Overview
Bizagi supports integration with your corporate Identity Managers (recommended).
For introductory information about authentication options in Bizagi, refer to Identity and Access Management.
However, you may choose to rely on Bizagi' local authentication service which offers secure sign-in options and configuration parameters to enforce your corporate password and accounts policies.
What you need to do
To configure Bizagi authentication for use in Automation Service, follow these steps:
1. Configure the authentication type in Bizagi Studio.
2. Configure Bizagi authentication parameters.
Configuration procedure
By default, Bizagi Studio projects use Bizagi Authentication, so the first step is not necessary unless you have changed settings to use a different type of authentication, and now want to change back.
1. Configure the authentication type in Bizagi Studio.
To explicitly choose Bizagi authentication, follow these steps:
1.1 Open your Bizagi Studio project.
Open Bizagi Studio and select your project in your Development environment.
1.2 Go to the security settings.
Click Expert view, and select the Security module.
Click Authentication in the middle panel, and confirm that the drop-down list at the rightmost panel shows Bizagi Authentication:
Click Update if you had a different choice before.
2. Configure Bizagi authentication parameters.
Once Bizagi Authentication is chosen, sub-items for Authentication display.
Configure these parameters to use account and password policies as needed. Some parameters apply to passwords, others to accounts and session management, and others to the overall admin procedures when managing accounts.
We recommend reviewing the default values and explicitly defining:
•Explicitly enforce password change after first login
•Enforce use of capital letters in passwords
•Enforce use of small letters in passwords
•Enforce use of numbers in passwords
•Enforce use of special characters in passwords
•Idle sessions time-out
•Minimum length of passwords
•Maximum number of failed login attempts.
To configure each parameter, click it and define a setting in the panel to its right.
Make sure you click Update if you change values.
Refer to the following table for a description of each of the different parameters:
Option |
Description |
|---|---|
Account lockout duration |
Defines the number of minutes an account remains locked out due to reaching Maximum number of failed login attempts (and having set Enable account lockout for failed login attempts), before automatically being unlocked. This duration must be greater or equal than Failed login attempts time-out. |
Cookie type |
Defines whether Bizagi uses Persistent o Session cookies. The idle session time-out defines the expiration time for cookies. |
E-mail for an account unlock request - Body |
Defines the body of the mail to be sent to the administrator when a user requests the unlocking of an account (i.e when using Enable account unlock request e-mails to admin and specifying E-mail of admin). Use with E-mail for an account unlock request - Subject. |
E-mail for an account unlock request - Subject |
Defines the subject of the mail to be sent to the administrator when a user requests the unlocking of an account (i.e when using Enable account unlock request e-mails to admin and specifying E-mail of admin). Use with E-mail for an account unlock request - Body. |
E-mail for an active account - Body |
Defines the body of the mail to be sent to a user when his/her account is created and set as active. Use with E-mail for an active account - Subject. |
E-mail for an active account - Subject |
Defines the subject of the mail to be sent to a user when his/her account is created and set as active. Use with E-mail for an active account - Body. |
E-mail for password reminder - Body |
Defines the body of the mail to be sent when the user requests a password reminder. Use with E-mail for password reminder - Subject. |
E-mail for password reminder - Subject |
Defines the subject of the mail to be sent when the user requests a password reminder. Use with E-mail for password reminder - Body. |
E-mail of admin |
Defines the e-mail of the administrator of accounts in charge of receiving E-mail for an account unlock request (i.e when using Enable account unlock request e-mails to admin). |
Enable account lockout for failed login attempts |
Establishes if accounts should be locked out when a maximum number of failed login attempts is reached (to use with Maximum number of failed login attempts). |
Enable account unlock request e-mails to admin |
Establishes if e-mails are sent when a user requests an account unlock. Use with E-mail for an account unlock request, and E-mail of admin. |
Enable authentication logging |
Establishes if an audit log is recorded with all authentication events. If enabled look for the table AUTHOLOG in the database. Notes: •Using Quick login feature does not create records in the authentication log. •Even when this option is disabled, failed authentication attempts are logged. This happens so that failed attempts can be counted and validate if the account should be blocked after a certain amount of failed attempts. |
Enable quick login |
Applies only to the Development and Test environments.
Establishes if login to the Work Portal is done without inputting the passwords of accounts (a quick login through a drop-down list displaying valid login accounts). The drop-down list will show the first 100 active users (from the 101st user, accounts need to be typed into a text field). To use for unit tests or quick prototyping purposes (this setting is not valid for a production environment). When using quick login, the Work Portal's authentication log query feature will not record login events. As soon as you enable it, you need to make sure to run an iisreset command on your prompt, for the quick login to work seamlessly. |
Enable restriction of multiple sessions per account |
Establishes if more than one simultaneous session is allowed for a same account. |
Enable multiple factor authentication |
Establishes if there will be multiple factor authentication. |
Enable use of a secret question |
Establishes if a secret question and answer can be filled out by users, in order to have the possibility of avoiding an account lockout when the password is forgotten. |
Enable password change after the first login |
Establishes if a user must change the password after the first login. Consider using this option or setting an explicit number of days for Password minimum age. |
Enforce password history |
Defines the number of unique passwords an account must have before reusing an older one. |
Enforce use of capital letters in passwords |
Establishes if passwords must contain at least one capital letter. |
Enforce use of letters in passwords |
Establishes if passwords must contain at least one letter. Consider using Enforce use of capital letters in password and Enforce use of lowercase in password instead. |
Enforce use of numbers in passwords |
Establishes if passwords must contain at least one number. |
Enforce use of lower-case letters in passwords |
Establishes if passwords must contain at least one small letter. |
Enforce use of special characters in passwords |
Establishes if passwords must contain at least one special character (i.e non alphanumeric characters). |
Enforce validation of sequences in passwords |
Establishes if passwords are not allowed to contain character sequences (e.g: abc or 12). |
Failed login attempts time-out |
Defines the number of minutes in which failed login attempts time-out. The counter that stores this number of attempts is reset after this time frame, provided that the Maximum number of failed login attempts is not reached. |
Idle account duration before lockout |
Defines the maximum number of days before an unused account is locked out (unused accounts are those which have not had activity in that time frame). |
Idle sessions time-out
|
Defines the time in minutes in which an idle session expires; in which case it would be required to authenticate again. This setting defines the expiration time for cookies. |
Maximum length of passwords |
Defines the maximum number of characters for passwords (use zero if a maximum length is not desired). |
Maximum number of failed login attempts |
Defines a maximum number of login attempts before an account is locked out. Applies when Enable account lockout for failed login attempts is active. |
Minimum length of passwords |
Defines the minimum number of characters for passwords. |
Password maximum age |
Defines the maximum number of days in which a password can be used, before it requires to be changed (i.e, the expiration time of passwords). |
Password minimum age |
Defines the minimum number of days in which a password must be used, before it is available for a change. Consider using this option or setting an explicit number of days for Enable password change after the first login. |
SLA for an account unlock request |
Defines the expected service time (in hours) to process an account unlock request. |
Next steps
You have set up account authentication and can now proceed to create or import users into Bizagi.
You do not use Bizagi Studio for user management (i.e, creating, importing, editing).
You can manually create users for each environment through the Work Portal.