WorkflowGen Plus v2

Overview

Mobile applications use a variant of the flow that regular web applications use, called the Authorization Code Flow with Proof Key for Code Exchange (PKCE). The difference from the classic Authorization Code Flow is that the mobile application is never given a client secret. Instead, for each login attempt it generates a random code verifier, sends a SHA-256 hash of it (the code challenge) along with the authorization request, and presents the verifier itself only when it exchanges the authorization code for tokens; AD FS issues tokens only if the verifier matches the challenge it recorded. This matters for a native application because its redirect URI (workflowgenplus://oidc) is a custom URI scheme that another application on the same device could also register: an authorization code intercepted that way is useless without the verifier, which never leaves the legitimate application. A client secret would not help here, because a mobile application is distributed directly to users, is therefore no longer under the developer's control, and can be decompiled and analyzed to extract any secret embedded in it.
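The exchange described above, as an added example that is not part of the WorkflowGen documentation or the WorkflowGen Plus application's own code. It shows both halves of PKCE: the client-side generation of the verifier/challenge pair and the two requests the app sends to the standard AD FS OAuth 2.0 endpoints, plus the check the token endpoint performs. The AD FS hostname, client identifier and authorization code are placeholders; the redirect URI and scopes are the ones this page registers.

```powershell
# Added example, not from the WorkflowGen docs. Assumptions: AD FS host name,
# client identifier and the authorization code are placeholders to replace.

# Base64url without padding, as RFC 7636 requires for both PKCE values.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Client side: a fresh random code_verifier per login attempt (32 random bytes
# -> 43 characters, inside the 43..128 range RFC 7636 allows) and its S256
# code_challenge. Only the challenge leaves the device with the first request.
function New-PkcePair {
    $verifierBytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($verifierBytes)
    $verifier = ConvertTo-Base64Url $verifierBytes
    $digest   = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
                    [System.Text.Encoding]::ASCII.GetBytes($verifier))
    return @{ Verifier = $verifier; Challenge = (ConvertTo-Base64Url $digest) }
}

# Server side: the check AD FS performs at the token endpoint. The verifier sent
# with the code must hash to the challenge that was bound to that code.
function Test-PkceVerifier([string]$Verifier, [string]$Challenge) {
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
                  [System.Text.Encoding]::ASCII.GetBytes($Verifier))
    return (ConvertTo-Base64Url $digest) -eq $Challenge
}

$adfs        = 'https://adfs.example.com'                # placeholder
$clientId    = '<client identifier copied from AD FS>'   # placeholder: value from Step 1
$redirectUri = 'workflowgenplus://oidc'
$pkce        = New-PkcePair

# Request 1: the authorization request the app opens in the system browser.
# No secret is involved, only the one-way hash of the verifier.
$query = [ordered]@{
    client_id             = $clientId
    response_type         = 'code'
    redirect_uri          = $redirectUri
    scope                 = 'openid profile email'
    code_challenge        = $pkce.Challenge
    code_challenge_method = 'S256'
    state                 = ConvertTo-Base64Url (New-Guid).ToByteArray()
}
$authorizeUrl = "$adfs/adfs/oauth2/authorize?" + (($query.GetEnumerator() |
    ForEach-Object { "$($_.Key)=$([Uri]::EscapeDataString($_.Value))" }) -join '&')
Write-Host "Open in the browser: $authorizeUrl"

# Request 2: after AD FS redirects to workflowgenplus://oidc?code=...&state=...,
# the app exchanges the code. The verifier is revealed only now, over TLS,
# directly to the token endpoint; an app that merely caught the redirect lacks it.
$code = '<authorization code from the redirect>'         # placeholder
if ($code -notlike '<*') {
    $tokenResponse = Invoke-RestMethod -Method Post -Uri "$adfs/adfs/oauth2/token" -Body @{
        grant_type    = 'authorization_code'
        client_id     = $clientId
        code          = $code
        redirect_uri  = $redirectUri
        code_verifier = $pkce.Verifier
    }
    $tokenResponse.access_token
}

# What the server-side comparison looks like for the pair generated above.
Test-PkceVerifier -Verifier $pkce.Verifier -Challenge $pkce.Challenge
```

The state parameter is not part of PKCE but belongs in any authorization request: the app compares it with the value returned on the redirect to reject responses it did not initiate.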

This section provides instructions on how to configure AD FS for the WorkflowGen Plus mobile application so that your mobile users can benefit from delegated authentication as well.

For instructions on how to generate a universal link to simplify the AD FS login process for your users, see the Generating a universal link for WorkflowGen Plus v2 section.

Prerequisites

  • Make sure to have a licensed copy of WorkflowGen installed and running on a server.

  • Make sure to have administrative access to the AD FS server so that you can configure it properly.

  • Make sure to have an existing Active Directory user provisioned in WorkflowGen with which you can authenticate, so that you can use the application afterwards.

  • Make sure to have the latest WorkflowGen Plus version installed on your device and that your device is supported.

  • Make sure to have successfully configured delegated authentication to AD FS on your WorkflowGen instance following the instructions in the AD FS authentication section.

AD FS configuration

This configuration is done in two steps. First, you have to register a new native application in AD FS. Then, you have to give that application permission to access the WorkflowGen GraphQL API.

Step 1: Register a new native application

  1. In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.

  2. Click Add application.

  3. Configure the application:

    1. Name: WorkflowGen Plus

    2. Copy the client identifier generated by AD FS; you'll need to enter it in the WorkflowGen Plus application.

    3. Redirect URI: workflowgenplus://oidc

  4. Click Add to add the redirect URI to the list, then click Next.

  5. Review the configuration; once you've finished, click Next and then Close.

You've now added the WorkflowGen Plus native application in your AD FS WorkflowGen application group.

Step 2: Grant access to the WorkflowGen GraphQL API

  1. In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.

  2. Double-click on the WorkflowGen GraphQL API application.

  3. On the Client Permissions tab, click Add.

  4. Select WorkflowGen Plus in the list of client applications, then click Add.

  5. With WorkflowGen Plus selected in the client list, make sure that the openid, profile, and email scopes are checked, and leave the other scopes unchecked: these three are all the application needs.

  6. Click OK, then click OK in the WorkflowGen application group menu.

You've now configured WorkflowGen Plus within AD FS.
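The two steps above, performed with the ADFS PowerShell module on the AD FS server instead of the AD FS Management console, as an added example that is not part of the WorkflowGen documentation. It assumes the application group is named WorkflowGen and the Web API application is named WorkflowGen GraphQL API, as on this page, and that the group's Web API has a single identifier; adjust the names if yours differ. The final check confirms the grant carries exactly the three scopes the page calls for.

```powershell
# Added example, not from the WorkflowGen docs. Run on the AD FS server as an
# AD FS administrator. Group and application names are assumptions from this page.
Import-Module ADFS

$groupName  = 'WorkflowGen'                 # assumption: application group name
$clientName = 'WorkflowGen Plus'
$apiName    = 'WorkflowGen GraphQL API'     # assumption: Web API application name
$redirect   = 'workflowgenplus://oidc'
$scopes     = @('openid', 'profile', 'email')   # only what the app needs

$group = Get-AdfsApplicationGroup -Name $groupName -ErrorAction SilentlyContinue
if (-not $group) {
    throw "Application group '$groupName' not found; configure AD FS authentication for WorkflowGen first."
}

# Step 1: register the native (public) client. No secret is created for it.
$client = Get-AdfsNativeClientApplication -Name $clientName -ErrorAction SilentlyContinue
if (-not $client) {
    Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $group.ApplicationGroupIdentifier `
        -Name $clientName -Identifier ([guid]::NewGuid().ToString()) -RedirectUri $redirect
    $client = Get-AdfsNativeClientApplication -Name $clientName
}
Write-Host "Client identifier to enter in the app: $($client.Identifier)"

# Step 2: allow the client to call the GraphQL API with the listed scopes.
$api = Get-AdfsWebApiApplication -Name $apiName -ErrorAction SilentlyContinue
if (-not $api) { throw "Web API application '$apiName' not found." }
$apiId = @($api.Identifier)[0]

$existing = Get-AdfsApplicationPermission -ClientRoleIdentifiers $client.Identifier `
    -ServerRoleIdentifiers $apiId
if (-not $existing) {
    Grant-AdfsApplicationPermission -ClientRoleIdentifier $client.Identifier `
        -ServerRoleIdentifier $apiId -ScopeNames $scopes
}

# Check: the grant exists and carries exactly the intended scopes, no more.
$perm = Get-AdfsApplicationPermission -ClientRoleIdentifiers $client.Identifier `
    -ServerRoleIdentifiers $apiId
$missing = $scopes | Where-Object { $_ -notin $perm.ScopeNames }
if ($missing) { throw "Grant is missing scopes: $($missing -join ', ')" }
$extra = $perm.ScopeNames | Where-Object { $_ -notin $scopes }
if ($extra) { Write-Warning "Grant has scopes beyond the minimum: $($extra -join ', ')" }
Write-Host "WorkflowGen Plus is registered and permitted on '$apiName' with: $($perm.ScopeNames -join ', ')"
```

The script is safe to rerun: it only creates the client and the grant when they are absent, and it fails loudly rather than silently widening an existing grant.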