Additional Information

SOAP services support

WorkflowGen only supports requests to the SOAP API using classic authentication methods. If you still need to use this API, you have to perform some additional steps to configure it properly:

  1. Create a new separate WorkflowGen directory (i.e. users and groups) for the SOAP API users.

  2. Provision it with users and groups as needed.

  3. In IIS Manager, enable the Basic authentication method for the \wfgen\ws application.

  4. In the web.config file (located in \Inetpub\wwwroot\wfgen), add the following under <location path="ws" inheritInChildApplications="false">:

    <system.webServer>
        <modules>
            <remove name="ApplicationSecurityAuthenticationModule" />
        </modules>
    </system.webServer>

About session management

Microsoft Entra ID (ME-ID) supports OpenID Connect Session Management, a draft extension to the core OpenID Connect standard. This extension defines the rules for handling the provider's SSO session from the client. For example, if a user logs out of their ME-ID session from any device, a regular web client will receive a message that enables it to remove the same user's local session. WorkflowGen supports this feature when delegated authentication with ME-ID is activated.

Configurable options

For a complete list of configurable options, see the Web and Application Configuration Parameters appendix in the WorkflowGen Technical Guide.

This table lists all configurable options in WorkflowGen that you can use to customize your authentication experience; these are located in the WorkflowGen web.config file.

Current limitations

If the WorkflowGen User Portal or Administration Module is displayed without the main header menu, the session management feature will not work. For example, this scenario could occur when the portal home page or a request follow-up form is displayed inside an iFrame in an external solution.

Configuring the authentication without the GraphQL API

If for some reason you can't register the WorkflowGen GraphQL API application and you don't need GraphQL API authentication configured with the provider, you can avoid creating the registration and configure WorkflowGen with the Microsoft Graph API instead, which is included by default in all application registrations. To configure it, you only have to change some configuration options in the web.config file:

<configuration>
    <appSettings>
        <add key="ApplicationSecurityAuthAudience" value="https://graph.microsoft.com"/>
        <add key="ApplicationSecurityAuthDecodeAccessToken" value="N"/>
    </appSettings>
</configuration>

  1. Change the ApplicationSecurityAuthAudience key to the Microsoft Graph API URL, e.g. https://graph.microsoft.com.

  2. Set the ApplicationSecurityAuthDecodeAccessToken option to N.

  • Keep in mind that by setting ApplicationSecurityAuthDecodeAccessToken=N, the expiration date of the session token generated by WorkflowGen will be based on that of the ID token.

  • You won't be able to use the access token received from ME-ID to query the GraphQL API. This access token will give you access to the Microsoft Graph API and nothing else. To query the GraphQL API, you'll need to configure its authentication with another method, like Basic authentication.
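
The following added example (not part of the WorkflowGen documentation or product) audits a web.config for the two configurations described on this page: the module removal under the ws location for the SOAP API, and the Microsoft Graph audience used together with ApplicationSecurityAuthDecodeAccessToken=N. The function name, the finding codes and the sample file are assumptions made for illustration; the sample is constructed and deliberately leaves the decode option at Y.

```python
import xml.etree.ElementTree as ET

GRAPH_AUDIENCE = "https://graph.microsoft.com"
AUTH_MODULE = "ApplicationSecurityAuthenticationModule"

# Constructed sample: the two fragments from this page in one file, with
# DecodeAccessToken deliberately left at Y to show the inconsistent case.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ApplicationSecurityAuthAudience" value="https://graph.microsoft.com"/>
    <add key="ApplicationSecurityAuthDecodeAccessToken" value="Y"/>
  </appSettings>
  <location path="ws" inheritInChildApplications="false">
    <system.webServer>
      <modules>
        <remove name="ApplicationSecurityAuthenticationModule" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""


def audit_web_config(xml_text):
    """Return {finding_code: message} for the settings this page describes."""
    root = ET.fromstring(xml_text)
    findings = {}
    # Root-level appSettings only; <location>-scoped overrides are not read.
    settings = {a.get("key"): a.get("value", "") for a in root.findall("./appSettings/add")}
    audience = settings.get("ApplicationSecurityAuthAudience", "").rstrip("/").lower()
    decode = settings.get("ApplicationSecurityAuthDecodeAccessToken", "").strip().upper()
    if audience == GRAPH_AUDIENCE:
        if decode == "N":
            findings["graph-fallback"] = ("session expiry follows the ID token; the ME-ID "
                                          "access token cannot query the GraphQL API")
        else:
            findings["graph-decode-mismatch"] = ("audience is Microsoft Graph but "
                "ApplicationSecurityAuthDecodeAccessToken is not N")
    for loc in root.findall("./location"):
        if loc.get("path") != "ws":
            continue
        removed = {r.get("name") for r in loc.findall("./system.webServer/modules/remove")}
        if AUTH_MODULE in removed:
            findings["ws-module-removed"] = ("ws removes " + AUTH_MODULE +
                "; Basic authentication must be enabled on \\wfgen\\ws in IIS")
        else:
            findings["ws-module-present"] = "ws location does not remove " + AUTH_MODULE
    return findings


if __name__ == "__main__":
    for code, message in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{code}: {message}")
```

To check a real file, read it as bytes and pass the content to audit_web_config so that an XML declaration with an encoding attribute is accepted.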