Configure a variety of settings including DocuSign, email servers, LDAP, SCIM, SSO, SAML, user Signals, and user extended properties.
Configure Single Sign-On (SSO) settings.
Manage your SSO settings.
Configure User Signals settings in your organization.
Manage User Signals.
Manage user extended properties that are available to all user accounts.
Manage your Actions By Email settings.
Understand what Actions By Email is and how you can configure it in your server environment.
Understand what actions can be performed through email and how you can integrate it in your server environment.
The Actions By Email package must be installed.
The Actions By Email package sends emails automatically during your Processes' Requests. During a Request, email recipients can make business decisions directly in the email by clicking on a button to indicate that decision. The email response returns to your ProcessMaker Platform instance to acknowledge the decision, then routes workflow for that Request. Use the Actions By Email settings to configure an IMAP server for retrieving these email responses.
The Actions By Email package has the Actions By Email connector that integrates into the Process Modeler. When the Actions By Email connector triggers during a Request, an email is sent to the Request participant to make a decision as part of the Request. This email contains pre-configured buttons for the participant to easily indicate the decision. After the email recipient clicks a button, ProcessMaker Platform receives the response through the IMAP server configured in Actions By Email settings and uses the indicated decision as part of the Request routing.
For detailed information on how to use Actions By Email functionality in your Processes, refer to Actions By Email connector and Actions By Email package.
To configure your IMAP server, refer to Actions by Email settings.
View all settings for connecting to an IMAP server used by the Actions By Email connector.
Display all Actions By Email settings in one location. This makes it easy to manage these settings.
Follow these steps to view all Actions By Email settings in your organization:
Click the Admin option from the top menu. The Users page displays.
The Actions By Email tab displays the following information in tabular format:
Setting: The Setting column displays the Actions By Email Setting name.
Configuration: The Configuration column displays the value of the setting and how it is configured.
Filter all Actions By Email settings on your server to find the one you need.
Use the Search function to filter all Actions By Email Settings from the Actions By Email page based on your entered text.
Follow these steps to search for an Actions By Email Setting:
In the Search setting, enter the Setting name to filter by Actions By Email Setting name.
The must be installed.
See the permissions or ask your Administrator for assistance.
Ensure that you are to ProcessMaker Platform.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting. The Actions By Email tab displays by default.
Use the setting to filter Actions By Email Settings that display.
Click the Edit icon. See .
Click the Copy to Clipboard icon. See .
Click the Clear icon. See .
The package must be installed.
See the permissions or ask your Administrator for assistance.
. The Actions By Email tab displays.
Click the Search icon or press enter. The Actions By Email settings display that match your entered text.
Configure general information about Actions By Email settings.
The Actions By Email package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to search Actions By Email settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
If you are upgrading ProcessMaker Platform and changing settings in Actions By Email, ensure that you do not have in-progress Requests. Otherwise, Requests with Actions By Email that were running try to connect to the old IMAP settings in previous ProcessMaker (Platform) versions. This causes a connection error that displays the message Mail Delivery Failed, and then generates spam that blocks the ProcessMaker Platform environment.
If there are in-progress Requests and you update IMAP settings in Actions by Email settings, fix this issue as follows:
Open the command console.
Go to the ProcessMaker Platform installation folder.
Run the following command: php artisan package-actions-by-email:install --cancel-running-requests
Run the following command: php artisan config:cache
Ensure that there are no unread Requests for the new IMAP settings.
To allow access to your IMAP server, the following information is needed:
IMAP server address.
IMAP server port number.
IMAP username and password.
IMAP folder name to use for response emails (Inbox is used by default).
Configure the following Actions By Email settings as necessary:
View your Actions By Email settings. The Actions By Email tab displays.
Enter the address of your IMAP server, and then click Save.
Enter your IMAP port, and then click Save.
Optionally, enter the name or the path to your IMAP folder if you want to retrieve the emails from a different folder, and then click Save.
Enter the username for authentication to your IMAP server, and then click Save.
Enter the password for authentication to your IMAP server, and then click Save.
Enter the polling interval of your IMAP server in the edit box or adjust the slider to select a polling interval. Polling interval determines how often response emails are retrieved from the IMAP server. Click Save to save your settings.
Optionally, enable the Validate IMAP SSL Certificate toggle key to validate the SSL certificate of your IMAP server before response emails are retrieved. The following message displays: The setting was updated. Enabling this option enhances security, but could introduce compatibility issues with some IMAP servers.
Optionally, enable the Reference in Subject Line toggle key to add information about your Process in the subject line of the response emails. The following message displays: The setting was updated. When this option is enabled, a reference in the following syntax is added to the subject line:
PMABEREF <Process ID> <Node ID>
PMABEREF is an acronym for "ProcessMaker Actions By Email Reference".
Process ID is the ID of the Process containing the Actions By Email connector.
Node ID is the ID of the Actions By Email connector in the Process.
For example: PMABEREF 2343 node_6
Click the Test Connection button. The following message displays if the test is successful: Server successfully connected. If a connection to the IMAP server could not be established, the following message displays: Cannot connect to server. Please check your configurations.
Click the Edit icon for the IMAP Server setting. The IMAP Server screen displays.
Click the Edit icon for the IMAP Port setting. The IMAP Port screen displays. Port 993 is the default value.
Click the Edit icon for the IMAP Path setting. The IMAP Path screen displays. This is the name of the folder from which response emails are retrieved. INBOX is the default value.
Click the Edit icon for the IMAP Username setting. The IMAP Username screen displays.
Click the Edit icon for the IMAP Password setting. The IMAP Password screen displays.
Click the Edit icon for the IMAP Polling Interval setting. The IMAP Polling Interval screen displays.
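The following Python example is added here and is not ProcessMaker code. It audits a response mailbox using the IMAP settings described above: it reads the folder over TLS with certificate and host name validation, then maps each message to the PMABEREF reference in its subject line. The function names, the sample messages, and the assumption that Process IDs are numeric and Node IDs consist of word characters are this example's own.

```python
"""Added example: audit an Actions By Email response mailbox (not ProcessMaker code)."""
import email
import email.policy
import imaplib
import re
import ssl

# Reference syntax from this page: PMABEREF <Process ID> <Node ID>.
# Assumption: the Process ID is numeric and the Node ID is made of word
# characters, as in the page's example "PMABEREF 2343 node_6".
PMABEREF_RE = re.compile(r"\bPMABEREF\s+(\d+)\s+(\w+)\b")

# Constructed sample messages (not real mail), so the audit runs offline.
SAMPLE_MESSAGES = [
    b"From: approver@example.com\r\n"
    b"Subject: Re: Approve purchase PMABEREF 2343 node_6\r\n\r\nApproved\r\n",
    # RFC 2047 encoded subject: a search over the raw bytes misses this one.
    b"From: reviewer@example.com\r\n"
    b"Subject: =?utf-8?q?R=C3=A9f_PMABEREF_2343_node=5F6?=\r\n\r\nApproved\r\n",
    b"From: unknown@example.net\r\n"
    b"Subject: Re: Approve purchase\r\n\r\nyes\r\n",
    b"From: unknown@example.net\r\n"
    b"Subject: PMABEREF 2343 node_6 PMABEREF 9 node_1\r\n\r\nyes\r\n",
]


def strict_imap_context():
    """TLS context that verifies the certificate chain and the host name.

    Assumption: this is the Python counterpart of what the Validate IMAP SSL
    Certificate toggle asks for; it is not ProcessMaker's implementation.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_messages(host, user, password, port=993, folder="INBOX"):
    """Fetch raw messages read-only over verified TLS (never called on import).

    A certificate that fails validation raises ssl.SSLCertVerificationError
    here, before the username and password are sent.
    """
    with imaplib.IMAP4_SSL(host, port, ssl_context=strict_imap_context()) as conn:
        conn.login(user, password)
        conn.select(folder, readonly=True)       # do not mark mail as read
        _, data = conn.search(None, "ALL")
        raws = []
        for num in data[0].split():
            _, parts = conn.fetch(num, "(BODY.PEEK[])")
            raws.append(parts[0][1])
        return raws


def parse_reference(subject):
    """Return (process_id, node_id), or None unless exactly one reference exists."""
    matches = PMABEREF_RE.findall(subject)
    if len(matches) != 1:
        return None                              # missing or ambiguous
    process_id, node_id = matches[0]
    return int(process_id), node_id


def triage(raw_messages):
    """Group senders by reference; list messages that need manual review."""
    by_ref, unmatched = {}, []
    for raw in raw_messages:
        # policy.default decodes RFC 2047 encoded words in the Subject header.
        msg = email.message_from_bytes(raw, policy=email.policy.default)
        sender = str(msg["From"] or "")
        subject = str(msg["Subject"] or "")
        ref = parse_reference(subject)
        if ref is None:
            unmatched.append((sender, subject))
        else:
            by_ref.setdefault(ref, []).append(sender)
    return by_ref, unmatched


if __name__ == "__main__":
    # Replace SAMPLE_MESSAGES with fetch_messages(host, user, password)
    # to audit a real mailbox with the values from the settings page.
    refs, review = triage(SAMPLE_MESSAGES)
    for (process_id, node_id), senders in refs.items():
        print(f"Process {process_id} / {node_id}: {', '.join(senders)}")
    for sender, subject in review:
        print(f"REVIEW  {sender}: {subject!r}")
```

The review list contains mail without a reference or with more than one, which is the mail worth checking by hand when the Reference in Subject Line option is enabled.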
Understand what DocuSign is and how you can integrate it in your server environment.
Copy an Actions By Email setting to clipboard.
Copy an Actions By Email configuration to clipboard to have this information in another environment or for testing purposes.
The Actions By Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to copy Actions By Email settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to copy an Actions By Email configuration setting:
View your Actions By Email settings. The Actions By Email tab displays.
Clear one of your Actions By Email settings.
The Actions By Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to clear the value of Actions By Email settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Clearing an Actions By Email configuration setting cannot be undone.
Follow these steps to clear the value of an Actions By Email configuration setting:
View your Actions By Email settings. The Actions By Email tab displays.
Click the Copy to Clipboard icon for your Actions By Email configuration setting to copy. The following message displays: The setting was copied to your clipboard.
Click the Clear icon for your Actions By Email configuration setting. The following message displays: The setting was updated.
Manage your DocuSign settings.
View all settings for connecting to a DocuSign server.
Display all DocuSign settings in one location. This makes it easy to manage these settings.
The DocuSign package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view DocuSign settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view all DocuSign settings in your organization:
Ensure that you are logged on to ProcessMaker.
Click the Admin option from the top menu. The Users page displays.
The DocuSign tab displays the following information in tabular format:
Setting: The Setting column displays the DocuSign Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Use the Search setting to filter DocuSign Settings that display.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon. See Configure DocuSign Settings.
Click the Copy to Clipboard icon. See Copy a DocuSign Setting.
Click the Clear icon. See Clear a DocuSign Setting.
Filter all DocuSign settings on your server to find the one you need.
Use the Search function to filter all DocuSign Settings from the DocuSign page based on your entered text.
The DocuSign package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to search DocuSign settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for a DocuSign Setting:
View your DocuSign settings. The DocuSign tab displays.
In the Search setting, enter the Setting name to filter by DocuSign Setting name.
Click the Search icon or press enter. The DocuSign settings display that match your entered text.
Configure general information about DocuSign settings.
The DocuSign package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to edit DocuSign settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
To allow access to your DocuSign server, the following information is needed:
DocuSign integration key
DocuSign secret key
DocuSign server address
To generate or locate this information for your DocuSign server, refer to Apps and Keys - DocuSign eSignature Admin Guide.
Configure the following DocuSign settings as necessary:
View your DocuSign settings. The DocuSign tab displays.
Enter your DocuSign Integration key, and then click Save.
Enter your DocuSign Secret Key, and then click Save.
Enter your DocuSign server name, such as https://account-d.docusign.com, and then click Save.
Click the Grant DocuSign Access button. The Task called DocuSign Authorization displays.
Click the Authorize Access button to grant the DocuSign eSignature platform access to your ProcessMaker Platform instance after it authenticates your DocuSign credentials. The DocuSign login page displays.
Enter your DocuSign account information to complete the authorization procedure.
Understand what DocuSign is and how you can integrate it in your server environment.
The DocuSign package must be installed.
DocuSign is a document management software that offers solutions for preparing, signing, and managing documents electronically. ProcessMaker Platform uses DocuSign's API to allow Process designers to seamlessly integrate DocuSign's eSignature functionality in a Process.
After the DocuSign package is installed, the DocuSign connector integrates into Process Modeler. Use the DocuSign connector in your Process models as a BPMN element: drag and place the DocuSign connector into your Process model, configure its settings, and then add its incoming and outgoing Sequence Flow elements.
The DocuSign connector uses DocuSign templates and recipient roles to send documents for eSignatures. Documents are sent through email to internal and external users as part of a Process. During a Request, when the DocuSign connector triggers, workflow routing can be configured in one of the following ways:
The Request pauses until the assigned user signs the document.
The Request's workflow resumes independently of the document's signing status.
For information on DocuSign templates and recipient roles, refer to Working with Templates - DocuSign eSignature User Guide.
Using the DocuSign package is a multi-step process involving these user roles:
System Administrators: An Administrator configures DocuSign server settings to ensure access to your DocuSign server.
Process designers: A Process designer configures the DocuSign connector in a Process to email documents for eSignatures to the intended recipients.
Recipients or document signers: The recipients access the documents through an email sent by DocuSign and sign them. The documents can be signed by both ProcessMaker Platform and external users.
Follow these guidelines to use the DocuSign package:
Copy a DocuSign setting to clipboard.
Copy a DocuSign configuration to clipboard to have this information in another environment or for testing purposes.
Follow these steps to copy a DocuSign configuration setting:
Click the Edit icon for the Integration Key setting. The Integration Key screen displays.
Click the Edit icon for the Secret setting. The Secret screen displays.
Click the Edit icon for the Server setting. The Server screen displays.
The must be installed.
See the permissions or ask your Administrator for assistance.
​. The DocuSign tab displays.
Click the Copy to Clipboard icon for your DocuSign configuration setting to copy. The following message displays: The setting was copied to your clipboard.
Configure email default settings that are available to all users.
Clear one of your DocuSign settings.
The DocuSign package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to clear the value of DocuSign settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Clearing a DocuSign configuration setting cannot be undone.
Follow these steps to clear the value of a DocuSign configuration setting:
View your DocuSign settings. The DocuSign tab displays.
Click the Clear icon for your DocuSign configuration setting. The following message displays: The setting was updated.
Understand what email default settings are and how they work in your server environment.
The email default settings allow an Administrator to configure outbound email sending. Outbound emails are available in Requests via Actions By Email connectors, Send Email connectors, Tasks, and emailed user notifications.
Email default settings are default configuration options for a mailer driver to work within server mail apps.
ProcessMaker Platform provides mailer drivers for the following services:
Manage your email default settings.
View email server default settings for a mail driver to work within server mail apps.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view email server default settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view the email server default settings:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the Email Default Settings tab. The Email Default Settings tab displays all email server default settings.
The Email Default Settings tab displays the following information in tabular format about the email server default settings:
Setting: The Setting column displays the name of the default email server settings.
Configuration: The Configuration column displays the setting value and how it is configured.
Use the Search setting to filter email server settings that display.
Click the +Mail Server button. See Create a New Email Server Configuration.
Click the -Remove Server button. See Delete an Email Server Configuration.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon. See Edit an Email Server Configuration.
Click the Copy to Clipboard icon. See Copy an Email Server Setting.
Click the Clear icon. See Clear an Email Server Setting.
Filter all email settings in an email server configuration to find the one you need.
Use the Search function to filter all email server settings from the Email Default Setting tab or any custom email server's configuration based on your entered text.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to search email server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for an email server setting:
View your Email Default Settings. The Email Default Settings tab displays.
Locate the custom email server setting's tab if not searching from the default email server settings.
In the Search setting, enter the Setting name to filter settings in that email server's configuration.
Click the Search icon or press enter. The email server settings display that match your entered text.
Edit an email server configuration.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to edit an email server's configuration unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
As part of creating a new email server configuration, the new email server settings display in one of the following locations in the Settings page:
A new tab displays adjacent to the Email Default Settings tab if no other custom email server configurations have been created. The new tab is labeled by default Email Server 1.
A new tab displays adjacent to the last custom email server configuration's tab. The new tab is labeled by default Email Server X, where X is the total number of custom email server configurations created.
Follow these steps to create or edit an email server configuration:
View your email server default settings. The Email Default Settings tab displays.
Do one of the following:
Create a new email server configuration: Click on the +Mail Server button at the top of the Email Default Settings tab or any custom email server configuration's tab. A new tab displays either adjacent to the Email Default Settings tab or the last custom email server configuration's tab.
Edit an email server configuration: Locate the email server configuration to edit.
Optionally, change this email server's alias name. Follow these steps:
Change the name for this email server's alias, and then click on Save.
Optionally, change which mail driver this email server uses. Follow these steps:
Select one of the following options that represent supported mail drivers:
smtp: Click on the smtp option to use the SMTP mail driver.
sendmail: Click on the sendmail option to use the Sendmail mail driver.
mailgun: Click on the mailgun option to use the Mailgun mail driver.
postmark: Click on the postmark option to use the Postmark mail driver.
ses: Click on the ses option to use the Amazon SES mail driver.
Click Save. Subsequent settings for that email server change based on the selected mail driver. See the appropriate topic for your selected mail driver:
Click the Edit icon for the Mailer alias name setting. The Mailer alias name screen displays.
Click the Edit icon for the Mailer driver setting. The Mailer driver screen displays.
Configure Simple Email Service (SES) mail driver protocol settings for your email server.
Simple Email Service (SES) is a cost-effective, flexible, and scalable email service that enables developers to send mail from any application. A widely used service in this category is Amazon Simple Email Service.
See the following example containing an Amazon SES mailer driver.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to edit email server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
To configure an Amazon SES email server, the following information is needed:
Amazon access key ID
Amazon secret access key
Amazon default region
To generate or locate your Amazon access key ID and secret access key, refer to Understanding and getting your AWS credentials. For details on Amazon regions, refer to Regions and Amazon SES.
Configure the following Amazon SES settings as necessary:
Create a new email server configuration. The settings for the new email server display. By default smtp is selected as the mailer driver.
Select the ses option, and then click Save. The settings for Amazon SES email server display.
Enter your Amazon access key ID, and then click Save.
Enter your Amazon secret access key, and then click Save.
Enter your Amazon region, and then click Save.
Enter the email address that this server uses to send emails, and then click Save.
Enter the person or company name that sends the email, and then click Save.
Consider the following example that stores all settings for an Amazon SES mail server configuration:
Mailer driver: ses
Amazon Access Key ID: AmazonExampleID
Amazon Secret Access Key: ••••••••••••••••••
Amazon Default Region: us-west-2
Sender Email: LouisCanera@BigCompany.com
Sender Name: LouisCanera
Click the Edit icon for the Mailer driver setting. The Mailer driver screen displays.
Click the Edit icon for the Amazon Access Key ID setting. The Amazon Access Key ID screen displays.
Click the Edit icon for the Amazon Secret Access Key setting. The Amazon Secret Access Key screen displays.
Click the Edit icon for the Amazon Default Region setting. The Amazon Default Region screen displays.
Click the Edit icon for the Sender Email setting. The Sender Email screen displays.
Click the Edit icon for the Sender Name setting. The Sender Name screen displays.
Configure Google Gmail driver protocol settings for your email server.
Google Gmail is one of the most widely used email services in the world. Configure an email server to authenticate with Gmail Simple Mail Transfer Protocol (SMTP) from which to send emails.
See the following example containing a Gmail mailer driver.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to edit email server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Refer to the following sections in this order to configure an email server for Gmail SMTP authentication:
Follow these steps to enable SMTP authentication for the Gmail email server settings:
Create a new email server configuration. The settings for the new email server display.
Select the tls option if it is not currently selected. Click Save if you changed this setting.
Enter 587, and then click Save.
Enter smtp.gmail.com, and then click Save.
From the Gmail Redirect URI setting, copy the redirect URI for creating the Gmail SMTP OAuth integration. This redirect URI is automatically configured for this email server after selecting the SMTP Authentication Method setting. Google calls back to this URL after Google authenticates a valid Google app in ProcessMaker Platform.
Follow these steps to create Google credentials for the Gmail email server's OAuth client:
Log on to Google Cloud Console.
In the Name setting, enter a name for the credential. This name displays only in the Google Cloud console.
The URIs 1 setting displays to enter a valid URI from a Web server.
In the URIs 1 setting, enter the Gmail Redirect URI copied from your ProcessMaker Platform instance.
Click Create at the bottom of the page. Note that it may take from five (5) minutes to a few hours for Google Cloud to enable this OAuth client.
From the Your Client ID setting, copy the client ID, and then save it for later configuration in the Gmail email server.
From the Your Client Secret setting, copy the client secret, and then save it for later configuration in the Gmail email server.
Click OK to close the OAuth client created screen.
Follow these steps to authorize the Google account for the Gmail SMTP OAuth integration:
In the ProcessMaker settings, access the email server configured for the Gmail SMTP OAuth integration.
Enter the client ID copied from the Google Cloud OAuth client.
Enter the client secret copied from the Google Cloud OAuth client.
Select the Google account with which to allow the Google OAuth client to access your Gmail email server.
Configure Mailgun mail driver protocol settings for your email server.
Mailgun requires that your email server be registered with their service. Therefore, prior to configuring your email server to use Mailgun, ensure that you have registered with their service and that you have received the Mailgun domain name and secret for your email server.
See the following example containing a Mailgun mailer driver.
To configure a Mailgun email server, the following information is needed:
Mailgun secret
Mailgun domain
Configure the following Mailgun settings as necessary:
Select the mailgun option, and then click Save. The settings for the Mailgun email server display.
Enter your Mailgun domain, and then click Save.
Enter your Mailgun secret, and then click Save.
Enter the email address that this server uses to send emails, and then click Save.
Enter the person or company name that sends the email, and then click Save.
Consider the following example for a Mailgun mail server configuration:
Mailer driver: mailgun
Mailgun Domain: BigCompany.mailgun.org
Mailgun Secret: •••••••••••••••••••••
Sender Email: LouisCanera@BigCompany.com
Sender Name: LouisCanera
Click the SMTP Authentication Method setting. The SMTP Authentication Method screen displays.
Select the google option, and then click Save. The settings for the Gmail email server display. Until providing the Gmail client ID and Gmail client secret, the label Not Authorized displays in the SMTP Authentication Method setting.
Click the Edit icon for the Use Secure Connection setting. The Use secure connection screen displays.
Click the Edit icon for the Server Port setting. The Server Port screen displays.
Click the Edit icon for the Server Host setting. The Server Host screen displays.
From the Google Cloud menu, click APIs & Services, and then Credentials.
The Credentials page displays.
Click +Create Credentials, and then select the OAuth client ID option.
The Create OAuth client ID page displays.
Click the Application type drop-down menu, and then select the Web application option.
From the Authorized redirect URIs section, click the +Add URI button to allow requests from a Web browser.
The OAuth client created screen displays with the client ID and client secret for this Gmail SMTP OAuth integration with your ProcessMaker Platform instance.
Click the Edit icon for the Gmail Client ID setting. The Gmail Client ID screen displays.
Click the Edit icon for the Gmail Client Secret setting. The Gmail Client Secret screen displays.
Click the Authorize Account button at the top of the email server settings. The Sign in with Google screen displays.
Click the Allow button to grant authorization.
If the Google SMTP OAuth integration is configured correctly on your email server settings, then the email server settings display again, and the SMTP Authentication Method setting indicates that Google authorized this email server to use the Google Cloud Web application.
is a transactional email service used by developers and information technology professionals to send, receive, and track emails using its powerful Application Program Interface (API).
The must be installed.
See the permissions or ask your Administrator for assistance.
To generate or locate this information, refer to
. The settings for the new email server display. By default smtp is selected as the mailer driver.
Click the Edit icon for the Mailer driver setting. The Mailer driver screen displays.
Click the Edit icon for the Mailgun Domain setting. The Mailgun Domain screen displays.
Click the Edit icon for the Mailgun Secret setting. The Mailgun Secret screen displays.
Click the Edit icon for the Sender Email setting. The Sender Email screen displays.
Click the Edit icon for the Sender Name setting. The Sender Name screen displays.
.
Configure Microsoft Office 365 driver protocol settings for your email server.
Microsoft Office 365 is one of the most widely used email services in the world. Configure an email server to authenticate with Office 365 Simple Mail Transfer Protocol (SMTP) from which to send emails.
See the following example containing an Office 365 mailer driver.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to edit email server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Refer to the following sections in this order to configure an email server for Office 365 SMTP authentication:
Follow these steps to enable SMTP authentication for the Office 365 email server settings:
Create a new email server configuration. The settings for the new email server display.
Select the tls option if it is not currently selected. Click Save if you changed this setting.
Enter 587, and then click Save.
Enter smtp.office365.com, and then click Save.
From the Office 365 Redirect URI setting, copy the redirect URI for creating the Office 365 SMTP OAuth integration. This redirect URI is automatically configured for this email server after selecting the SMTP Authentication Method setting. Microsoft calls back to this URL after Microsoft authenticates a valid Azure Active Directory (Azure AD) application in ProcessMaker.
SMTP authentication must be enabled in Microsoft 365 Admin Center so the Microsoft email address configured in the email server can send emails. Otherwise, Microsoft 365 will block requests to the SMTP server.
Follow these steps to enable SMTP authentication in Microsoft 365 Admin Center:
Log on to Microsoft 365 Admin Center.
The list of active users in your Microsoft 365 account displays.
Select the Mail tab within that user's information.
Select the Authenticated SMTP option if it is not already selected. Click the Save changes button if you enabled this option.
Follow these steps to create a Microsoft Azure Active Directory (Azure AD) application:
Log on to the Microsoft Azure Portal with the Microsoft email address configured on Microsoft Office 365 Admin Center.
The App registrations page displays.
In the Name setting, enter a name for this application. This is a required setting.
From the Supported account types setting, select which account type this application will support for your organization. If unsure, keep the default Accounts in this organizational directory only (FormShare only - Single tenant) option.
From the Redirect URI (optional) setting, do the following:
To the right of the Select a platform setting, enter the Office 365 redirect URI copied from your ProcessMaker instance.
From the Essentials section, click the Copy to Clipboard icon beside the Application (Client) ID to copy it, and then save it for later configuration in the Office 365 email server.
From the Essentials section, click the Copy to Clipboard icon beside the Directory (Tenant) ID to copy it, and then save it for later configuration in the Office 365 email server.
The Certificates & secrets page for this Azure AD application displays.
In the Description setting, enter a description for how this client secret will be used.
From the Expires setting, select the date on which this client secret expires. A new client secret should be generated and updated in the PM4 instance 30 days before the current one is set to expire.
Click Add. A new client secret generates.
Follow these steps to authorize the Office 365 account for the Office 365 SMTP OAuth integration:
Ensure the following:
In the ProcessMaker settings, access the email server configured for the Office 365 SMTP OAuth integration.
Enter the Office 365 tenant ID copied from the Azure AD application.
Enter the Office 365 client ID copied from the Azure AD application.
Enter the Office 365 client secret copied from the Azure AD application.
Select the email address configured to send emails from the email server.
Configure Postmark mail driver protocol settings for your email server.
See the following example containing a Postmark mailer driver.
Your user account or group membership must have the "Settings: Update Settings" permission to edit email server settings unless your user account has the Make this user a Super Admin setting selected.
To configure a Postmark email server, the Postmark token is required.
Configure the following Postmark settings as necessary:
Select the postmark option, and then click Save. The settings for the Postmark email server display.
Enter your Postmark token, and then click Save.
Enter the email address that this server uses to send emails, and then click Save.
Enter the person or company name that sends the email, and then click Save.
Consider the following example that stores all settings for a Postmark mail server configuration:
Mailer driver: postmark
Postmark token: •••••••••••••••••••••
Sender Email: LouisCanera@BigCompany.com
Sender Name: LouisCanera
Click the SMTP Authentication Method setting. The SMTP Authentication Method screen displays.
Select the office365 option, and then click Save. The settings for the Office 365 email server display. Until you provide the Office 365 client ID and Office 365 client secret, the label Not Authorized displays in the SMTP Authentication Method setting.
Click the Edit icon for the Use Secure Connection setting. The Use secure connection screen displays.
Click the Edit icon for the Server Port setting. The Server Port screen displays.
Click the Edit icon for the Server Host setting. The Server Host screen displays.
From the menu icon in the upper-left, select Users, then the Active users option.
Select the active user from whom to send emails from the email server. Details about that user display in the right-side panel.
From the Email apps column, select the Manage email apps link.
The Manage email apps screen displays.
Search for, and then select the App registrations service.
Below the App registrations page title, click the +New registration button.
The Register an application page displays.
From the Select a platform setting, select the Web option.
Click the Register button. The Azure platform creates the Azure AD application, and then displays information about the application.
From the Manage left-side menu, select the Certificates & secrets option.
Click the +New client secret button.
The Add a client secret screen displays.
Click the Copy to Clipboard icon in the middle column to copy the client secret value, and then save it for later configuration in the Office 365 email server. Ensure that you copy this client secret before refreshing or leaving this page.
Click the Edit icon for the Office 365 Tenant ID setting. The Office 365 Tenant ID screen displays.
Click the Edit icon for the Office 365 Client ID setting. The Office 365 Client ID screen displays.
Click the Edit icon for the Office 365 Client Secret setting. The Office 365 Client Secret screen displays.
Click the Authorize Account button at the top of the email server settings. The Pick an account screen displays.
Select the Consent on behalf of your organization checkbox if the Permissions requested screen displays, and then click the Accept button.
If the Office 365 SMTP OAuth integration is configured correctly on your email server settings, then the email server settings display again, and the SMTP Authentication Method setting indicates that Microsoft authorized this email server to use the Azure AD app.
Postmark is a fast and reliable application email service and trusted provider for application email needs. Follow to know more about the process of sending an email with an API.
The Send Email package must be installed.
See the Settings permissions or ask your Administrator for assistance.
To generate or locate this information, see
. The settings for the new email server display. By default smtp is selected as the mailer driver.
Click the Edit icon for the Mailer driver setting. The Mailer driver screen displays.
Click the Edit icon for the Postmark token setting. The Postmark token screen displays.
Click the Edit icon for the Sender Email setting. The Sender Email screen displays.
Click the Edit icon for the Sender Name setting. The Sender Name screen displays.
Configure Sendmail mailer driver protocol settings for your email server.
Sendmail is open source software that uses the Simple Mail Transfer Protocol (SMTP) to send emails. The Sendmail application must be installed on your server before you can use it as a mailer driver in ProcessMaker Platform. For more information on Sendmail, refer to Sendmail Open Source.
See the following example containing a configured Sendmail mailer driver.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to edit email server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The Sendmail application must be installed before making these configurations.
Configure the following Sendmail settings as necessary:
Create a new email server configuration. The settings for the new email server display. By default smtp is selected as the mailer driver.
Select the sendmail option, and then click Save. The settings for the Sendmail email server display.
Enter the email address that this server uses to send emails, and then click Save.
Enter the person or company name that sends the email, and then click Save.
Consider the following example for a Sendmail mailer server configuration:
Mailer driver: sendmail
Sender Email: LouisCanera@BigCompany.com
Sender Name: LouisCanera
Click the Edit icon for the Mailer driver setting. The Mailer driver screen displays.
Click the Edit icon for the Sender Email setting. The Sender Email screen displays.
Click the Edit icon for the Sender Name setting. The Sender Name screen displays.
Configure Simple Mail Transfer Protocol (SMTP) mailer driver protocol settings for your email server.
Simple Mail Transfer Protocol (SMTP) is an internet standard communication protocol for electronic mail transmission. Configure the SMTP email server to use a secure or insecure connection.
See the following example containing a configured SMTP email server.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to edit email server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
If configuring SMTP with a Gmail service, as a best practice, configure the User Account setting with the same value as in the Sender Email setting.
To configure a Simple Mail Transfer Protocol (SMTP) mailer driver, the following information is needed:
SMTP server host name
SMTP server port
SMTP account username and password
Configure the following SMTP settings as necessary:
Create a new email server configuration. The settings for the new email server display. By default smtp is selected as the mailer driver and the settings for the SMTP email server display.
Enter the email address that this server uses to send emails, and then click Save.
Enter the person or company name that sends the email, and then click Save.
Enter the host SMTP application or service, and then click Save.
Enter the port number that this email server uses, and then click Save.
Select one of the following connection protocol options that this SMTP email server uses to send and receive emails:
no: Use no secure connection.
tls: Use Transport Layer Security (TLS). This is the default option.
ssl: Use Secure Sockets Layer (SSL) protocol.
Enter an active user account the SMTP email server uses, and then click Save.
Click Save.
Consider the following example for an SMTP mail server configuration:
Mailer driver: smtp
Sender Email: LouisCanera@BigCompany.com
Sender Name: LouisCanera
Server Host: smtp.mailtrap.io
Server Port: 25
Use secure connection: tls
User Account: c5ad636d522571
User Password: •••••••••••••••••••••
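The three Use secure connection options decide whether the account password and the mail itself are encrypted in transit. The following added example (not ProcessMaker's code) reviews a settings dictionary shaped like the sample configuration above and can optionally probe the server to confirm that the session is encrypted with a verified certificate. It assumes that tls means STARTTLS and ssl means implicit TLS, the usual mailer convention; the function names are hypothetical.

```python
import smtplib
import ssl

VALID_MODES = ("no", "tls", "ssl")

# Constructed sample that mirrors the example configuration on this page.
SAMPLE = {
    "Server Host": "smtp.mailtrap.io",
    "Server Port": 25,
    "Use secure connection": "tls",
    "User Account": "c5ad636d522571",
}


def review_settings(cfg: dict) -> list:
    """Static review; returns (severity, message) tuples, worst first."""
    findings = []
    mode = cfg.get("Use secure connection", "tls")   # tls is the page's default
    port = int(cfg.get("Server Port", 0))
    has_creds = bool(cfg.get("User Account"))

    if mode not in VALID_MODES:
        findings.append(("high", f"unknown connection option {mode!r}"))
    elif mode == "no":
        what = "account password and mail" if has_creds else "mail"
        findings.append(("high", f"{what} cross the network unencrypted"))
    elif mode == "ssl" and port in (25, 587):
        findings.append(("medium",
                         f"port {port} normally expects STARTTLS (tls), not implicit TLS"))
    elif mode == "tls" and port == 465:
        findings.append(("medium",
                         "port 465 normally expects implicit TLS (ssl), not STARTTLS"))

    if port == 25 and has_creds:
        findings.append(("low",
                         "port 25 is the relay port; authenticated submission usually runs on 587"))
    return findings


def probe(cfg: dict, timeout: float = 10.0) -> dict:
    """Live check (needs network access): open the session as configured and
    report what was negotiated. No credentials are sent."""
    host, port = cfg["Server Host"], int(cfg["Server Port"])
    mode = cfg["Use secure connection"]
    ctx = ssl.create_default_context()        # verifies chain and host name

    if mode == "ssl":
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    with conn:
        conn.ehlo()
        result = {
            "starttls_offered": conn.has_extn("starttls"),
            # AUTH advertised before encryption means a client could send
            # its password in the clear.
            "auth_offered_in_cleartext": mode != "ssl" and conn.has_extn("auth"),
            "encrypted": mode == "ssl",
        }
        if mode == "tls":
            conn.starttls(context=ctx)        # raises if refused or cert invalid
            conn.ehlo()
            result["encrypted"] = True
        if result["encrypted"]:
            result["tls_version"] = conn.sock.version()
        return result


if __name__ == "__main__":
    for severity, message in review_settings(SAMPLE):
        print(f"[{severity}] {message}")
```

Run `probe()` from the host that runs ProcessMaker Platform, since egress filtering and TLS interception differ between networks.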
Copy to clipboard an email server setting.
Copy to clipboard an email server setting to have this information in another environment or for testing purposes.
Follow these steps to copy an email server setting:
Locate the custom email server setting's tab if not copying from the default email server settings.
Click the Edit icon for the Sender Email setting. The Sender Email screen displays.
Click the Edit icon for the Sender Name setting. The Sender Name screen displays.
Click the Edit icon for the Server Host setting. The Server Host screen displays.
Click the Edit icon for the Server Port setting. The Server Port screen displays.
Click the Edit icon for the Use secure connection setting. The Use secure connection screen displays.
Click the Edit icon for the User Account setting. The User Account screen displays.
Click the Edit icon for the User Password setting. The User Password screen displays.
Enter the password corresponding with the user account that this SMTP email server uses. The password is masked by default. Optionally, click the View Password icon to view the entered password; thereafter, click the Hide Password icon to hide the entered password.
The Send Email package must be installed.
See the Settings permissions or ask your Administrator for assistance.
​. The Email Default Settings tab displays.
Click the Copy to Clipboard icon for your email server setting to copy. The following message displays: The setting was copied to your clipboard.
Clear the value from an email server setting.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to clear the value of an email server setting unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Clearing an email server setting cannot be undone.
Follow these steps to clear the value of an email server setting:
View your Email Default Settings. The LDAP tab displays.
Locate the custom email server setting's tab if not clearing a value from the default email server settings.
Delete an email server configuration from the Settings page.
Only custom email server configurations may be deleted. The default email server configuration cannot be deleted.
Deleting an email server cannot be undone.
Follow these steps to delete an email server configuration:
Locate the custom email server setting's tab from which to remove its configuration.
Click Confirm. The email server configuration is deleted and does not display as a setting tab in the Settings page.
Click the Clear icon for your email server setting. The following message displays: The setting was updated.
The Send Email package must be installed.
See the Settings permissions or ask your Administrator for assistance.
. The Email Server settings tab displays.
Click the -Remove Server button. The following message displays: Are you sure you want to delete this item?
Send a test email to ensure that your email server configuration sends emails correctly.
Send a test email using an email server configuration to ensure that your email server configuration sends emails correctly.
The Send Email package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to delete an email server unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to send a test email using an email server configuration:
View your Email Default Settings. The LDAP tab displays.
Locate the custom email server setting's tab if not testing the default email server settings.
In the Recipient's email address setting, enter the valid email address to send the test email. This is a required setting.
Click Test. Any errors that occur display below the Recipient's email address setting. If no errors display, review the Inbox for the email address to which the test email was sent.
Click the Send Test Email button. The Testing Email Server screen displays.
Understand what external integrations to CDATA drivers are and how to add them to your server environment.
Understand what CDATA External Integrations are and how they connect to third-party applications and services.
CDATA integrates with a large library of third-party applications and services, including the following:
DocuSign
GitHub
Microsoft Excel
Slack
ProcessMaker Platform simplifies integration with CDATA's drivers that seamlessly synchronize real-time data and streamline integration management.
ProcessMaker Platform integrates with CDATA's drivers in the following manner:
Administrators add a supported CDATA driver from Settings. Thereafter, configure authentication for that external integration.
Process Designers see the CDATA External Integration like any other Process model object. They add the external integration to their Process model, and then configure it for that object.
Manage your CDATA External Integration settings.
View all settings for the data integration with CDATA external data apps.
Display all CDATA External Integration settings in one location. This makes it easy to manage these settings.
Your user account or group membership must have the "Settings: View Settings" permission to view External Integration settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view all CDATA External Integration settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the External Integrations tab. The External Integrations tab displays all authorized External Integrations.
The External Integrations tab displays the following information in tabular format about External Integrations settings:
Setting: The Setting column displays the CDATA setting name.
Configuration: The Configuration column displays if a driver has been authorized.
Use the Search setting to filter CDATA settings that display.
Click the +Driver button. See Add a Driver.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon. See Configure an External Registration.
Click the Copy to Clipboard icon. See Copy an External Registration.
Click the Delete icon. See Remove an External Registration.
Filter all CDATA External Integrations in your server to find the one you need.
Use the Search function to filter all External Integrations from the External Integration page based on your entered text.
Your user account or group membership must have the "Settings: View Settings" permission to search External Integration unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for a CDATA External Integration:
View your External Integrations. The External Integrations tab displays.
In the Search setting, enter the Setting name to filter by External Integration name.
Click the Search icon or press enter. The CDATA External Integrations display that match your entered text.
Add a CDATA driver of an external registration.
Use the +Driver button to add a driver of a CDATA External Registration.
Your user account or group membership must have the "Settings: View Settings" permission to add a CDATA External Registration driver unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to add a CDATA driver for an External Registration:
View your External Registrations. The External Registrations tab displays.
From the Select a Driver dropdown, select one of the following CDATA drivers:
DocuSign
GitHub
Slack
Microsoft Excel
Click Add Driver.
Click the +Driver button. The Add Driver window displays.
Click the Edit icon. See Configure an External Registration.
Configure general information about a CDATA External Integration.
Configure the following External Registrations as necessary:
Configure credentials to connect to the CDATA External Integration for DocuSign.
Your user account or group membership must have the "Settings: Update Settings" permission to edit External Integrations unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Before proceeding, ensure that you have the client ID and client secret from your registered DocuSign driver.
Follow these steps to connect to the DocuSign server:
View your CDATA External Integrations. The External Integrations tab displays.
In the Client ID setting, enter the client ID from your registered DocuSign driver. If testing DocuSign to get the client ID, see Enable OAuth for Connect.
In the Client Secret setting, enter the client secret from your registered DocuSign driver. If testing DocuSign to get client secret, see Enable OAuth for Connect.
Enable Use Sandbox if you are using a sandbox account.
Click Authorize. If authorization is successful, the External Integrations page lists DocuSign as authorized.
Click the Edit icon for the DocuSign setting. The DocuSign screen displays.
Use the copy icon to copy the URL from the Redirect URL setting, and then provide it to your OAuth identity provider.
Configure credentials to connect to the CDATA External Integration for GitHub.
Your user account or group membership must have the "Settings: Update Settings" permission to edit External Integrations unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Before proceeding, ensure that you have the client ID and client secret from your registered GitHub driver.
Follow these steps to connect to the GitHub server:
View your CDATA External Integrations. The External Integrations tab displays.
In the Client ID setting, enter the client ID from your registered GitHub driver. If testing GitHub to get the client ID, see Creating an OAuth app.
In the Client Secret setting, enter the client secret from your registered GitHub driver. If testing GitHub to get the client secret, see Creating an OAuth app.
In the Repository Name setting, enter the GitHub repository name to restrict query results.
In the User Login setting, enter the GitHub user name to restrict query results.
Click Authorize. If authorization is successful, the External Integrations page lists GitHub as authorized.
Click the Edit icon for the GitHub setting. The GitHub screen displays.
Use the copy icon to copy the URL from the Redirect URL setting, and then provide it to your OAuth identity provider.
Configure credentials to connect to the CDATA External Integration for Slack.
Your user account or group membership must have the "Settings: Update Settings" permission to edit External Integrations unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Before proceeding, ensure that you have the client ID and client secret from your registered Slack driver.
Follow these steps to connect to the Slack server:
View your CDATA External Integrations. The External Integrations tab displays.
In the Client ID setting, enter the client ID from your registered Slack driver. If testing Slack to get the client ID, see Creating a Slack App.
In the Client Secret setting, enter the client secret from your registered Slack driver. If testing Slack to get the client secret, see Creating a Slack App.
Click Authorize. If authorization is successful, the External Integrations page lists Slack as authorized.
Click the Edit icon for the Slack setting. The Slack screen displays.
Use the copy icon to copy the URL from the Redirect URL setting, and then provide it to your OAuth identity provider.
Configure credentials to connect to the CDATA External Integration for Microsoft Excel.
Your user account or group membership must have the "Settings: Update Settings" permission to edit External Integrations unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Before proceeding, ensure that you have the client ID and client secret from your registered Microsoft Excel driver.
Follow these steps to connect to the Microsoft Excel server:
View your CDATA External Integrations. The External Integrations tab displays.
In the Client ID setting, enter the client ID from your registered Microsoft Excel driver. If testing Microsoft Excel to get the client ID, see Add a client ID and client secret.
In the Client Secret setting, enter the client secret from your registered Microsoft Excel driver. If testing Microsoft Excel to get the client secret, see Add a client ID and client secret.
From the Connection Type dropdown, select the service for storing and retrieving Microsoft Excel files such as Amazon S3, Azure Blob Store, Box, Dropbox, Google Cloud Storage, Google Drive, OneDrive, or SharePoint REST.
In the URI setting, enter the Uniform Resource Identifier (URI) for the Microsoft Excel resource location.
Click Authorize. If authorization is successful, the External Integrations page lists Microsoft Excel as authorized.
Click the Edit icon for the Microsoft Excel setting. The Microsoft Excel screen displays.
Use the copy icon to copy the URL from the Redirect URL setting, and then provide it to your OAuth identity provider.
Copy to clipboard a CDATA External Integration.
Copy to clipboard CDATA External Integration configurations to have this information in another environment or for testing purposes.
Your user account or group membership must have the "Settings: Update Settings" permission to copy External Integration settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to copy CDATA External Integration configurations:
View your CDATA External Integrations. The External Integrations tab displays.
Click the Copy to Clipboard icon for your CDATA External Integration settings to copy. The following message displays: The setting was copied to your clipboard.
Delete a CDATA External Integration configuration.
Your user account or group membership must have the "Settings: Update Settings" permission to remove values of an External Integration unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Deleting a CDATA External Integration cannot be undone.
Follow these steps to delete a CDATA External Integration:
View your External Integrations. The External Integrations tab displays.
Click Confirm to delete the CDATA External Integration.
Click the Delete icon for your External Integration. The Caution! window displays.
Understand what intelligent document processing (IDP) settings are and how they integrate ProcessMaker Platform to your ProcessMaker IDP instance.
The intelligent document processing (IDP) settings allow a ProcessMaker Administrator to configure authentication to a ProcessMaker IDP instance. ProcessMaker Platform must be authenticated to a ProcessMaker IDP instance so IDP connectors configured in business processes may process documents during Requests.
Manage settings to your ProcessMaker IDP instance.
Filter all IDP Settings in your server to find the one you need.
Use the Search function to filter all IDP settings from the IDP page based on your entered text.
The IDP package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view ProcessMaker IDP server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for an IDP setting:
View your IDP settings. The IDP tab displays.
In the Search setting, enter the Setting name to filter by IDP setting name.
Click the Search icon or press enter. The IDP settings display that match your entered text.
Configure authentication settings and folders to store documents for ProcessMaker IDP.
The IDP package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view ProcessMaker IDP server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to authenticate with ProcessMaker IDP:
Client ID: The client ID is the unique key for your ProcessMaker Platform instance to authenticate IDP connectors implemented in your ProcessMaker IDP instance.
Client secret: The client secret is the time-sensitive and private code that your ProcessMaker IDP instance acknowledges to authenticate IDP connectors when connecting.
Token URL: The token URL references the valid authentication token that authenticates IDP connectors during authentication.
To locate the client ID and client secret, both of which are private to your organization, contact your Customer Success Manager. Since the IDP package is part of the ProcessMaker Platform Enterprise edition, this functionality is not available in the Open Source edition.
As part of this configuration, determine which folders within your organization Process designers using the IDP connector can reference to store documents for intelligent document processing. Note that until your ProcessMaker IDP instance authenticates with ProcessMaker Platform, the indicator Unauthorized displays beside the setting from which to select those folders. The indicator Authorized displays after authentication.
Follow these steps to authenticate with ProcessMaker IDP prior to selecting which folders to store documents for intelligent document processing:
Enter the integration key for your ProcessMaker IDP instance, and then click Save.
Enter the client secret for your ProcessMaker IDP instance, and then click Save.
Enter the URL that references the valid authentication token to your ProcessMaker IDP instance, and then click Save.
Click the Authorize Account button.
Prior to selecting from which folder(s) in ProcessMaker Platform to store documents for intelligent document processing (IDP), ensure the following:
Folders from which to store documents exist in your ProcessMaker IDP instance. If they do not exist, consult with your Customer Success Manager to request that those folders be created.
You have authenticated with your ProcessMaker IDP instance. Note that until your ProcessMaker IDP instance authenticates with ProcessMaker Platform, the indicator Unauthorized displays beside the setting from which to select those folders. The indicator Authorized displays after authentication.
Follow these steps to select document-storing folders:
Click Save.
From the Client ID setting, click the Edit icon. The Client ID setting displays. This is a required setting.
From the Client Secret setting, click the Edit icon. The Client Secret setting displays. This is a required setting.
From the Host URL setting, click the Edit icon. The Host URL setting displays. This is a required setting.
From the Token URL setting, click the Edit icon. The Token URL setting displays. This is a required setting.
From the Select Available Folders setting, click the Edit icon. The Select available folders setting displays.
Click the drop-down menu to select one or more existing folders from which to store documents for processing. Click the Remove icon to remove an added folder.
Configure settings to connect to your ProcessMaker IDP server.
Configure Lightweight Directory Access Protocol (LDAP) settings.
Understand what LDAP is and how its settings work in your server environment.
Lightweight Directory Access Protocol (LDAP) is a platform protocol used for directory services authentication.
LDAP provides the communication language that your server uses to communicate with other directory services servers. Directory services store the users, passwords, and computer accounts, and share that information with your company entity on the network.
The LDAP settings ensure your company users log on by authenticating directly into an LDAP server and then enable synchronization with LDAP to update user information. Configure LDAP settings for the following purposes:
Synchronize users in your organization as ProcessMaker users.
Authenticate the server source.
Configure how users and groups synchronize.
Log on to ProcessMaker Platform using your LDAP credentials to have a unified login.
Keep using your LDAP credentials after synchronization even if you change a user password in LDAP.
LDAP uses Distinguished Names (DN) to identify users, groups, and other types of entities. The DN describes entities starting from the specific and moving to the general in the hierarchy of entities. In LDAP and Active Directory, which is Microsoft's extension of LDAP, Distinguished Names are constructed hierarchically using the following components.
Other naming attributes described in RFC 2253, such as o= for organization name and c= for country/region name, are not used in Active Directory, although they are recognized by LDAP.
For more information on how to construct DNs, see this LDAP guide.
| Component and Abbreviation | Usage | Example |
| --- | --- | --- |
| domain components (DC) | Enter each DC as read left to right, each separated by a comma without spacing between each. | dc=acme,dc=com |
| organizational units (OU) | Enter each OU, each separated by a comma without spacing between each. | ou=managers,ou=regionalbranch |
| common names (CN) | Enter each CN, each separated by a comma without spacing between each. | cn=Louis Canera,cn=John Doe |
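The following added example (not ProcessMaker code) builds a Base DN from a domain name, splits a DN into its components, and checks whether an entry sits under a Base DN. The function names are assumptions for illustration; the parser handles backslash escapes but not multi-valued RDNs (`+`) or quoted values, and it compares values case-insensitively.

```python
import string
from typing import List, Tuple

# Characters that must be backslash-escaped inside an attribute value.
_MUST_ESCAPE = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a value (for example a person's name) before placing it in a DN."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in _MUST_ESCAPE or edge_space or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_domain(domain: str) -> str:
    """processmaker.com -> dc=processmaker,dc=com (the page's Base DN example)."""
    labels = domain.strip(".").split(".")
    if not all(labels):
        raise ValueError(f"empty label in domain {domain!r}")
    return ",".join("dc=" + escape_rdn_value(label) for label in labels)


def _unescape(value: str) -> str:
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                raw.append(int(pair, 16))     # \2C style hex escape
                i += 3
            else:
                raw += value[i + 1].encode()  # \, style single-character escape
                i += 2
        else:
            raw += value[i].encode()
            i += 1
    return raw.decode("utf-8")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific component first."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])           # keep the escape intact, never split on it
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or value == "":
            raise ValueError(f"malformed DN component {part!r}")
        rdns.append((attr.strip().lower(), _unescape(value)))
    return rdns


def is_under_base(dn: str, base_dn: str) -> bool:
    """True when the entry's trailing components equal the Base DN's components."""
    entry = [(a, v.lower()) for a, v in split_dn(dn)]
    base = [(a, v.lower()) for a, v in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    base = base_dn_from_domain("acme.com")
    # Constructed sample DNs. The last one only looks like it ends with the Base DN:
    # its comma is escaped, so "x,dc=acme" is a single CN value under dc=com.
    for dn in ("cn=John Doe,ou=managers,ou=regionalbranch,dc=acme,dc=com",
               "cn=Canera\\, Louis,ou=managers,dc=acme,dc=com",
               "cn=x\\,dc=acme,dc=com"):
        print(dn, "->", is_under_base(dn, base))
```

A plain string comparison such as `dn.endswith(base)` accepts the third sample; comparing parsed components does not.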
Manage your LDAP settings.
View all settings for the user synchronization with an LDAP server. View LDAP settings like when users synchronize, server authentication source, and how users and groups synchronize.
Display all LDAP settings in one location. This makes it easy to manage these settings.
The Auth package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view LDAP settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view all LDAP settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the LDAP tab. The LDAP tab displays all LDAP settings.
The LDAP tab displays the following information in tabular format about LDAP settings:
Setting: The Setting column displays the LDAP Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Use the Search setting to filter LDAP Settings that display.
Click the Logs button. See View LDAP Logs.
Filter all LDAP Settings in your server to find the one you need.
Use the Search function to filter all LDAP Settings from the LDAP page based on your entered text.
Follow these steps to search for an LDAP Setting:
In the Search setting, enter the Setting name to filter by LDAP Setting name.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon. See Configure an LDAP Setting.
Click the Copy to Clipboard icon. See Copy an LDAP Setting.
Click the Clear icon. See Clear an LDAP Setting.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
View your LDAP Settings. The LDAP tab displays.
Click the Search icon or press Enter. The LDAP settings display that match your entered text.
Configure general information about an LDAP Setting.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit LDAP settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Configure the following LDAP settings as necessary:
Enable directory synchronization between ProcessMaker and your LDAP server. If not enabled, ProcessMaker Platform does not synchronize with your LDAP server.
Follow these steps to enable directory synchronization via LDAP:
View your LDAP Settings. The LDAP tab displays.
Enable the Enabled toggle key. This is a required setting to use LDAP with ProcessMaker Platform. The following message displays: The setting was updated.
Set at which interval to synchronize with your LDAP server. Consider that when setting this interval, the more users, groups, and/or departments your LDAP server contains, the more time ProcessMaker Platform requires to synchronize your LDAP server.
Follow these steps to set how often to synchronize between your LDAP server and ProcessMaker Platform:
View your LDAP Settings. The LDAP tab displays.
In the Quantity setting, enter how many times to synchronize for each configured frequency. 1 is the default setting.
In the Frequency setting, select the frequency in which to synchronize from the following options:
Minutes (default setting)
Hours
Days
Click Save. The following message displays: The setting was updated.
Follow these steps to select to which LDAP server type ProcessMaker Platform connects to synchronize:
View your LDAP Settings. The LDAP tab displays.
Select to which LDAP server type ProcessMaker Platform connects to synchronize:
Active Directory (default setting)
Click Save. The following message displays: The setting was updated.
Follow these steps to enter the LDAP server address and port to which ProcessMaker Platform synchronizes:
View your LDAP Settings. The LDAP tab displays.
Enter the IP address or host name for the LDAP server to which ProcessMaker Platform synchronizes.
Click Save. The following message displays: The setting was updated.
Enter the port number the LDAP server uses. By default, LDAP uses port 389. If unsure, use one of the following commands depending on your LDAP server's operating system:
Linux/UNIX: netstat -l and netstat -lnp
Windows: netstat -a and netstat -ab
If your LDAP server uses a Transport Layer Security (TLS) certificate, enable TLS to connect to the LDAP authentication source.
Follow these steps to enable TLS to connect to your LDAP authentication source:
View your LDAP Settings. The LDAP tab displays.
Enable the TLS toggle key. The following message displays: The setting was updated.
Enter the Distinguished Name (DN) of the Base object to connect to the LDAP server. In most cases, the Base DN consists of the domain components (DC) of the DN. For example, the Base DN for processmaker.com is dc=processmaker,dc=com. For more information on how to construct DNs, see this LDAP guide.
Follow these steps to enter the domain components (DC) for the base Distinguished Name (DN):
View your LDAP Settings. The LDAP tab displays.
Enter each DC of the Base DN following the guidelines above.
Click Save. The following message displays: The setting was updated.
Follow these steps to enter the credentials to connect to the LDAP server:
View your LDAP Settings. The LDAP tab displays.
Enter the username to log on to the LDAP server.
Click Save. The following message displays: The setting was updated.
Enter the password to log on to the LDAP server.
Click Save. The following message displays: The setting was updated.
Select to which LDAP groups on your LDAP server to synchronize as ProcessMaker Platform groups. During synchronization the following occurs:
ProcessMaker Platform groups that do not exist are created.
If a selected LDAP group contains no LDAP users, then a corresponding ProcessMaker Platform group is not created if it does not already exist.
ProcessMaker Platform users that exist synchronize from your LDAP server and are placed into the groups corresponding with your selected LDAP server department(s).
ProcessMaker Platform users that do not already exist but exist in your selected LDAP group(s) are created.
Ensure that you have configured at least the following LDAP settings to connect with your LDAP server prior to selecting which LDAP groups to synchronize. Otherwise, no LDAP groups are available to synchronize when editing this setting.
Follow these steps to select which LDAP groups to synchronize as ProcessMaker Platform groups:
View your LDAP Settings. The LDAP tab displays.
Enable the toggle key for each LDAP group to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
Select from which LDAP departments on your LDAP server to synchronize as ProcessMaker Platform groups. During synchronization the following occurs:
ProcessMaker Platform groups that do not exist are created.
If a selected LDAP department contains no LDAP users, then a corresponding ProcessMaker Platform group is not created if it does not already exist.
ProcessMaker Platform users that exist synchronize from your LDAP server and are placed into the groups corresponding with your selected LDAP server department(s).
ProcessMaker Platform users that do not already exist but exist in your selected LDAP department(s) are created.
Ensure that you have configured at least the following LDAP settings to connect with your LDAP server prior to selecting which LDAP departments to synchronize. Otherwise, no LDAP departments are available to synchronize when editing this setting.
Follow these steps to select which LDAP departments to synchronize as ProcessMaker Platform groups:
View your LDAP Settings. The LDAP tab displays.
Enable the toggle key for each LDAP department to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
Enter the LDAP object class that identifies users. Objects that match the object class synchronize with users that exist in your ProcessMaker Platform instance. During synchronization the following occurs:
LDAP groups that contain LDAP users and match the entered LDAP object class synchronize.
LDAP groups that do not contain LDAP users do not synchronize, regardless of whether they match the entered LDAP object class.
Follow these steps to enter the LDAP object class that identifies users:
View your LDAP Settings. The LDAP tab displays.
Enter the LDAP object class that identifies users. Follow these guidelines depending on which LDAP server type your LDAP server uses:
Active Directory: Enter samaccountname.
Open LDAP: Enter uid.
If unsure which object class to use: Enter *. Synchronization is slower because all object classes are evaluated.
Click Save. The following message displays: The setting was updated.
Enter the LDAP object class that identifies groups. Objects that match the object class synchronize with groups that exist in your ProcessMaker Platform instance. ProcessMaker Platform groups that do not already exist are created from your LDAP server.
Follow these steps to enter the LDAP object class that identifies groups:
View your LDAP Settings. The LDAP tab displays.
Enter the LDAP object class that identifies groups.
Click Save. The following message displays: The setting was updated.
Map how ProcessMaker Platform user properties correspond with synchronized LDAP attributes. See _user Magic Variable for ProcessMaker Platform user properties.
Consider the following examples.
Follow these steps to map how ProcessMaker Platform user properties correspond with LDAP attributes:
View your LDAP Settings. The LDAP tab displays.
Follow these guidelines to map a ProcessMaker Platform user property to an LDAP attribute:
Click the +Add button. A new row displays the existing mapped user properties.
In the ProcessMaker Property setting, enter the ProcessMaker Platform user property to which to map the LDAP attribute.
In the LDAP Attribute setting, enter the LDAP attribute from which to map to the ProcessMaker Platform user property.
Click Save. The following message displays: The setting was updated.
Click the Edit icon for the Synchronization Schedule setting. The Synchronization Schedule screen displays.
Click the Edit icon for the Type setting. The Type screen displays.
Click the Edit icon for the Server Address setting. The Server Address screen displays.
Click the Edit icon for the Server Port setting. The Server Port screen displays.
Click the Edit icon for the Base DN setting. The Base DN screen displays.
Click the Edit icon for the Username setting. The Username screen displays.
Click the Edit icon for the Password setting. The Password screen displays.
Click the Edit icon for the Groups to Import setting. The Groups To Import screen displays the LDAP groups on your LDAP server. If your LDAP server contains no LDAP groups, this screen displays no groups with which to synchronize.
Click the Edit icon for the Groups to Import setting. The Groups To Import screen displays the LDAP departments on your LDAP server. If your LDAP server contains no LDAP departments, this screen displays no departments with which to synchronize.
Click the Edit icon for the User Class Identifier setting. The User Class Identifier screen displays.
Click the Edit icon for the Group Class Identifier setting. The Group Class Identifier screen displays.
Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker Platform user property.
| ProcessMaker User Property | User Property Function | Mapped LDAP Attribute |
| --- | --- | --- |
| FirstName | User's first name | Name |
| UserName | User's user name | SameAccountName |
Copy to clipboard an LDAP configuration.
Copy to clipboard an LDAP configuration to have this information in another environment or for testing purposes.
The Auth package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to copy LDAP settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to copy an LDAP configuration setting:
View your LDAP Settings. The LDAP tab displays.
Click the Copy to Clipboard icon for your LDAP configuration setting to copy. The following message displays: The setting was copied to your clipboard.
Clear an LDAP configuration.
The Auth package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to clear the value of LDAP settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Clearing an LDAP configuration setting cannot be undone.
Follow these steps to clear the value of an LDAP configuration setting:
View your LDAP Settings. The LDAP tab displays.
Click the Clear icon for your LDAP configuration setting. The following message displays: The setting was updated.
View records of scheduled LDAP synchronizations in your server.
Display logs of the LDAP users, groups, and/or departments that have synchronized.
The Auth package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to view LDAP logs unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view LDAP logs:
View your LDAP Settings. The LDAP tab displays.
Click the Logs button. The Logs page displays all the LDAP synchronization logs.
The Logs page displays the following information in tabular format about LDAP logs:
ID: The ID column displays the log ID used to identify this synchronization log.
Tag: The Tag column displays the synchronization type among LDAP Users, Groups, or Departments.
Service: The Service column displays LDAP as the service type to which the log applies.
Message: The Message column displays the synchronization status, the number of updated records, and the number of new registers after synchronization occurs.
Created: The Created column displays the date and time when synchronization occurred.
Understand what password and login settings are and how they apply to the user login.
Password and Login settings ensure a secure and reliable user log-on authentication experience.
To configure Password and Login settings, visit the Settings page from the Admin top menu, and then select the Password Policies and the Session Control tabs.
As an administrator, you can configure the following:
Password policies
Two-factor authentication
Restrict open sessions for users/company
As a participant, you can do the following:
Configure how to receive the second authentication factor.
The platform automatically logs out that user's session after some time of inactivity to protect data from unauthorized access.
The platform automatically blocks that user's access after a specified number of incorrect login attempts to protect user accounts from unauthorized access and potential security breaches.
Require that user's account password be reset if it was blocked.
Manage log on options to configure password policies.
View which parameters to enforce for users to log on to ProcessMaker Platform.
Your user account or group membership must have the "Settings: View Settings" permission to view Password Policies unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view the Log-In Options tab settings:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the Log-In Options tab. The settings display to configure parameters with which users must comply to log on to ProcessMaker Platform.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the toggle option or the Edit icon. See Edit a Password Policy.
Configure a log on option.
Your user account or group membership must have the "Settings: Update Settings" permission to edit settings from the Log-In Options tab unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Configure the following Log-In Options tab settings as necessary:
Enable users to change their passwords.
Follow these steps to enable a user to change their password:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Password Set By User toggle key. The following message displays: The setting was updated. When this setting is enabled, users are able to change their passwords when editing their user profile.
If this setting is toggled off, users won't have the option to update their password while editing their user profile.
Note: This setting applies to all users except Super Admins. Users with Super Admin permissions will always have the ability to change passwords.
Enable at least one numeric character for user passwords.
Follow these steps to enable numeric characters:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Numeric Characters toggle key. The following message displays: The setting was updated.
Enable at least one uppercase character for user passwords.
Follow these steps to enable uppercase characters:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Uppercase Characters toggle key. The following message displays: The setting was updated.
Enable at least one special character for user passwords.
Follow these steps to enable special characters:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Special Characters toggle key. The following message displays: The setting was updated.
Set the maximum length of password characters.
Follow these steps to set the maximum length:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter a maximum number of characters for the password.
Click Save. The following message displays: The setting was updated.
Set the minimum length of password characters.
Follow these steps to set the minimum length:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter a minimum number of characters for the password.
Click Save. The following message displays: The setting was updated.
Set in how many days the password expires.
Follow these steps to set the password expiration:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter a number of days when the password expires.
Click Save. The following message displays: The setting was updated.
Set the number of consecutive unsuccessful login attempts before blocking the login action momentarily.
Follow these steps to set the number of failed login attempts:
View the Log-In Options tab settings. The Log-In Options tab displays.
In the setting, enter a number of consecutive unsuccessful login attempts before blocking the login action momentarily.
Click Save. The following message displays: The setting was updated.
Enhance login security by enabling two-step authentication for user verification.
Two-step authentication must also be enabled in group-level settings.
Follow these steps to set up two-step authentication:
View the Log-In Options tab settings. The Log-In Options tab displays.
Enable the Require Two Step Authentication toggle key. The following message displays: The setting was updated.
Next, select a Two Step Authentication Method.
Choose an authentication method for sending two-step verification codes.
Follow these steps to set a two-step authentication method:
View the Log-In Options tab settings. The Log-In Options tab displays.
Select one or more authentication methods as follows:
Select By email to send the code to your account email. An email address must be configured in user properties.
Select By message to phone number to send the code to your account phone number. A phone number must be configured in user properties.
Select Authenticator App to send the code to an authenticator app such as Google Authenticator.
Click Save. The following message displays: The setting was updated.
Click the Edit icon for the Maximum Length setting. The Maximum Length screen displays.
Click the Edit icon for the Minimum Length setting. The Minimum Length screen displays.
Click the Edit icon for the Password Expiration setting. The Password expiration screen displays.
Click the Edit icon for the Login Failed setting. The Login failed screen displays.
Click the Edit icon for the Two Step Authentication Method setting. The Two Step Authentication Method screen displays.
Manage user session settings.
View session control settings.
Your user account or group membership must have the "Settings: View Settings" permission to view session control settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view the session control options:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the Session Control tab. The Session Control settings display.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the toggle option or the Edit icon. See Configure Session Control Settings.
Configure System for Cross-domain Identity Management (SCIM) settings that are available to all users.
Configure a Session Control.
Your user account or group membership must have the "Settings: Update Settings" permission to edit Session Control unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Configure the following Session Control tab settings as necessary:
Set the IP address restriction policy when a user logs on or attempts to log on again using the same user account.
Follow these steps to set the IP restriction policy:
View your Session Control settings. The Session Control tab displays.
Select the IP restriction as follows:
Disabled: Disable this setting. The user may log on from a different IP address than that used by the current session. This is the default setting.
Block duplicate session: Block any attempt to start another session by the same user on another IP address.
Kill existing session: End the active session.
Click Save. The following message displays: The setting was updated.
Set the device restriction applied when a user logs on.
Follow these steps to set the device restriction:
View your Session Control settings. The Session Control tab displays.
Select device restriction as follows:
Disabled: Disable this setting. The user may log on from multiple devices. This is the default setting.
Block duplicate session: Block any attempt to start another session by the same user on another device.
Kill existing session: End any active sessions that the user has on other devices at the moment the new session starts. Keep the current session on the current device.
Click Save. The following message displays: The setting was updated.
Set the session inactivity in minutes.
Follow these steps to set the session inactivity:
View your Session Control settings. The Session Control tab displays.
In the setting, enter the number of minutes a session may remain inactive. 180 is set by default.
Click Save. The following message displays: The setting was updated.
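The following added example models how the IP restriction, device restriction, and session inactivity settings described above interact when a user logs on. It is an illustrative model, not ProcessMaker code: the class and method names are assumptions, and so is the rule that a Block duplicate session match on either setting rejects the login before any existing session is ended.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Restriction(Enum):
    DISABLED = "Disabled"
    BLOCK_DUPLICATE = "Block duplicate session"
    KILL_EXISTING = "Kill existing session"


@dataclass
class Session:
    user: str
    ip: str
    device: str
    last_active: float  # minutes on an arbitrary clock


@dataclass
class SessionControl:
    ip_restriction: Restriction = Restriction.DISABLED
    device_restriction: Restriction = Restriction.DISABLED
    inactivity_minutes: int = 180  # default value stated on the page
    sessions: List[Session] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Sessions idle for the configured time are logged out first, so a
        # stale session never blocks or outlives a fresh login.
        self.sessions = [s for s in self.sessions
                         if now - s.last_active < self.inactivity_minutes]

    def touch(self, session: Session, now: float) -> None:
        """Record user activity on a session."""
        session.last_active = now

    def login(self, user: str, ip: str, device: str,
              now: float) -> Tuple[bool, List[Session]]:
        """Return (allowed, sessions_ended_by_this_login)."""
        self._expire(now)
        mine = [s for s in self.sessions if s.user == user]
        checks = [
            (self.ip_restriction, [s for s in mine if s.ip != ip]),
            (self.device_restriction, [s for s in mine if s.device != device]),
        ]
        # Assumption: a blocking rule wins over a kill rule.
        if any(mode is Restriction.BLOCK_DUPLICATE and conflicts
               for mode, conflicts in checks):
            return False, []
        ended: List[Session] = []
        for mode, conflicts in checks:
            if mode is Restriction.KILL_EXISTING:
                ended += [s for s in conflicts if all(s is not e for e in ended)]
        self.sessions = [s for s in self.sessions
                         if all(s is not e for e in ended)]
        self.sessions.append(Session(user, ip, device, now))
        return True, ended


if __name__ == "__main__":
    # Constructed scenario using documentation-range IP addresses.
    sc = SessionControl(ip_restriction=Restriction.BLOCK_DUPLICATE)
    print(sc.login("alice", "203.0.113.10", "laptop", now=0))    # first session
    print(sc.login("alice", "198.51.100.7", "laptop", now=10))   # other IP: blocked
    print(sc.login("alice", "198.51.100.7", "laptop", now=300))  # old session timed out
```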
Click the Edit icon for the IP Restriction setting. The IP restriction screen displays.
Click the Edit icon for the Device restriction setting. The Device restriction screen displays.
Click the Edit icon for the Session Inactivity setting. The Session Inactivity screen displays.
Understand what System for Cross-domain Identity Management (SCIM) is and how it applies to more easily manage users' identities.
System for Cross-domain Identity Management (SCIM), part of the Auth package, is an open standard to automate user provisioning. SCIM settings provide additional profile settings available to all user accounts.
The SCIM specification is designed to more easily manage user identities in cloud-based applications. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models.
As a cloud-based technology, ProcessMaker developed SCIM support so that users' identities can be created either directly in a tool like Okta or imported from external systems like HR software or Active Directory. Since SCIM is a standard, user data is stored following a consistent protocol and can communicate across different apps.
The SCIM base URL is set by default in ProcessMaker after the SCIM setting is enabled. Copy the SCIM base URL to the SCIM provider's settings to synchronize user identities via SCIM. The SCIM base URL is set for your ProcessMaker instance as a redirected URL that cannot be edited.
In addition to the SCIM Base URL, a bearer token is also required to access ProcessMaker's SCIM endpoints. Follow the instructions for managing API tokens for users to obtain a bearer token for your user account and copy it to your SCIM provider's settings. This user account must also have the user permissions detailed in the Enable the SCIM Settings section.
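The following added example shows the kind of request a SCIM provider sends once it holds the SCIM base URL and bearer token described above. It is not ProcessMaker code: the `/Users` path and user schema are the standard SCIM 2.0 ones (RFC 7643/7644) and are assumed to apply here, and the base URL, token, and function names are constructed placeholders. The request is built but never sent.

```python
import json
import urllib.request
from urllib.parse import urlsplit

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643


def build_create_user_request(base_url: str, token: str, user_name: str,
                              given_name: str, family_name: str,
                              email: str) -> urllib.request.Request:
    """Build (but do not send) a SCIM 2.0 request that provisions one user."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        # A bearer token sent over plain HTTP can be read in transit.
        raise ValueError("SCIM base URL must be an absolute https:// URL")
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("bearer token is empty or contains whitespace")

    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return urllib.request.Request(
        base_url.rstrip("/") + "/Users",  # assumed standard SCIM resource path
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
    )


def loggable(req: urllib.request.Request) -> dict:
    """Describe a request for logs without exposing the bearer token."""
    headers = {
        name: ("Bearer <redacted>" if name.lower() == "authorization" else value)
        for name, value in req.header_items()
    }
    return {"method": req.get_method(), "url": req.full_url, "headers": headers}


if __name__ == "__main__":
    # Constructed placeholders: copy the real base URL from the SCIM tab and
    # the real token from the user account's API tokens.
    request = build_create_user_request(
        "https://processmaker.example.com/scim-base-url-placeholder",
        "CONSTRUCTED_TOKEN_PLACEHOLDER",
        "jdoe", "John", "Doe", "jdoe@example.com",
    )
    print(json.dumps(loggable(request), indent=2))
```

Because the token carries the user and group permissions listed in the Enable the SCIM Settings section, keep it in the provider's secret store rather than in scripts or logs.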
Enable the System for Cross-domain Identity Management (SCIM) setting to use in your SCIM apps.
The Auth package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to enable SCIM settings unless your user account has the Make this user a Super Admin setting selected.
If your user account does not have the Make this user a Super Admin option selected, the following additional permissions are required to successfully access ProcessMaker's SCIM endpoints:
Users category: Create Users, Delete Users, Edit Users, View Users.
Groups category: Create Groups, Delete Groups, Edit Groups, View Groups.
See user permissions/group permissions or ask your Administrator for assistance.
Follow these steps to enable the SCIM setting:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the SCIM tab. The SCIM tab displays the SCIM base URL in the Configuration column. By default SCIM is disabled.
Enable the SCIM toggle key in the Configuration column. The SCIM base URL displays beside the SCIM Base URL setting to copy into clipboard for inclusion into your SCIM provider's settings. The SCIM base URL is set for your ProcessMaker Platform instance as a redirected URL that cannot be edited.
Obtain a bearer token for your user account and copy it into your SCIM provider's settings.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Copy to Clipboard icon. See Copy the SCIM Base URL.
Understand what SSO is and how its settings work in your server environment.
The Auth package must be installed.
Single Sign-On (SSO) allows a user to sign on with one set of credentials to log on to ProcessMaker. This increases security and provides a better user experience for customers, employees, and partners by reducing the number of required accounts/passwords.
As a prerequisite to enable SSO, the Administrator must implement an Identity Provider. If you use a centralized user system, such as Microsoft or Google, you already have access to an Identity Provider.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
To use one or more Identity Providers, view SSO settings, and then enable the toggle key for the Identity provider(s). Doing so adds a new Settings tab to configure that specific Identity Provider. ProcessMaker Platform supports the following Identity Providers:
View all settings for SSO authentication. View SSO settings like Atlassian, Auth0, Facebook, GitHub, Google, Keycloak, Microsoft, and SAML.
Display all SSO settings in one location. This makes it easy to manage these settings.
The Auth package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to view SSO settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view all SSO settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker.
Click the Admin option from the top menu. The Users page displays.
Click the SSO tab. The SSO tab displays all SSO settings.
The SSO tab displays the following information in tabular format about SSO settings:
Setting: The Setting column displays the SSO setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Use the Search setting to filter SSO Settings that display.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon or switch on a toggle. See Configure SSO Settings.
Configure general information about SSO settings.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
Configure the following SSO settings as necessary:
Enable to display settings to log on using user credentials. When disabled, settings only display SSO log on options.
Follow these steps to enable display settings for standard log on:
View your SSO settings. The SSO tab displays.
Enable the Allow Standard Login toggle key. The following message displays: The setting was updated.
Enable whether SSO users should automatically register the first time that they log on.
Follow these steps to enable automatic registration:
View your SSO settings. The SSO tab displays.
Enable the Automatic Registration toggle key. The following message displays: The setting was updated.
Specify which permissions to assign new users that are created via SSO:
Follow these steps to specify which user permissions to assign new users created via SSO:
View your SSO settings. The SSO tab displays.
Enable permissions as necessary. See Permission Descriptions for Users and Groups for descriptions.
Click Save. The following message displays: The setting was updated.
Select to which groups to assign users created via SSO.
Follow these steps to select to which groups to assign users created via SSO:
View your SSO settings. The SSO tab displays.
Enable groups as necessary.
Click Save. The following message displays: The setting was updated.
Copy to clipboard a JSON-formatted object of all assigned permissions and groups for users created via SSO.
Follow these steps to copy the permissions and groups for SSO users:
View your SSO settings. The SSO tab displays.
Select a default SSO integration to allow users to be automatically redirected to the IDP Single Sign On log on page instead of displaying the normal Login page. When the user goes to the log on page, that user is redirected to the selected provider.
Follow these steps to enable default SSO Integration:
View your SSO settings. The SSO tab displays.
Select an SSO identity provider among:
Select the ProcessMaker SSO login option if you do not want an SSO identity provider as the default log on. This option ensures that LDAP users can verify accounts in ProcessMaker Platform. This option also helps you log on as an administrator while fixing SSO problems.
Click Save. The following message displays: The setting was updated.
Select whether detailed SSO errors should be displayed. It is recommended to disable debug mode on production servers.
Follow these steps to enable debug mode:
View your SSO settings. The SSO tab displays.
Switch on the Debug Mode toggle key. The following message displays: The setting was updated.
Select whether to enable single sign-on via SSO identity providers to log on as necessary. The SSO identity provider options display on the log on screen.
View your SSO settings. The SSO tab displays.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Select a collapsed permission category to expand the view of individual permissions within that category. Otherwise, select an expanded permission category to collapse that category.
Click the Edit icon for the New User Default Config setting. The New User Default Config screen with the Permissions tab displays.
Click the Groups tab. All available groups display.
Click the Copy to Clipboard icon for the New User Default Config setting. The following message displays: The setting was copied to your clipboard.
Click the Edit icon for the Default SSO Login setting. The Default SSO Login screen with the SSO identity providers displays.
Filter all SSO Settings in your server to find the one you need.
Use the Search function to filter all SSO settings from the SSO page based on your entered text.
The Auth package must be installed.
Your user account or group membership must have the "Settings: Update Settings" permission to search for an SSO setting unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for an SSO setting:
View your SSO Settings. The SSO tab displays.
In the Search setting, enter the Setting name to filter by SSO setting name.
Click the Search icon or press Enter. The SSO settings display that match your entered text.
Configure SSO settings for Keycloak.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to configure SSO with Keycloak:
Base URL
Client ID
Client Secret
Realm
To generate or locate this information, refer to Keycloak Server Administration.
See an example in the following video showing how to configure Keycloak SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Keycloak SSO settings as necessary:
Configure your SSO Settings. From the list of SSO identity providers, select the Keycloak option. The SSO - Keycloak tab displays.
Enter your Keycloak base URL, and then click Save.
Enter your Keycloak client ID, and then click Save.
Enter your Keycloak client secret, and then click Save.
Enter your Keycloak realm, and then click Save.
Click the Edit icon for the Base URL setting. The Base URL screen displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Realm setting. The Realm screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Keycloak Admin Console.
Configure SSO settings for Atlassian.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to configure SSO with Atlassian:
Client ID
Client Secret
To generate or locate this information, refer to the Atlassian Developer Guide.
See an example in the following video showing how to configure Atlassian SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 3 minutes; contains narration
Configure the following Atlassian SSO settings as necessary:
Configure your SSO Settings. From the list of SSO identity providers, select the Atlassian option. The SSO - Atlassian tab displays.
Enter your Atlassian client ID, and then click Save.
Enter your Atlassian client secret, and then click Save.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Atlassian developer console.
Configure SSO settings for Microsoft.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to configure SSO with Microsoft:
Client ID
Client Secret
To generate or locate your Microsoft client ID and client secret, refer to Register an app in the Microsoft identity platform.
See an example in the following video showing how to configure Microsoft SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Microsoft SSO settings as necessary:
Configure your SSO Settings. From the list of SSO identity providers, select the Microsoft option. The SSO - Microsoft tab displays.
Enter your Microsoft client ID, and then click Save.
Enter your Microsoft client secret, and then click Save.
Configure SSO settings for Auth0.
The following information is required to configure SSO with Auth0:
Client ID
Client Secret
Domain
To generate or locate this information, contact your Auth0 identity provider.
See an example in the following video showing how to configure Auth0 SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Auth0 SSO settings as necessary:
Enter your Auth0 client ID, and then click Save.
Enter your Auth0 client secret, and then click Save.
Enter your Auth0 domain, and then click Save.
Configure SSO settings for Facebook.
The following information is required to configure SSO with Facebook:
App ID
App Secret
See an example in the following video showing how to configure Facebook SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Facebook SSO settings as necessary:
Enter your Facebook App ID, and then click Save.
Enter your Facebook app secret, and then click Save.
Configure SSO settings for GitHub.
The following information is required to configure SSO with GitHub:
Client ID
Client Secret
See an example in the following video showing how to configure GitHub SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following GitHub SSO settings as necessary:
Enter your GitHub client ID, and then click Save.
Enter your GitHub client secret, and then click Save.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Microsoft application settings.
The must be installed.
See the permissions or ask your Administrator for assistance.
​. From the list of SSO identity providers, select the Auth0 option. The SSO - Auth0 tab displays.
Use the copy icon to copy the URL from the Callback URL setting, and then provide it to your Auth0 identity provider.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Click the Edit icon for the Domain setting. The Domain screen displays.
The must be installed.
See the permissions or ask your Administrator for assistance.
To generate or locate your Facebook app ID and app secret, refer to .
​. From the list of SSO identity providers, select the Facebook option. The SSO - Facebook tab displays.
Click the Edit icon for the App ID setting. The App ID screen displays.
Click the Edit icon for the App Secret setting. The App Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Facebook for Developers app.
The must be installed.
See the permissions or ask your Administrator for assistance.
To generate or locate your GitHub client ID and client secret, refer to .
​. From the list of SSO identity providers, select the GitHub option. The SSO - GitHub tab displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your GitHub application settings.
Copy an SSO configuration to the clipboard.
Copy an SSO configuration to the clipboard to have this information in another environment or for testing purposes.
The Auth package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to copy an SSO setting unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to copy an SSO configuration:
View your SSO Settings. The SSO tab displays.
Configure SSO settings for SAML.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
The following information is required to configure SSO with SAML:
SSO endpoint
SSO identifier
SLO endpoint
Encryption type
Authentication context
Public certificate
Name ID format
To generate or locate this information, contact your SAML identity provider.
See an example in the following video showing how to configure SAML SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 6 minutes; contains narration
Note: The video demonstrates the procedure to configure SAML SSO using obsolete settings. The written form of this procedure uses the current settings.
Configure the following SAML SSO settings as necessary:
View your SSO Settings. From the list of SSO identity providers, select the SAML option. The SSO - SAML tab displays.
Click the SSO - SAML tab. The SSO - SAML settings display.
Enter the identity provider URL from which ProcessMaker retrieves the authentication response and validates it when establishing the SSO session. Your identity provider provides this URL.
Enter the URL that references the SAML XML file for your identity provider (IdP). Your identity provider provides this URL.
Enter the logout URL provided by your identity provider.
From the list of encryption types, select the encryption type your identity provider uses.
Use the Authentication Context toggle to indicate whether to send authentication context in the authorization request or not.
Enter the identity provider's certificate fingerprint by pasting it into this setting. Your identity provider provides this certificate. Be sure to include the -----BEGIN CERTIFICATE----- header. ProcessMaker retrieves the authentication response and validates it using the identity provider's certificate fingerprint.
Click the browse button and then select the file containing your SAML certificate, if one is available from your identity provider.
Click the browse button and then select the file containing your SAML key, if one is available from your identity provider.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting field, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Click the Add button. An empty row displays.
In the ProcessMaker Property setting, enter the ProcessMaker user property to which to match the SSO SAML attribute.
In the SAML Attribute setting, enter the SSO SAML attribute from which to map to the ProcessMaker user property.
Click Save. The following message displays: The setting was updated.
Enter the name identifier format supported by your SAML identity provider.
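The Public Certificate setting described above takes pasted PEM text. The following Python check is an added example, not ProcessMaker code: it confirms that the pasted text is one complete PEM certificate block including its header, refuses private key material, and computes the fingerprint to compare with the value your identity provider publishes. The sample bytes are constructed placeholders rather than a real certificate, and the one-certificate rule is an assumption of this example.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Any PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


class CertificateInputError(ValueError):
    """The pasted text is not usable as a single PEM certificate."""


def colon_hex(digest: bytes) -> str:
    """Format a digest the way fingerprints are usually published (AA:BB:...)."""
    return ":".join(f"{byte:02X}" for byte in digest)


def check_idp_certificate(pasted: str) -> dict:
    """Validate pasted PEM text and return the fingerprints of its DER bytes."""
    blocks = PEM_BLOCK.findall(pasted)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise CertificateInputError("private key material found; paste only the certificate")
    bodies = [body for label, body in blocks if label == "CERTIFICATE"]
    if not bodies:
        raise CertificateInputError("no complete -----BEGIN CERTIFICATE----- block found")
    if len(bodies) > 1:
        # Assumption of this example: the setting holds one certificate, not a chain.
        raise CertificateInputError(f"{len(bodies)} certificates found; expected one")
    try:
        der = base64.b64decode("".join(bodies[0].split()), validate=True)
    except binascii.Error as exc:
        raise CertificateInputError(f"certificate body is not valid base64: {exc}") from exc
    if len(der) < 2 or der[0] != 0x30:
        raise CertificateInputError("decoded data does not start with a DER SEQUENCE")
    return {
        "sha256": colon_hex(hashlib.sha256(der).digest()),
        "sha1": colon_hex(hashlib.sha1(der).digest()),
        "der_length": len(der),
    }


def fingerprint_matches(pasted: str, published: str) -> bool:
    """Compare the pasted certificate with a fingerprint obtained out of band."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", published).upper()
    algorithm = {64: "sha256", 40: "sha1"}.get(len(wanted))
    if algorithm is None:
        raise CertificateInputError("published fingerprint must be SHA-256 or SHA-1 hex")
    actual = check_idp_certificate(pasted)[algorithm].replace(":", "")
    return hmac.compare_digest(actual, wanted)


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap bytes in PEM armor (used here only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed placeholder: a DER SEQUENCE header plus filler, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x40]) + bytes(range(64))
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    report = check_idp_certificate(SAMPLE_PEM)
    print("SHA-256:", report["sha256"])
    print("matches published value:", fingerprint_matches(SAMPLE_PEM, report["sha256"]))
    for bad in (SAMPLE_PEM.split("\n", 1)[1], to_pem(b"\x30\x00", "RSA PRIVATE KEY")):
        try:
            check_idp_certificate(bad)
        except CertificateInputError as err:
            print("rejected:", err)
```

Obtain the published fingerprint through a channel other than the one that delivered the certificate, so that a substituted certificate does not arrive with a matching fingerprint.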
Configure SSO settings for Google.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
The following information is required to configure SSO with Google:
Client ID
Client Secret
To generate or locate your Google client ID and client secret, refer to Authentication overview - Google Cloud.
See an example in the following video showing how to configure Google SSO settings.
Intended audience: System administrators and Process designers
Viewing time: 2 minutes; contains narration
Configure the following Google SSO settings as necessary:
Configure your SSO Settings. From the list of SSO identity providers, select the Google option. The SSO - Google tab displays.
Enter your Google client ID, and then click Save.
Enter your Google client secret, and then click Save.
Clear an SSO configuration to an empty value.
Clearing an SSO configuration setting cannot be undone.
Follow these steps to clear an SSO configuration setting:
Click the Copy to Clipboard icon for your SSO configuration. The following message displays: The setting was copied to your clipboard.
Use the copy icon to copy the URL from the ACS Url setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Entity ID (Metadata) setting, and then provide it to your SAML identity provider.
Use the copy icon to copy the URL from the Single Logout URL setting, and then provide it to your SAML identity provider.
Click the Edit icon for the SSO Endpoint setting. The SSO Endpoint screen displays.
Click the Edit icon for the SSO Identifier setting. The SSO Identifier screen displays.
Click the Edit icon for the SLO Endpoint setting. The SLO Endpoint screen displays.
Click the Edit icon for the Encryption Type setting. The Encryption Type screen displays.
Click the Edit icon for the Public Certificate setting. The Public Certificate screen displays.
Click the Edit icon for the File crt setting. The File crt screen displays.
Click the Edit icon for the File key setting. The File key screen displays.
Click the Edit icon for the User Matching setting. The User Matching screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker user property.
Click the Edit icon for the Name ID Format setting. The Name ID Format screen displays.
Click the Edit icon for the Client ID setting. The Client ID screen displays.
Click the Edit icon for the Client Secret setting. The Client Secret screen displays.
Use the copy icon to copy the URL from the Redirect setting, and then provide it in your Google Web application settings.
The must be installed.
See the permissions or ask your Administrator for assistance.
​. The SSO tab displays.
Click the Clear icon for your SSO configuration setting. The following message displays: The setting was updated.
Understand what a User Signal is and how it is configured.
The Advanced User package must be installed.
User Signals allow Process designers to react to changes to user accounts. When a change occurs to a user account, a BPMN 2.0 Signal event triggers; any Process that subscribes to that Signal can react. The Signal includes a payload containing that user’s data as a data array.
Below is a description of each user-type event and the Signal ID value to use for its corresponding Signal.
When a User Signal event triggers, the following occurs:
That User Signal broadcasts the _user Magic Variable containing the user account affected by that User Signal event. For example, the full name set in the affected user account is accessible with JSON dot notation as _user.fullname. See the _user Magic Variable to reference any JSON object within this Magic Variable.
The User Signal event broadcasts any User Enhanced Properties and the affected user account's corresponding values.
Learn about Collection Signals.
User-Type Event
Description of Event
Signal ID
Create
user_create
Delete
user_update
Read
A user account is accessed in either of the following ways:
user_read
Update
user_delete
Filter User Signals in your organization to find the one you need.
Use the Search function to filter User Signals from the User Signals page based on your entered text.
The Advanced Users package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to search for a User Signal unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for a User Signal:
View your User Signals. The User Signals tab displays.
In the Search setting, enter the name of the User Signal to find. For example, enter Create to find the Create User Signal.
Click the Search icon to find User Signals matching the entered text.
Configure extended properties that are available to all users.
As an Administrator, extend users' attributes in the User Extended Properties tab. The user profile settings contain the most relevant information for users. However, the client can add more profile setting fields according to their needs.
Understand what user extended properties are and how they apply to all users.
Part of the Advanced User package, User Extended Properties provide additional profile settings available to all user accounts. The User Extended Properties setting allows Administrators to store additional information in user accounts. User Extended Properties display in the Additional Information section when editing a user account.
User Extended Properties are comprised of two parts: the JSON data variable name and the label. This JSON data variable becomes available as part of the user data object. The label displays in the Additional Information section.
To configure User Extended Properties, visit the Admin Settings page, and then select the Users tab and click on the Edit icon to open the Extended Properties management modal.
For example, add User Extended Properties to attribute information for Human Resources, such as the hiring date, onboarding date, offboarding date, and office location for each user in the organization.
Configure User Extended Properties from the Users tab in Settings. See View User Extended Properties.
View the current settings for User Signals in your organization.
The Advanced Users package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view User Signals unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view User Signals settings:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the User Signals tab to display User Signals settings. All User Signals are disabled by default.
The User Signals tab displays the following information:
Setting: The Setting column displays the User Signal name and a description. See What is a User Signal? for a description of each User Signal's function.
Configuration: The Configuration column displays a toggle key to indicate whether that User Signal is enabled or disabled.
Use the Search setting to filter User Signals that display.
Use the Configuration toggle key. See Enable or Disable a User Signal.
Enable or disable a User Signal from the User Signals tab.
Follow these steps to enable or disable a User Signal:
Click the toggle key in the Configuration column of each User Signal to enable or disable it.
The message The setting was updated appears to confirm that the setting has been saved.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
All are disabled by default and can be enabled using a toggle key in the Configuration column. If a User Signal's toggle key is disabled, that User Signal does not broadcast to listening Signal-type events when that user-type event occurs.
The must be installed.
See the permissions or ask your Administrator for assistance.
. The User Signals tab displays:
Configure password and login settings that are available to the logon process.
View the settings that connect ProcessMaker Platform to your ProcessMaker IDP instance.
The IDP package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view ProcessMaker IDP server settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view the IDP settings:
Ensure that you are logged on to ProcessMaker.
Click the Admin option from the top menu. The Users page displays.
Click the IDP tab. The IDP tab displays settings to authenticate ProcessMaker Platform to your ProcessMaker IDP instance.
The IDP tab displays the following information in tabular format about SSO settings:
Setting: The Setting column displays the IDP setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Use the Search setting to filter SSO Settings that display.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon to configure that setting. See Configure IDP settings.
Manage System for Cross-domain Identity Management (SCIM) settings.
Copy to clipboard the System for Cross-domain Identity Management (SCIM) base URL from the SCIM tab for inclusion to your SCIM apps.
The Auth package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to copy SCIM settings unless your user account has the Make this user a Super Admin setting selected.
If your user account is not a Super Admin, the following additional permissions are required to successfully access ProcessMaker's SCIM endpoints:
Users: Create Users, Delete Users, Edit Users, View Users.
Groups: Create Groups, Delete Groups, Edit Groups, View Groups.
See user permissions/group permissions or ask your Administrator for assistance.
Follow these steps to copy the SCIM base URL:
Click on the icon to copy the URL for inclusion into your SCIM provider's settings.
Both the Edit icon and the Delete icon are deactivated in SCIM. The SCIM base URL is set for your ProcessMaker Platform instance as a redirected URL that cannot be edited.