LDAP authentication

<< Click to Display Table of Contents >>

Navigation:  Integration and authentication > Identity managers >

LDAP authentication

Overview

Bizagi Cloud supports integrating with on-premises Identity managers such as LDAP Servers (i.e. Microsoft Active Directory), via a VPN configuration.

When using LDAP Authentication in Bizagi, credentials entered in the login page (username, password and domain) are sent to an LDAP Server for verification.

Once the server verifies and grants access, login is successful (provided that this user is already created in Bizagi).

 

Cloud_LDAP

 

Note that with this authentication type, passwords are never stored in Bizagi and you rely on your LDAP Server for adequate account configuration and password policies.

 

Before you start

Note that you need to set up a VPN for this type of authentication.

For detail and requirements about this first step, refer to VPN setup.

 

What you need to do

Once a VPN is set up, follow these steps to configure LDAP authentication:

 

1. Configure the authentication type in Bizagi Studio.

2. Synchronize the users from your LDAP into your Bizagi Cloud service.

 

Configuration procedure

By default, Bizagi Studio projects start off using Bizagi Authentication, so the first step is changing this setting.

 

1. Configuring the authentication type in Bizagi Studio.

At this point, you may need details from your LDAP system.

 

1.1 Open your Bizagi Studio project.

Open Bizagi Studio and load your project (development environment).

 

Cloud_OpenProj

 

1.2 Go to the security settings.

Click on the Expert view, and select the Security module.

 

Cloud_SecurityModule

 

Click on Authentication in the middle panel, and ensure that the drop-down list at the rightmost panel shows LDAP Authentication. Click Update if you have a different choice:

 

Authentication_LDAP

 

Once LDAP Authentication is chosen, you will notice that sub-items for Authentication are displayed.

Configure these parameters to finish up the details and connection settings.

 

LDAP URL: Corresponds to the path used to access the LDAP Server (using the LDAP URI format).

 

Cloud_LDAP2

 

Use settings in LDAP synchronization: This applies if you already have configured Bizagi to synchronize your Active Directory users into Bizagi (as described in the following step).

oIf this is the scenario, turn this option on, to use the same LDAP URL and settings from the LDAP synchronization settings.

oWhen this option is on, the value of the former option will be ignored.

 

Authentication_and_Security2_Image029

 

note_pin

Windows Active Directory is supported for LDAP authentication.

 

2. Synchronize the users from your LDAP into your Bizagi Cloud service.

Note that it is your responsibility to manage users, and therefore you will also need to consider synchronizing users from your LDAP into Bizagi Cloud.

To do so, you can rely on the import users' module, or alternatively use Bizagi SOA web services.

 

To both set up and test the LDAP synchronization in your project, follow these steps:

 

2.1. Enter the connection and import settings.

This initial configuration is done on the first tab, called Basic configuration.

 

To do this, first enable the LDAP synchronization by marking the Enabled checkbox.

Then, make sure you fill out both the connection and import settings as described below:

 

 

Setting

 

 

Description

 

Connection

LDAP URL

Specify the URL path to access the LDAP server (LDAP URL format).

Domain/username

Specify a username and its domain, to be used as the authenticated user performing the synchronization.

Password

Specify the password for the domain's username used as the authenticated user performing the synchronization.

Synchronization hour

Define an hour of the day that the Scheduler will perform LDAP synchronization.

Allowed values for this field are 0 to 23.

Import settings

Filter

Input a filter to import only the proper accounts into your project (according to an LDAP attribute criteria).

We strongly recommend using and setting a filtering condition to import the proper set of users (especially when testing the configuration).

Domain

Specify the domain name to which the users will be registered in Bizagi's user entity (WFUser).

User account identifier

Choose the LDAP attribute. This identifies in a UNIQUE manner each account. For example, sAMAccountName is the common LDAP attribute corresponding to a user's account name.

 

In this example, we set all these values:

 

LDAP01

 

 

note_pin

Please note that you can define the connection and all relevant LDAP import settings separately for each of your different environments (Development, Test and Production).

 

An initial deployment will publish this configuration to each environment. From then on, changes to the LDAP import settings need to be done locally (managed separately) in each environment.

 

2.2. Specifying attribute mappings.

Move on to the next tab called Attribute mappings and make sure you add the necessary mappings for your WFUser attributes.

 

To do this, first click on the Add Mapping button. Then select attributes from the WFUser Entity and match them to an LDAP attribute. LDAP attributes have the following incoming information:

 

LDAP02

 

Note that in this example we illustrate mapping the mail and name attributes, as these two are explicitly required in Bizagi (contactEmail and fullName).

 

2.3. Defining default values (if any).

Next, move on to the next tab, called Default values, and add any necessary default values for your WFUser attributes.

To do this, first click on the Add Default value button, and then, select attributes from the WFUser Entity and assign them with a value.

 

LDAP03

 

note_pin

Do NOT specify that the enabled attribute is set to true, unless you are completely certain that your current license will support the number of imported users.

Also, keep in mind that if the total number of active users is greater than the number of licensed users, then the Work Portal will stop working.

 

2.4. Testing and saving your configuration.

Once you have finished your configuration, you can click the Test button to see your synchronization results.

Please note that this can take a while if you have a large number of users and it is, therefore, recommended that you use a filtering criteria.

 

You will be shown this in the records found on the last tab, called Test results.

 

LDAP04

 

note_pin

Testing the configuration does not imply that an immediate synchronization is carried out at Bizagi's database.

This is only for testing purposes and the list of users displayed is not automatically updated (given that this will be done as scheduled task later on).

 

Finally, save your configuration.

 

LDAPSave

 

 

note_pin

When synchronizing your users,  if a user is no longer found at the LDAP server, then Bizagi will disable that user (a logical deletion; not physical) in its import as well.