Importing LDAP users


Overview

Regardless of the authentication type configured for Work Portal login, you can set up a schedule in Bizagi to import and synchronize users from your LDAP server.

With this option enabled, Bizagi runs a daily job that keeps the user account information in Bizagi in step with the accounts stored in your organization's LDAP server.

Note that passwords are handled according to the selected Authentication method. If you choose LDAP or Windows Authentication, Bizagi does not store any passwords.


Before you start

To configure LDAP user synchronization, you need:

- A valid LDAP URL in the proper format (LDAP over SSL, i.e. LDAPS, is supported).

- A username and password with permission to read user information from the directory.


Steps in Bizagi

To configure and test LDAP synchronization in your project, you provide connection details, credentials and import settings across three tabs, then test and save the configuration and restart the environment. The steps are:

1. Enter connection and import settings

2. Map LDAP attributes to Bizagi attributes

3. Define default values (optional)

4. Test and save your configuration

5. Restart the environment


Note: You can later update these settings for specific environments (Test or Production) through the Management Console.


1. Enter connection and import settings

This is done in the Basic configuration tab. Start by enabling LDAP synchronization via the Enabled checkbox.

Then complete the following sections:


Connection

LDAP URL: Specify the URL of the LDAP server. Use LDAP:// for standard connections or LDAPS:// for secure (SSL) connections.

Domain\username: Specify a username together with its domain. This account is the authenticated user that performs the synchronization, and it must have read access to the user entries being imported.

Password: Specify the password of the Domain\username account that performs the synchronization.

Synchronization hour: Set the hour (0–23) at which the Scheduler runs the synchronization. To trigger it right away, enter the current server hour (for example, 14 if it is 14:35). For Automation Service (cloud), the hour is interpreted in UTC.

Import settings

Filter: Define an LDAP filter so that only the relevant users are imported, based on LDAP attribute criteria. This is highly recommended, especially during testing. See LDAP attributes for more information about filter options.

Domain: Domain name to associate with the imported users in the Bizagi WFUser entity.

User account identifier: LDAP attribute used to uniquely identify each account (for example, sAMAccountName, the common LDAP attribute that holds a user's account name).


Note: If the Domain field is left empty, any user whose LDAP data does not include a domain is excluded from the synchronization. To include these users, define a Default value for accounts without an LDAP domain.


(Screenshot: LDAP05_cloud)

Once all values are configured, click the Test button.

A success message confirms that the filter and connection are valid.

(Screenshot: LDAP07_cloud)

An error message appears if the filter cannot be applied.

(Screenshot: LDAP06_cloud)


Note: You may define the connection and all relevant LDAP import settings separately for each of your environments (Development, Test and Production). The initial deployment applies this configuration to all environments; afterward, changes must be made locally in each one.


We strongly recommend applying a filter that excludes records with empty or null values in the LDAP attributes mapped to these fields:

- contactEmail

- fullName

- User account identifier


2. Map LDAP attributes to Bizagi attributes

LDAP account information is synchronized into Bizagi's WFUser System entity. By specifying attribute mappings, you define how the information from each LDAP attribute is stored in a WFUser attribute.

To do this:

1. Click the Attribute mappings tab.

2. Click the Add Mapping button.

3. Select a WFUser attribute and map it to the corresponding LDAP attribute.


Note: The idUser attribute cannot be mapped, to preserve data integrity.

(Screenshot: LDAP02_cloud)


In this example we map the LDAP mail and name attributes to contactEmail and fullName, because Bizagi explicitly requires both. The attribute used as the user account identifier is also mandatory and cannot be null.

The following is the list of default WFUser attributes available for mapping:


Attribute (Data type): Comment

contactEmail (String): Sets the user's email address. Mandatory field (cannot be null).

CreatedCasesSkipAssignRules (Boolean): Indicates whether cases created by this user in Development or Test environments should skip allocation rules.

DelegateEnabled (Boolean): Indicates whether task delegation is enabled for this user.

domain (String): Specifies the user's domain. Mandatory field (cannot be null).

enabled (Boolean): Indicates whether the user is enabled in Bizagi.

enabledForAssignation (Boolean): Indicates whether the user is eligible for task allocation.

fullname (String): Sets the full name of the user.

idArea (Integer): Identifier of the user's area (from the AREA table).*

idBossUser (Integer): Identifier of the user's boss (from the WFUser table).*

idDelegate (Integer): Identifier of the delegated user (from the WFUser table).*

idLocation (Integer): Identifier of the user's location (from the LOCATION table).*

idTimeZone (Integer): Identifier of the user's time zone (from the BATIMEZONE table).*

idWorkingTimeSchema (Integer): Identifier of the user's working time schema (from the WORKINGTIMESCHEMA table).*

language (Integer): Identifier of the user's preferred language.

notifyByEmail (Boolean): Indicates whether the user should receive email notifications (both automatic and custom).

userName (String): Sets the username. Mandatory field (cannot be null).

userStartPage (Integer): Sets the default landing page after login. Options:

1. Automatic (default): "Me" if the user is assigned to a Persona, "Inbox" otherwise.

2. Inbox: always opens the Inbox.

3. Me: always opens the Me page.

* Available for on-premises installations, as the identifier is retrieved directly from the database.


Required Attributes and Synchronization Behavior

You must map the following attributes:

- contactEmail

- domain: Bizagi recognizes domains in strings like "domain\username" and "username@domain"

- userName


Important Notes for Designing Synchronization

1. None of these three fields (contactEmail, domain, userName) may be null or left blank.

2. The combination of userName + domain uniquely identifies a user in Bizagi. No two users can share the same combination.

3. During synchronization, if Bizagi finds an existing user with the same userName and domain, it treats the record as an update of that user.

4. The userName is typically taken from either the userPrincipalName or the sAMAccountName LDAP attribute.

5. If Bizagi receives an invalid value (i.e., an unrecognized identifier), it ignores it.

6. Fields not listed in the attribute table above should be ignored, as they have been deprecated (e.g., offlineForms).


3. Define default values (optional)

This step is optional but recommended if you want to assign default values to WFUser attributes when the corresponding LDAP attribute is not present.

To do this:

1. Go to the Default values tab.

2. Click Add Default value.

3. Select a WFUser attribute and assign the value to be used when no LDAP value is provided.


(Screenshot: LDAP03_cloud)
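As an added example (not Bizagi's code), the following Python script simulates the rules in the Important Notes of step 2, the default values of step 3 and the logical deletion described in step 5, so that a mapping and default-value configuration can be dry-run against constructed sample entries before the Scheduler runs it. The attribute names in MAPPING and DEFAULTS, the filter quoted in the comment and every sample entry are assumptions for illustration only.

```python
# Added example, not Bizagi's code: simulates the synchronization rules this page
# describes (mappings, default values, userName+domain key, logical deletion).
MAPPING = {"userName": "sAMAccountName", "domain": "userPrincipalName",
           "contactEmail": "mail"}                              # Attribute mappings tab
DEFAULTS = {"domain": "corp", "enabledForAssignation": True}    # Default values tab
REQUIRED = ("userName", "domain", "contactEmail")               # may not be null
# Assumed server-side equivalent of the REQUIRED check for this mapping (AD style):
# (&(objectClass=user)(mail=*)(sAMAccountName=*))
def domain_of(value):
    """'domain\\user' and 'user@domain' are recognized; return the domain part."""
    value = value or ""
    return (value.split("\\", 1)[0] if "\\" in value
            else value.split("@", 1)[1] if "@" in value else None)
def to_wfuser(entry):
    """Map one LDAP entry to a WFUser record; None means the entry is excluded."""
    rec = {wf: entry.get(ldap) or None for wf, ldap in MAPPING.items()}
    rec["domain"] = domain_of(rec["domain"])
    for attr, value in DEFAULTS.items():      # fill gaps from the Default values tab
        if rec.get(attr) in (None, ""):
            rec[attr] = value
    # A null required field excludes the entry, hence the recommended LDAP filter.
    return None if any(not rec.get(a) for a in REQUIRED) else rec
def synchronize(existing, entries):
    """existing: {(userName, domain): WFUser dict}; returns (inserted, updated, disabled)."""
    seen, inserted, updated = set(), [], []
    for entry in entries:
        rec = to_wfuser(entry)
        if rec is None:
            continue
        key = (rec["userName"], rec["domain"])   # uniquely identifies a user
        seen.add(key)
        if key in existing:                      # same key: update, not insert
            existing[key].update(rec, enabled=True)
            updated.append(key)
        else:
            existing[key] = dict(rec, enabled=True)
            inserted.append(key)
    disabled = [k for k, r in existing.items() if k not in seen and r["enabled"]]
    for key in disabled:                         # logical deletion: row is kept
        existing[key]["enabled"] = False
    return inserted, updated, disabled
def sample_run():
    """Constructed snapshot: alice exists, bob is new, carol lacks mail, dave lacks a UPN, erin left."""
    existing = {("alice", "corp"): {"contactEmail": "old@corp.example", "enabled": True},
                ("erin", "corp"): {"contactEmail": "erin@corp.example", "enabled": True}}
    entries = [{"sAMAccountName": "alice", "userPrincipalName": "alice@corp", "mail": "alice@corp.example"},
               {"sAMAccountName": "bob", "userPrincipalName": "bob@corp", "mail": "bob@corp.example"},
               {"sAMAccountName": "carol", "userPrincipalName": "carol@corp"},
               {"sAMAccountName": "dave", "mail": "dave@corp.example"}]
    return synchronize(existing, entries), existing
```

The returned lists correspond to the inserted, updated and disabled records that the Scheduler's INFO_LDAP trace lines report after a real run.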

 

4. Testing and saving your configuration

Once you finish setting up the configuration, click the Test button to preview the synchronization results.

Keep in mind that this process might take some time if you have a large number of users. For this reason, it is recommended to apply a filter to limit the results during testing.

The retrieved records are displayed in the last tab, Test results.

Note: Running this test does not trigger an actual synchronization in the Bizagi database. It is only intended to validate the configuration. The final synchronization is performed by the Scheduler service according to your settings.

Once the test is complete, click Save to store your configuration.


5. Restarting the environment

The synchronization of LDAP accounts (objects) is handled by the Scheduler service of your project. For the synchronization to start and the users to appear in the Work Portal, you need to restart the environment, which you can do through a Maintenance Window. Once the environment is restarted, the Scheduler runs the synchronization job at the configured hour.

When the job completes, the LDAP users are created automatically in Bizagi.

To verify what happened during the synchronization (including inserted and updated records), check the Scheduler's trace log. Look for lines starting with INFO_LDAP, which contain the details of the synchronization activity.

Note: If a user is no longer present in the LDAP server, Bizagi automatically disables that user during the import. This is a logical deletion: the user is not physically removed from the database.

Last Updated 5/4/2025 11:39:35 PM