Setup: Authentication: SSO integration by using a Custom HTTP module


#1

WorkflowGen supports Single Sign On integration with a tier application. Two main technical solutions are possible:

The advantage of the custom HTTP module solution is that it secures all WorkflowGen HTTP requests, including web services. It also provides more customization possibilities than the form authentication-based solution.

This article focuses on the custom authentication module solution.

Note: We recommend securing the WorkflowGen website with SSL and using encryption to secure the token. The code provided below is a basic sample, so you may have to customize it to enforce security and hide detailed error messages.

WorkflowGen Custom module authentication configuration

  1. Configure WorkflowGen to use Custom authentication module.

    i. Download CustomAuthModuleSSO.zip and unzip it.

    ii. Open the CustomAuthModuleSSO.csproj file located in the VS Project folder and build the solution.

    iii. Copy the CustomAuthModuleSSO.dll file into the following folders:

    • \wfgen\bin

    • \wfgen\ws\bin

    • \wfgen\wfapps\webapp\eformaspx\bin

    • \wfgen\wfapps\webforms\bin

    • All other ..\bin folders under \wfgen

  2. In IIS, change the Authentication configuration. Enable Anonymous on all IIS applications in the WorkflowGen website:

    • \wfgen

    • \wfgen\ws

    • \wfgen\wfapps\webforms

    • \wfgen\wfapps\webapps\eformaspx

    • \wfgen\wfapps\webapps

    • All other web applications you use in your processes

    Note: The subfolders in the \wfgen\wfapps\webservices folder must use basic authentication.

  3. Create a Visual Studio project to edit the CustomAuthModuleSSO.cs file. In the Authentication function, change the following variables according to your tier app:

    • Cookie or Url param name where the username is base64 encoded or encrypted:
      string tokenName="token";

    • Your tier app Login URL to use when an authentication is required: string ssoLoginUrl="/remotesso.aspx";

    • The encryption key used to decrypt the token: string privateKey="mykey";

    • Activate encryption (true) or use base64 encoding (false): bool decryptUsername=false;

Tier application configuration

  1. Call WorkflowGen with the token. Your tier app has to encode (or encrypt) the username.

  2. Put the encoded username into a cookie (set to a parent domain), a URL parameter (the token value has to be URL encoded) or an HTTP header (for web service calls).

    • If a cookie: http://www.yourwfgwebsite.yourdomain.com/wfgen

    • If a URL parameter: http://www.yourwfgwebsite.yourdomain.com/wfgen/?token=........

  3. If you have to call WorkflowGen web services, you must add an HTTP header with the token value.

  4. Manage the authentication request from WorkflowGen.

    • WorkflowGen calls your tier app login URL when authentication is required (session timeout, sign out, direct access to WorkflowGen).

    • WorkflowGen adds the ReturnUrl parameter to the URL. You must resend it to the login URL you use to call WorkflowGen following authentication.

    Examples

    • WorkflowGen calls your tier app login:

      http://www.yourwebsite.youdomain.com/yourlogin?ReturnUrl=%2fwfgen%2fshow.aspx%3fQUERY%3dCONTEXT

    • Your tier app login calls WorkflowGen login URL:

      http://www.yourwfgwebsite.youdomain.com/wfgen/loginsso.aspx?token=YXJuYXVk&ReturnUrl=%2fwfgen%2fshow.aspx%3fQUERY%3dCONTEXT

  5. Manage the sign out request done by the tier app to log out the user in WorkflowGen.

    • Your tier app login calls WorkflowGen login URL with the signout=true querystring parameter
      http://www.yourwfgwebsite.youdomain.com/wfgen/loginsso.aspx?signout=true

    • You can customize the loginsso.aspx source to manage the redirection the way you want in this case.

Encryption Method

The example provided supports base64 encoding or encryption. For the encryption option, loginsso.aspx uses 3DES mode ECB with MD5 to hash the private key by default. You can customize the loginsso.aspx code according to your requirements.

PHP code example
$key = 'mykey';

$string = 'string to be encrypted';

$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_3DES, md5($key), $string, MCRYPT_MODE_ECB);

Remove domain name when login with IIS authentication
User management
#2

It appears the CustomAuthModuleSSO.dll is not included with the attached CustomAuthModuleSSO.zip?

Trying to setup WFG with ADFS and not finding it easy. Any other doco out there on setting this up?


#3

Thanks for pointing this out, we’ve reworked the instructions to make the procedure clearer.


#4

I am trying to install the Advantys.My.dll and Advantys.Security.dll in the GAC, but am receiving an error saying the assembly does not have a strong name. Are these assemblies signed? Where can I get a copy of those?


#5

Hi,

No, those assemblies are not signed. You can add those DLLs in the Bin folder of your project.
If your project is installed on WorkflowGen’s website then you should refer to the WorkflowGen’s Bin folder.

Best Regards,
Eddy.


#6

Might be good not to recommend adding the files in the GAC. The post clearly says that you can also add these files to the GAC…??.. It is very confusing.


#7

Hi,

Thanks for bringing this to our attention. We’ve corrected the instructions accordingly.

Best regards,

Peter