WorkflowGen workflow automation. Windows containers only. PostgreSQL or SQL Server 2025.
10K+
This image contains a WorkflowGen Server using IIS and WorkflowGen's Windows Services. Use this image to run WorkflowGen's web application, Windows services, or both.
WorkflowGen application: Windows containers only (all versions)
Database options for production:
| WorkflowGen Version | Production Database | Container Type |
|---|---|---|
| v10 | PostgreSQL 17 | Windows or Linux |
| v10 | SQL Server 2025 | Linux only |
| v9.3.1+ | SQL Server 2022 | Linux only |
| v9.3.0 and earlier | SQL Server 2019 | Linux only |
| v8 | SQL Server 2019 | Linux only |
Development/Testing database options:
| WorkflowGen Version | Dev/Test Database | Notes |
|---|---|---|
| All versions | SQL Server Express 2017 (Windows) | 10GB limit, not for production |
| v10 only | SQL Server 2025 Express (Windows) | 50GB limit, not for production |
🚨 IMPORTANT - Production Deployments
Production-ready combinations:
- ✅ v10: WorkflowGen Windows + PostgreSQL (Windows or Linux)
- ✅ v10: WorkflowGen Windows + SQL Server 2025 Linux
- ✅ v9.3.1+: WorkflowGen Windows + SQL Server 2022 Linux
- ✅ v9.3.0 and earlier: WorkflowGen Windows + SQL Server 2019 Linux
- ✅ v8: WorkflowGen Windows + SQL Server 2019 Linux
Hybrid deployments (WorkflowGen Windows container + Database Linux container) are fully supported for production.
See advantys/workflowgen-sql and advantys/workflowgen-postgres for database details.
Latest Dockerfiles:
Example tags:
10.3.0-win-ltsc2019 - WorkflowGen v10.3.09.6.0-win-ltsc2019 - WorkflowGen v9.6.08.3.5-win-ltsc2019 - WorkflowGen v8.3.5latest - Current default tag-onbuild suffix - Customizable variant10.3.0-win-ltsc2019C:\wfgen\licenses volumeWFGEN_APP_SETTING_ApplicationSerialNumberBefore running, ensure the database is initialized with provided SQL scripts.
docker run -it --env-file .\workflowgen.env -v C:\path\to\licenses:C:\wfgen\licenses --name wfgen advantys/workflowgen:{version}-win-ltsc2019
Replace {version} with your version (e.g., 10.3.0, 9.6.0).
Prerequisites:
# Create volumes
docker volume create licenses
docker volume create wfgdata
docker volume create pgdata
# Copy license
$licensesPath = docker volume inspect --format "{{.Mountpoint}}" licenses
Copy-Item ~\Desktop\license.lic $licensesPath
# Generate symmetric encryption key (32 characters)
[guid]::NewGuid().ToString("N")
# Example: ca8e4e2b04254aeeadbcfc0724e3b62a
docker-compose.yml:
services:
workflowgen:
image: advantys/workflowgen:10.3.0-win-ltsc2019
depends_on:
- database
environment:
- WFGEN_DATABASE_CONNECTION_STRING=Host=database;Port=5432;Database=wfgen;Username=wfgen_user;Password=yourStrong(!)Password;
- WFGEN_DATABASE_CONNECTION_STRING_PROVIDER_NAME=Npgsql
- WFGEN_APP_SETTING_ApplicationUrl=http://localhost:8888/wfgen
- WFGEN_APP_SETTING_ApplicationSerialNumber=YOUR_WORKFLOWGEN_SERIAL_NUMBER
- WFGEN_APP_SETTING_ApplicationSecurityPasswordSymmetricEncryptionKey=ca8e4e2b04254aeeadbcfc0724e3b62a
ports:
- 8888:80
volumes:
- licenses:C:\wfgen\licenses:RO
- wfgdata:C:\wfgen\data
database:
image: advantys/workflowgen-postgres:10.3.0-postgres-win-ltsc2019
container_name: database
environment:
- PGDATA=C:\pgsql\data
- POSTGRES_INITDB_ARGS=--username=postgres
- POSTGRES_PASSWORD=yourStrong(!)Password
- WFGEN_DATABASE_USER_PASSWORD=yourStrong(!)Password
- WFGEN_ADMIN_PASSWORD=yourStrong(!)Password
volumes:
- pgdata:C:\pgsql\data
ports:
- 5432:5432
volumes:
licenses:
external: true
wfgdata:
pgdata:
Run:
docker compose up -d
Access: http://localhost:8888/wfgen (username: wfgen_admin, password: yourStrong(!)Password)
Prerequisites:
# Create volumes
docker volume create licenses
docker volume create wfgdata
docker volume create sqldata
# Copy license
$licensesPath = docker volume inspect --format "{{.Mountpoint}}" licenses
Copy-Item ~\Desktop\license.lic $licensesPath
# Generate symmetric encryption key
[guid]::NewGuid().ToString("N")
# Example: ca8e4e2b04254aeeadbcfc0724e3b62a
docker-compose.yml:
services:
workflowgen:
image: advantys/workflowgen:10.3.0-win-ltsc2019
depends_on:
- database
environment:
- WFGEN_DATABASE_CONNECTION_STRING=Data Source=database;Network Library=DBMSSOCN;Initial Catalog=WFGEN;User ID=WFGEN_USER;Password=yourStrong(!)Password;TrustServerCertificate=True;
- WFGEN_APP_SETTING_ApplicationUrl=http://localhost:8888/wfgen
- WFGEN_APP_SETTING_ApplicationSerialNumber=YOUR_WORKFLOWGEN_SERIAL_NUMBER
- WFGEN_APP_SETTING_ApplicationSecurityPasswordSymmetricEncryptionKey=ca8e4e2b04254aeeadbcfc0724e3b62a
ports:
- 8888:80
volumes:
- licenses:C:\wfgen\licenses:RO
- wfgdata:C:\wfgen\data
database:
image: advantys/workflowgen-sql:10.3.0-express-win-ltsc2019
container_name: database
environment:
- SA_PASSWORD=yourStrong(!)Password
- WFGEN_DATABASE_USER_PASSWORD=yourStrong(!)Password
- WFGEN_ADMIN_PASSWORD=yourStrong(!)Password
volumes:
- sqldata:C:\wfgen\sql
ports:
- 1433:1433
volumes:
licenses:
external: true
wfgdata:
sqldata:
Run:
docker compose up -d
Access: http://localhost:8888/wfgen (username: wfgen_admin, password: yourStrong(!)Password)
docker-compose.yml:
services:
database:
image: advantys/workflowgen-postgres:10.3.0-postgres-debian-bookworm
container_name: database
environment:
- PGDATA=/var/lib/postgresql/data
- POSTGRES_INITDB_ARGS=--username=postgres
- POSTGRES_PASSWORD=yourStrong(!)Password
- WFGEN_DATABASE_USER_PASSWORD=yourStrong(!)Password
- WFGEN_ADMIN_PASSWORD=yourStrong(!)Password
volumes:
- pgdata:/var/lib/postgresql/data
ports:
- 5432:5432
volumes:
pgdata:
Connection string for WorkflowGen:
WFGEN_DATABASE_CONNECTION_STRING=Host=database;Port=5432;Database=wfgen;Username=wfgen_user;Password=yourStrong(!)Password;
WFGEN_DATABASE_CONNECTION_STRING_PROVIDER_NAME=Npgsql
docker-compose.yml:
services:
database:
image: advantys/workflowgen-sql:10.3.0-ubuntu-24.04
container_name: database
environment:
- ACCEPT_EULA=Y
- SA_PASSWORD=yourStrong(!)Password
- WFGEN_DATABASE_USER_PASSWORD=yourStrong(!)Password
- WFGEN_ADMIN_PASSWORD=yourStrong(!)Password
- MSSQL_PID=Express # FREE for production use
volumes:
- sqldata:/var/opt/mssql
ports:
- 1433:1433
volumes:
sqldata:
Connection string for WorkflowGen:
WFGEN_DATABASE_CONNECTION_STRING=Data Source=database;Initial Catalog=WFGEN;User ID=WFGEN_USER;Password=yourStrong(!)Password;TrustServerCertificate=True
WFGEN_DATABASE_CONNECTION_STRING=Host=database;Port=5432;Database=wfgen;Username=wfgen_user;Password=<password>;
WFGEN_DATABASE_CONNECTION_STRING_PROVIDER_NAME=Npgsql
WFGEN_DATABASE_CONNECTION_STRING=Data Source=database;Initial Catalog=WFGEN;User ID=WFGEN_USER;Password=<password>;TrustServerCertificate=True
Note:
TrustServerCertificate=Trueis required for SQL Server 2025 (both Linux and Windows) due to enforced SSL encryption with self-signed certificates- SQL Server provider is
System.Data.SqlClient(default, no need to specify)
WFGEN_DATABASE_CONNECTION_STRING=Data Source=database;Network Library=DBMSSOCN;Initial Catalog=WFGEN;User ID=WFGEN_USER;Password=<password>;TrustServerCertificate=True;
Note:
Network Library=DBMSSOCNforces TCP/IP protocol (required for containers)TrustServerCertificate=Trueis recommended for forward compatibility (optional for SQL Server 2017/2019/2022, required for 2025)- For production: Use Linux SQL Server containers (v9.3.1+: SQL Server 2022, v8/v9.3.0 and earlier: SQL Server 2019)
- For dev/test: Use Windows SQL Server Express 2017 containers
Configure settings via environment variables: WFGEN_APP_SETTING_<name>
Example:
WFGEN_APP_SETTING_ApplicationUrl=https://example.com/wfgen
Configure IISNode: WFGEN_IISNODE_<app name>_<setting name>
Replace <app name> with the node child application name, such as AUTH, HOOKS, GRAPHQL, MCP, or SCIM.
Example:
WFGEN_IISNODE_AUTH_loggingEnabled=true
WFGEN_ENABLE_IISNODE_OPTION_<app name> - exposelogs value exposes logs via HTTP (debugging only)
Starting with WorkflowGen v10.3.0 images, the WorkflowGen MCP child application (/wfgen/mcp) accepts direct OAuthServer* and Mcp* environment variables. During container startup, the Docker entrypoint projects those values into the root wfgen\web.config appSettings so the MCP child app sees the same centralized configuration under IIS/iisnode.
MCP OAuth browser login requires WorkflowGen to be configured with OIDC or SAML authentication. If the container is using another authentication mode for a quick development site, keep OAuthServerEnabled=false unless you are explicitly running an internal fixed-user development smoke test.
The standard WorkflowGen Docker image deploys the portal under /wfgen, so the supported MCP endpoint is /wfgen/mcp. Do not override McpResourceUri to a root /mcp URL while the portal still runs under /wfgen; root /mcp is intended for no-virtual-directory deployments that use the root deployment configuration.
Minimum MCP OAuth configuration:
OAuthServerEnabled=true
OAuthServerKeyEncryptionKey=<base64-or-base64url-32-byte-key>
OAuthServerBridgeTokenSigningSecret=<strong-random-secret>
Optional overrides:
OAuthServerAccessTokenLifetimeSeconds=3600
OAuthServerAuthorizationCodeLifetimeSeconds=600
OAuthServerRefreshTokenLifetimeSeconds=7776000
McpResourceUri=https://<public-host>/wfgen/mcp
McpAllowedScopes=mcp:read mcp:write mcp:process_admin mcp:admin
McpDiagnosticLogLevel=INFO
McpResourceUri should normally be ApplicationUrl + "/mcp". If it is explicitly overridden, it must be an absolute HTTPS URL without a query string or fragment, and its path must end with /mcp. Because MCP OAuth metadata requires HTTPS, expose the container through HTTPS and set WFGEN_APP_SETTING_ApplicationUrl to the public HTTPS WorkflowGen URL.
The Docker image uses the durable WorkflowGen OAuth store automatically when the MCP child app runs in production mode, so no extra store setting is normally required.
For internal/local development smoke tests without a real IdP, you can also enable the fixed-user bridge shortcut. Do not use this shortcut for client preview, staging, or production environments; those environments should validate real OIDC/SAML login. This mode is blocked when the MCP child app runs in production mode, so set the MCP iisnode environment to development. Publish container port 443 to the host; if you map HTTPS to a non-default host port, include that port in WFGEN_APP_SETTING_ApplicationUrl and McpResourceUri.
WFGEN_ENABLE_LOCALHOST_HTTPS=Y
WFGEN_APP_SETTING_ApplicationUrl=https://localhost/wfgen
McpResourceUri=https://localhost/wfgen/mcp
WFGEN_IISNODE_MCP_node_env=development
McpDevAuthBridgeMode=fixeduser
McpDevAuthBridgeUsername=<active-workflowgen-user>
OAuthServerAllowLocalhostRedirects=true
OAuthServerAllowLocalhostRedirects=true only enables OAuth redirect URI exceptions for loopback development clients such as http://localhost, http://127.0.0.1, and http://[::1]; it does not allow arbitrary HTTP redirect URIs.
Add custom connection strings: WFGEN_CUSTOM_CONNECTION_STRING_<name>=<connection_string>
This adds the connection string with default provider System.Data.SqlClient.
Specify custom provider:
WFGEN_CUSTOM_CONNECTION_STRING_<name>_PROVIDER_NAME=<provider_name>
Example (PostgreSQL):
WFGEN_CUSTOM_CONNECTION_STRING_MyCustomDB=Host=myserver;Port=5432;Database=mydb;Username=user;Password=pass;
WFGEN_CUSTOM_CONNECTION_STRING_MyCustomDB_PROVIDER_NAME=Npgsql
For Docker Secrets and Kubernetes Secrets, any environment variable can be suffixed with _FILE. Its value is a path to a file containing the real value.
Note: Variables with and without _FILE suffix are mutually exclusive.
Docker Swarm example:
# Create secrets
docker secret create ApplicationSecurityPasswordSymmetricEncryptionKey "84c953d4eac14da2ba93c010e85c76e0"
docker secret create WFGEN_DATABASE_CONNECTION_STRING "Host=database;Port=5432;Database=wfgen;Username=wfgen_user;Password=secretPassword;"
docker secret create ApplicationSerialNumber "YOUR_SERIAL_NUMBER"
# Create WorkflowGen service (v10 with PostgreSQL)
docker service create `
--env WFGEN_APP_SETTING_ApplicationSecurityPasswordSymmetricEncryptionKey_FILE=C:\ProgramData\Docker\secrets\ApplicationSecurityPasswordSymmetricEncryptionKey `
--env WFGEN_DATABASE_CONNECTION_STRING_FILE=C:\ProgramData\Docker\secrets\WFGEN_DATABASE_CONNECTION_STRING `
--env WFGEN_DATABASE_CONNECTION_STRING_PROVIDER_NAME=Npgsql `
--env WFGEN_APP_SETTING_ApplicationSerialNumber_FILE=C:\ProgramData\Docker\secrets\ApplicationSerialNumber `
--secret ApplicationSecurityPasswordSymmetricEncryptionKey `
--secret WFGEN_DATABASE_CONNECTION_STRING `
--secret ApplicationSerialNumber `
--mount "type=volume,src=licenses,dst=C:\wfgen\licenses,readonly" `
advantys/workflowgen:10.3.0-win-ltsc2019
| Name | Description |
|---|---|
WFGEN_ADMIN_USERNAME | The username for the WorkflowGen administrator account. Useful when configuring with an OpenID provider. Set to a username that exists on the provider to authenticate with administrative access. Note: If you change this, update the database as well. Default: wfgen_admin |
WFGEN_DATABASE_CONNECTION_STRING | Required. The connection string of the main database source. Container will exit with error if not present. |
WFGEN_DATABASE_CONNECTION_STRING_PROVIDER_NAME | Required for PostgreSQL (v10). Database provider name. Set to Npgsql for PostgreSQL or System.Data.SqlClient for SQL Server. Default: System.Data.SqlClient |
WFGEN_DATABASE_READONLY_CONNECTION_STRING | The connection string of the readonly database source for database setups with replicas. |
WFGEN_AUTH_MODE | Authentication method to be used by WorkflowGen. Possible Values: application, basic, windows, adfs, azure-v1, auth0, okta. Default: application |
WFGEN_GEN_APP_SYM_ENCRYPT_KEY | Indicates whether ApplicationSecurityPasswordSymmetricEncryptionKey should be auto-generated. If Y, key is re-generated on restart (not production-compatible). Use Y only for dev/testing. Possible Values: Y, N. Default: Y |
WFGEN_LICENSE_FILE_NAME | License file name (including extension) in C:\wfgen\licenses volume. If not specified, first file found is used. |
WFGEN_START_SERVICE | What the container should run. For clusters, run multiple containers in different modes. Possible Values: win_services, web_apps, engine, dir_sync, all. Default: all |
WFGEN_MACHINE_KEY_VALIDATION_KEY | validationKey property of machineKey element in web.config. Recommended to share machine key between instances (e.g., web farm). See Microsoft docs. |
WFGEN_MACHINE_KEY_DECRYPTION_KEY | decryptionKey property of machineKey element in web.config. Recommended for web farms. See Microsoft docs. |
WFGEN_MACHINE_KEY_VALIDATION_ALG | Validation algorithm for machine key. Default: HMACSHA256 |
WFGEN_MACHINE_KEY_DECRYPTION_ALG | Decryption algorithm for machine key. Default: AES |
WFGEN_DEPENDENCY_CHECK_INTERVAL | Time between dependency check retries in milliseconds. Default: 1000 |
WFGEN_DEPENDENCY_CHECK_RETRIES | Number of retries for each dependency check. Default: 10 |
WFGEN_DEPENDENCY_CHECK_ENABLED | Enable/disable dependency checks. Default: Y |
When you have multiple environment variables, use --env-file with docker run.
Example with Azure AD authentication (v10 with PostgreSQL):
WFGEN_AUTH_MODE=azure-v1
WFGEN_APP_SETTING_ApplicationUrl=https://example.com/wfgen
WFGEN_APP_SETTING_ApplicationSecurityAuthProvider=azure-v1
WFGEN_APP_SETTING_ApplicationSecurityAuthMetadataUrl=https://login.microsoftonline.com/<Directory ID>/.well-known/openid-configuration
WFGEN_APP_SETTING_ApplicationSecurityAuthClientId=SomeClientId
WFGEN_APP_SETTING_ApplicationSecurityAuthClientSecret=SomeClientSecret
WFGEN_APP_SETTING_ApplicationSecurityAuthUsernameClaim=upn
WFGEN_APP_SETTING_ApplicationSecurityAuthAppIdClaim=appid
WFGEN_APP_SETTING_ApplicationSecurityAuthSessionTokenSigningSecret=SomethingVerySecret
WFGEN_APP_SETTING_ApplicationSecurityPasswordSymmetricEncryptionKey=84c953d4eac14da2ba93c010e85c76e0
WFGEN_DATABASE_CONNECTION_STRING=Host=database;Port=5432;Database=wfgen;Username=wfgen_user;Password=secretPassword;
WFGEN_DATABASE_CONNECTION_STRING_PROVIDER_NAME=Npgsql
For v9, v8 with SQL Server:
WFGEN_AUTH_MODE=azure-v1
WFGEN_APP_SETTING_ApplicationUrl=https://example.com/wfgen
WFGEN_APP_SETTING_ApplicationSecurityAuthProvider=azure-v1
WFGEN_APP_SETTING_ApplicationSecurityAuthMetadataUrl=https://login.microsoftonline.com/<Directory ID>/.well-known/openid-configuration
WFGEN_APP_SETTING_ApplicationSecurityAuthClientId=SomeClientId
WFGEN_APP_SETTING_ApplicationSecurityAuthClientSecret=SomeClientSecret
WFGEN_APP_SETTING_ApplicationSecurityAuthUsernameClaim=upn
WFGEN_APP_SETTING_ApplicationSecurityAuthAppIdClaim=appid
WFGEN_APP_SETTING_ApplicationSecurityAuthSessionTokenSigningSecret=SomethingVerySecret
WFGEN_APP_SETTING_ApplicationSecurityPasswordSymmetricEncryptionKey=84c953d4eac14da2ba93c010e85c76e0
WFGEN_DATABASE_CONNECTION_STRING=Data Source=database;Network Library=DBMSSOCN;Initial Catalog=WFGEN;User ID=WFGEN_USER;Password=secretPassword;
Supports Azure Active Directory, Auth0, ADFS, and Okta. See WorkflowGen docs for provider configuration.
For Docker deployments:
WFGEN_AUTH_MODE (e.g., azure-v1, auth0, okta)WFGEN_APP_SETTING_ApplicationSecurityAuthProviderWFGEN_APP_SETTING_* environment variablesNo special setup required. WFGEN_AUTH_MODE=application (default).
Set WFGEN_AUTH_MODE=windows or basic. Requires Active Directory environment (container host must be domain joined).
| Container Path | Description |
|---|---|
C:\wfgen\data | All WorkflowGen data including App_Data and workflow applications |
C:\wfgen\licenses | License files. Container uses first file found. |
Example:
docker run ... -v C:\Path\To\Licenses:C:\wfgen\licenses ... advantys/workflowgen:10.3.0-win-ltsc2019
Note: Map all volumes to persist data. Unmapped volumes lose data when container is removed.
# Set offline
docker container exec -i wfgen powershell C:\set-state.ps1 Offline
# Set online
docker container exec -i wfgen powershell C:\set-state.ps1 Online
Customize offline page:
Add your HTML file at <wfgen appdata>\Templates\server\offline.htm:
$offlinePath = ".\offline.htm"
$serverTemplatePath = [io.path]::Combine(
$(docker volume inspect --format "{{ .Mountpoint }}" appdata),
"Template", "server"
)
if (-not (Test-Path $serverTemplatePath)) {
New-Item $serverTemplatePath -ItemType Directory -Force
}
Copy-Item $offlinePath $serverTemplatePath
When no environment variables are supplied:
ApplicationUrl defaults to localhost/wfgenWFGEN_APP_SETTING_ApplicationSecurityPasswordSymmetricEncryptionKeyUse the onbuild variant to customize files in C:\inetpub\wwwroot or C:\Program Files\Advantys\WorkflowGen.
Example: Customize web.config, banner, and add custom library
File structure:
context-dir\
inetpub\
wwwroot\
wfgen\
web.config
bin\MyCustomLib.dll
App_Themes\Default\portal\banner\banner.htm
Program Files\
Advantys\WorkflowGen\Services\Bin\MyCustomLib.dll
Dockerfile:
#escape=`
FROM advantys/workflowgen:10.3.0-win-ltsc2019-onbuild
Build:
docker build -t mycorporation/workflowgen:10.3.0-win-ltsc2019 .
Update by changing the version in your Dockerfile and rebuilding:
- FROM advantys/workflowgen:10.0.4-win-ltsc2019-onbuild
+ FROM advantys/workflowgen:10.3.0-win-ltsc2019-onbuild
docker build -t mycorporation/workflowgen:10.3.0-win-ltsc2019 .
By using this image, you agree to the WorkflowGen End User License Agreement. Visit workflowgen.com for details.
Content type
Image
Digest
sha256:536841060…
Size
3.4 GB
Last updated
about 1 month ago
docker pull advantys/workflowgen