When using Windows authentication in Bizagi, the Work Portal delegates the authentication to the Windows machine on the client's side (by relying on the Windows session which should be already validated against a domain).
With Windows authentication, a successful login happens if the Windows session is valid and if the user is already created in Bizagi Work portal (passwords are not stored in Bizagi).
Since Windows authentication is a type of integrated authentication, there is a Single Sign-On experience when accessing from Windows OS which belong to the corporate domain (being authenticated with a valid session with that same domain).
This means that the login page will be automatically skipped.
When otherwise (accessing from a different domain, or a non-Windows OS or a mobile device), then users will need to explicitly input their credentials.
This feature is not eligible for Automation Service.
Potential advantages offered by the use of Windows authentication are not applicable due to the fact that underlying infrastructure of Automation Service is not included in your corporate domain.
For integrated authentication possibilities with your identity provider systems, while relying on top security measures and a SSO experience, it is recommended to use an ADFS or Azure AD in Automation Service.
If you plan on using an authentication method different than Bizagi and you are performing a deployment to an environment with no user information on it (normally this would only be the case for a project's first deployment), follow these steps so that you can correctly configure your users and authentication without getting locked out of the Work Portal:
1.Perform the deployment with the authentication method set to Bizagi. This lets you access the Work Portal as the Admon user without providing any credentials.
2.Once in the Work Portal you can manually enter your users, or alternatively you can rely on the method of your choice to synchronize your users' information into the WFUser table (SOAP, Excel file, LDAP Synchronization, or performing a Data Synchronization procedure).
3.Perform an IISRESET so that the Admon user can no longer access the Work Portal.
4.After having your users registered in the Work Portal, use the Management Console to set the authentication method to your preferred one.
If you plan on using LDAP authentication with periodic users synchronization, you may ignore the previous steps since you will only need to wait until the next synchronization happens for your users to be able to log into the Work Portal.
When using Windows authentication, make sure:
1. That you Bizagi Work portal configuration in the IIS, enables the Anonymous authentication and Windows authentication.
2. That browsers accessing Bizagi Work portal support Windows authentication as implemented by Microsoft.
Such standards can include:
•IWA (Integrated Windows Authentication).
Its support allows you to skip an intermediate Bizagi login page.
•HTTP Negotiate authentication.
•Windows NT Challenge/Response Authentication.
When not all of your users are registered in the local or corporate domain, it is recommend to rely on an additional type of authentication.
Keep in mind that for such scenario, you may use Windows authentication alongside a local Bizagi authentication through the Mixed authentication option.
Setting Windows Authentication
To set Windows as the authentication type, select Windows from the drop-down list:
Click on the Update button.
Fill in or configure these settings:
•Cookie type: Define the type of cookie Bizagi uses Persistent o Session cookies. The idle session time-out defines the expiration time for cookies.
•Enable authentication logging in database: Check this checkbox (set to On) to direct the web application to log every authentication event, according to your auditing requirements and expectations. You can view the log in the Work portal.
•Idle sessions time-out: Define the minutes of inactivity after which a session expires, according to your authentication requirements and expectations (e.g, 5 minutes).
•Show detailed authentication error messages: Check this box if you want authentication errors to be shown in a detailed way when they occur.
By default, with this configuration Bizagi Work portal will show the login page but validate access if the session is valid.
If you wish to skip the login page and have Bizagi automatically take the Windows session's credentials, you will need to carry out additional steps at the Web server (IIS) and for the browsers, as described in the next section.
When using Windows authentication or Mixed authentication (with Windows authentication enabled), by default Bizagi will skip the login page.
This is automatically done if the user is a registered Bizagi user and he/she is logged in to the intranet authenticating with Windows credentials.
If the above condition is not met, then the login page is presented.
The above also implies that Windows authentication has priority over Bizagi authentication (meaning that Windows credentials are automatically first identified for log in).
In some browsers such as IE, and according to your corporate browser configuration settings and policies, you may need further configuration to make sure that credentials are automatically taken or input them for a first time.
Importing LDAP Users
For any type of authentication, you will need to make sure that users are created at Bizagi Work portal.
Disregarding the selected Authentication type for your Work Portal login, you may choose to configure a schedule in Bizagi to import and synchronize users from your LDAP Server into Bizagi.
For more information about this option, refer to Importing LDAP Users.