Setup: Authentication: SSO integration by using form authentication

WorkflowGen supports Single Sign-On integration with a tiered application. Two main technical solutions are possible: Form authentication or Custom HttpModule.

This article will focus on the Form authentication solution, but the code provided for this solution can be reused for a Custom HttpModule.

Note about cookie access: To have access to the remote app cookie the WorkflowGen website must be in a DNS subdomain of the remote app.

WorkflowGen Form authentication configuration

The first step is to configure WorkflowGen to use Form authentication. To do this:

  1. Download this file, unzip it, and copy the loginsso.aspx file into the \wfgen folder.

  2. Open the \wfgen\web.config file and copy the following code into the <system.web> node:

    <authentication mode="Forms">
        <forms name="WFGApp"
    <deny users="?"/>
  3. Change the authentication configuration in IIS as follows:

  4. Check Enable anonymous.

  5. Uncheck the other authentication methods for the following IIS applications:

    • \wfgen

    • \wfgen\wfapps\webforms

    • \wfgen\wfapps\webapps\eformaspx

    • All other web applications found in \wfgen\wfapps\webapps that you use in your processes

  6. Edit \wfgen\loginsso.aspx. In the Authentication function, change the following variables according to your tier app:

    • Change the cookie or URL parameter name where the username is base64 encoded or Encrypted to string tokenName="token";

    • Change the tier application login URL to use when authentication is required to string ssoLoginUrl="/remotesso.aspx";

    • Change the encryption key to use to decrypt the token to string privateKey="mykey";

    • Change the session timeout to int timeOutMinutes=30;

    • Activate encryption (true), or use base64 encoding (false) bool decryptUsername=false;

Tier application configuration

  1. Call WorkflowGen with the token:

    • Your tier app must encode (or encrypt) the username.

    • Put the encoded username into a cookie (set to a parent domain) or a URL parameter (the token value must be URLencoded).

  2. Call the WorkflowGen login URL:

    • If using a cookie, call

    • If using a URL parameter, call

  3. Manage authentication requests from WorkflowGen:

    • WorkflowGen calls your tier application login URL when authentication is required (session timeout, sign out, direct access to WorkflowGen).

    • WorkflowGen adds a ReturnUrl parameter to the URL. You must resend it to the login URL you use to call WorkflowGen following authentication.


    • WorkflowGen calls your tier application login:

    • Your tier application calls the WorkflowGen login URL:

  4. Manage sign-out requests done by the tier application to logout the user in WorkflowGen:

    • Your tier application login calls the WorkflowGen login URL with the signout=true querystring parameter

    • In this case, you can customize the loginsso.aspx source to manage the redirection the way you want.

Encryption method

The example provided supports base64 encoding or encryption.

For the encryption option, loginsso.aspx uses 3DES mode ECB with MD5 to hash the private key by default. You can customize the loginsso.aspx code according to your requirements.

PHP code example

$key = 'mykey';
$string = 'string to be encrypted';
$encrypted = mcrypt_encrypt(MCRYPT_3DES, md5($key), $string, MCRYPT_MODE_ECB);