Versions Compared

...

  • You will need a valid Microsoft Azure subscription
  • The frevvo.TenantAdmin and frevvo.Designer groups must be specified on your Active Directory server. The group names must be spelled as shown. Upper/lower case may be a factor for Open LDAP systems. These groups are required.
    • Tenant admin users must be assigned to the frevvo.TenantAdmin group.
    • Designer users must be assigned to the frevvo.Designer group.
  • The frevvo.Publisher and the frevvo.ReadOnly groups are optional. Refer to the links provided for information about when these groups are used to help you decide whether or not you want to create them.
    • Users with the frevvo.publishers role must be assigned to the frevvo.Publisher group. Refer to the Administrator Best Practices for an explanation of this role.
    • Users with the frevvo.ReadOnly role must be assigned to frevvo.ReadOnly group.

Refer to Manage Roles for a description of these roles in Frevvoproduct.

Configuring the Azure SAML Security Manager

Frevvoproduct tenant using the Azure SAML Security Manager:


Warning
  • The group names for these three special roles must be frevvo.TenantAdmin and frevvo.Designer. Upper/lower case may be a factor for Open LDAP systems.
  • frevvo Best Practice recommends that you create a user account in your Active Directory or IDP that will house all of your deployed Production forms/flows. This user can be named anything, e.g. frevvoProduction, but it must be a member of the frevvo.Designer group.
  • If you want to preserve Applications/Forms/flows developed in your trial/starter tenant, download them to your desktop as a backup BEFORE changing the Security Manager.
  • frevvo only supports the Azure SAML Security Manager when Frevvoproduct is running in the tomcat container. Refer to our Supported Platforms for the list of Application Servers supported/certified by frevvo.


Step 1 - Create an Application for Live Forms in Azure

frevvo assumes that customers have someone on staff who can successfully perform this step of the procedure. Information about Frevvoproduct is listed below to help you with this process.

Info

The Azure global administrator MUST create the application for Frevvoproduct in Azure.

...

If you are familiar with the Microsoft Azure Legacy Portal, review this Microsoft Training Guide before setting up the Azure application for Frevvoproduct.

...

Some more tips:
Info

Do not include the curly braces in the URLs discussed below.

  1. Log in to the Microsoft Azure Management console (https://manage.windowsazure.com or https://portal.azure.com) with your Azure global administrator account.

...

  2. Click on the Azure Active Directory link on the left side of the screen.
  3. Click on the App Registrations link.
  4. Click on the New application registration link to create a new application.
  5. Enter the following details:
    1. Name: the name of your frevvo Azure application.
    2. Select who can use this application or access this API.
  6. Configure the Redirect URL:
    1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{t} - replace {t} with the name of your frevvo tenant.

      Info

      For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo Cloud tenant named mycompany.com, the REPLY URL would be:

      https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/mycompany.com

    2. On-premise customers should use http://<server>:<port>/frevvo/web/saml/SSO/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

      Info

      For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo in-house tenant named mycompany.com, the REPLY URL would be:

      https://<server:port>/frevvo/web/saml/SSO/alias/mycompany.com

    3. Click Register.
  7. Select the frevvo application from the list.
  8. Click the Branding tab.
  9. Configure the Home Page URL:
    1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the name of your frevvo Cloud tenant.

      Info

      For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo Cloud tenant named mycompany.com, the SIGN-ON URL would be:

      https://app.frevvo.com:443/frevvo/web/tn/mycompany.com/login

    2. On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the ip of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

      Info

      For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo in-house tenant named mycompany.com, the SIGN-ON URL would be:

      https://<server:port>/frevvo/web/tn/mycompany.com/login

    3. Click Save.
  10. Click the Overview tab.
    1. Copy the Application ID into your notepad. This is the value of the Client ID on the frevvo configuration screen.
    2. Copy the Directory ID into your notepad. This is the value of the Tenant ID on the frevvo configuration screen.
    3. Click Endpoints at the top of the screen. Copy the Federation Metadata Document URL from the list to your notepad. This is the URL that you will use to generate the Azure metadata.

    You will need the Azure tenant ID, the client id and client secret key that are created for the frevvo application when configuring your Frevvoproduct Azure SAML tenant.
  11. Click on the API Permissions tab.
    1. Click Add a Permission.
    2. Select Azure Active Directory Graph from the Supported legacy APIs section.
    3. For Application Permissions, select Read and write directory data (under Directory).
    4. For Delegated Permissions, select Sign in and read user profile (under User) AND Read directory data (under Directory).
    5. Click on the Grant Permissions button, select the "Yes" option and click on the Save button.
  12. Click on the Expose an API tab.
    1. Configure the Application ID URI:
      1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/alias/{t} - replace {t} with the name of your frevvo Cloud tenant.

        Info

        For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo Cloud tenant named mycompany.com, the App ID URI would be:

        https://app.frevvo.com:443/frevvo/web/alias/mycompany.com

      2. On-premise customers should use http://<server>:<port>/frevvo/web/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

        Info

        For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo in-house tenant named mycompany.com, the App ID URI would be:

        https://<server:port>/frevvo/web/alias/mycompany.com

      3. Click Save.
  13. Click the Certificates & secrets tab.
    1. Generate the Client Secret. COPY/SAVE the VALUE in a notepad - you will need this for the frevvo tenant screen. There is only one chance to retrieve the client secret key when you create the application for Frevvoproduct in Azure. Once you leave this screen the value will be hidden.
  14. To find the client id (the same as the Application ID):
    1. Click on App registrations.
    2. Click on your application.
    3. Copy the application ID shown for your application.
  15. To find the tenant id:
    1. Select Azure Active Directory.
    2. Select Properties for your Azure AD tenant.
    3. The value in the Directory ID field is the tenant ID for your Azure application.
    4. OR click the Endpoints button under App registrations. In the Federation Metadata Document URL, the value between login.microsoftonline.com and federationmetadata is the tenant id.

The same settings can also be configured from the application's Settings link:

  1. Click on the Settings link then click on the Properties link.
  2. Configure the App ID URI and Home page URL as follows:
    1. App ID URI:
      1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/alias/{t} - replace {t} with the tenant id of your frevvo Azure SAML tenant.
      2. On-premise customers should use http://<server>:<port>/frevvo/web/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and {t} with your frevvo Azure SAML tenant id.
    2. Home page URL:
      1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the tenant id of your frevvo Azure SAML tenant.
      2. On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the ip of your server, <port> with the port number (if applicable) and {t} with your frevvo Azure SAML tenant id.
  3. Click on the Save button at the top of the screen.
  4. Navigate to the Settings column then click on the Reply URLs link.
  5. Enter one of the following to create the reply URL:
    1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{t} - replace {t} with the tenant id of your frevvo Azure SAML tenant.
    2. On-premise customers should use http://<server>:<port>/frevvo/web/saml/SSO/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and {t} with your frevvo Azure SAML tenant id.
  6. Click on the Save button.
  7. Navigate to the Settings column then click on the Required permissions link.
  8. Click API.
  9. Select Read and write directory data under Application permissions.
  10. Select Sign in and read user profile AND Read directory data under Delegated permissions.
  11. Navigate to the Required permissions column: click on the Grant Permissions button, select the "Yes" option and click on the Save button.
  12. Navigate to the Registered app column and click on Manifest. Check the value of the Home Page.
  13. Click on the Settings link then click on the Keys link.
  14. Enter the following details:
    1. Description - enter any text here.
    2. Expires - select any value from the dropdown.
  15. Click on the Save button.
  16. After clicking on the Save button, copy the value of the "Value" column. This is the Client secret that you will need when configuring the Frevvoproduct tenant screen.

Example of the Federation Metadata Document URL:

  https://login.microsoftonline.com/3d532ac1-a43c-45c7-b0e9-cc814400ca11/federationmetadata/2007-06/federationmetadata.xml
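The values collected in Step 1 (client id, tenant id, client secret, the Federation Metadata Document URL and the reply/home page/App ID URLs) are easy to mistype, and a wrong reply URL or a tenant id copied from the wrong directory only shows up later as a failed SAML login. The script below is an added example, not frevvo's own code: it checks the collected values against the URL patterns the procedure above prescribes and extracts the tenant id from the metadata URL the way the last step describes. The tenant id and metadata URL are the example values shown above; the client id, client secret and function names are this example's own placeholders.

```python
"""Consistency checks for the values copied from the Azure app registration.

Added example (not frevvo's own code). Function and field names are this
example's own; the URL patterns are the ones the procedure above prescribes.
"""
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
AZURE_LOGIN_HOST = "login.microsoftonline.com"
CLOUD_BASE = "https://app.frevvo.com:443"


def tenant_id_from_metadata_url(url):
    """Extract the Azure tenant id from a Federation Metadata Document URL.

    As the procedure states, the tenant id is the path segment between
    login.microsoftonline.com and federationmetadata. Anything else is rejected
    so a URL pasted from the wrong host or tenant is caught early.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != AZURE_LOGIN_HOST:
        raise ValueError("metadata URL must be https on " + AZURE_LOGIN_HOST)
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) < 2 or segments[1].lower() != "federationmetadata":
        raise ValueError("not a federation metadata document URL: " + url)
    if not GUID_RE.match(segments[0]):
        raise ValueError("tenant id in URL is not a GUID: " + segments[0])
    return segments[0].lower()


def expected_sp_urls(tenant, base=CLOUD_BASE):
    """frevvo-side URLs that Azure must be given for tenant {t}.

    base is https://app.frevvo.com:443 for Cloud; on-premise customers pass
    http://<server>:<port> instead.
    """
    return {
        "reply_url": f"{base}/frevvo/web/saml/SSO/alias/{tenant}",
        "home_page_url": f"{base}/frevvo/web/tn/{tenant}/login",
        "app_id_uri": f"{base}/frevvo/web/alias/{tenant}",
        "sp_metadata_url": f"{base}/frevvo/web/saml/metadata/alias/{tenant}",
    }


def check_registration(values, tenant, base=CLOUD_BASE):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for key in ("client_id", "tenant_id"):
        if not GUID_RE.match(values.get(key, "")):
            problems.append(f"{key} is not a GUID")
    try:
        url_tenant = tenant_id_from_metadata_url(values.get("metadata_url", ""))
        if values.get("tenant_id", "").lower() != url_tenant:
            problems.append("tenant_id does not match the Federation Metadata Document URL")
    except ValueError as exc:
        problems.append(str(exc))
    expected = expected_sp_urls(tenant, base)
    for key in ("reply_url", "home_page_url", "app_id_uri"):
        if values.get(key) != expected[key]:
            problems.append(f"{key} should be {expected[key]}")
    if not values.get("client_secret"):
        problems.append("client_secret is missing (it is shown only once, when created)")
    return problems


# Constructed sample: tenant id and metadata URL are the page's example values;
# client_id and client_secret are placeholders, not real credentials.
COLLECTED = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "3d532ac1-a43c-45c7-b0e9-cc814400ca11",
    "client_secret": "PLACEHOLDER-SECRET-VALUE",
    "metadata_url": "https://login.microsoftonline.com/3d532ac1-a43c-45c7-b0e9-cc814400ca11"
                    "/federationmetadata/2007-06/federationmetadata.xml",
    "reply_url": "https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/mycompany.com",
    "home_page_url": "https://app.frevvo.com:443/frevvo/web/tn/mycompany.com/login",
    "app_id_uri": "https://app.frevvo.com:443/frevvo/web/alias/mycompany.com",
}

if __name__ == "__main__":
    for line in check_registration(COLLECTED, "mycompany.com") or ["all values consistent"]:
        print(line)
```

Run it with the values from your own notepad before filling in the tenant screen in Step 4; on-premise customers pass their http://<server>:<port> base as the third argument of check_registration.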

 

  • Proceed to Step 2 - Create the Live Forms metadata file

Warning

Just a reminder - you will need the Azure tenant ID, the client id and client secret for the frevvo application when configuring your Frevvoproduct Azure SAML tenant.

Step 2 - Create the Live Forms metadata file

Follow these steps to generate the frevvo metadata for your Azure SAML tenant. You can do this even if the tenant has not been created yet.

  1. Paste this URL into your browser:
    1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the tenant id name of your Frevvoproduct Azure SAML tenant, e.g. azuread.
    2. On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo tenant id.
  2. When the metadata displays, right click and select the browser option to View the Page Source. Save the page as an xml file.
  3. Metadata must be generated for each Azure SAML tenant. Each tenant will have a unique URL.

Step 3 - Create the Azure Tenant IdP metadata file

Follow these steps:

  1. Browse the Federation Metadata Document URL that you copied to your notepad when creating the Azure application for Frevvoproduct. It is located on the Endpoints tab in your frevvo Azure application and has the form https://login.microsoftonline.com/{azure-tenant-name}/FederationMetadata/2007-06/FederationMetadata.xml. In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the Frevvoproduct application id in Azure Active Directory.

    Example of Federation Metadata Document URL from Endpoints:

      https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml

  2. Save all the metadata returned as an xml file.
  3. We will need to copy the entire metadata from this file to the Azure SAML Security Manager configuration screen.
  4. Metadata must be generated for each Azure SAML tenant. Each tenant will have a unique URL.

Step 4 - Create/edit the Azure SAML tenant

...

  1. Log onto Frevvoproduct as the superuser (on-premise) or the tenant admin (cloud).
  2. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
  3. Select Azure SAML Security Manager from the Security Manager Class dropdown.
  4. Copy the Service Provider (frevvo) metadata into the Service Provider field. You can include the xml prolog when you paste the Service Provider (frevvo) metadata.
  5. Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field.
  6. Enter the Federation Metadata Document URL that you used in Step 3 to generate the Azure IDP metadata (copied from Endpoints in your frevvo Azure application) into the URL field below the Identity Provider section. The URL is needed to handle signing key rollover in Azure Active Directory: it is polled every 3 hours and the Azure IDP metadata is refreshed from it. The new metadata is stored and is used automatically as a backup in case the URL is not accessible.

    In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the Frevvoproduct application id in Azure Active Directory. It was obtained by viewing the endpoint URLs listed when you click Endpoints in your frevvo Azure application.

    Example of Federation Metadata Document URL:

      https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml

  7. Check the Ignore Case checkbox if you are using LDAP for authentication and you want Frevvoproduct to ignore the case stored in LDAP systems for users/roles. The field is checked by default. Refer to the Mixed or Upper case User Names topic for more information.
  8. Enter the User Id. This should be the User property name that identifies the user. Typical values are userPrincipalName, givenname etc.
  9. Custom attributes can be mapped by typing the attribute names in the Custom field separated by commas.
  10. Enter the following information in the API Access section.
    1. Enter the Azure tenant identifier into the Tenant Id field. This can be obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.
    2. Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.
  11. Configure a tenant admin account. This account does not require Azure SAML authentication. This tenant admin can log directly into Frevvoproduct, providing a default security manager backdoor.
    1. The tenant admin id, password and email fields are required.
    2. When this tenant admin performs a form based login, i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API.
    3. If the tenant based login url is used, i.e. /frevvo/web/tn/{t}/login, then the Azure SAML login is used.

    The forgot password function works for an Azure SAML tenant admin user. For all others, it will display the error message about not being supported for the tenant.

  12. Configure the Business Calendar for your tenant. The Frevvoproduct escalation feature will use this calendar to calculate deadlines and send notification and reminder emails.
  13. Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.
  14. Click Submit.
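Step 6 above relies on the Federation Metadata Document URL being polled so that a new Azure signing certificate is picked up before the old one stops being used; step 10 separately asks for the Azure tenant id. The script below is an added example, not frevvo's own code, of what such a poll has to do with the document it fetches: parse the SAML 2.0 metadata, pull out the entityID, the SingleSignOnService endpoints and the signing certificates, compare the certificate fingerprints against the stored copy to see whether a rollover is in progress, and confirm the metadata really belongs to the configured tenant. It assumes the metadata shape Azure AD publishes (EntityDescriptor/IDPSSODescriptor, entityID of the form https://sts.windows.net/<tenant-id>/); the two sample documents are constructed, with placeholder bytes standing in for real certificates, and the tenant id is the example value from Step 3.

```python
"""Parse Azure AD federation metadata and detect signing key rollover.

Added example (not frevvo's own code). It assumes the SAML 2.0 metadata shape
Azure AD publishes (EntityDescriptor / IDPSSODescriptor, entityID of the form
https://sts.windows.net/<tenant-id>/); the sample documents below are
constructed, with placeholder bytes standing in for real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TENANT_ID = "fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2"  # the page's example id


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    fingerprints = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.add(fingerprint(der))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_fingerprints": sorted(fingerprints)}


def matches_tenant(meta, tenant_id):
    """True if the entityID belongs to the Azure tenant entered on the tenant screen."""
    return meta["entity_id"].lower() == f"https://sts.windows.net/{tenant_id.lower()}/"


def detect_rollover(stored, fetched):
    """Diff the stored metadata against a freshly polled copy."""
    old = set(stored["signing_fingerprints"])
    new = set(fetched["signing_fingerprints"])
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "entity_id_changed": stored["entity_id"] != fetched["entity_id"]}


def should_accept(stored, fetched):
    """Accept the polled copy only if it is the same IdP and still carries a signing key."""
    change = detect_rollover(stored, fetched)
    return not change["entity_id_changed"] and bool(fetched["signing_fingerprints"])


def constructed_metadata(cert_blobs):
    """Build a constructed metadata document (Azure's shape; certs are placeholders)."""
    keys = "".join(
        '<KeyDescriptor use="signing"><KeyInfo xmlns="%s"><X509Data>'
        "<X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>"
        % (NS["ds"], base64.b64encode(blob).decode())
        for blob in cert_blobs)
    sso = ('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:%s" '
           'Location="https://login.microsoftonline.com/%s/saml2"/>')
    return ('<EntityDescriptor xmlns="%s" entityID="https://sts.windows.net/%s/">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            "%s%s%s</IDPSSODescriptor></EntityDescriptor>"
            % (NS["md"], TENANT_ID, keys,
               sso % ("HTTP-Redirect", TENANT_ID), sso % ("HTTP-POST", TENANT_ID)))


# Snapshot stored with the tenant configuration, and the copy a later poll fetches
# while Azure rolls its signing key (old and new certificates both published).
STORED_METADATA = constructed_metadata([b"constructed-cert-1"])
FETCHED_METADATA = constructed_metadata([b"constructed-cert-1", b"constructed-cert-2"])

if __name__ == "__main__":
    stored, fetched = parse_idp_metadata(STORED_METADATA), parse_idp_metadata(FETCHED_METADATA)
    print("rollover:", detect_rollover(stored, fetched))
    print("accept polled copy:", should_accept(stored, fetched))
```

During a rollover the fetched document lists both certificates, so the check reports one fingerprint added and none removed; only a changed entityID or an empty signing set is treated as a reason to keep the stored copy, which is the backup behaviour step 6 describes.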


Step 5 - Logging into a Live Forms Azure SAML Tenant

...

  1. Paste this tenant specific URL into your browser:
    1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the name of your Azure SAML tenant.
    2. On-premise Customers: http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> and <port> with your server information and {t} with the name of your Azure SAML tenant.
  2. The user is redirected to the Azure login screen.
  3. If the user is authenticated, Frevvoproduct screens display depending on the level of authorization specified for the user. Designer users will see the Application Home Page while non-designer users will be directed to their Task List.

You will see this redirection when logging into a Frevvoproduct space as well.

Note
  • Clicking the logout link in Frevvoproduct logs the user out from Frevvoproduct only.
  • When a user logs in to a space, the logout link will not be visible in an Azure AD (SSO) tenant.
  • When a user logs in to Frevvoproduct (non-space mode), the logout link will be visible in an Azure AD (SSO) tenant.

Logged in User Display in Azure SAML Live Forms tenant

If your Azure SAML userIds are in the format <username>@<domain name>, when you login to Frevvoproduct the Frevvoproduct tenant name is appended to the userId (ex: <username>@<domain name>). This is as designed. You will see <username>@<domain name>@<frevvo tenant name> as the logged in user at the top of the screen. If your domain name is the same as your Frevvoproduct tenant name, it will appear as if the domain name is listed twice.

Azure SAML Tenant backdoor admin user

...