Applies to versions: 2024 R1 and above; authors: Łukasz Chechelski, Jacek Język
Introduction
Microsoft Entra ID (formerly Azure Active Directory) provides identity management and access control for cloud resources and on-premises applications. By integrating WEBCON BPS with Entra ID, identity and access management can be handled in one place for hybrid and cloud-only environments.
This article covers the installation of WEBCON BPS Standalone without a local Active Directory domain. Authentication and user list retrieval are implemented using Microsoft Entra ID.
In the described installation, both user authentication to BPS and synchronization of the user list are performed using Microsoft Entra ID only; no local Active Directory domain is involved.
Registering the Microsoft Entra ID authentication application
It is best to register the applications in the Microsoft Entra ID management panel before installing WEBCON BPS. This lets you select the sign-in method and synchronize the user list during the BPS installation itself. However, the configuration on the WEBCON BPS side can also be done at any time after the installation, as described later in this article.
For security reasons (least privilege), we recommend creating two applications: one that handles authentication only and another that retrieves the BPS user list. The authentication application then needs neither Microsoft Graph application permissions nor a client secret, so a leak of the Portal's authentication configuration does not expose directory read rights.
Let's start with the authentication application.
In the App registrations window, add a new application.
In the Redirect URI section, enter the Portal address with the /signin-aad suffix (for example https://portal.example.com/signin-aad). If the Portal address is not yet known, you can fill it in after the BPS installation; authentication will not work until the redirect URI matches the address the Portal actually sends.
After registering the application, you can complete its configuration.
In the Authentication section, enable ID tokens (the option is listed under Implicit grant and hybrid flows). Access tokens are not needed by the authentication application and should stay disabled.
After saving the configuration, the created application is ready for use.
From the Overview tab, copy the Tenant ID and Client ID values that are required to configure authentication on the WEBCON BPS side.
Registering the Microsoft Entra ID user list synchronization application
The next step is to create a second application that will handle the process of retrieving the BPS user list.
Registration of this application is similar to the previous one, except that in this case there is no need to complete the Redirect URI.
Now it is time to configure the permissions. To retrieve the list of users and groups, the application must have the User.Read.All and Group.Read.All application permissions (not delegated permissions) for Microsoft Graph. No other permissions are required.
Permissions should be added in the API permissions tab.
By selecting Add a permission, then the Microsoft APIs tab, click Microsoft Graph.
In the next window, select Application permissions, then locate and select the User.Read.All permission.
Follow the same steps to add the Group.Read.All permission.
Once the permissions have been added, an administrator must approve them by clicking the button in the Grant consent area (Grant admin consent for your tenant). Application permissions cannot be consented to by ordinary users, so until this step is done the synchronization application has no effective rights and the status column shows the permissions as not granted.
The next step is to generate a client secret, which will be used to configure the synchronization mechanism on the WEBCON BPS side.
In the Certificates and secrets window, select New client secret, enter its description and expiry time.
The generated secret value should be saved immediately in a safe place (a password manager or secret store), as it cannot be viewed again after closing the window. Only the Value column is the secret; the Secret ID shown next to it is not sensitive and is not what BPS needs.
Important:
A client secret is always generated for a fixed period (chosen during generation). After this period the secret expires and the synchronization of the user list stops. Before the secret expires, generate a new one for the next period and replace it in the synchronization configuration; the old secret can be removed from the application registration once a synchronization has succeeded with the new one.
The administrator who configures synchronization is responsible for managing this rotation; Entra ID does not notify anyone when a secret expires.
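The rotation described in the note above can be scripted so that it is not forgotten. The following is an added example using the Microsoft Graph PowerShell SDK, not code from WEBCON or from the original article: it lists the client secrets of the synchronization application with their remaining lifetime and creates a replacement when the newest one is within a warning threshold. The application display name, the 30-day threshold and the 6-month lifetime of the new secret are assumptions; adjust them to your own policy.

```powershell
# Added example (not WEBCON's own code): report client secret expiry for the
# user list synchronization application and create a replacement when needed.
# Display name, warning threshold and new secret lifetime are assumptions.
#Requires -Modules Microsoft.Graph.Applications

$SyncAppName   = 'WEBCON BPS - User list sync'   # assumed display name
$WarnDays      = 30                              # assumed threshold
$NewSecretLife = 6                               # assumed lifetime in months

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$app = Get-MgApplication -Filter "displayName eq '$SyncAppName'"
if (-not $app) { throw "Application '$SyncAppName' not found" }

# One row per secret: key id, description, expiry date and days left, sorted by expiry.
$secrets = $app.PasswordCredentials | ForEach-Object {
    [pscustomobject]@{
        KeyId    = $_.KeyId
        Name     = $_.DisplayName
        Expires  = $_.EndDateTime
        DaysLeft = [int]([datetime]$_.EndDateTime - (Get-Date)).TotalDays
    }
} | Sort-Object Expires
$secrets | Format-Table -AutoSize

$newest = $secrets | Select-Object -Last 1
if (-not $newest -or $newest.DaysLeft -le $WarnDays) {
    # Add a new secret next to the old one; both stay valid, so synchronization
    # keeps running while the BPS configuration is being updated.
    $new = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = "BPS user sync $(Get-Date -Format yyyy-MM)"
        EndDateTime = (Get-Date).AddMonths($NewSecretLife)
    }
    Write-Warning "New secret created (KeyId $($new.KeyId)), expires $($new.EndDateTime)."
    Write-Warning 'Paste the value below into Designer Studio > Synchronization configuration > Credentials now; it is shown only once.'
    $new.SecretText

    # Remove the old secret only after the synchronization configuration has been
    # updated and a synchronization has succeeded with the new one:
    #   Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $newest.KeyId
}
else {
    Write-Host "Newest secret '$($newest.Name)' is valid for $($newest.DaysLeft) more days."
}
```

Run it from a scheduled task or pipeline under an account limited to Application.ReadWrite.All; the secret value is emitted to the pipeline so it can be captured into a secret store rather than read off a screen.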
To configure the synchronization on the WEBCON BPS side, in addition to the client secret you will need the Tenant ID and Client ID (Application ID) values of this application, which can be copied from its Overview tab. Note that the Client ID of the synchronization application differs from the Client ID of the authentication application; do not mix them up.
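The whole registration procedure above (both applications, the redirect URI with ID token issuance, the two Microsoft Graph application permissions with admin consent, and a client secret) can be performed from the Microsoft Graph PowerShell SDK instead of the portal. The script below is an added example and not code from WEBCON or from the original article. The application display names, the Portal URL and the six-month secret lifetime are assumptions; the Microsoft Graph application id 00000003-0000-0000-c000-000000000000 is the well-known fixed value.

```powershell
# Added example (not WEBCON's own code): registers the two Entra ID applications
# described in this article. Display names, Portal URL and secret lifetime are
# assumptions; replace them with your own values.
#Requires -Modules Microsoft.Graph.Applications

$PortalUrl   = 'https://bps.example.com'                # assumed Portal address
$AuthAppName = 'WEBCON BPS - Authentication'            # assumed display names
$SyncAppName = 'WEBCON BPS - User list sync'
$GraphAppId  = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app id

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# 1. Authentication application: redirect URI with the /signin-aad suffix and
#    ID token issuance enabled. It gets no Graph permissions and no secret.
$authApp = New-MgApplication -DisplayName $AuthAppName -SignInAudience 'AzureADMyOrg' -Web @{
    RedirectUris          = @("$PortalUrl/signin-aad")
    ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true }
}
New-MgServicePrincipal -AppId $authApp.AppId | Out-Null

# 2. Synchronization application: only the two application permissions it needs.
#    Role ids are looked up on the Graph service principal instead of hardcoded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roles   = @($graphSp.AppRoles | Where-Object { $_.Value -in 'User.Read.All', 'Group.Read.All' })
if ($roles.Count -ne 2) { throw 'Expected exactly two Microsoft Graph application roles' }

$syncApp = New-MgApplication -DisplayName $SyncAppName -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $GraphAppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)
$syncSp = New-MgServicePrincipal -AppId $syncApp.AppId

# 3. Admin consent: an app role assignment on the service principal is what the
#    "Grant admin consent" button does for application permissions.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $syncSp.Id `
        -PrincipalId $syncSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# 4. Client secret with a bounded lifetime (6 months here, an assumption).
#    SecretText is returned once; store it in your secret store immediately.
$secret = Add-MgApplicationPassword -ApplicationId $syncApp.Id -PasswordCredential @{
    DisplayName = 'BPS user sync'
    EndDateTime = (Get-Date).AddMonths(6)
}

# Values needed on the WEBCON BPS side; the secret is emitted last so it can be
# captured into a secret store rather than left in console history.
[pscustomobject]@{
    TenantId         = (Get-MgContext).TenantId
    AuthClientId     = $authApp.AppId
    SyncClientId     = $syncApp.AppId
    SyncSecretExpiry = $secret.EndDateTime
}
$secret.SecretText
```

The script deliberately keeps the two registrations apart: the authentication application ends up with no RequiredResourceAccess entries and no password credential, which is the least-privilege split the article recommends, and the synchronization application is granted exactly the two roles it needs, with consent recorded as app role assignments that can be audited later with Get-MgServicePrincipalAppRoleAssignment.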
WEBCON BPS configuration
Configuration of user list synchronization can be done directly after installing the system, either in the system settings of WEBCON BPS Designer Studio or using the administration tools in the installer (Tools for application management → Users list tab).
If you are already working with a running WEBCON BPS system, it is also possible to change the source of user data to Microsoft Entra ID, but this change can only be done with the help of the installer's administration tools.
Let's continue with the classic way of configuring it, i.e. using WEBCON BPS Designer Studio. After installing and running WEBCON BPS Designer Studio, log in with the built-in admin@system.bps administration account, whose password was set during the system installation.
Next, go to the System settings → Global parameters → Users and groups synchronization → Synchronization configuration tab.
In the configuration window, select Synchronize with Microsoft Entra ID as the synchronization source, then switch to the Credentials tab and enter the Tenant ID, Client ID and Client secret of the user list synchronization application registered earlier (not those of the authentication application).
If necessary, additional (non-default) synchronization parameters, such as a schedule, can be set in the configuration window. After saving the configuration, start the first Full synchronization manually by selecting Synchronize now and check that users and groups appear; a failure at this point usually means the admin consent was not granted or the secret was copied incorrectly.
Configuration of the Microsoft Entra ID authentication provider is also done in WEBCON BPS Designer Studio. Under System settings → Authentication providers select Microsoft Entra ID.
In the configuration window, enable this authentication method for Studio and Portal and enter the Tenant ID and Client ID of the authentication application registered earlier. No client secret is entered here.
Once the configuration is complete, users can sign in to the system using Microsoft Entra ID. Because BPS matches the signed-in identity against the synchronized user list, run a successful synchronization before testing the sign-in.