frevvo supports the creation of a tenant using the Azure SAML (Security Assertion Markup Language) Security Manager. Users in this tenant are redirected to the Microsoft Azure login screen and then back to frevvo when that login screen is submitted.

The Azure SAML Security Manager can be used in cloud and on-premises installations.

  • Allows on-premises AD to be exposed to the frevvo cloud via synchronization with Azure AD.
  • Uses the Graph API to access users and groups from AD.
  • SAML is used for authentication only, providing single sign-on.
  • SAML is built into Azure AD, so it is not necessary to set up a separate identity provider.

The Azure SAML Security Manager pulls users/roles from Azure AD. frevvo recommends using the SAML Security Manager for customers who want to manage users/roles from the frevvo UI.


  1. Log in to the Microsoft Azure Management console: https://manage.windowsazure.com
  2. Add a new application under the Active Directory tab.
  3. Complete the single sign-on fields as follows:
    1. APP ID URI:
      1. Cloud customers should use https://app.frevvo.com:443/frevvo/web/alias/{t} - replace {t} with the tenant id of your frevvo Azure SAML tenant.
      2. On-premise customers should use http://<server>:<port>/frevvo/web/alias/{t} - replace <server> with the IP address of your server, <port> with the port number (if applicable) and {t} with your frevvo Azure SAML tenant id.
    2. REPLY URL:
      1. Cloud customers should use https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{t} - replace {t} with the tenant id of your frevvo Azure SAML tenant.
      2. On-premise customers should use http://<server>:<port>/frevvo/web/saml/SSO/alias/{t} - replace <server> with the IP address of your server, <port> with the port number (if applicable) and {t} with your frevvo Azure SAML tenant id.
    3. SIGN-ON URL:
      1. Cloud customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the tenant id of your frevvo Azure SAML tenant.
      2. On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the IP address of your server, <port> with the port number (if applicable) and {t} with your frevvo Azure SAML tenant id.


  4. One way to restrict access to frevvo to specific Azure AD users only is to:
    • Make sure USER ASSIGNMENT REQUIRED TO ACCESS APP is set to YES.
    • Add users to the application under the USERS tab.
  5. Groups listed under the GROUPS tab in Active Directory map to frevvo roles. Refer to Prerequisites for more information.
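The three URLs entered in step 3 are what Azure later addresses its SAML responses to: the REPLY URL appears as the response's Destination and the APP ID URI as the assertion's Audience, so a tenant id or port that differs by one character makes the login fail at the service provider. The Python below is an added example, not frevvo's code: it builds the three URLs from a tenant id (cloud or on-premise pattern) and checks a constructed SAML Response, not a real Azure one, against them.

```python
import xml.etree.ElementTree as ET

FREVVO_CLOUD = "https://app.frevvo.com:443/frevvo/web"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def frevvo_saml_endpoints(tenant_id, server=None, port=None):
    """Build the APP ID URI, REPLY URL and SIGN-ON URL for a frevvo Azure SAML
    tenant, following the cloud and on-premise patterns from step 3.
    server=None selects the frevvo cloud pattern, otherwise the on-premise one."""
    if server is None:
        base = FREVVO_CLOUD
    else:
        base = f"http://{server}:{port}/frevvo/web" if port else f"http://{server}/frevvo/web"
    return {
        "app_id_uri": f"{base}/alias/{tenant_id}",
        "reply_url": f"{base}/saml/SSO/alias/{tenant_id}",
        "sign_on_url": f"{base}/tn/{tenant_id}/login",
    }

def check_response_targets(response_xml, endpoints):
    """Return the mismatches between where a SAML Response says it was sent
    (Destination, Audience) and the tenant's configured URLs; empty means it matches.
    Exact string comparison is deliberate: scheme, port and tenant id must all agree.
    Signature verification is a separate step that this check does not replace."""
    root = ET.fromstring(response_xml)
    problems = []
    destination = root.get("Destination")
    if destination != endpoints["reply_url"]:
        problems.append(f"Destination {destination!r} is not the REPLY URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if endpoints["app_id_uri"] not in audiences:
        problems.append(f"Audiences {audiences!r} do not include the APP ID URI")
    return problems

# Constructed sample (not a real Azure response), addressed to cloud tenant "acme".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/acme">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://app.frevvo.com:443/frevvo/web/alias/acme</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response_targets(SAMPLE_RESPONSE, frevvo_saml_endpoints("acme")))       # []
    print(check_response_targets(SAMPLE_RESPONSE, frevvo_saml_endpoints("acme-test")))  # 2 mismatches
```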

     

Some more tips:

You must be in the Azure classic portal view to see the screens shown below:

  1. Be sure to set up the application permissions to allow the Graph API to read the directory in order to retrieve users and groups.
  2. You will need the Azure tenant ID, and the client id and client secret key that are created for the frevvo application, when configuring your frevvo Azure SAML tenant.
    1. The client id is displayed on the Configure screen of the frevvo application in Azure. An example is shown in the image:
    2. The tenant id for the application that you created in Azure for frevvo can be obtained by viewing the endpoint URLs listed when you click the View Endpoints icon at the bottom of the page. See the example in the image:
    3. There is only one chance to retrieve the client secret key when you create the application for frevvo in Azure. In the Keys section on the CONFIGURE screen, select a duration option. Click the SAVE icon on the bottom menu to display the client secret key. Copy the key and save it so you have it available when you create your Azure SAML tenant in frevvo.
