LDAP authentication



Bizagi PaaS supports integration with on-premises identity managers such as LDAP servers (for example, Microsoft Active Directory) through a VPN configuration.

For introductory information about authentication options in Bizagi, refer to Identity and Access Management.


When using LDAP Authentication in Bizagi, credentials entered in the login page (username, password and domain) are sent to an LDAP Server for verification.

Once the server verifies and grants access, login is successful (provided that this user is already created in Bizagi).




Note that with this authentication type, passwords are never stored in Bizagi, and you rely on your own LDAP Server for adequate account configuration and password policies.


Before you start

Note that you need to set up a VPN for this type of authentication.

For details and requirements about this first step, refer to VPN setup.


What you need to do

Once a VPN is set up, follow these steps to configure LDAP authentication:


1. Configure the authentication type in Bizagi Studio.

2. Synchronize the users from your LDAP into your Bizagi PaaS service.


Configuration procedure

By default, Bizagi Studio projects start off using Bizagi Authentication, so the first step is changing this setting.


1. Configuring the authentication type in Bizagi Studio.

At this point, you will need technical details from your LDAP system.


1.1 Open your Bizagi Studio project.

Open Bizagi Studio and load your project (development environment).




1.2 Go to the security settings.

Click on the Expert view, and select the Security module.




Click on Authentication in the middle panel, and ensure that the drop-down list at the rightmost panel shows LDAP Authentication. Click Update if you have a different choice:




Once LDAP Authentication is chosen, you will notice that sub-items for Authentication are displayed.

Configure these parameters to finish up the details and connection settings.


LDAP URL: Corresponds to the path used to access the LDAP Server (using the LDAP URI format).

It is mandatory that you input LDAP://.. with the starting LDAP prefix in uppercase letters.




Use settings in LDAP synchronization: This applies if you already have configured Bizagi to synchronize your Active Directory users into Bizagi (as described in the following step).

- If this is the scenario, turn this option on, to use the same LDAP URL and settings from the LDAP synchronization settings.

- When this option is on, the value of the former option will be ignored.




2. Synchronize the users from your LDAP into your Bizagi PaaS service.

Note that it is your responsibility to manage users, and therefore you will also need to consider synchronizing users from your LDAP into Bizagi PaaS.

To both set up and test the LDAP synchronization in your project, follow these steps:


2.1. Enter the connection and import settings.

This initial configuration is done on the first tab, called Basic configuration.


To do this, first enable the LDAP synchronization by marking the Enabled checkbox.

Then, make sure you fill out both the connection and import settings as described below:










Specify the URL path to access the LDAP server (LDAP URL format).


Specify a username and its domain, to be used as the authenticated user performing the synchronization.

Such user needs read access to these definitions.


Specify the password for the domain's username used as the authenticated user performing the synchronization.

Synchronization hour

Define an hour of the day that the Scheduler will perform LDAP synchronization.

Allowed values for this field are 0 to 23.

Import settings


Input a filter to import only the proper accounts into your project (according to LDAP attribute criteria).

We strongly recommend using and setting a filtering condition to import the proper set of users (especially when testing the configuration).


Specify the domain name to which the users will be registered in Bizagi's user entity (WFUser).

User account identifier

Choose the LDAP attribute that uniquely identifies each account. For example, sAMAccountName is the common LDAP attribute corresponding to a user's account name.


In this example, we set all these values:






Please note that you can define the connection and all relevant LDAP import settings separately for each of your different environments (Development, Test and Production).


An initial deployment will publish this configuration to each environment. From then on, changes to the LDAP import settings need to be done locally (managed separately) in each environment.


2.2. Specifying attribute mappings.

Move on to the next tab called Attribute mappings and make sure you add the necessary mappings for your WFUser attributes (the name of the table storing user's identifiers in Bizagi).

To do this, first click on the Add Mapping button. Then select attributes from the WFUser Entity and match them to an LDAP attribute. LDAP attributes have the following incoming information:




Note that in this example we illustrate mapping the mail and name attributes, as these two are explicitly required in Bizagi (contactEmail and fullName).


2.3. Defining default values (if any).

Next, move on to the next tab, called Default values, and add any necessary default values for your WFUser attributes.

To do this, first click on the Add Default value button, and then select attributes from the WFUser Entity and assign them a value.





Do not set the enabled attribute to true for all users without first checking that this set of users is the one you wish to import and synchronize.
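
The import filter recommended in step 2.1 and the caution above about defaulting enabled to true both come down to scoping the import. The following is an added example (not Bizagi code) that builds an Active Directory filter limited to the enabled user accounts of one group and checks the values this page constrains (uppercase LDAP:// prefix, synchronization hour 0 to 23). The group DN and host name are constructed placeholders, and the AD attributes used (objectCategory, memberOf, userAccountControl) are assumptions about your directory.

```python
# Added example: build and sanity-check LDAP sync settings (not Bizagi code).
# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory bitwise-AND matching rule; value 2 in userAccountControl
# is the ACCOUNTDISABLE flag.
_BIT_AND = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str) -> str:
    """Escape a literal so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_import_filter(group_dn: str, exclude_disabled: bool = True) -> str:
    """Filter for person/user objects that are direct members of one group."""
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(memberOf={escape_filter_value(group_dn)})",
    ]
    if exclude_disabled:
        clauses.append(f"(!(userAccountControl:{_BIT_AND}:=2))")
    return "(&" + "".join(clauses) + ")"


def check_settings(ldap_url: str, sync_hour: int, import_filter: str) -> list:
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    if not ldap_url.startswith("LDAP://"):  # prefix rule stated for the LDAP URL
        problems.append("LDAP URL must start with uppercase LDAP://")
    if not 0 <= sync_hour <= 23:
        problems.append("synchronization hour must be 0 to 23")
    if not import_filter.strip():
        problems.append("import filter is empty; the import is not scoped")
    elif import_filter.count("(") != import_filter.count(")"):
        problems.append("import filter has unbalanced parentheses")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the group DN and host are placeholders.
    flt = build_import_filter("CN=Bizagi Users (Dev),OU=Groups,DC=example,DC=com")
    print(flt)
    print(check_settings("ldap://dc01.example.com", 24, flt))
```

Run the resulting filter through the Test button in step 2.4 and confirm the returned accounts are the intended set before adding a default value for enabled.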


2.4. Testing and saving your configuration.

Once you have finished your configuration, you can click the Test button to see your synchronization results.

Please note that this can take a while if you have a large number of users, and it is therefore recommended that you use a filtering criterion.


The results are shown as records on the last tab, called Test results.





Testing the configuration does not mean that a synchronization is immediately committed to Bizagi.

This is only for testing purposes, and the list of users displayed is not automatically updated (this will be done later on as a scheduled task).


Finally, save your configuration.






When synchronizing your users, if a user is no longer found at the LDAP server, then Bizagi will disable that user (a logical deletion; not physical) in its import as well.