Why a BPM needs enterprise SSO
A BPM handles case files, contracts, invoices, signatures and approvals. In other words: personal, financial and legal data. Every user that authenticates outside the corporate perimeter is a risk vector and one more identity to maintain.
Without SSO four problems pile up: weak or reused passwords, ex-employees with live access, audit logs you cannot correlate with the corporate SIEM, and onboarding/offboarding that drags for weeks instead of minutes.
With SSO wired to your source of truth (Active Directory, Entra ID or Google Workspace), an HR offboarding deactivates the Dokuflex account in the same provisioning cycle. No tickets, no spreadsheets.
Supported protocols at a glance
What is covered out of the box — no custom development, no hidden premium modules:
| Protocol / standard | Typical use case | Support |
|---|---|---|
| Active Directory (LDAP/LDAPS) | Authentication against the corporate AD, on-premise or hybrid. | ✓ Native |
| ADFS (Active Directory Federation Services) | SAML/WS-Fed federation over AD for Windows Server environments. | ✓ Native |
| SAML 2.0 | Standard SSO with any SAML IdP (Okta, OneLogin, Ping, Auth0, Keycloak…). | ✓ Native |
| OAuth 2.0 + OpenID Connect (OIDC) | Modern authentication with authorization-code + PKCE flows. | ✓ Native |
| Microsoft Entra ID (formerly Azure AD) | SSO with Microsoft 365, Conditional Access, claims and groups. | ✓ Native |
| Google Workspace | SSO with corporate Google accounts via OIDC or SAML. | ✓ Native |
| CAS (Central Authentication Service) | Common SSO in universities and public administrations with CAS 3.x. | ✓ Native |
| Kerberos / SPNEGO | Transparent intranet single sign-on with the Windows session. | ✓ Native |
| 2FA / MFA | TOTP (Google Authenticator, Authy, Microsoft Authenticator), SMS, email, push. | ✓ Native |
| WebAuthn / FIDO2 | Passkeys, YubiKey and biometric authenticators for administrators. | ✓ Native |
| Digital certificate + eID | Authentication with cryptographic smartcard (AC FNMT, ACA, ANCERT, Camerfirma). | ✓ Native |
| SCIM 2.0 (provisioning) | Automatic user and group sync from the IdP. | ✓ Native |
All protocols are included in the Business plan and above, with no per-user surcharge and no separate "Enterprise Security" license.
Active Directory and LDAP/LDAPS
The most common scenario in mid-size companies running a Windows domain. Dokuflex talks to the domain controller via LDAPS (LDAP over TLS) and authenticates the user without ever storing the password.
What you configure in under an hour:
- DC URL: `ldaps://dc.empresa.local:636`
- Technical bind DN (service account with read permission).
- Search base DN: `OU=Usuarios,DC=empresa,DC=local`
- Attribute mapping: `sAMAccountName`, `mail`, `memberOf` for roles.
- Membership filter: only users in the group `CN=Dokuflex-Users,OU=Apps`.
For hybrid setups (AD on-prem + Entra ID in the cloud), we recommend delegating authentication to Entra ID with OIDC and reserving LDAP for back-office integrations only.
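The two parts of an AD/LDAPS login that are easy to get wrong are the search filter (user input must be escaped so it cannot change the filter's logic) and the group check (matching must be case-insensitive and anything outside the mapped groups must grant nothing). The following is an added example, not Dokuflex code; it makes no network connection and uses the DNs quoted above, with `ROLE_MAP` and the `Dokuflex-Admins` group as assumptions:

```python
"""Injection-safe LDAP filter and memberOf-to-role mapping for an AD/LDAPS login.

Added example, not Dokuflex code. No network connection is made: the point is
the two pieces to get right before binding to a DC, an RFC 4515-escaped search
filter and a strict membership check. ROLE_MAP and the group DNs are constructed
from the DNs quoted in the text; the Dokuflex-Admins group is an assumption.
"""
from typing import Dict, List, Set, Tuple

# Constructed mapping of AD group DNs to application roles.
ROLE_MAP: Dict[str, str] = {
    "CN=Dokuflex-Admins,OU=Apps,DC=empresa,DC=local": "admin",   # assumed group
    "CN=Dokuflex-Users,OU=Apps,DC=empresa,DC=local": "user",
}
REQUIRED_GROUP = "CN=Dokuflex-Users,OU=Apps,DC=empresa,DC=local"

# RFC 4515: these characters change filter structure unless hex-escaped.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's logic."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Filter for one enabled account by sAMAccountName that is also a member of
    REQUIRED_GROUP. Accounts outside the group never match, so the membership
    rule is enforced by the directory itself, not by later application code.
    The bitwise-AND matching rule OID tests the ACCOUNTDISABLE flag (0x2) of
    userAccountControl."""
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_ldap_filter(username)})"
        f"(memberOf={escape_ldap_filter(REQUIRED_GROUP)})"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    )


def roles_from_member_of(member_of: List[str]) -> Set[str]:
    """Map memberOf DNs to roles. AD DN matching is case-insensitive, so
    normalise both sides; groups not in ROLE_MAP grant nothing."""
    wanted = {dn.lower(): role for dn, role in ROLE_MAP.items()}
    return {wanted[dn.lower()] for dn in member_of if dn.lower() in wanted}


def authorise(entry: Dict[str, object]) -> Tuple[bool, Set[str]]:
    """Second line of defence applied to the returned entry: require
    REQUIRED_GROUP membership and a mail attribute (used as the account key)."""
    groups = [str(g) for g in entry.get("memberOf", [])]  # type: ignore[union-attr]
    if REQUIRED_GROUP.lower() not in {g.lower() for g in groups}:
        return False, set()
    if not entry.get("mail"):
        return False, set()
    return True, roles_from_member_of(groups)
```

The filter is built once from the escaped username and the group DN; the directory does the membership enforcement, and `authorise` repeats the check on the returned entry so that a misconfigured filter cannot silently widen access.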
ADFS and SAML 2.0
If your organisation already federates applications via ADFS or a SAML IdP (Okta, OneLogin, Ping Identity, Auth0, Keycloak, Shibboleth), Dokuflex plugs in as a Service Provider in just a few steps:
- Download the Dokuflex SP metadata (XML with entityID, ACS URL and certificate).
- Import it into your IdP as a new Relying Party / Application.
- Define the claims that travel in the SAML assertion: `NameID`, `email`, `groups`, `department`.
- Upload the IdP metadata in the Dokuflex panel.
- Map SAML `groups` → Dokuflex roles.
We support SP-Initiated SSO, IdP-Initiated SSO, Single Logout (SLO), signed and encrypted assertions, and automatic certificate rotation.
OAuth 2.0 and OIDC with Google and Microsoft Entra ID
For cloud-identity organisations, the recommended flow is OAuth 2.0 + OpenID Connect (authorization code + PKCE). It is the modern standard: token rotation, refresh tokens, claims signed as JWTs.
Microsoft Entra ID
You register Dokuflex as an application in your tenant, configure the redirect URI, define scopes (openid, email, profile, groups) and optionally enforce Conditional Access.
- App Registration with HTTPS redirect URI.
- Entra ID groups → Dokuflex roles.
- Conditional Access (IP, device, session risk).
- MFA delegated to Entra ID (Authenticator app, FIDO2).
Google Workspace
You create an OAuth Client in the Google Cloud Console, lock the domain (hd=empresa.com) and map Workspace groups to roles.
- Client ID + Client Secret in Google Cloud.
- Domain restriction to block personal accounts.
- Workspace groups → Dokuflex roles via Directory API.
- 2FA delegated to Google (Authenticator, Titan Key).
In both cases Dokuflex never stores the password or the authentication factor: the session lives in your IdP and Dokuflex only receives the signed token.
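As an added example (not Dokuflex code), the client side of the authorization-code + PKCE flow described above: generating the verifier/challenge pair, building the front-channel redirect with `state` and `nonce`, and the claim checks that must run on the ID token after its signature has been verified. Signature verification against the IdP's JWKS is assumed to be done by a JOSE library beforehand; the client ID and redirect URI used in the usage are constructed values, while the Google endpoints are the public ones.

```python
"""Authorization-code + PKCE client steps and the ID-token claim checks.

Added example, not Dokuflex code. Signature verification of the JWT against the
IdP's JWKS is assumed to be done by a JOSE library before validate_id_token is
called; this block covers the checks that are often skipped afterwards: nonce,
issuer, audience, expiry, email_verified and Google's hd claim. The client_id
and redirect URI values used in tests are constructed.
"""
import base64
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh 43-char code_verifier (32 random bytes) and its challenge. The
    verifier stays server-side in the session; only the challenge goes out."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge(verifier)


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        challenge: str, state: str, nonce: str,
                        hd: Optional[str] = None) -> str:
    """Front-channel redirect. `state` binds the callback to this browser
    session (CSRF defence); `nonce` binds the ID token to this login attempt."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if hd:
        # Google Workspace domain hint. It is only a hint: the hd claim must be
        # re-checked on the ID token (see validate_id_token).
        params["hd"] = hd
    return f"{authorize_endpoint}?{urlencode(params)}"


def validate_id_token(claims: Dict[str, object], *, issuer: str, client_id: str,
                      nonce: str, required_hd: Optional[str] = None,
                      now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means accept.
    `claims` is the payload of an ID token whose signature already verified."""
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if required_hd is not None and claims.get("hd") != required_hd:
        problems.append("account outside the allowed Workspace domain")
    if claims.get("email") is not None and claims.get("email_verified") is not True:
        problems.append("email not verified by the IdP")
    return problems
```

The `hd` parameter on the authorization request only filters the account picker; the domain restriction that actually blocks personal accounts is the `hd` check on the returned token.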
CAS (Central Authentication Service)
CAS is the dominant standard in public universities, hospitals and government bodies across Spain and Europe. Dokuflex implements CAS 3.x as a client:
- Configuration of the `cas-server-url`.
- Service ticket validation via `/serviceValidate`.
- Attribute readout (department, role) from the CAS response.
- Federated logout (single sign-out) with notification to the CAS server.
If your organisation works with cl@ve, Cl@ve Firma, AutenticaIDP or other public-sector IdPs, they also integrate over federated SAML 2.0.
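The ticket validation step above is where a CAS client most often goes wrong: the `service` parameter must match exactly, and any response that is not an explicit `authenticationSuccess` with a user must be treated as a deny. The following is an added example, not Dokuflex code; the two XML documents are constructed in the shape a CAS 3.x server returns, with the attribute names (`department`, `role`) taken from the text and the user name and ticket value made up:

```python
"""Build the /serviceValidate call and parse its CAS 3.x XML response.

Added example, not Dokuflex code. The two XML documents are constructed to
follow the CAS protocol's serviceResponse schema (namespace
http://www.yale.edu/tp/cas); the attribute names department and role are the
ones the text mentions, the user name and ticket value are made up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


@dataclass
class CasResult:
    ok: bool
    user: str = ""
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    error_code: str = ""


def build_validate_url(cas_server_url: str, service: str, ticket: str) -> str:
    """`service` must be byte-for-byte the URL the ticket was issued for,
    otherwise the CAS server answers INVALID_SERVICE."""
    return f"{cas_server_url.rstrip('/')}/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_service_validate(xml_text: str) -> CasResult:
    """Map the response to a result object. Anything that is not an explicit
    authenticationSuccess with a non-empty user is a deny. For XML from a
    server you do not fully control, parse with defusedxml instead of
    xml.etree to rule out entity-expansion tricks."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
        return CasResult(ok=False, error_code=code)
    user_el = success.find("cas:user", CAS_NS)
    user = (user_el.text or "").strip() if user_el is not None else ""
    if not user:
        return CasResult(ok=False, error_code="MISSING_USER")
    attrs: Dict[str, List[str]] = {}
    attr_root = success.find("cas:attributes", CAS_NS)
    if attr_root is not None:
        for el in attr_root:
            name = el.tag.split("}", 1)[-1]  # drop the namespace prefix
            attrs.setdefault(name, []).append((el.text or "").strip())
    return CasResult(ok=True, user=user, attributes=attrs)


# Constructed responses in the shape a CAS 3.x server returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>mgarcia</cas:user>
    <cas:attributes>
      <cas:department>Registrar</cas:department>
      <cas:role>staff</cas:role>
      <cas:role>approver</cas:role>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

Multi-valued attributes (two `cas:role` elements here) are kept as lists, which is what the role mapping needs; collapsing them to a single string would silently drop roles.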
2FA / MFA: factors and policies
When the corporate IdP already enforces MFA (Entra ID Conditional Access, Google 2-Step), Dokuflex respects it without asking for a second factor on top. When it does not, Dokuflex applies MFA directly at login.
Supported factors:
- TOTP (RFC 6238): Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden.
- WebAuthn / FIDO2: YubiKey, device passkeys (Touch ID, Windows Hello), Titan keys.
- SMS (with the caveats recommended by NIST for sensitive environments).
- Email OTP for external users without a corporate smartphone.
- Push notification from the Dokuflex mobile app.
- Digital certificate + eID as a second factor in signing operations.
Configurable policies: mandatory for administrators, conditional by role, by IP (internal without MFA / external with MFA), by action sensitivity (sign, export, approve > €X), and by session inactivity.
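An added example (not Dokuflex code) of how the policy dimensions above combine into a single step-up decision: role, network origin, action sensitivity with an amount threshold, inactivity, and the rule that an IdP which already enforced MFA is trusted via the OIDC `amr` claim (RFC 8176) rather than prompting again at login. The internal CIDRs, the EUR threshold, the inactivity window and the re-authentication window are constructed values.

```python
"""MFA step-up decision for a login or a sensitive action.

Added example, not Dokuflex code. It encodes the policy dimensions the text
lists (role, network origin, action sensitivity with an amount threshold,
inactivity) and honours an upstream IdP's MFA via the OIDC `amr` claim
(RFC 8176), so a user who already did MFA at Entra ID or Google is not
prompted twice at login. The internal CIDRs, the EUR threshold, the
inactivity window and the re-authentication window are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_ACTIONS = {"sign", "export", "approve"}
APPROVAL_MFA_THRESHOLD_EUR = 5000.0      # the "approve > EUR X" rule
MAX_IDLE_SECONDS = 15 * 60
REAUTH_WINDOW_SECONDS = 5 * 60           # how fresh a factor must be for a sensitive action
# amr values that denote a second factor; "pwd" alone does not count.
MFA_AMR_VALUES = {"mfa", "otp", "hwk", "sms", "swk", "fpt", "face"}


@dataclass
class Context:
    roles: Set[str]
    source_ip: str
    action: str = "login"
    amount_eur: float = 0.0
    idle_seconds: int = 0
    amr: List[str] = field(default_factory=list)     # from the IdP's ID token
    mfa_done_this_session: bool = False               # factor completed locally
    seconds_since_mfa: Optional[int] = None           # age of the last factor, any source


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def mfa_required(ctx: Context) -> Tuple[bool, str]:
    """(required, reason). Rules are ordered from strongest to weakest so the
    reason reported is the one a SOC analyst wants to see in the log."""
    if "admin" in ctx.roles:
        return True, "administrators always need MFA"
    if ctx.action in SENSITIVE_ACTIONS and (
            ctx.action != "approve" or ctx.amount_eur > APPROVAL_MFA_THRESHOLD_EUR):
        return True, f"sensitive action: {ctx.action}"
    if not is_internal(ctx.source_ip):
        return True, "external network origin"
    if ctx.idle_seconds > MAX_IDLE_SECONDS:
        return True, "session inactivity"
    return False, "no policy matched"


def mfa_satisfied(ctx: Context) -> bool:
    """A factor proven by the IdP (amr) or locally both count, so nobody is
    asked twice at login. A sensitive action additionally needs that factor
    to be recent (re-authentication), whatever its source."""
    has_factor = ctx.mfa_done_this_session or bool(MFA_AMR_VALUES & set(ctx.amr))
    if not has_factor:
        return False
    if ctx.action in SENSITIVE_ACTIONS:
        return ctx.seconds_since_mfa is not None and ctx.seconds_since_mfa <= REAUTH_WINDOW_SECONDS
    return True


def decide(ctx: Context) -> str:
    """'allow' or 'prompt_mfa'."""
    required, _reason = mfa_required(ctx)
    return "prompt_mfa" if required and not mfa_satisfied(ctx) else "allow"
```

Keeping `mfa_required` and `mfa_satisfied` separate is deliberate: the first is pure policy and can be unit-tested against the approved role matrix, the second depends on session state and the IdP's claims.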
Automatic provisioning (SCIM 2.0) and JIT
Beyond login, Dokuflex syncs with your IdP in two modes:
- JIT (Just-In-Time): the user is created in Dokuflex automatically on first SSO login. Handy for SAML/OIDC with groups as claims.
- SCIM 2.0: proactive sync from Entra ID, Okta, OneLogin or Workspace. Creates, updates and deactivates users and groups in real time from the IdP, no manual intervention.
Combined: when HR offboards someone in Workday/SAP SuccessFactors, the change flows to the IdP and from there to Dokuflex within minutes. Zero orphaned access.
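The offboarding path in SCIM terms is a `PATCH` on the user that replaces `active` with `false`. As an added example (not Dokuflex code), the application side of that request, built to the shape RFC 7644 section 3.5.2 defines: it validates the PatchOp schema, applies the operations atomically, and on deactivation revokes live sessions as well, since a flag alone would leave an already-issued session usable. The user id, `USERS` store and `SESSIONS` store are constructed in-memory data.

```python
"""Apply a SCIM 2.0 PatchOp to a user record: the offboarding path.

Added example, not Dokuflex code. The request body is constructed in the
shape RFC 7644 section 3.5.2 defines (PatchOp schema URN plus an Operations
array). On `active: false` the application must flip the flag AND revoke live
sessions, otherwise access survives until the session expires on its own.
The user id, USERS store and SESSIONS store are constructed in-memory data.
"""
from typing import Any, Dict, Tuple

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MUTABLE_ATTRS = {"active", "userName", "displayName", "roles"}

# Constructed state: one user created earlier by JIT or SCIM, two live sessions.
USERS: Dict[str, Dict[str, Any]] = {
    "user-0001": {"userName": "mgarcia@empresa.com", "displayName": "M. Garcia",
                  "active": True, "roles": ["user"]},
}
SESSIONS: Dict[str, str] = {"sess-a": "user-0001", "sess-b": "user-0002"}


def revoke_sessions(user_id: str) -> int:
    """Drop every live session of the user; returns how many were revoked."""
    doomed = [sid for sid, uid in SESSIONS.items() if uid == user_id]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


def _to_bool(value: Any) -> bool:
    # Some IdPs serialise booleans as the strings "True"/"False"; accept those
    # and nothing else, so a typo cannot silently re-enable an account.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"active must be boolean, got {value!r}")


def _set_attr(user: Dict[str, Any], name: str, value: Any) -> bool:
    """Write one attribute on the working copy; returns True if it deactivated."""
    if name not in MUTABLE_ATTRS:
        raise ValueError(f"attribute not writable via SCIM: {name}")
    if name == "active":
        value = _to_bool(value)
    user[name] = value
    return name == "active" and value is False


def apply_scim_patch(user_id: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Apply replace/remove operations atomically: work on a copy, commit only
    if every operation is understood, so the IdP gets a 400 instead of a
    silent partial update. Session revocation happens after the commit."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    user = dict(USERS[user_id])
    deactivated = False
    for op in body.get("Operations", []):
        kind = str(op.get("op", "")).lower()
        path, value = op.get("path"), op.get("value")
        if kind == "replace" and path is None and isinstance(value, dict):
            for name, v in value.items():            # "replace" without a path
                deactivated |= _set_attr(user, name, v)
        elif kind == "replace" and path:
            deactivated |= _set_attr(user, path, value)
        elif kind == "remove" and path and path != "active":
            user.pop(path, None)
        else:
            raise ValueError(f"unsupported operation: {op!r}")
    USERS[user_id] = user
    if deactivated:
        revoke_sessions(user_id)
    return user


# Constructed body as an IdP would send it when HR offboards the user.
OFFBOARD_PATCH: Dict[str, Any] = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": False}],
}
```

Rejecting a `remove` on `active` is intentional: SCIM gives it no defined meaning for a required boolean, and guessing in either direction is worse than returning an error the IdP will surface.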
Regulatory compliance
Dokuflex SSO/MFA is designed to withstand audits for:
- ENS: strong access control (op.acc.5/6/7), traceability (op.mon.1) and mandatory MFA in HIGH categories.
- NIS2, Article 21: access control, MFA and identity management as mandatory measures.
- ISO/IEC 27001: controls A.9 (access control) and A.8 (identity management), end-to-end traceability.
- GDPR: data minimisation (only necessary claims) and least-privilege principle for personal data.
Every authentication, failed attempt, MFA factor change and policy update is recorded in Dokuflex's immutable log, exportable to your SIEM (Splunk, QRadar, Elastic, Sentinel) via syslog or API.
CISO checklist before rollout
1. Authoritative IdP chosen: Entra ID, Google Workspace or ADFS as the single source.
2. MFA enforced for administrators: mandatory, with WebAuthn/FIDO2 as the recommended primary factor.
3. Break-glass account: a local emergency account with strong MFA and usage logging, outside the IdP.
4. Role mapping validated: IdP groups ↔ Dokuflex roles documented and approved by the business.
5. SLO tested: signing out of the IdP also ends the Dokuflex session.
6. Logs wired into the SIEM: authentication events streamed to the security operations centre.
7. Session policy: token lifetime, re-authentication for sensitive actions, IP allowlist if applicable.
Frequently asked questions
Which authentication standards does Dokuflex support?
Active Directory (LDAP/LDAPS), ADFS, SAML 2.0, OAuth 2.0, OpenID Connect, Microsoft Entra ID, Google Workspace, Okta, CAS, Kerberos/SPNEGO, digital certificate + eID and SCIM 2.0 for provisioning. On top of any of them, 2FA/MFA via TOTP, WebAuthn/FIDO2, SMS, email and push.
How long does it take to integrate Dokuflex with our AD?
A standard AD/LDAP integration is set up in under 1 hour. For ADFS or SAML a typical rollout takes 2 to 4 hours including metadata exchange, certificates and tests with pilot users. An engineer joins you during the session.
Can 2FA be enabled only for administrators or specific roles?
Yes. MFA policies by role, group, network origin (IP/CIDR) and action sensitivity (sign, approve a payment, export data). By default MFA is mandatory for administrators.
Does SSO work for external users or partners?
Yes. Multiple IdPs in parallel: internal AD for employees, OIDC with Google or Microsoft for external collaborators, local authentication for one-off vendors. Each flow with its own MFA policy, role mapping and audit trail.
What compliance value does Dokuflex SSO bring?
Aligned with ENS High, ISO/IEC 27001, NIS2 (strong access control), GDPR (data minimisation and access control) and eIDAS2 combined with qualified signature. Everything recorded in the immutable audit log.
Can local authentication be disabled once SSO is in place?
Yes. Once SSO is validated, you can force 100% of access through the corporate IdP, leaving only a break-glass account with strong MFA and usage logging. It is the recommended setup for organisations under NIS2 or ENS High.
Connect Dokuflex to your corporate identity this week
We deliver a sandbox with SAML/OIDC metadata in 24h plus a 60-minute session with our identity engineer to wire it against your Entra ID, ADFS, AD, Google Workspace, Okta or CAS.