WorkflowGen supports Single Sign-On integration with a tier application (a separate web application that authenticates the user and hands the username to WorkflowGen). Two main technical solutions are possible: Form authentication or a custom HttpModule.
This article focuses on the Form authentication solution, but the code provided for it can be reused in a custom HttpModule.
Note about cookie access: to be able to read the remote app's cookie, the WorkflowGen website must be in a DNS subdomain of the remote app.
WorkflowGen Form authentication configuration
The first step is to configure WorkflowGen to use Form authentication. To do this:

- Download this file, unzip it, and copy the loginsso.aspx file into the \wfgen folder.
- Open the \wfgen\web.config file and copy the following code into the <system.web> node:

    <authentication mode="Forms">
      <forms name="WFGApp" timeout="30" loginUrl="/wfgen/loginsso.aspx" defaultUrl="/wfgen/default.aspx" cookieless="UseCookies" protection="None" />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>

- Change the authentication configuration in IIS as follows:
  - Check Enable anonymous.
  - Uncheck the other authentication methods for the following IIS applications:
    - \wfgen
    - \wfgen\wfapps\webforms
    - \wfgen\wfapps\webapps\eformaspx
    - All other web applications found in \wfgen\wfapps\webapps that you use in your processes
- Edit \wfgen\loginsso.aspx. In the Authentication function, change the following variables according to your tier app:
  - The name of the cookie or URL parameter that carries the base64-encoded or encrypted username: string tokenName="token";
  - The tier application login URL to redirect to when authentication is required: string ssoLoginUrl="/remotesso.aspx";
  - The key used to decrypt the token: string privateKey="mykey";
  - The session timeout: int timeOutMinutes=30;
  - Whether the token is encrypted (true) or only base64-encoded (false): bool decryptUsername=false;
Tier application configuration

- Call WorkflowGen with the token:
  - Your tier app must encode (or encrypt) the username.
  - Put the encoded username into a cookie (with its domain set to the parent domain shared with the WorkflowGen site) or a URL parameter (the token value must be URL-encoded).
- Call the WorkflowGen login URL:
  - If using a cookie, call http://www.yourwfgwebsite.youdomain.com/wfgen/loginsso.aspx
  - If using a URL parameter, call http://www.yourwfgwebsite.youdomain.com/wfgen/loginsso.aspx?token=.......
- Manage authentication requests from WorkflowGen:
  - WorkflowGen calls your tier application login URL whenever authentication is required (session timeout, sign-out, or direct access to WorkflowGen).
  - WorkflowGen adds a ReturnUrl parameter to that URL. Once the user is authenticated, you must pass it back unchanged in the login URL you use to call WorkflowGen.
  - Example:
    - WorkflowGen calls your tier application login: http://www.yourwebsite.youdomain.com/yourlogin?ReturnUrl=%2fwfgen%2fshow.aspx%3fQUERY%3dCONTEXT
    - Your tier application calls the WorkflowGen login URL: http://www.yourwfgwebsite.youdomain.com/wfgen/loginsso.aspx?token=YXJuYXVk&ReturnUrl=%2fwfgen%2fshow.aspx%3fQUERY%3dCONTEXT
- Manage sign-out requests made by the tier application to log the user out of WorkflowGen:
  - Your tier application calls the WorkflowGen login URL with the signout=true query string parameter: http://www.yourwfgwebsite.youdomain.com/wfgen/loginsso.aspx?signout=true
  - In this case, you can customize the loginsso.aspx source to handle the redirection the way you want.
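To make the exchange above concrete, here is an added Python model of both sides of the base64 (decryptUsername=false) flow: the tier app building the loginsso.aspx call with the token and the ReturnUrl it received, and the WorkflowGen side reading the token from the URL parameter or cookie, decoding the username, and handling the signout=true case. This is example code, not the loginsso.aspx shipped with WorkflowGen; the hostnames and parameter names are the ones used in this article, and the check that ReturnUrl is a local /wfgen/ path is an added safeguard that the article does not describe.

```python
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Names and URLs taken from the article's loginsso.aspx settings and sample URLs.
TOKEN_NAME = "token"
SSO_LOGIN_URL = "/remotesso.aspx"
DEFAULT_URL = "/wfgen/default.aspx"
WFG_LOGIN_URL = "http://www.yourwfgwebsite.youdomain.com/wfgen/loginsso.aspx"


def build_login_url(username: str, return_url: Optional[str] = None) -> str:
    """Tier-app side: base64-encode the username (decryptUsername=false mode),
    URL-encode it, and forward the ReturnUrl that WorkflowGen sent us."""
    params = {TOKEN_NAME: base64.b64encode(username.encode("utf-8")).decode("ascii")}
    if return_url:
        params["ReturnUrl"] = return_url
    return WFG_LOGIN_URL + "?" + urlencode(params)


def safe_return_url(candidate: Optional[str]) -> str:
    """Added safeguard (not described in the article): only follow a ReturnUrl that
    is a local /wfgen/ path; a value with a scheme or host, or a scheme-relative
    '//host' form, falls back to defaultUrl."""
    if not candidate:
        return DEFAULT_URL
    parts = urlsplit(candidate.replace("\\", "/"))
    if parts.scheme or parts.netloc or not parts.path.startswith("/wfgen/"):
        return DEFAULT_URL
    return candidate


def handle_login(query_string: str, cookies: Dict[str, str],
                 requested_path: str = DEFAULT_URL) -> Tuple[Optional[str], str]:
    """WorkflowGen side (the decision loginsso.aspx has to make): returns
    (username, redirect_target); username is None when no session is opened."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    to_tier_app = SSO_LOGIN_URL + "?ReturnUrl=" + quote(requested_path, safe="")
    if q.get("signout") == "true":
        return None, SSO_LOGIN_URL            # sign-out: no session, back to the tier app
    token = q.get(TOKEN_NAME) or cookies.get(TOKEN_NAME)  # URL parameter, else cookie
    if not token:
        return None, to_tier_app              # not authenticated yet
    try:
        username = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None, to_tier_app              # malformed token: treat as unauthenticated
    return username, safe_return_url(q.get("ReturnUrl"))
```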
Encryption method

The example provided supports either base64 encoding or encryption. For the encryption option, loginsso.aspx by default uses 3DES in ECB mode, with the private key hashed with MD5 to derive the 3DES key. You can customize the loginsso.aspx code according to your requirements.

PHP code example

<?php
// Same value as privateKey in loginsso.aspx; md5($key) derives the 3DES key from it
$key = 'mykey';
$string = 'string to be encrypted';
// 3DES in ECB mode via the mcrypt extension (deprecated in PHP 7.1, removed in PHP 7.2)
$encrypted = mcrypt_encrypt(MCRYPT_3DES, md5($key), $string, MCRYPT_MODE_ECB);