With Multiple Authentication, you can use several authentication types and domains in your Bizagi solution. A domain refers to a specific group of users which share common parameters such as their location, area, corporation, among others.
Multiple Authentication is the common choice in projects which have users from more than one domain, for example, if your project is accessed from different locations and each location uses a different a Identity provider to authenticate the users.
With Multiple Authentication, you will need to define an Authenticator. An Authenticator is a container of domains which use an Authentication type.
If you plan on using an authentication method different than Bizagi and you are performing a deployment to an environment with no users on it (normally this would only be the case for a project's first deployment), follow these steps so that you can correctly configure your users and authentication without getting locked out of the Work Portal:
1.Perform the deployment with the authentication method set to Bizagi. This lets you access the Work Portal as the Admon user without providing any credentials.
2.Once in the Work Portal you can manually enter your users, or alternatively you can rely on the method of your choice to synchronize your users' information into the WFUser table (SOAP, Excel file, LDAP Synchronization, or performing a Data Synchronization procedure).
3.Perform an IISRESET so that the Admon user can no longer access the Work Portal.
4.After having your users registered in the Work Portal, use the Management Console to set the authentication method to your preferred one.
If you plan on using LDAP authentication with periodic users synchronization, you may ignore the previous steps since you will only need to wait until the next synchronization happens for your users to be able to log into the Work Portal.
When using Multiple authentication, make sure:
•When configuring Multiple Authentication, the user needs to select the domain before redirecting to the log in screen of the Identity Provider.
•At least one Authenticator is mandatory, otherwise, the authentication cannot be performed.
•If you enable Authentication traces in your project, all the selected events are recorded in the same log, regardless of the number of authenticators created.
•The domains configured in the Authenticators must exist in Bizagi in the WFUSER table.
•If the user selects a wrong domain, the authentication of the user is denied.
•If a domain is not configured in an Authenticator, the users associated with it are not able to log in the Work Portal.
•It is possible that a user is registered in an Identity Provider which supports two different authentication protocols and you configure two Authenticators in Bizagi using those authentication protocols. In this case, you may misunderstand how Bizagi selects the Authenticator to authenticate the user. The following example provides a better understanding and clarifies how Bizagi process the authentication requests:
Assume thay you have a user which is authenticated using Azure AD and the user has been registered in Bizagi (WFUSER table) with the following information:
- User Name: john.smith
- Domain: agilitycorp.latam
- Contact Email: firstname.lastname@example.org
And you have configured Multiple Authentication with the following Authenticators:
- Authenticator: SAML 2.0 | domain: agilitycorp.latam
- Authenticator: OAuth2 | domain: agilitycorp.com
Furthermore, for both SAML 2.0 and OAuth2 you use the user email to compare the user in the authentication procedure against WFUSER table. In this scenario, when the user logs into the Work Portal, a window appears where the user has to select one of the two domains (agilitycorp.latam or agilitycorp.com).
Now, let's suppose that the user (john.smith) selects the domain agilitycorp.com. In this case, Bizagi redirects to Azure AD using the OAuth2 protocol. Azure authenticates him and responses to Bizagi with an OAuth2 response with the information of the user including his email (email@example.com). Bizagi searches the user in the WFUSER table and finds the Bizagi user registered as agilitycorp.latam\john.smith; here, Bizagi performs an additional validation and verifies whether the user domain corresponds to the Authenticator used in the authentication procedure. As the domain of the user is agilitycorp.latam and this domain had been configured to a SAML2.0 Authenticator, Bizagi rejects the authentication and shows an error to him informing that the domain selected is wrong.
When this scenario happens it may be hard to diagnose the issue, mainly because it is not possible to know if in the protocols is being used the email to authenticate the user or if any other field such as domain\username or username@domain. To avoid these issues, follow these recommendations:
oIt is strongly recommended Authenticators using SAML2.0 or Oauth2 with different Identity Providers or register two Authenticators for the same Identity Provider using different Authentication protocols and different domains.
oIf you use several Authenticators using SAML2.0 with different domains, you need to specify it in the metadata URL. You can use one of the following formats:
oEven though you can set the email address as user name, the domain of the email is not used to decide the Authenticator.
If you want to use the email domain, map it as a user domain in the WFUSER table.
Setting Multiple Authentication in the MCW
To set Multiple as the authentication type in the Management Console Web, select security from the left panel and click on the authentication tab.
To perform changes in the authentication options, it is necessary to enable the maintenance window. To do so, click the Go to maintenance window button.
From the drop-down list, select Multiple Authentication.
Click the Add authenticator button and select from the drop-down list the authenticator you want to configure.
Setting Multiple Authentication in Bizagi Studio
To set Multiple as the authentication type in Bizagi Studio, select Multiple from the drop-down list:
Click the Update button.
Only one option is enabled when you select Multiple authentication.
To create the Authenticators required to meet your needs, click the Multiple authentication node. The Add Authenticator options appears in the right panel.
Enter the following information for the Authenticator.
•Display Name: name of the Authenticator.
•Authenticator type: Authentication method used by the Authenticator.
•Domain: Set of domains which uses the authentication method selected.
oDomain: domain of the users which uses the authentication method selected. This domain must exists in Bizagi.
oDisplay name: meaningful name for the end users when they access the log in page.
To add more domains, click Domain button.
The configured Authenticator appears under the Multiple authentication node. To add a new Authenticator, right click the Multiple authentication node or use the option displayed in the ribbon.
Add as many Authenticators as you need.
Now, you can configure each Authenticator according to the selected Authentication type. Follow the procedure mentioned in the links displayed in the Considerations of this article.
You can update the configuration of each Authenticator by selecting them and changes the attributes needed. Furthermore, you can delete them by clicking Delete Authenticator in the ribbon.
Take into account that not all the authentication protocols are supported in cloud. However, when configuring a protocol in Bizagi Studio, all the authenticators will be shown. If you are going to configure the authentication protocol in Bizagi Studio and deploy the project in the MCW, make sure to choose one of the supported authenticators.
For any type of authentication, you need to make sure that users are created at Bizagi Work portal.
Disregarding the selected Authentication types for your Work Portal login, you may choose to configure a schedule in Bizagi to import and synchronize users from the Identity Providers.
This action is configured following the procedure mentioned in your selected Authentication method. For more information, refer to Synchronizing users.
When configuring Multiple Authentication, the log in is performed in two steps.
First, select your domain.
Once you select a domain, Bizagi instantiates the corresponding authenticator and opens the corresponding login page. If you select a wrong domain, the authentication is not granted.
Login page in Multiple authentication
When you configure Bizagi Authentication in any of the Authenticators, the login page presents some differences with the current login page.
Given that domain is selected in the previous screen, this login page does not have the option to select it. If you choose a wrong domain and you want to change it, use the Change domain link.
Keep in mind that:
•The options Remember User and Password and Remember User have been replaced with the Remember me check box.
•The Change Password option does not require password confirmation. To check the password you have entered, use the icon.
•The Forgot Password? option does not require to enter the domain
•The option to unlock account does not appear as a main option. Only if your account is locked, when you try to log in to the Work portal the option appears.
Again, it is not required to enter the domain.