Multiple authentication

Overview

With Multiple Authentication, you can use several authentication types and domains in your Bizagi solution. A domain refers to a specific group of users which share common parameters such as their location, area, corporation, among others.

Multiple Authentication is the common choice in projects whose users come from more than one domain, for example, when your project is accessed from different locations and each location uses a different Identity Provider to authenticate its users.

With Multiple Authentication, you will need to define an Authenticator. An Authenticator is a container of domains which use an Authentication type.

Considerations

When using Multiple Authentication, keep the following in mind:

- When configuring Multiple Authentication, the user needs to select the domain before being redirected to the login screen of the Identity Provider.

- You can configure one or more Authentication types, each defined as an Authenticator, from the following:

o Bizagi Authentication

o OAuth2 Authentication

o SAML 2.0 Authentication

- At least one Authenticator is mandatory; otherwise, authentication cannot be performed.

- If you enable Authentication traces in your project, all the selected events are recorded in the same log, regardless of the number of Authenticators created.

- The domains configured in the Authenticators must exist in Bizagi in the WFUSER table.

- If the user selects a wrong domain, the authentication of the user is denied.

- If a domain is not configured in an Authenticator, the users associated with it are not able to log in to the Work Portal.

It is possible that a user is registered in an Identity Provider which supports two different authentication protocols, and that you configure two Authenticators in Bizagi using those two protocols. In this case, it is easy to misunderstand how Bizagi selects the Authenticator that authenticates the user. The following example clarifies how Bizagi processes the authentication request:

Assume that you have a user who is authenticated using Azure AD and who has been registered in Bizagi (WFUSER table) with the following information:

- User Name: john.smith

- Domain: agilitycorp.latam

- Contact Email: john.smith@agilitycorp.com

And you have configured Multiple Authentication with the following Authenticators:

- Authenticator: SAML 2.0 | domain: agilitycorp.latam

- Authenticator: OAuth2    | domain: agilitycorp.com

Furthermore, for both SAML 2.0 and OAuth2 you use the user's email to match the authenticated user against the WFUSER table. In this scenario, when the user logs in to the Work Portal, a window appears where the user has to select one of the two domains (agilitycorp.latam or agilitycorp.com).

Now, suppose that the user (john.smith) selects the domain agilitycorp.com. In this case, Bizagi redirects to Azure AD using the OAuth2 protocol. Azure authenticates the user and responds to Bizagi with an OAuth2 response containing the user's information, including the email (john.smith@agilitycorp.com). Bizagi searches for the user in the WFUSER table and finds the Bizagi user registered as agilitycorp.latam\john.smith. Here, Bizagi performs an additional validation and verifies whether the user's domain corresponds to the Authenticator used in the authentication procedure. Because the user's domain is agilitycorp.latam, and that domain is configured in the SAML 2.0 Authenticator, Bizagi rejects the authentication and shows an error informing the user that the selected domain is wrong.

When this scenario happens, the issue can be hard to diagnose, mainly because it is not obvious which field the protocol uses to identify the user: the email, domain\username, or username@domain. To avoid these issues, follow these recommendations:

o It is strongly recommended that you configure Authenticators using SAML 2.0 or OAuth2 with different Identity Providers, or that you register two Authenticators for the same Identity Provider using different authentication protocols and different domains.

o If you use several Authenticators using SAML 2.0 with different domains, you need to specify the domain in the metadata URL. You can use one of the following formats:

/saml2/metadata.xml?domain=[DomainName]

/saml2/metadata.xml/mydomain

o Even though you can set the email address as the user name, the domain of the email is not used to decide the Authenticator.

If you want to use the email domain, map it as a user domain in the WFUSER table.
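The following added example (illustration code, not Bizagi's own) models the domain check walked through in the scenario above: the selected domain picks the Authenticator, the IdP response is matched on email, and the matched user's WFUSER domain must belong to that Authenticator. The WFUSER rows, Authenticator definitions and field names (user_name, domain, contact_email) are constructed assumptions, not Bizagi's schema.

```python
"""Model of the Multiple Authentication domain check described above.

Added illustration, not Bizagi's own code. WFUSER rows, Authenticator
definitions and field names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WfUser:
    user_name: str
    domain: str          # the domain Bizagi compares against the Authenticator
    contact_email: str   # the field the IdP response is matched on


# Constructed WFUSER table: one user, registered under agilitycorp.latam.
WFUSER = [WfUser("john.smith", "agilitycorp.latam", "john.smith@agilitycorp.com")]

# Constructed Authenticators: protocol -> set of domains it serves.
AUTHENTICATORS = {
    "SAML 2.0": {"agilitycorp.latam"},
    "OAuth2": {"agilitycorp.com"},
}


def authenticator_for(selected_domain):
    """Step 1: the domain chosen on the login screen picks the Authenticator."""
    for protocol, domains in AUTHENTICATORS.items():
        if selected_domain in domains:
            return protocol
    return None  # domain not configured in any Authenticator: no login possible


def validate_login(selected_domain, idp_email):
    """Steps 2-3: match the IdP response by email, then check that the matched
    user's WFUSER domain belongs to the Authenticator that was used."""
    protocol = authenticator_for(selected_domain)
    if protocol is None:
        return "denied: domain not configured"
    user = next((u for u in WFUSER if u.contact_email == idp_email), None)
    if user is None:
        return "denied: user not in WFUSER"
    # The email's own domain (agilitycorp.com) plays no role here; only the
    # WFUSER domain is compared with the Authenticator's domain list.
    if user.domain not in AUTHENTICATORS[protocol]:
        return f"denied: wrong domain ({user.domain} is not served by {protocol})"
    return f"granted via {protocol} as {user.domain}\\{user.user_name}"
```

Running validate_login("agilitycorp.com", "john.smith@agilitycorp.com") reproduces the rejection from the scenario, while selecting agilitycorp.latam succeeds over SAML 2.0.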

Setting Multiple Authentication in the MCW

To set Multiple as the authentication type in the Management Console Web, select Security in the left panel and click the Authentication tab.

To perform changes in the authentication options, it is necessary to enable the maintenance window. To do so, click the Go to maintenance window button.

From the drop-down list, select Multiple Authentication.

Click the Add authenticator button and select the Authenticator you want to configure from the drop-down list.

Setting Multiple Authentication in Bizagi Studio

To set Multiple as the authentication type in Bizagi Studio, select Multiple from the drop-down list:

Click the Update button.

Only one option is enabled when you select Multiple authentication.

To create the Authenticators required to meet your needs, click the Multiple authentication node. The Add Authenticator option appears in the right panel.

Enter the following information for the Authenticator:

Display Name: name of the Authenticator.

Authenticator type: authentication method used by the Authenticator.

Domain: set of domains which use the selected authentication method.

o Domain: domain of the users who use the selected authentication method. This domain must exist in Bizagi.

o Display name: meaningful name shown to end users when they access the login page.

To add more domains, click the Domain button.

The configured Authenticator appears under the Multiple authentication node. To add a new Authenticator, right click the Multiple authentication node or use the option displayed in the ribbon.

Add as many Authenticators as you need.

Now, you can configure each Authenticator according to its selected Authentication type. Follow the procedure described in the links listed in the Considerations section of this article.

You can update the configuration of each Authenticator by selecting it and changing the attributes as needed. Furthermore, you can delete an Authenticator by clicking Delete Authenticator in the ribbon.

Take into account that not all the authentication protocols are supported in the cloud. However, when configuring a protocol in Bizagi Studio, all the Authenticators are shown. If you are going to configure the authentication protocol in Bizagi Studio and deploy the project in the MCW, make sure to choose one of the supported Authenticators.

Importing Users

For any type of authentication, you need to make sure that users are created in the Bizagi Work Portal.

Regardless of the Authentication types selected for your Work Portal login, you may choose to configure a schedule in Bizagi to import and synchronize users from the Identity Providers.

This action is configured following the procedure mentioned in your selected Authentication method. For more information, refer to Synchronizing users.

Login page

When configuring Multiple Authentication, the login is performed in two steps.

First, select your domain.

Once you select a domain, Bizagi instantiates the corresponding authenticator and opens the corresponding login page. If you select a wrong domain, the authentication is not granted.

Login page in Multiple authentication

When you configure Bizagi Authentication in any of the Authenticators, the login page presents some differences with the current login page.

Given that the domain is selected in the previous screen, this login page does not have the option to select it. If you chose a wrong domain and want to change it, use the Change domain link.

Keep in mind that:

- The options Remember User and Password and Remember User have been replaced with the Remember me check box.

- The Change Password option does not require password confirmation. To check the password you have entered, use the icon next to the field.

- The Forgot Password? option does not require you to enter the domain.

- The option to unlock the account does not appear as a main option. It appears only if your account is locked when you try to log in to the Work Portal.

Again, it is not required to enter the domain.