Azure Active Directory authentication

<< Click to Display Table of Contents >>

Navigation:  Integration and authentication > Identity managers >

Azure Active Directory authentication


Bizagi PaaS supports integration with Identity Management services such as Azure Active Directory (Azure AD).

Bizagi PaaS integrates with Azure AD in order to provide secure sign-in and authorization services, while also offering a Single Sign-On experience, which uses the OAuth protocol with the OpenID extension.


This section describes how this integration works and how to configure it.




How Azure AD integration works

Bizagi PaaS supports the OpenID Connect protocol when connecting with Azure AD.


OpenID is an authentication protocol, built on top of OAuth to extend the authorization specification. It can be used to securely sign users into web applications (in this case, the Work portal).

By using this feature, you can outsource sign-up, sign-in, and other identity management experiences in your web applications to Azure AD.

This allows you to provide Single Sign-On capabilities while using OAuth.


This authentication mechanism introduces the concept of an id_token, which is a security token that allows for due verification of the identity of the user while obtaining some of his/her basic profile information.

Because OpenID extends OAuth 2.0, it also enables applications to securely acquire access_tokens.

Access_tokens allow you to access resources that are secured by an authorization server.


The following diagram illustrates the communication flow between Bizagi PaaS and Azure AD.




Currently supported standards in this mechanism are:

OpenID Connect v1.0, relying on the OAuth 2.0 authorization flow.


Though OAuth considers authorization aspects, these definitions apply to resources.

This means, that for access rights definitions in the Bizagi Work portal (i.e. which profiles can see, work or use certain Bizagi options), you will still need to input authorization definitions in Bizagi.


What you need to do

In order to configure Bizagi PaaS to sign in with Azure AD, please follow these steps:


1. Register your Bizagi PaaS service as an authorized app in your Azure AD.

2. Set the authentication type in Bizagi Studio to integrate with Azure AD.

3. Synchronize the users from your Azure AD into your Bizagi PaaS service.



The steps oriented toward configuring integration with Azure AD, will require specific technical details (e.g, endpoints, authorized credentials) which are usually managed by an IT admin.

Therefore, these steps will require a profile having expertise on this matter, and having access to the information mentioned above.


1. Register your Bizagi PaaS service as an authorized app in your Azure AD.

The first step is to set up the configuration needed to Register Bizagi PaaS in Azure AD. This includes inputting Bizagi endpoints while using the proper access keys for an entitled connection.


1.1 Log in to your Azure services

Access your Azure subscription with the Azure AD service. To do so, you will need to sign in to Azure's classic portal at




Note that you may also log in to the new portal and switch to the classic view:




1.2. Go into your Active Directory.

Click on Active Directory option at the left panel and click your configured active directory to add a new application to it.




1.3. Add a new app.

Go to the Applications tab and click on Add located in the lower ribbon.





1.4. Input the app's basic details

Give this application a name, and select Web Application and/or Web API for its type.





Click Next (the AzureAD_icon1 icon).


1.5 Input the app's URL properties

Add details as described below:

Sign-on URL: This should correspond to the base URL, where your end users access Bizagi PaaS production environment (the Work portal).

This URL is specified as https://[project_environment]-[your_project]-[your_company]

APP ID URL:  You may use the same URL as above.


Consider replacing [your_company] and [your_project_name] for your subscription's values accordingly.

Similarly, replace [project_environment] with test for a testing environment, or with nothing at all for a production environment.




Click Finish (the AzureAD_icon2 icon).

At this point Azure takes a moment to create your new app:




1.6 Create a valid access key for the app

In order to do this, go into the Configure tab of the newly added app.




Scroll down to the keys section and create a new key to be used solely for the Bizagi PaaS service by specifying an expiration date (duration).



Note that the above access keys may must have an expiration date, and you are therefore, in charge of managing and looking after its validity.


Note you will need to copy the Client ID value (for later use in Bizagi's configuration) and click Save in order for the new key to be generated.

Once it has been generated, ensure you copy as well the new key and safe keep it (it may no longer be shown once you exit this window):





1.7 Configure Bizagi endpoints in Azure AD

Scroll down to the single sign on section to configure a Reply URL, so that Azure AD sends out the authorization code to this URL.

For this parameter use the following URL:



Consider replacing [your_company] and [your_project_name] for your subscription's values accordingly as used in the app's main URL properties, and add the /oauth/client/callback suffix.

Similarly, replace [project_environment] with test for a testing environment, or with nothing at all for a production environment.




Click Save when done.



Adequate authorization settings are usually set Ok by default, which means you should not need to configure this setting.

By default the new applications and their keys are granted with Sign in and read user profile.


Finally, make sure you click View Endpoints in order to gather URLs that you will need to configure in Bizagi:




Once you set this up, you can verify adequate access rights for this app.


2. Configure the authentication type in Bizagi with the Management Console.

At this point, after having verified access in Azure AD is adequate, you will now need to input the Azure AD details into Bizagi.

Do this by using Bizagi Management Console targeting the environment you want this configuration to apply to (e.g, development environment, testing environment, production environment).


2.1 Open your project with the Management Console.

Open the Management Console and load your project.




2.2 Go to the security settings.

Click on the Security module.




2.3 Select Azure authentication.

To do this, click on Authentication in the middle panel, and use the following settings for the parameters in the rightmost panel:

Type: OAuth2.

Client: Azure AD.

Click Update.




Once OAuth2 and AzureAD are chosen, you will notice that new parameters for such Authentication are displayed.


2.4. Configure the authentication parameters and endpoints.

To do so, consider the detail as described below:




Client ID

Should match the Client Id as registered in Azure AD.

Client Secret

Should match the Client Key as registered in Azure AD.

Redirect Uri

Should match the Response URI as registered in Azure AD, which should correspond to the Reply URL (https://[project_environment]-[your_project]-[your_company]

OAuth2 Authorization Endpoint

Should match the OAuth 2.0 Authorization endpoint as per your Azure AD.

Use the following URL:[tenant]/oauth2/authorize



[tenant]: Should specify your Tenant id (based on your Azure's subscription).

Token Endpoint

Should match the OAuth 2.0 Token endpoint as per your Azure AD.

Use the following URL:[tenant]/oauth2/token



[tenant]: Should specify your Tenant id (based on your Azure's subscription).

Logout Endpoint

Should match the OAuth 2.0 Logout endpoint as per your Azure AD.

Use the following URL:[tenant]/oauth2/logout?post_logout_redirect_uri=[homeRedirect]



[tenant]: Should specify your Tenant id (based on your Azure's subscription).

[homeRedirect]: Should specify the URL used to direct after a log-out.

Usually, you use the same login URL, which is:




If you applied this change into an environment other than development, then you should also make sure such same changes are applied in your development environment as well.

To do this, follow the same procedure mentioned above while using the Bizagi Management Console.


3. Synchronize the users from your Azure AD into your Bizagi PaaS service.

At this point, the configuration is complete.

However, before using or testing the integrated authentication in runtime, you will need to explicitly import users from Azure AD into Bizagi PaaS (you are in charge of managing users).


Disregarding the selected Authentication type, for your Work Portal login at runtime, you will need to have imported/synchronized users from your user repository and into Bizagi (this task may be scheduled in Bizagi if integrating to your AD by relying on a VPN).

For more information about this option, refer to Importing LDAP Users.


Alternate options to an AD/LDAP sync through a VPN, consider invoking Bizagi web services from your end (a "push"), or having Bizagi invoke a web service on your side to fetch users (a "pull").



If you will not synchronize users about yet, then you may test that the authentication works as expected by simply creating one user manually in Bizagi Work portal for validation purposes. To create such user, consider:

1. You may need to temporarily switch back to using Bizagi authentication so that you can log in.

2. Ensure your created user is set with the exact domain\username combination matching your users in Azure AD.


Authentication in runtime

Once these steps are carried out, authentication will be set for your end users in runtime.

End users will be able to sign-in, and you can verify them by using a browser to access Bizagi Work portal (using https://[project_environment]-[your_project]-[your_company]


The following image exemplifies access to the testing environment's Work portal:




When the Bizagi Work portal loads, it redirects you to your Azure AD login page:




After you sign in successfully to Azure AD, you are redirected back to Bizagi Work portal with a valid session:





If you are already logged in with a valid session, you will not need to input credentials.

SSO capabilities are kept at the browser's level while having an authenticated valid session (for instance, idle session settings are also taken from your configuration in Azure AD).