Live Forms supports the creation of a tenant using the Azure SAML (Security Assertion Markup Language) Security Manager. Users in this tenant are redirected to the Microsoft Azure login screen and then back to Live Forms when that login screen is submitted.

The Azure SAML Security Manager can be used in cloud and on-premise installations.

  • Allows on-premises AD to be exposed to the frevvo cloud via synchronization with Azure AD.
  • Uses the Graph API to access users and groups from AD.
  • SAML is used for authentication only, providing single sign-on.
  • SAML is built into Azure AD. It is not necessary to set up a separate identity provider.

The Azure SAML Security Manager pulls users/roles from Azure AD. frevvo recommends using the SAML Security Manager for customers who want to manage users/roles from the Live Forms UI.


Prerequisites


    • The frevvo.TenantAdmin and frevvo.Designer groups must be specified on your Active Directory server. The group names must be spelled as shown. Upper/lower case may be a factor for Open LDAP systems.

      • Tenant admin users must be assigned to the frevvo.TenantAdmin group.
      • Designer users must be assigned to the frevvo.Designer group.
      • Users with the frevvo.publishers role must be assigned to the frevvo.Publisher group.
      • Users with the frevvo.ReadOnly role must be assigned to the frevvo.ReadOnly group.

Refer to Manage Roles for a description of these roles in Live Forms.

Configuring the Azure SAML Security Manager

To configure a Live Forms tenant using the Azure SAML Security Manager:

Step 1 - Create an Application for Live Forms in Azure

frevvo assumes that customers have someone on staff who can successfully perform this step of the procedure. Information about Live Forms is listed below to help you with this process.

  1. Log onto Live Forms as the superuser (on-premise) or the tenant admin (cloud).
  2. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
  3. Select Azure SAML Security Manager from the Security Manager Class dropdown.
  4. Copy the Service Provider (frevvo) metadata into the Service Provider field. You can include the XML prolog when you paste the Service Provider (frevvo) metadata.
  5. Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field.
  6. Enter the URL that you used in Step 3 to generate the Azure IDP metadata into the URL field below the Identity Provider section. The URL is needed to handle signing key rollover in Azure Active Directory. This URL is polled and refreshes the Azure IDP metadata every 3 hours. The new metadata is stored and automatically used as a backup in case the URL is not accessible.

     In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the Live Forms application id in Azure Active Directory. It was obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.

     Code Block
     https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
  7. Check the Ignore Case checkbox if you are using LDAP for authentication and you want Live Forms to ignore the case stored in LDAP systems for users/roles. The field is checked by default. Refer to the Mixed or Upper case User Names topic for more information.
  8. Enter the User Id. This should be the user property name that identifies the user. Typical values are userPrincipalName, givenname, etc.
  9. Custom attributes can be mapped by typing the attribute names in the Custom field, separated by commas.
  10. Enter the following information in the API Access section.
     1. Enter the Azure tenant identifier into the Tenant Id field. This can be obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.
     2. Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.
  11. Configure a tenant admin account. This account does not require Azure SAML authentication. This tenant admin can log directly into Live Forms, providing a default security manager backdoor.
     1. The tenant admin id, password and email fields are required.
     2. When this tenant admin performs a form-based login, i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API.
     3. If the tenant-based login URL is used, i.e. /frevvo/web/tn/{t}/login, then the Azure SAML login is used.

     The forgot password function works for an Azure SAML tenant admin user. For all others, it will display the error message about not being supported for the tenant.

  12. Configure the Business Calendar for your tenant. The Live Forms escalation feature will use this calendar to calculate deadlines and send notification and reminder emails.
  13. Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.
  14. Click Submit.

Step 5 - Logging into a Live Forms Azure SAML Tenant

  1. Log in as your authenticated Azure SAML tenant admin.
  2. Click Manage Users and click the edit admin icon.



Session Timeout

Session timeouts are configured in Live Forms and in the Azure SAML IDP. If a user's session ends before the IDP timeout is reached, they will automatically be logged back into Live Forms if they try to access it again. It is recommended that the Live Forms session timeout and the IDP session timeout be configured for the same value.

Embedding Forms/Flows in your website

Embedding forms and flows into your website when using the Azure/SAML Security Manager will work in the following scenarios:

Info

Embedding forms and flows into your website is NOT supported if the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to Azure SAML. This is because frevvo must direct the user to the IDP login screen and the browser will not allow loading the IDP login page in frevvo's form iframe.

Troubleshooting

Logging into an Azure SAML tenant as (user@Azure SAML tenant name)

Logging into an Azure SAML tenant as (user@Azure SAML tenant name) displays an application error message.

On-premise customers using the tomcat bundle will see the following entry in the Live Forms error log:

Code Block
Application error processing /frevvo/web/login?null java.lang.UnsupportedOperationException: null

Accessing a Space in an Azure AD tenant on a mobile device will not display a logout button.

Skew error when logging into an Azure tenant

Users logging into a Live Forms Azure SAML tenant may encounter the error "Access Denied. Authorization Required". Examination of the frevvo.log shows the following entry:

Code Block
Response issue time is either too old or with date in the future, skew 60, time 2016-06-01T05:49:25.330Z

This error is typically caused by a clock synchronization issue between the SP (frevvo) and the IdP (Azure), or by a genuine delay in the connection. If you get this error, you can change the value of the context parameter com.frevvo.security.saml.response.skew, which specifies the time in seconds allowed between the SAML request and response, to a value greater than the default of 60 seconds.

If the login into your Azure SAML tenant fails and the Live Forms log reports the following error, you may have to edit your Azure SAML tenant to add the metadata URL.

Code Block
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid.Response issue time is either too old or with date in the future, skew 60, time 2016-06-01T05:49:25.330Z

The URL is needed to handle signing key rollover in Azure Active Directory. This URL is polled and refreshes the Azure IDP metadata every 3 hours. The new metadata is stored and used as a backup in case the URL is not accessible. Refer to Step 6 above for the details.
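As an added example (not frevvo's own code), here are the two checks behind the skew and "Signature is not trusted" log lines above, written in JavaScript: a trust check of the response's signing certificate against the IdP metadata, preferring a freshly polled copy and falling back to the stored copy, and the IssueInstant skew check with the 60-second default. The metadata document and certificate values are constructed placeholders, and the actual XML signature verification is assumed to happen elsewhere; only the trust decision and the time check are modelled.

```javascript
// Added example, not frevvo code: the two checks behind the log lines on this page,
// a signing-certificate trust check against IdP metadata and an IssueInstant skew check.
const DEFAULT_SKEW_SECONDS = 60; // default of com.frevvo.security.saml.response.skew

// Constructed stand-in for the FederationMetadata.xml Azure publishes at the metadata URL.
// During key rollover Azure lists the old and the new signing certificate side by side,
// so a refreshed (or stored) copy of this document keeps both keys trusted.
const ROLLOVER_METADATA =
  '<EntityDescriptor><KeyDescriptor use="signing"><X509Certificate>OLDCERTBASE64</X509Certificate>' +
  '</KeyDescriptor><KeyDescriptor use="signing"><X509Certificate>NEWCERTBASE64</X509Certificate>' +
  '</KeyDescriptor></EntityDescriptor>';

// Every signing certificate in the metadata (namespace prefixes tolerated, whitespace stripped).
function signingCertsFromMetadata(metadataXml) {
  const re = /<(?:\w+:)?KeyDescriptor[^>]*use="signing"[^>]*>[\s\S]*?<(?:\w+:)?X509Certificate>\s*([^<]+?)\s*<\/(?:\w+:)?X509Certificate>/g;
  const certs = [];
  let m;
  while ((m = re.exec(metadataXml)) !== null) certs.push(m[1].replace(/\s+/g, ''));
  return certs;
}

// Trust check: the certificate that signed the Response must be one the IdP publishes.
// Freshly polled metadata is preferred; the stored copy is the fallback when the URL is unreachable.
function checkSignatureTrust(responseCert, liveMetadataXml, storedMetadataXml) {
  const source = liveMetadataXml != null ? liveMetadataXml : storedMetadataXml;
  const trusted = signingCertsFromMetadata(source || '');
  return trusted.includes(responseCert.replace(/\s+/g, '')) ? null : 'Signature is not trusted or invalid.';
}

// Skew check: null when IssueInstant lies within skewSeconds of now, else the text seen in frevvo.log.
function checkIssueInstant(issueInstant, nowMs, skewSeconds = DEFAULT_SKEW_SECONDS) {
  const issuedMs = Date.parse(issueInstant);
  if (Number.isNaN(issuedMs)) return `Response issue time is not a valid timestamp: ${issueInstant}`;
  if (Math.abs(nowMs - issuedMs) / 1000 > skewSeconds) {
    return `Response issue time is either too old or with date in the future, skew ${skewSeconds}, time ${issueInstant}`;
  }
  return null;
}

// Both checks in the order the combined log line shows: trust first, then issue time.
// ctx.liveMetadata is null when the poll failed; ctx.skewSeconds overrides the 60 s default.
function validateResponse(resp, ctx) {
  const errors = [];
  const trust = checkSignatureTrust(resp.signingCert, ctx.liveMetadata, ctx.storedMetadata);
  if (trust) errors.push(trust);
  const skew = checkIssueInstant(resp.issueInstant, ctx.nowMs, ctx.skewSeconds);
  if (skew) errors.push(skew);
  return errors; // empty array means the response passed both checks
}
```

A tenant whose stored metadata only knows the old certificate and has no metadata URL configured reproduces the "Signature is not trusted" failure after Azure rolls its key; a stored copy that already lists both certificates still accepts the response when the poll fails.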

The Azure AD Graph API allows access to users, groups, etc. in Azure AD. User entity attribute data exposed by the API for the logged-in user can be pulled into fields in your form/flow with a business rule. If the attribute that you are looking for is not already exposed, you can:

  • Sync Azure AD to your in-house AD via the Microsoft-provided connector
  • Add an extension property

Once the custom attributes are made available, add them to the Custom section of your Azure SAML tenant.

  1. Log in to your Azure SAML tenant as the tenant admin.
  2. Click the Edit Tenant link.
  3. Add the custom attributes to the Custom section as a comma-separated list. The image shows the department and displayName attributes listed in the custom attribute section.
  4. Design your form/flow with fields to collect the information.
  5. Write a business rule to populate the controls with the custom attribute information.


Here is an example of a rule that will retrieve the custom attributes, department and displayName, plus the standard attributes: First Name, Last Name and Email address.

Code Block
// Runs once when the form loads and copies the logged-in user's attributes into the form controls.
if (form.load) {
    // Standard subject attributes supplied by the security manager
    FirstName.value = _data.getParameter('subject.first.name');
    LastName.value = _data.getParameter('subject.last.name');
    EMail.value = _data.getParameter('subject.email');
    // Custom attributes listed in the tenant's Custom section (department, displayName)
    department.value = _data.getParameter('subject.department');
    displayName.value = _data.getParameter('subject.displayName');
}