9.0

User Provisioning

Overview

The self-provisioning connector is a directory connector that automatically creates and synchronizes a user based on the user's session token claims that contain claims from the OpenID Connect provider ID token. This feature is only compatible with an OpenID Connect authentication.

Prerequisites

  • Make sure to have a working WorkflowGen instance.

  • Make sure to know the instance's IP address or its fully qualified name.

  • Make sure to know the address of the instance.

  • Make sure to have configured Okta or one of the other OIDC-compliant authentication methods (Azure Active Directory, AD FS, Auth0, or Microsoft Identity Platform v2.0).

WorkflowGen configuration

This section will guide you through the WorkflowGen configurations necessary to set up the self-provisioning feature with a directory.

Step 1: Create a self-provisioning directory

This directory will contain all of the users that are not provisioned elsewhere. To create a self-provisioning directory, do the following:

  1. On the Directories page in the WorkflowGen Administration Module, click New directory.

  2. Fill in the form:

    • Name: SELF_PROVISONING(or something else)

    • Description: A good description of the directory

    • Directory connector: Self-provisioning

  3. Click Save.

Step 2: Configure the user fields-to-claims mapping

Now that you've created a new directory with the self-provisioning connector, you need to define which claims are mapped to which WorkflowGen user field. To do this:

  1. On the new directory's page, click Edit mapping.

  2. To the right of the name of the WorkflowGen user field, enter the name of the claim in the session token that you want to map.

    Here's an example of a session token generated by the auth node application from the Okta ID token connected with Google Apps:

     {
     "sub": "some.user@advantys.com",
     "iss": "https://<workflowgen_url>/auth",
     "aud": "https://<workflowgen_url>",
     "exp": 1535627127,
     "https://api.workflowgen.com/username": "some.user@advantys.com",
     "given_name": "Some",
     "family_name": "User",
     "nickname": "some-user",
     "name": "Some User",
     "picture":  "https://lh4.googleusercontent.com/path/to/photo.jpg",
     "gender": "male",
     "locale": "en",
     "updated_at": "1970-01-01T00:00:00Z",
     "email": "some.user@advantys.com",
     "email_verified": true,
     "nonce": "ffdd6d95-31e6-4466-84c4-43f8c0fbaae7",
     "iat": 1535591128
 }

    These claims could be mapped in WorkflowGen like this:

    ✏️ Note: The Username and Name fields are required.

  3. Click Save.

PreviousAuthenticationNextWorkflowGen Plus v2