Additional Information
SOAP services support
WorkflowGen only supports requests to the SOAP API using classic authentication methods. If you still need to use this API, you have to perform some additional steps to configure it properly:
Create a new separate WorkflowGen directory (i.e. users and groups) for the SOAP API users.
Provision it with users and groups as needed.
In IIS Manager, enable the Basic authentication method for the
\wfgen\ws
application.In the
web.config
file (located in\Inetpub\wwwroot\wfgen
), add the following under<location path="ws" inheritInChildApplications="false">
:
About session management
Microsoft Entra ID (ME-ID) supports OpenID Connect Session Management, an extension draft standard, in addition to the core OpenID Connect standard. This standard defines the rules to handle SSO session of the provider from the client. An example use is that if a user logs out of their ME-ID session from any device, a regular web client will receive a message that enables it to remove the same user's local session. WorkflowGen supports this feature when activating delegated authentication with ME-ID.
Configurable options
For a complete list of configurable options, see the Web and Application Configuration Parameters appendix in the WorkflowGen Technical Guide.
This table lists all configurable options in WorkflowGen that you can use to customize your authentication experience; these are located in the WorkflowGen web.config
file.
Option
Description
ApplicationSecurityAuthSessionTokenCookie
The name of the session cookie that is generated by the authentication module.
Default: wfgen_token
✏️ Note: This is useful when you have multiple instances of WorkflowGen running and you want to have access to both and be authenticated on both instances at the same time.
ApplicationSecurityAuthSessionTimeOut
The duration of the session in seconds. It defaults to the ID token expiration time received. Default: The exp value of the ID token
ApplicationSecurityAuthMobileSessionTimeOut
The duration of the session in seconds when requested from mobile devices on the token endpoint. Default: 7200 seconds
ApplicationSecurityAuthAudience
The intended recipient of the access token (e.g. the target API).
Default: https://<workflowgen url>/graphql
ApplicationSecurityAuthAdditionalScopes
Additional scopes to add to the authentication request. They will appear in the access token content.
✏️ Note: The openid
, profile
, and email
scopes are always in the request.
ApplicationSecurityAuthGraphQLScope
Custom GraphQL scope value that will be verified when validating the authorized scopes in the access token returned from the OIDC provider.
ApplicationSecurityAuthGraphQLAppRole
Custom GraphQL application role value that will be verified when validating the roles in the access token returned from the OIDC provider in a client credentials flow.
✏️ Note: Only available for the ms-identity-v2
provider.
Current limitations
If the WorkflowGen User Portal or Administration Module is displayed without the main header menu, this feature will not work. For example, this scenario could occur when the portal home page or a request follow-up form is displayed inside an iFrame in an external solution.
Configuring the authentication without the GraphQL API
If for some reason you can't register the WorkflowGen GraphQL API
application and you don't need GraphQL API authentication configured with the provider, you can avoid creating the registration and configure WorkflowGen with the Microsoft Graph API instead, which is included by default in all application registrations. To configure it, you only have to change some configuration options in the web.config
file:
Change the
ApplicationSecurityAuthAudience
key to the Microsoft Graph API URL, e.g.https://graph.microsoft.com
.Set the
ApplicationSecurityAuthDecodeAccessToken
option toN
.
Keep in mind that by setting
ApplicationSecurityAuthDecodeAccessToken=N
, the expiration date of the session token generated by WorkflowGen will be based on that of the ID token.You won't be able to use the access token received from ME-ID to query the GraphQL API. This access token will give you access to the Microsoft Graph API and nothing else. To query the GraphQL API, you'll need to configure its authentication with another method, like Basic authentication.
Last updated