frevvo v9.0 Documentation

Software Download Directory

Versions Compared

Old Version 14

changes.mady.by.user Nancy Admin

Saved on

compared with

New Version 15

changes.mady.by.user MaryAnn Rapuano

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
  2. Select SAML Security Manager from the Security Manager Class dropdown.
  3. Copy the Service Provider (frevvo) metadata into the Service Provider field. The xml should be pasted without the prolog. For example, the image shows an example of the frevvo metadata file before pasting:



  4. Retrieve the metadata for your Identity Provider. For example, for the Shiboleth product the metadata is located in the idp-metadata file.

  5. Paste the metadata into the Identity Provider field. This metadata should also be pasted without the prolog.



  6. Check the Ignore Case checkbox if you are using LDAP for authentication and you want
    Frevvoproduct
    to ignore the case stored in LDAP systems for users/roles. It is checked by default. Refer to the Mixed or Upper case User Names topic for more information.

  7. Check the Authentication Only checkbox if you want SAML to handle authentication and provide user identification but all other user attributes come from the

    Frevvoproduct
     database.

    When checked, the screen display changes as attribute mapping, other than the mapping for the user id and custom attributes, is no longer necessary.



    Note

    Authentication Only:

    • If Authentication Only is checked:
      • SAML will authenticate the user but not retrieve any of the attributes. Authorization depends on the roles defined in 
        Frevvoproduct
        . Changes made in the
        Frevvoproduct
        UI will not be overridden if the user logs out and then logs in again.
      • Manual creation of users & roles in the
        Frevvoproduct
        SAML tenant is required. This can be done with a csv upload.

    • If Authentication Only is unchecked:

      • All users requiring access to

        Frevvoproduct
        must be assigned to the frevvo.User group in Active Directory. Tenant Admins must be assigned to the frevvo.User and frevvo.TenantAdmin groups. Designer users must be assigned to the frevvo.User and frevvo.Designer groups.

      • Users are added (discovered) when they log in. 
      • It is important to know that a SAML tenant in this mode (SAML/LDAP handles authentication and authorization) that users and tenant admins can modify user information in the
        Frevvoproduct
        UI. If user information/role assignment is changed in the
        Frevvoproduct
        UI, the changes will be overwritten by the information in SAML the next time the user logs out and then logs back in again. In this case, make the changes in your Active Directory to make them permanent.

  8. Map the attributes configured in your Identity Provider by entering the name for each attribute in the corresponding field on the

    Frevvoproduct
    screen. Be sure to provide the attribute name - not the friendly name. For example, if you are using Shibboleth for your Identity Provider the attribute information is located in the attribute-resolver.xml file. The image shows the section of the file where the attributes are defined.


    The image below shows the attribute mapping on the
    Frevvoproduct
    screen with the attribute names from the Shibboleth file:



    Note

    If Authentication Only mode is enabled for your tenant, mapping is only required for the User Id. Refer to step 8 for the details

  9. Custom attributes can be mapped by typing the attribute names in the Custom field separated by a comma.
  10. Configure a tenant admin account. This account does not require SAML authentication. This tenant admin can log directly into
    Frevvoproduct
    providing a default security manager built-in admin.
    1. The tenant admin id, password and email fields are required. The Change password on next login field is optional. It is checked by default.
    2. When this tenant admin performs a form based login i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API. For cloud customers the <base> is always https://app.frevvo.com.
    3. If the tenant based login url is used i.e. /frevvo/web/tn/{t}/login then SAML login is used. 

    Image Modified

    The forgot password function works for a SAML tenant admin user. For all others, it will display the error message about not being supported for the tenant.

    Image Modified

  11. Configure the Business Calendar for your tenant and HTTP Authorization Credentials if required.
  12. Click Submit.

...