9.0

User Provisioning

Overview

The self-provisioning connector is a directory connector that automatically creates and synchronizes a user based on the user's session token claims that contain claims from the OpenID Connect provider ID token. This feature is only compatible with an OpenID Connect authentication.

Prerequisites

  • Make sure to have a working WorkflowGen instance.

  • Make sure to know the instance's IP address or its fully qualified name.

  • Make sure to know the address of the instance.

  • Make sure to have configured Auth0 or one of the other OIDC-compliant authentication methods (Azure Active Directory, AD FS, Okta, or Microsoft Identity Platform v2.0).

WorkflowGen configuration

This section will guide you through the WorkflowGen configurations necessary to set up the self-provisioning feature with a directory.

Step 1: Create a self-provisioning directory

This directory will contain all of the users that are not provisioned elsewhere. To create a self-provisioning directory, do the following:

  1. On the Directories page in the WorkflowGen Administration Module, click New directory.

  2. Fill in the form:

    • Name: SELF_PROVISIONING(or something else)

    • Description: A good description of the directory

    • Directory connector: Self-provisioning

  3. Click Save.

Step 2: Configure the user fields-to-claims mapping

Now that you've created a new directory with the self-provisioning connector, you need to define which claims are mapped to which WorkflowGen user field. To do this:

  1. On the new directory's page, click Edit mapping.

  2. To the right of the name of a WorkflowGen user's field, enter the name of the claim in the session token that you want to map.

    Here's an example of a session token generated by the auth node application from the Auth0 ID token connected with Google Apps:

     {
     "sub": "some.user@advantys.com",
     "iss": "https://<workflowgen_url>/auth",
     "aud": "https://<workflowgen_url>",
     "exp": 1535627127,
     "https://api.workflowgen.com/username": "some.user@advantys.com",
     "given_name": "Some",
     "family_name": "User",
     "nickname": "some-user",
     "name": "Some User",
     "picture":  "https://lh4.googleusercontent.com/path/to/photo.jpg",
     "gender": "male",
     "locale": "en",
     "updated_at": "1970-01-01T00:00:00Z",
     "email": "some.user@advantys.com",
     "email_verified": true,
     "nonce": "ffdd6d95-31e6-4466-84c4-43f8c0fbaae7",
     "iat": 1535591128
 }

    These claims could be mapped in WorkflowGen like this:

    ✏️ Note: The Username and Name fields are required.

  3. Click Save.

You've now activated the self-provisioning feature, and unknown users can be automatically provisioned and synchronized to WorkflowGen without any external actions required.

PreviousAuthenticationNextWorkflowGen Plus v2