When using Windows authentication in Bizagi, the Work Portal delegates the authentication to the Windows machine on the client's side (by relying on the Windows session which should be already validated against a domain).
With Windows authentication, a successful login happens if the Windows session is valid and if the user is already created in Bizagi Work portal (passwords are not stored in Bizagi).
Since Windows authentication is a type of integrated authentication, users get a Single Sign-On experience when accessing from Windows machines that belong to the corporate domain (that is, when they are authenticated with a valid session in that same domain).
This means that the login page will be automatically skipped.
Otherwise (when accessing from a different domain, a non-Windows OS or a mobile device), users will need to explicitly input their credentials.
This feature is not eligible for Bizagi PaaS.
The potential advantages of Windows authentication do not apply because the underlying infrastructure of Bizagi PaaS is not part of your corporate domain.
For integrated authentication with your identity provider systems, while relying on top security measures and an SSO experience, it is recommended to use ADFS or Azure AD in Bizagi PaaS.
When using Windows authentication, ensure:
1. That your Bizagi Work portal configuration in IIS enables both Anonymous authentication and Windows authentication.
2. That browsers accessing Bizagi Work portal support Windows authentication as implemented by Microsoft.
Such standards can include:
• IWA (Integrated Windows Authentication). Its support allows you to skip an intermediate Bizagi login page.
• HTTP Negotiate authentication.
• Windows NT Challenge/Response Authentication.
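One way to check item 1 of the checklist on the web server, as an added example that is not Bizagi's own tooling: it reads the IIS authentication settings for the Work Portal application and reports whether both modes are enabled and which Windows authentication providers are offered. The application path `Default Web Site/BizagiWorkPortal` and the function name are assumptions, and the script assumes the authentication sections live in applicationHost.config (the IIS default).

```powershell
# Added example (not Bizagi's own tooling). Run on the IIS server in an elevated session.
Import-Module WebAdministration

function Test-WorkPortalIisAuth {
    param(
        # Assumption: IIS "site/application" path of the Work Portal.
        [Parameter(Mandatory)][string]$Location
    )
    $psPath = 'MACHINE/WEBROOT/APPHOST'
    $base   = 'system.webServer/security/authentication'

    # Read the 'enabled' flag of each authentication mode the checklist names.
    $state = @{}
    foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication') {
        $state[$mode] = [bool](Get-WebConfigurationProperty -PSPath $psPath -Location $Location `
            -Filter "$base/$mode" -Name 'enabled').Value
    }

    # Providers IIS offers for Windows authentication (typically Negotiate and NTLM).
    $providers = @(Get-WebConfiguration -PSPath $psPath -Location $Location `
        -Filter "$base/windowsAuthentication/providers/add" | ForEach-Object { $_.value })

    [pscustomobject]@{
        Location         = $Location
        AnonymousEnabled = $state['anonymousAuthentication']
        WindowsEnabled   = $state['windowsAuthentication']
        Providers        = $providers -join ', '
        MeetsChecklist   = $state['anonymousAuthentication'] -and $state['windowsAuthentication']
    }
}

# Placeholder application path; replace it with the one your installation uses.
$report = Test-WorkPortalIisAuth -Location 'Default Web Site/BizagiWorkPortal'
$report | Format-List
if (-not $report.MeetsChecklist) {
    Write-Warning 'Anonymous and Windows authentication are not both enabled for this application.'
}
```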
When not all of your users are registered in the local or corporate domain, it is recommended to rely on an additional type of authentication.
Keep in mind that for such a scenario, you may use Windows authentication alongside local Bizagi authentication through the Mixed authentication option.
Setting Windows Authentication
To set Windows as the authentication type, select Windows from the drop-down list:
Click on the Update button.
No further configuration is needed at this point (Windows authentication does not require additional parameters).
By default, with this configuration Bizagi Work portal will show the login page but validate access if the session is valid.
If you wish to skip the login page and have Bizagi automatically take the Windows session's credentials, you will need to carry out additional steps at the Web server (IIS) and for the browsers, as described in the next section.
When using Windows authentication or Mixed authentication (with Windows authentication enabled), by default Bizagi will skip the login page.
This is automatically done if the user is a registered Bizagi user and he/she is logged in to the intranet authenticating with Windows credentials.
If the above condition is not met, then the login page is presented.
The above also implies that Windows authentication has priority over Bizagi authentication (meaning that Windows credentials are automatically identified first for login).
In some browsers such as IE, and depending on your corporate browser configuration settings and policies, you may need further configuration to ensure that credentials are taken automatically, or you may need to input them the first time.
Importing LDAP Users
For any type of authentication, you will need to ensure that users are created at Bizagi Work portal.
Regardless of the authentication type selected for your Work Portal login, you may choose to configure a schedule in Bizagi to import and synchronize users from your LDAP Server into Bizagi.
For more information about this option, refer to Importing LDAP Users.