-initiated SLO
<!-- IdP endpoint for SP-initiated single logout (optional); replace {environment-id} -->
<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://auth.pingone.ca/{environment-id}/saml20/idp/slo" />
Auth0
Provider: saml-auth0
Required settings
<!-- Selects the SAML provider implementation (Auth0) -->
<add key="ApplicationSecurityAuthProvider" value="saml-auth0" />
<!-- IdP SAML endpoint; replace the {tenant-id} and {client-id} placeholders -->
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{tenant-id}.auth0.com/samlp/{client-id}" />
<!-- Issuer value WorkflowGen presents to the IdP; replace {your-workflowgen-domain} -->
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<!-- Issuer value expected from the IdP (a URN for Auth0); replace {tenant-id} -->
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="urn:{tenant-id}.auth0.com" />
<!-- WorkflowGen (SP-side) certificate, PEM encoded; "..." stands for the base64 body -->
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- Private key paired with ApplicationSecurityAuthSAMLCert. This is a secret: keep it out of source control and restrict read access to the configuration file -->
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<!-- IdP certificate, PEM encoded; obtain it from the IdP's own metadata or portal, not from an unverified source -->
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- "your-session-secret" is a placeholder: replace it with a long, randomly generated value unique to this deployment; never deploy the sample string -->
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
<!-- Auth0 wants assertions to be signed - required for Auth0 SLO -->
<add key="ApplicationSecurityAuthSAMLWantAssertionsSigned" value="true" />
Optional settings
Complete sign-out via portal
<!-- Portal URL the user is sent to for a complete sign-out (optional); replace {tenant-id} -->
<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{tenant-id}.auth0.com/logout" />
SP-initiated SLO
<!-- IdP endpoint for SP-initiated single logout (optional); replace {tenant-id} and {client-id} -->
<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{tenant-id}.auth0.com/samlp/{client-id}/logout" />
Okta
Provider: saml-okta
Required settings
<!-- Selects the SAML provider implementation (Okta) -->
<add key="ApplicationSecurityAuthProvider" value="saml-okta" />
<!-- IdP SAML endpoint; replace the {okta-domain-id}, {app-name} and {app-id} placeholders -->
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{okta-domain-id}.okta.com/app/{app-name}/{app-id}/sso/saml" />
<!-- Issuer value WorkflowGen presents to the IdP; replace {your-workflowgen-domain} -->
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<!-- Issuer value expected from the IdP; replace {app-id} -->
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://www.okta.com/{app-id}" />
<!-- WorkflowGen (SP-side) certificate, PEM encoded; "..." stands for the base64 body -->
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- Private key paired with ApplicationSecurityAuthSAMLCert. This is a secret: keep it out of source control and restrict read access to the configuration file -->
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<!-- IdP certificate, PEM encoded; obtain it from the IdP's own metadata or portal, not from an unverified source -->
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- "your-session-secret" is a placeholder: replace it with a long, randomly generated value unique to this deployment; never deploy the sample string -->
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
Optional settings
Complete sign-out via portal
<!-- Portal URL the user is sent to for a complete sign-out (optional); replace {okta-domain-id} -->
<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{okta-domain-id}.okta.com/login/signout" />
SP-initiated SLO
<!-- IdP endpoint for SP-initiated single logout (optional); replace {okta-domain-id}, {app-name} and {app-id} -->
<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{okta-domain-id}.okta.com/app/{app-name}/{app-id}/slo/saml" />
AD FS
SAML v2.0 support for AD FS is still in experimental mode. You should test the configuration for compatibility.
Provider: saml-adfs
Required settings
<!-- Selects the SAML provider implementation (AD FS; marked experimental above) -->
<add key="ApplicationSecurityAuthProvider" value="saml-adfs" />
<!-- IdP SAML endpoint; replace the {your-adfs-server} placeholder -->
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{your-adfs-server}/adfs/ls/" />
<!-- Issuer value WorkflowGen presents to the IdP; replace {your-workflowgen-domain} -->
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<!-- Issuer value expected from the IdP; replace {your-adfs-server} -->
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://{your-adfs-server}/adfs/services/trust" />
<!-- WorkflowGen (SP-side) certificate, PEM encoded; "..." stands for the base64 body -->
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- Private key paired with ApplicationSecurityAuthSAMLCert. This is a secret: keep it out of source control and restrict read access to the configuration file -->
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<!-- IdP certificate, PEM encoded; obtain it from the IdP's own metadata or portal, not from an unverified source -->
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- "your-session-secret" is a placeholder: replace it with a long, randomly generated value unique to this deployment; never deploy the sample string -->
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
Optional settings
Complete sign-out via portal
<!-- Portal URL the user is sent to for a complete sign-out (optional); replace {your-adfs-server} -->
<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{your-adfs-server}/adfs/ls/?wa=wsignout1.0" />
SP-initiated SLO
<!-- Endpoint for SP-initiated single logout (optional); replace {your-adfs-server} -->
<!-- NOTE(review): wa=wsignout1.0 is the WS-Federation sign-out parameter; confirm this is the endpoint AD FS expects for a SAML logout request (this section is marked experimental) -->
<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{your-adfs-server}/adfs/ls/?wa=wsignout1.0" />
Generic providers
SAML v2.0 authentication support for generic IdPs is still in experimental mode. You should test the configuration for compatibility.
Provider: saml-generic
Required settings
<!-- Selects the generic SAML provider implementation (marked experimental above) -->
<add key="ApplicationSecurityAuthProvider" value="saml-generic" />
<!-- IdP SAML endpoint; replace the {your-idp-server} placeholder with your IdP's SSO URL -->
<add key="ApplicationSecurityAuthSAMLEntryPoint" value="https://{your-idp-server}/sso/saml" />
<!-- Issuer value WorkflowGen presents to the IdP; replace {your-workflowgen-domain} -->
<add key="ApplicationSecurityAuthSAMLIssuer" value="https://{your-workflowgen-domain}/wfgen/auth" />
<!-- Issuer value expected from the IdP; replace {your-idp-server} with the issuer your IdP actually emits -->
<add key="ApplicationSecurityAuthSAMLIdpIssuer" value="https://{your-idp-server}" />
<!-- WorkflowGen (SP-side) certificate, PEM encoded; "..." stands for the base64 body -->
<add key="ApplicationSecurityAuthSAMLCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- Private key paired with ApplicationSecurityAuthSAMLCert. This is a secret: keep it out of source control and restrict read access to the configuration file -->
<add key="ApplicationSecurityAuthSAMLPrivateKey" value="-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----" />
<!-- IdP certificate, PEM encoded; obtain it from the IdP's own metadata or portal, not from an unverified source -->
<add key="ApplicationSecurityAuthSAMLIdpCert" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" />
<!-- "your-session-secret" is a placeholder: replace it with a long, randomly generated value unique to this deployment; never deploy the sample string -->
<add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="your-session-secret" />
<!-- NOTE(review): this section does not set ApplicationSecurityAuthSAMLWantAssertionsSigned or ApplicationSecurityAuthSAMLWantLogoutRequestsSigned (set to "true" in the PingFederate section); confirm whether the defaults require signatures and enable them if your IdP supports it -->
Optional settings
Complete sign-out via portal
<!-- Portal URL the user is sent to for a complete sign-out (optional); replace {your-idp-server} -->
<add key="ApplicationSecurityAuthSAMLLogoutPortalUrl" value="https://{your-idp-server}/logout" />
SP-initiated SLO
<!-- IdP endpoint for SP-initiated single logout (optional); replace {your-idp-server} -->
<add key="ApplicationSecurityAuthSAMLLogoutUrl" value="https://{your-idp-server}/slo/saml" />