Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

supports the creation of a tenant using the SAML (Security Assertion Markup Language) Security Manager. Users in this tenant can log into
via  (SAML) version 2.0. SAML enables internet single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication.

The SAML Security manager can be used in on-premise installations but it is primarily meant for cloud tenants who use LDAP but do not want to expose it over the internet.

SAML requires the configuration and installation of an identify provider that supports SAML 2.0. Some examples are Google, Shibboleth, OpenSSO, ADFS, and PingFederate, OneLogin.

In a SAMLenvironment, integration with an LDAP server for authentication is common. In general, here's how it works:

  • User A attempts to access Live forms frevvo by typing the URL into the browser
  • Live forms frevvo sends a SAML request for authentication to the Identity Provider
  • The Identity Provider requires more information. The Identify Provider login screen is displayed.
  • User A logs into the Identity Provider.
  • The Identity Provider may communicate with your LDAP server if you are using Active Directory for authentication.
  • The Identity Provider builds and sends a SAML token to Live Forms frevvo containing the security information for User A.
  • Live forms frevvo processes the information. If User A has been authenticated, Live forms frevvo establishes a session and redirects User A to the correct Live Forms frevvo screen depending on User A's authorization level.

On this page:

Table of Contents


  1. Create the frevvo Metadata file.
  2. Configure your Identity Provider
  3. Create/edit the SAML tenant
  4. Manage Users/Roles for your SAML tenant
  5. Logging into Live Forms frevvo in a SAML Tenant

Section 1 - In-house Customers Only


  1. Stop
    if it is running.
  2. Copy the default <frevvo-home>\tomcat\lib\ frevvoKeystore.jks to another location as a backup
  3. Login as administrator.
  4. Make sure the path to the keytool application is configured in your system path. keytool is part of the standard Java distribution (JDK or JRE)). For example, keytool is located in the C:\Program Files\Java\jdkx.x.x\bin directory in the JDK.
  5. Navigate to <frevvo-home>\ tomcat\lib or to the new location of the keystore if you changed the property in the setenv or service.bat files
  6. Delete the existing certificate:

    Code Block
    keytool -delete -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd
  7. If you changed the password from the default, execute this keytool command to change the password in the keystore

    Code Block
    keytool -storepasswd -keystore frevvoKeystore.jks - it will ask for the old password - p@ssw0rd and then prompt for the new one - The keystore password must match whatever is in the line that we added to the setenv pr service.bat files.
  8. Generate a new certificate: Here is the command: Change the -dname value to the DNS name of your IDP.

    If you changed the values of the or properties in the setenv or service.bat files then change the alias in the command and the keypass and storepass password parameters to match those values. The key and store passwords need to be the same as there is only one password property.

    The dname in this keytool command specifies the X.500 Distinguished Name to be associated with the alias and is used as the issuer and subject fields in the self-signed certificate. While we provide a sample in the documentation, it is up to the customer (your security policy) to decide what the value should be when the certificate.for your installation is generated. Since this is a self-signed certificate - the dname really could be anything - but here is a link to the Oracle documentation to give you some idea of what you might want to set that too.

    Execute this command to create a new certificate and stores it in the keystore.

    Code Block
    keytool -genkey -dname "" -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd -keyalg rsa -keysize 2048 -validity 3650

  9. The certificate can be viewed by exporting it to a file. If you changed the password, substitute the new password in the command:

    Code Block
    keytool -exportcert -alias frevvo -file frevvo.rfc -rfc -keystore frevvoKeystore.jks -storepass p@ssw0rd

Section 2 - Create the


frevvo Metadata file

Follow these steps to generate the frevvo metadata for your SAML tenant. You can do this even if the tenant has not been created yet.


titleClick here for some tips when configuring ADFS

The information below applies to ADFS v2.0. If you are using a different version, your ADFS expert must locate the equivalent functions for that version.

  1. Save the frevvo tenant metadata as an xml file. Add Relying Party Metadata Trust. Use the 'Import data about the relying party from a file' option to upload the saved xml file.

  2. In Edit Claim Rules, create a rule to map AD attributes to the outgoing claim type as shown below.  Information about creating rules to send LDAP attributes as Claims can be found on this Microsoft support website

    1. samAccountName to NameID - If you rather generate an opaque identifier, you would need to create custom rules as described here.
    2. samAccountName to Windows Account Name
    3. givenName to Given Name
    4. Surname to Surname
    5. emailAddresses to Email Address
    6. Group membership is added using the wizard. Select Token-Groups Unqualified Names and map it to the Group claim.

  3. Extract the Manager's samAccountName. This can be done using the following 3 custom claim rules. This rule assumes that the CN of the manager DN contains the samAccountName:

    Code Block
    c:[Type == "", Issuer == "AD AUTHORITY"]
    => add(store = "Active Directory", types = (""), query = ";Manager;{0}", param = c.Value); 
    Manager SAM1
    c:[Type == ""]
    => add(Type = "", Value = RegExReplace(c.Value, ",[^\n]*", ""));
    c:[Type == ""]
    => issue(Type = "", Value = RegExReplace(c.Value, "^CN=", ""));
  4. In the

    tenant, map the attributes as shown: Refer to this website for more information about Claims.

    User Id

    First Name
    Last Name
    Manager User Id
  5. It is recommended that you turn on tracing in ADFS, so that the SAML response is visible. Compare the names of the attributes contained in the response to the names of the attributes configured on the tenant screen. If turning on ADFS tracing is not an option, the frevvo log can be searched for the name attribute values.

Configure Custom Attributes

Active directory attributes other than the standard First Name, Last Name or Email are considered custom attributes. You can retrieve custom attributes in addition to the standard ones from Active Directory and pull the data into your form/flow using Live Formsfrevvo business rules.
For example,let's say you want to extract the custom attribute, StaffId, from LDAP and populate fields in your form/flow using a business rule.

Perform these general steps:

  1. Make sure the custom attribute, in our example StaffID, is configured in Active Directory and assigned to the correct users.
  2. Expose StaffID as a SAML attribute by writing an ADFS claim rule.
    1. During this process, you assign the attribute a name, e.g.
  3. Map the attribute with this name in the Custom section of the tenant setup screen. Save the tenant configuration.

  4. Here is an example of a business rule that references the custom attribute, Staff Id, and populates a field in a form named StaffID.

    Code Block
    if (form.load) {
      StaffID.value =  _data.getParameter('subject.');

    Refer to Retrieving Custom Attributes from LDAP in a SAML Tenant for another example.

titleClick here for instructions to configure Google Apps as the SAML IDP

Follow these steps to setup Google as the Identity Provider and Live Forms frevvo as the Service Provider to configure Single Sign On. These instructions are for Cloud. On-Premise customers follow the same steps with one additional step to generate a certificate:

  1. On - Premise customers ONLY: Generate a certificate. 
  2. Configure Google as the Identity Provider
    1. Login to your Google domain as an admin, go to the admin portal and click through to Apps > SAML Apps. If you have any existing SAML apps, you’ll see them here. Click the big PLUS (+) sign at bottom right to add a new one. A wizard will appear.
    2. Click the “Setup My Own Custom App” link at the bottom of the screen.

    3. Choose Option 2 and Download the IDP metadata file.

    4. Provide a name for your application, a description and a logo.

    5. Enter the Service Provider (
      ) details.
      1. For ACS URL, type{tenant} - replace {tenant} with your cloud tenant.
      2. For Entity Id, type{tenant} - replace {tenant} with your cloud tenant.
      For example,
    6. Leave the built-in Name Id attribute configuration alone.

    7. Add a new Attribute Mapping: User Id | Basic Information | Primary Email

    8. Click Finish. The Setup Complete screen displays.
    9. Click OK.
    10. Your new SAML App will be displayed. Click the three dots at right and turn ON SSO. You can choose to turn it ON for everyone in your domain or for specific sub-domains.

  3. Create users in Google:
    1. Create your users in Google or move existing users into the appropriate sub-organization if you are limiting access to your SAML app in Google. You won’t have to create new users or move existing users if you enabled the SAML app for everyone in your Google domain.
    2. You’ll need a user in your Google domain to serve as the tenant administrator. Either, create a new one or choose an existing one (there’s nothing to do as long as you choose someone).
  4. Create users in
    1. You need to ensure that the user you chose/created as the tenant admin exists in frevvo. Once we switch over to SAML, all authentication will use Google Apps credentials and you won’t be able to login using your current tenant admin or other users. We’ll use CSV upload. The file syntax looks like this:

      Code Block

      The fields are your Google login (e.g., your frevvo tenant id (e.g., the first name, last name and email address. In the roles field, use the roles indicated above.

    2. Login as the current tenant admin user.
    3. Click on Manage Users.
    4. Click on Download CSV users file.
    5. Edit the file to setup at least one Google User (the one you chose/created as the tenant admin).
    6. Click on CSV Upload (the Excel looking icon) and upload the file to create this user.

  5. Configure 
    as the Service Provider:
    1. Generate the SP metadata file from frevvo. Visit the URL:{tenant} in your browser. Replace {tenant} with your cloud tenant. Right click to View Page Source and save as an XML file.
    2. Login to your Cloud account as tenant admin and click the Edit Tenant button.
    3. In the Security Manager section, click the Change button, choose SAML in the drop down that appears and click Ok. NOTE: Free Trial accounts do not show the Change button. If the Change button is not visible in your tenant, please contact customer support.
    4. The SAML configuration section will appear. In the Service Provider section, we must paste the SP metadata file we generated in Step 1 above. Unfortunately, the file contains an XML prolog (highlighted in the image below) which must be removed. Paste the contents of this SP metadata file without the prolog into the Service Provider text area of the configuration form.
    5. In the Identity Provider section, paste the IDP metadata file we generated and saved in the Google setup above. Once again, the file contains an XML prolog. Paste the contents of this IDP metadata file without the prolog into the Identity Provider text area of the configuration form.
    6. Check Authentication Only. This means SAML will authenticate the user but not retrieve any of the attributes. Users are not automatically discovered upon first login. Therefore, you must create users & roles using CSV upload.
      • If you do not wish to select the Authentication Only option, you’ll need to map other attributes in Google first before you can assign them in Frevvo. First Name, Last Name, and Email should be pretty straight forward since these attributes are surfaced by the Google SAML IdP app. The other attributes may be more difficult.
    7. With the Authentication Only option, attribute mapping only includes one attribute, the User Id. Since we mapped the email address to the User Id attribute in Google while setting up the SAML app, we can simply map the frevvo attribute to User Id in the configuration form.
    8. Submit the form and we’re done.


      Edit tenant.


      Setup SAML


      SP Metadata (paste without XML Prolog)


      IDP Metadata (paste without XML prolog)

  6. How to use your new SAML tenant
    1. Logout of all your Google accounts to test.
    2. Go to the tenant URL:{tenant}/login. Replace {tenant} with your tenant id.
    3. You will be redirected to the Google login page.
    4. Login to Google as the Google user you chose/created as the tenant admin.
    5. You will be redirected to frevvo to the Manage Tenant screen.

    The user id displayed in frevvo at the top will look like {user}@{domain}@{tenant} which is a bit confusing but is purely cosmetic.

  7. Load other users in frevvo

    Before your other Google users can login to 

    using their Google Apps credentials, they must first be created in frevvo. You can download users from Google Apps as a CSV file (uncheck the create a Google Sheet option), modify it to follow frevvo’s syntax as shown above and upload it. You can also login as the tenant admin Google user and create users and roles using the UI.

    Once the user exists in frevvo, he/she can login using Google credentials and the system will behave as expected according to the roles assigned to the user.



It is important to know that a SAML tenant with Authentication Only unchecked, means that authentication and authorization are handled by SAML/LDAP. Users are added/updated through discovery. If a tenant admin modifies user information in the

UI, for example, changes an email address or adds a role for a user, the changes will stay in effect until the user logs out of the tenant and then logs back in. When the user logs back in, the changes made in the
UI will be overwritten by the information in SAML/LDAP. In this case, make the changes in your Active Directory to make them permanent. A warning message will appear on the User List to alert the admin that they are in discovery mode and should make permanent changes in their IDP instead.

Discovery updates only occur when the user logs into the tenant. The admin "login as" feature will not execute a discovery update.

Section 6 - Logging into a


frevvo SAML Tenant

Browse the URL below to initiate the SAML authentication process by redirecting to the Identity Provider login page.  


  • Clicking the logout link in
    , logs the user out from
  • Accessing a Space in a SAML tenant on a mobile device will not display a logout button.
  • When a user logs in to Live Forms frevvo (non-space mode), the logout link will be visible
  • Cloud customers browsing or in-house customers browsing http://<servername>:<port>/frevvo/web/login attempting to log into a SAML tenant directly (user@saml tenant name) will automatically be redirected to the SAML IDP login page. For best performance, frevvo recommends using the login URL described above.


Just a reminder that the tenant admin account can login directly into Live Forms frevvo or use the SAML login.

When you create/edit a new tenant you are prompted to set up/modify a tenant admin user id, password and email address. This tenant admin does not authenticate via your SAML IDP. It only exists in Live Forms frevvo. If you experience an issue with your SAML configuration such that you can't login as an SAML authenticated user, use this this account to login to your tenant as a tenant admin in order to fix your SAML configuration issue. Only one built-in tenant admin account is supported.



The frevvo (Cloud customers) and in-house superuser can see the built-in tenant admin userid from the Edit Tenant page.

Logged in User Display in Azure SAML


frevvo tenant

If your SAML userIds are in the format <username>@<domain name>, when you login to 

tenant name is appended to the userId . This is as designed. You will see <username@domain name@frevvo tenant name> as the logged in user at the top of the screen. If your domain name is the same as your
tenant name, it will appear as if the domain name is listed twice.