Bizagi local authentication


Overview

Bizagi supports integration with your corporate Identity Managers (recommended).

For introductory information about authentication options in Bizagi, refer to Identity and Access Management.

However, you may choose to rely on Bizagi's local authentication service, which offers secure sign-in options and configuration parameters to enforce your corporate password and account policies.

 

What you need to do

To configure Bizagi authentication for use in Automation Service, follow these steps:

 

1. Configure the authentication type in Bizagi Studio.

2. Configure Bizagi authentication parameters.

 

Configuration procedure

By default, Bizagi Studio projects use Bizagi Authentication, so the first step is not necessary unless you have changed settings to use a different type of authentication, and now want to change back.

 

1. Configure the authentication type in Bizagi Studio.

To explicitly choose Bizagi authentication, follow these steps:

 

1.1 Open your Bizagi Studio project.

Open Bizagi Studio and select your project in your development environment.

 


 

1.2 Go to the security settings.

Click Expert view, and select the Security module.

 


 

Click Authentication in the middle panel, and confirm that the drop-down list at the rightmost panel shows Bizagi Authentication.

 

Click Update if you had a different choice before.

 

2. Configure Bizagi authentication parameters.

Once Bizagi Authentication is chosen, sub-items for Authentication display.

 

Configure these parameters to use account and password policies as needed. Some parameters apply to passwords, others to accounts and session management, and others to the overall admin procedures when managing accounts.

 


 

We recommend reviewing the default values and defining the following:

Explicitly enforce password change after first login

Enforce use of capital letters in passwords

Enforce use of small letters in passwords

Enforce use of numbers in passwords

Enforce use of special characters in passwords

Idle sessions time-out

Minimum length of passwords

Maximum number of failed login attempts.

 

To configure each parameter, click it and define a setting in the panel to its right.

Make sure you click Update if you change values.

 

Refer to the following table for a description of each of the different parameters:

 

OPTION

DESCRIPTION

Account lockout duration

Defines the number of minutes an account remains locked out due to reaching Maximum number of failed login attempts (and having set Enable account lockout for failed login attempts), before automatically being unlocked.

This duration must be greater than or equal to Failed login attempts time-out.

E-mail for an account unlock request - Body

Defines the body of the email to be sent to the administrator when a user requests the unlocking of an account (i.e., when Enable account unlock request e-mails to admin is selected and you have specified E-mail of admin).

Use with E-mail for an account unlock request - Subject.

E-mail for an account unlock request - Subject

Defines the subject of the email to be sent to the administrator when a user requests the unlocking of an account (i.e., when Enable account unlock request e-mails to admin is selected and you have specified E-mail of admin).

Use with E-mail for an account unlock request - Body.

E-mail for an active account - Body

Defines the body of the email to be sent to a user when their account is created and set as active.

Use with E-mail for an active account - Subject.

E-mail for an active account - Subject

Defines the subject of the email to be sent to a user when their account is created and set as active.

Use with E-mail for an active account - Body.

E-mail for password reminder - Body

Defines the body of the email to be sent when the user requests a password reminder.

Use with E-mail for password reminder - Subject.

E-mail for password reminder - Subject

Defines the subject of the email to be sent when the user requests a password reminder.

Use with E-mail for password reminder - Body.

E-mail of admin

Defines the email of the administrator in charge of receiving E-mail for an account unlock request (i.e., when using Enable account unlock request e-mails to admin).

Enable account lockout for failed login attempts

Establishes whether to lock out accounts when a maximum number of failed login attempts is reached (to use with Maximum number of failed login attempts).

Enable account unlock request e-mails to admin

Establishes whether to send emails when a user requests an account unlock.

Use with E-mail for an account unlock request, and E-mail of admin.

Enable authentication logging in database

Establishes whether to record an audit log with all authentication events. If enabled, look for the table AUTHOLOG in the database.

Note: Using the quick login feature does not create records in the authentication log.

Enable multiple sessions per account

Establishes whether to allow more than one simultaneous session for a single account.

Enable quick login

Applies only to the Development and Test environments.

 

Establishes whether to permit logins to the Work portal without providing the passwords of accounts (a quick login through a drop-down list displaying valid login accounts).

The drop-down list shows the first 100 active users (from the 101st user, accounts need to be manually entered into a text field).

Use quick login for unit tests or quick prototyping. This setting is not valid for a production environment.

When using quick login, the work portal's authentication log query feature does not record login events.

Enable use of a secret question

Establishes whether users can provide a secret question and answer and use them to avoid an account lockout when they forget their password.

Enable password change after the first login

Establishes whether a user must change the password after the first login.

Consider using this option or setting an explicit number of days for Password minimum age.

Enforce password history

Defines the number of unique passwords an account must have before reusing an older one.

Enforce use of capital letters in passwords

Establishes whether passwords must contain at least one capital letter.

Enforce use of letters in passwords

Establishes whether passwords must contain at least one letter.

Consider using Enforce use of capital letters in passwords and Enforce use of small letters in passwords instead.

Enforce use of numbers in passwords

Establishes whether passwords must contain at least one number.

Enforce use of small letters in passwords

Establishes whether passwords must contain at least one lower-case letter.

Enforce use of special characters in passwords

Establishes whether passwords must contain at least one special (non-alphanumeric) character.

Enforce validation of sequences in passwords

Establishes whether passwords are prohibited from containing character sequences (e.g., abc or 12).

Failed login attempts time-out

Defines the time frame after which the counter that stores the number of attempts resets, if the Maximum number of failed login attempts is not reached.

Idle account duration before lockout

Defines the maximum number of days that an account can be idle before the system locks it as unused.

Idle sessions time-out

Defines the time, in minutes, after which an idle session expires and the user is required to authenticate again.

Maximum length of passwords

Defines the maximum number of characters for passwords. Set this to zero to disable the password-length restriction.

Maximum number of failed login attempts

Defines the maximum number of consecutive unsuccessful login attempts after which an account is locked out.

Applies when Enable account lockout for failed login attempts is active.

Minimum length of passwords

Defines the minimum number of characters for passwords.

Password maximum age

Defines the maximum number of days during which a password can be used before it can be changed.

Password minimum age

Defines the minimum number of days during which a password can be used before it can be changed.

Consider using this option or setting an explicit number of days for Enable password change after the first login.

SLA for an account unlock request

Defines the expected service time (in hours) to process an account unlock request.
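
Several options in the table above depend on one another, and those dependencies can be checked mechanically when reviewing an environment. The following Python check is an added example, not Bizagi code: the setting keys are hypothetical names for the options above (Bizagi Studio exposes them in its UI, not as a file), the sample values are constructed, and it assumes Account lockout duration and Failed login attempts time-out are expressed in the same unit.

```python
def audit_auth_settings(s, environment):
    """Return a list of findings for a dict of local-authentication settings."""
    findings = []
    lockout = s.get("enable_account_lockout", False)
    max_attempts = s.get("max_failed_login_attempts", 0)

    # Maximum number of failed login attempts only applies with lockout enabled.
    if max_attempts and not lockout:
        findings.append("max_failed_login_attempts set but lockout is disabled")
    if lockout:
        if max_attempts <= 0:
            findings.append("lockout enabled without max_failed_login_attempts")
        # Lockout duration must be >= the failed-attempts time-out (same unit assumed).
        if s.get("account_lockout_duration", 0) < s.get("failed_login_attempts_timeout", 0):
            findings.append("account_lockout_duration is shorter than failed_login_attempts_timeout")

    # Unlock-request e-mails need an admin address plus subject and body.
    if s.get("enable_unlock_request_emails", False):
        for key in ("admin_email", "unlock_request_subject", "unlock_request_body"):
            if not s.get(key):
                findings.append(f"unlock request e-mails enabled but {key} is empty")

    # Maximum length 0 disables the restriction; otherwise it must fit the minimum.
    max_len = s.get("max_password_length", 0)
    if max_len and max_len < s.get("min_password_length", 0):
        findings.append("max_password_length is below min_password_length")

    # Quick login skips passwords and writes nothing to the authentication log.
    if s.get("enable_quick_login", False):
        if environment == "production":
            findings.append("quick login is not valid in production")
        elif s.get("enable_auth_logging", False):
            findings.append("quick logins will be missing from the authentication log")
    return findings

# Constructed sample values, not defaults taken from Bizagi.
SAMPLE = {
    "enable_account_lockout": True, "max_failed_login_attempts": 5,
    "account_lockout_duration": 10, "failed_login_attempts_timeout": 15,
    "enable_unlock_request_emails": True, "admin_email": "",
    "unlock_request_subject": "Unlock request", "unlock_request_body": "Please unlock.",
    "min_password_length": 12, "max_password_length": 0,
    "enable_quick_login": True, "enable_auth_logging": True,
}

if __name__ == "__main__":
    for finding in audit_auth_settings(SAMPLE, "test"):
        print("-", finding)
```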

 

Next steps

You have set up account authentication and can now proceed to create or import users into Bizagi.

You do not use Bizagi Studio for user management (i.e., creating, importing, or editing users).

You can manually create users for each environment through the Work Portal.