Additional Information

SOAP services support

WorkflowGen only supports requests to the SOAP API using classic authentication methods. If you still need to use this API, you have to perform some additional steps to configure it properly:

  1. Create a new separate WorkflowGen directory (i.e. users and groups) for the SOAP API users.

  2. Provision it with users and groups as needed.

  3. In IIS Manager, enable the Basic authentication method for the \wfgen\ws application.

  4. In the web.config file (located in \Inetpub\wwwroot\wfgen), add the following under <location path="ws" inheritInChildApplications="false"> :

    <system.webServer>
        <modules>
            <remove name="ApplicationSecurityAuthenticationModule" />
        </modules>
    </system.webServer>

About session management

Microsoft Entra ID (ME-ID) supports OpenID Connect Session Management, an extension draft standard, in addition to the core OpenID Connect standard. This standard defines the rules to handle SSO session of the provider from the client. An example use is that if a user logs out of their ME-ID session from any device, a regular web client will receive a message that enables it to remove the same user's local session. WorkflowGen supports this feature when activating delegated authentication with ME-ID.

Configurable options

For a complete list of configurable options, see the Web and Application Configuration Parameters appendix in the WorkflowGen Technical Guide.

This table lists all configurable options in WorkflowGen that you can use to customize your authentication experience; these are located in the WorkflowGen web.config file.

Option

Description

ApplicationSecurityAuthSessionTokenCookie

The name of the session cookie that is generated by the authentication module. Default: wfgen_token ✏️ Note: This is useful when you have multiple instances of WorkflowGen running and you want to have access to both and be authenticated on both instances at the same time.

ApplicationSecurityAuthSessionTimeOut

The duration of the session in seconds. It defaults to the ID token expiration time received. Default: The exp value of the ID token

ApplicationSecurityAuthMobileSessionTimeOut

The duration of the session in seconds when requested from mobile devices on the token endpoint. Default: 7200 seconds

ApplicationSecurityAuthAudience

The intended recipient of the access token (e.g. the target API).

Default: https://<workflowgen url>/graphql

ApplicationSecurityAuthAdditionalScopes

Additional scopes to add to the authentication request. They will appear in the access token content.

✏️ Note: The openid, profile, and email scopes are always in the request.

ApplicationSecurityAuthGraphQLScope

Custom GraphQL scope value that will be verified when validating the authorized scopes in the access token returned from the OIDC provider.

ApplicationSecurityAuthGraphQLAppRole

Custom GraphQL application role value that will be verified when validating the roles in the access token returned from the OIDC provider in a client credentials flow.

✏️ Note: Only available for the ms-identity-v2 provider.

Current limitations

If the WorkflowGen User Portal or Administration Module is displayed without the main header menu, this feature will not work. For example, this scenario could occur when the portal home page or a request follow-up form is displayed inside an iFrame in an external solution.

Configuring the authentication without the GraphQL API

If for some reason you can't register the WorkflowGen GraphQL API application and you don't need GraphQL API authentication configured with the provider, you can avoid creating the registration and configure WorkflowGen with the Microsoft Graph API instead, which is included by default in all application registrations. To configure it, you only have to change some configuration options in the web.config file:

<configuration>
    <appSettings>
        <add key="ApplicationSecurityAuthAudience" value="https://graph.microsoft.com"/>
        <add key="ApplicationSecurityAuthDecodeAccessToken" value="N"/>
    </appSettings>
</configuration>
  1. Change the ApplicationSecurityAuthAudience key to the Microsoft Graph API URL, e.g.https://graph.microsoft.com.

  2. Set the ApplicationSecurityAuthDecodeAccessToken option to N.

  • Keep in mind that by setting ApplicationSecurityAuthDecodeAccessToken=N, the expiration date of the session token generated by WorkflowGen will be based on that of the ID token.

  • You won't be able to use the access token received from ME-ID to query the GraphQL API. This access token will give you access to the Microsoft Graph API and nothing else. To query the GraphQL API, you'll need to configure its authentication with another method, like Basic authentication.