Summary

Authentication to the Work portal is not working when using Federated authentication with an identity provider such as Ping Federate.

Applies to

Bizagi .JEE 10.7 or later.

Symptoms

After entering an authorized login and password for the authentication, a Failed to authenticate the user error is thrown at the Federated authentication error page.

Cause

This error has two common causes:

• The specific account attempting a login is currently disabled (an account lockout). 
• The specific account or all accounts, have a mismatching username information at Bizagi's database.

Solution

 1. Make sure you have configured the Federate authentication as illustrated at http://help.bizagi.com/bpmsuite/en/index.html?sso_authentication.htm.
Note that your identity provider should support the protocols and versions listed as requisites.

2. Check with your administrator that your account is not currently disabled.
A disabled account can be produced due to an account lockout at the identity provider because of your corporate security policies (e.g at Ping Federate settings), or it may have been manually disabled in Bizagi by your appointed business administrator in charge of managing Bizagi users.  

3. Verify that the specific account exists both at the users repository being used by your identity provider, and at Bizagi's database (WFUser table).

4. Verify that your users synchronization is using the username and domain information as expected.
Review that within the response assertion, the NameID field inside of the saml:Subject element contains either: username@domain or domain\username.

In Bizagi, ensure you have in the WFUser column called domain, explicitly only the domain information.
And in the WFUser column called username, you have these options:
a) only the username.
b) username@domain (works if username@domain is contained in the NameID field).
c) domain\username (works if domain\username is contained in the NameID field).