Importing LDAP Users




Overview

Regardless of the Authentication type selected for your Work Portal login, you can configure a scheduled job in Bizagi to import and synchronize users from your LDAP server into Bizagi.

 

With this option, Bizagi runs a daily job that keeps the account information (which resides in an LDAP server in your organization) up to date.

Passwords are handled according to the selected Authentication type: if you choose LDAP or Windows Authentication, Bizagi does not store any passwords.

 

 

What you need to do in Bizagi

To set up and test LDAP synchronization in your project, you need to enter the configuration details for your LDAP server: the URL, the connection credentials, the import settings and the attribute mappings.

 

This is done through the LDAP configuration tabs in Bizagi Studio, in these steps:

 

1. Entering the connection and import settings.

Synchronization is carried out with an authenticated domain account.

 

2. Specifying attribute mappings.

LDAP account information is synchronized into Bizagi's WFUser system entity.

By specifying attribute mappings you define which WFUser attribute each incoming LDAP attribute is stored in.

 

3. Defining default values (if any).

This step is optional; it is recommended for setting default values for WFUser attributes that the LDAP server does not supply.

 

4. Testing and saving your configuration.

You can test your synchronization immediately, to review the results and make sure the configuration is accurate.

Testing does not update any information in your project; it is for review only.

 

5. Restarting the Scheduler service.

As noted above, LDAP synchronization can be tested directly in Bizagi Studio.

However, the actual synchronization of the LDAP accounts (objects) is carried out by the Scheduler service of your project.

Therefore, to start this synchronization and actually see the users in your Work Portal (the project's execution), you need to restart the Scheduler service.

 

Note:

You can also modify these settings later for a specific environment of your project (Test or Production).

To review or modify LDAP synchronization in a given environment, use the Bizagi Management Console.

 

 

Setting LDAP synchronization

We will illustrate how to set the LDAP synchronization in Bizagi.

In the following example, we configure synchronization with Microsoft Active Directory.

 

1. Entering the connection and import settings.

This initial configuration is done in the first tab called Basic configuration.

To do this, first enable the LDAP synchronization by marking the Enabled checkbox.

 

Then, make sure you fill out both the connection and import settings as described below:

 

 

Connection settings

LDAP URL: The URL used to reach the LDAP server, in LDAP URL format (scheme, host, optional port and base DN; for example ldap://dc01.example.com:389/DC=example,DC=com, where the host and DN are placeholders). The bind credentials below are sent over this connection, so prefer an encrypted connection (LDAPS, or signed and sealed LDAP) where your directory and deployment support it, rather than plain LDAP across the network.

Domain\username: The domain and username of the account used as the authenticated user performing the synchronization. This account only needs read access to the directory objects being imported, so use a dedicated service account rather than an administrative one.

Password: The password of that domain account.

Synchronization hour: The hour of the day at which the Scheduler performs the LDAP synchronization. Allowed values are 0 to 23.

Import settings

Filter: An LDAP filter, written against LDAP attributes, that selects which accounts are imported into your project. It is strongly recommended to always set a filter so that only the intended set of users is imported, especially while testing the configuration. See LDAP attributes for more information about filter options.

Domain: The domain name under which the imported users are registered in Bizagi's user entity (WFUser).

User account identifier: The LDAP attribute that uniquely identifies each account. For example, sAMAccountName is the Active Directory attribute that holds a user's account name.

 

In this example, we set all these values:

 

(Image: LDAP01)

 

 

Note:

Note that you may define the connection and all relevant LDAP import settings separately for each of your different environments (Development, Test and Production).

 

An initial deployment (the very first one) publishes this configuration to each environment.

From then on, changes to the LDAP import settings must be made locally (managed separately) in each environment.
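Before typing a filter into the Filter setting, it helps to see exactly which accounts it will select. The following is an added example, not Bizagi code and not part of this page's configuration: a small Python evaluator for the RFC 4515 filter subset that Active Directory accepts, run against a handful of constructed directory entries. The group name, account names, e-mail addresses and the FILTER string are made up for the illustration; the matching-rule OID 1.2.840.113556.1.4.803 is Active Directory's LDAP_MATCHING_RULE_BIT_AND, which is how a filter excludes disabled accounts (ACCOUNTDISABLE is bit 2 of userAccountControl).

```python
"""Offline evaluation of an LDAP import filter against constructed directory entries.
Added example, not Bizagi code: it implements the RFC 4515 subset that AD filters use."""
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule LDAP_MATCHING_RULE_BIT_AND
ITEM = re.compile(r"([\w.\-]+)(?::(1\.2\.840\.113556\.1\.4\.80[34]):)?=(.*)")


def parse_filter(text):
    """Parse (&..) (|..) (!..) (attr=value) (attr=*) and the AD bitwise rules
    attr:1.2.840.113556.1.4.803:=n (all bits set) / attr:...804:=n (any bit set)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' group at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)  # ValueError if the item is never closed
        m = ITEM.fullmatch(text[pos:end])
        if not m:
            raise ValueError(f"unsupported filter item: ({text[pos:end]})")
        pos = end + 1
        return ("item", *m.groups())

    try:
        tree = node()
    except IndexError:
        raise ValueError("unterminated filter") from None
    if pos != len(text):
        raise ValueError(f"unexpected text after the filter at offset {pos}")
    return tree


def values(entry, attr):
    """Case-insensitive attribute lookup; LDAP attributes are multi-valued, so always a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(tree, entry):
    op = tree[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, rule, value = tree
    vals = values(entry, attr)
    if rule:  # bitwise test on an integer attribute such as userAccountControl
        bits = int(value)
        hit = (lambda n: (n & bits) == bits) if rule == BIT_AND else (lambda n: (n & bits) != 0)
        return any(hit(int(v)) for v in vals)
    if value == "*":
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


GROUP = "CN=Bizagi Users,OU=Groups,DC=example,DC=com"  # made-up group that scopes the import


def ad_user(sam, name, mail=None, uac="512", groups=()):
    """Constructed AD entry, not a real account. userAccountControl 514 = 512 + ACCOUNTDISABLE."""
    entry = {"sAMAccountName": sam, "name": name, "objectClass": ["top", "person", "user"],
             "userAccountControl": uac, "memberOf": list(groups)}
    return {**entry, "mail": mail} if mail else entry


DIRECTORY = [
    ad_user("jdoe", "Jane Doe", "jdoe@example.com", groups=[GROUP]),
    ad_user("bsmith", "Bob Smith", "bsmith@example.com", groups=[GROUP]),
    ad_user("cchen", "Chen Chen", "cchen@example.com", groups=[GROUP]),
    ad_user("svc-backup", "Backup Service"),  # service account outside the group
    ad_user("old-user", "Old User", "old-user@example.com", uac="514", groups=[GROUP]),
]
# Import only enabled user objects that are members of GROUP (bit 2 of userAccountControl
# is ACCOUNTDISABLE, so the negated bitwise test drops disabled accounts).
FILTER = f"(&(objectClass=user)(memberOf={GROUP})(!(userAccountControl:{BIT_AND}:=2)))"


def find_accounts(ldap_filter, directory=DIRECTORY):
    """Return the account identifiers the filter would select, in directory order."""
    tree = parse_filter(ldap_filter)
    return [values(e, "sAMAccountName")[0] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    print(find_accounts(FILTER))
```

Run as a script it prints the three accounts the FILTER selects; the service account outside the group and the disabled account are left out. A filter that merely says (objectClass=user) selects all five, which is the situation the recommendation above warns against: without a narrowing filter, every user object the bind account can read is imported.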

 

2. Specifying attribute mappings.

Move on to the next tab, Attribute mappings, and add the necessary mappings for your WFUser attributes.

 

To do this, first click on the Add Mapping button.

Select attributes from the WFUser entity and match each one to the LDAP attribute that holds the incoming information:

 

(Image: LDAP02)

 

Note that this example maps the mail and name attributes, because the two WFUser attributes they feed (contactEmail and fullName) are explicitly required in Bizagi.

 

3. Defining default values (if any).

Move on to the next tab, Default values, and add any default values you need for your WFUser attributes.

To do this, first click on the Add Default value button.

Select attributes from the WFUser entity and assign a value to each of them:

 

 

(Image: LDAP03)

 

Note:

Do NOT set a default of true for the enabled attribute unless you are completely certain that your current license covers the number of imported users.

If the total number of active users exceeds the number of licensed users, the Work Portal stops working.

 

4. Testing and saving your configuration.

Once you have finished your configuration, click the Test button to see the synchronization results.

This can take a while if you have a large number of users, which is another reason to set a filter.

 

The records found are shown in the last tab, Test results:

 

 

(Image: LDAP04)

 

Note:

Testing the configuration does not perform a synchronization against Bizagi's database.

The results are for review only and are not persisted; the Scheduler service is in charge of executing your final configuration.

 

Finally, save your configuration:

 

(Image: LDAPSave)

 

5. Restarting the Scheduler service.

To start the actual import and synchronization, you need to restart the Scheduler service.

In Bizagi .NET, you may do this by using Bizagi Management Console.

 

The Scheduler's job will start to execute the synchronization at the defined hour.

When this has been completed, the LDAP users will be automatically created as Bizagi users.

 

To review what a synchronization run did (inserted and updated values), check the detail Bizagi writes to the Scheduler's trace.

These lines begin with INFO_LDAP in the Scheduler's log file.

For more information about enabling traces, refer to Error control and diagnostics.

 

 

Note:

When synchronizing your users, Bizagi imports as active only the first imported users up to the number of users supported by your active license; the rest are imported as inactive.

 

If a user is no longer found on the LDAP server, Bizagi disables that user during the import as well (a logical deletion, not a physical one: the WFUser record remains).
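To make the rules in this section concrete (attribute mappings, default values, the license cap on active users and the logical deletion of users the directory no longer returns), here is an added example that is not Bizagi code: a Python simulation of one synchronization run over constructed records shaped like the rows the Test results tab lists. The WFUser attribute name userName, the choice to skip a record that lacks a required attribute (contactEmail or fullName) rather than insert it, and the counting of already-active users against the license are assumptions made for this example; the page itself only states that the two attributes are required and that users beyond the license are imported as inactive. The run deliberately sets the enabled default to true to show the cap the note above warns about.

```python
"""Offline simulation of how one synchronization run applies the records found in the
directory to WFUser. Added example, not Bizagi code: the attribute name userName, the
handling of records missing a required attribute, and the counting of already-active
users against the license are assumptions made here."""

REQUIRED = ("contactEmail", "fullName")  # the page states these two WFUser attributes are required


def synchronize(existing, found, identifier, domain, mappings, defaults, licensed):
    """Map LDAP attributes into WFUser attributes, apply defaults to new users only
    (assumption), keep enabled users within the license, and disable (never delete)
    users that the directory no longer returns."""
    users = {u["userName"].lower(): dict(u) for u in existing}
    active = sum(u["enabled"] for u in users.values())
    seen = set()
    report = {"inserted": [], "updated": [], "skipped": [], "disabled": []}
    for entry in found:
        ident = entry.get(identifier)
        if not ident:
            raise ValueError(f"record without {identifier}: {entry}")
        incoming = {wf: entry[ldap] for wf, ldap in mappings.items() if entry.get(ldap)}
        key = ident.lower()
        if key in users:
            seen.add(key)
            users[key].update(incoming)  # existing user: refresh mapped attributes only
            report["updated"].append(ident)
            continue
        user = {"userName": ident, "domain": domain, "enabled": False, **defaults, **incoming}
        if any(not user.get(wf) for wf in REQUIRED):
            report["skipped"].append(ident)  # this example's choice for incomplete records
            continue
        if user["enabled"] and active >= licensed:
            user["enabled"] = False  # beyond the licensed count: imported as inactive
        active += user["enabled"]
        seen.add(key)
        users[key] = user
        report["inserted"].append(ident)
    for key, user in users.items():
        if key not in seen and user["enabled"]:
            user["enabled"] = False  # logical deletion: the row stays, the login does not
            report["disabled"].append(user["userName"])
    return list(users.values()), report


# Constructed records shaped like the rows the Test results tab lists (not real accounts).
FOUND = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "name": "Jane Doe"},
    {"sAMAccountName": "bsmith", "mail": "bsmith@example.com", "name": "Bob Smith"},
    {"sAMAccountName": "cchen", "mail": "cchen@example.com", "name": "Chen Chen"},
    {"sAMAccountName": "dlee", "name": "Dana Lee"},  # no mail attribute in the directory
]
# Constructed WFUser rows present before the run; old-user no longer appears in FOUND.
EXISTING = [
    {"userName": "jdoe", "domain": "EXAMPLE", "enabled": True, "fullName": "Jane Doe",
     "contactEmail": "jane.doe@old.example.com"},
    {"userName": "old-user", "domain": "EXAMPLE", "enabled": True, "fullName": "Old User",
     "contactEmail": "old-user@example.com"},
]


def run_example(licensed=3):
    """License for 3 active users; two are already active, so only one more can be enabled."""
    return synchronize(EXISTING, FOUND, identifier="sAMAccountName", domain="EXAMPLE",
                       mappings={"contactEmail": "mail", "fullName": "name"},
                       defaults={"enabled": True}, licensed=licensed)


if __name__ == "__main__":
    users, report = run_example()
    print(report)
    for u in users:
        print(f'{u["domain"]}\\{u["userName"]:10} enabled={u["enabled"]} {u["contactEmail"]}')
```

With a license for 3 active users and 2 already active, bsmith is enabled, cchen is imported disabled, dlee is skipped for lacking mail, jdoe's e-mail is refreshed, and old-user, absent from the records, is disabled but kept. Run again with run_example(licensed=10) and cchen is enabled as well.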