...

You will need a valid Microsoft Azure subscription.

Authentication Only

When you create an Azure SAML tenant in frevvo, the Authentication Only option is unchecked by default. frevvo assumes that most customers will want to use Active Directory for users and roles, so this option is hidden on the Tenant screen. In Authentication Only mode, users and roles have to be defined in your AD.

Customers using Azure Active Directory must ensure that the frevvo.TenantAdmin and frevvo.Designer roles are specified for tenant admin and designer users.

...

  1. Log onto frevvo as the superuser (on-premise) or the tenant admin (cloud).
  2. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
  3. Select Azure SAML Security Manager from the Security Manager Class dropdown.
  4. Copy the Service Provider (frevvo) metadata into the Service Provider field. You can include the XML prolog when you paste the Service Provider (frevvo) metadata.
  5. Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field.
  6. Enter the URL that you used in Step 3 to generate the Azure IDP metadata into the URL field below the Identity Provider section. The URL is needed to handle signing key rollover in Azure Active Directory. This URL is polled and refreshes the Azure IDP metadata every 3 hours. The new metadata is stored and automatically used as backup in case the URL is not accessible.

    In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the frevvo application id in Azure Active Directory. It was obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.

    https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
  7. Check the Ignore Case checkbox if you are using LDAP for authentication and you want frevvo to ignore the case stored in LDAP systems for users/roles. The field is checked by default. Refer to the Mixed or Upper case User Names topic for more information.

    The Authentication Only checkbox enables SAML to handle authentication only when checked. In this mode, authorization happens based on the roles defined in Azure AD. Authentication Only mode is recommended if you are using the Azure SAML Security Manager. It is checked by default and the field is hidden on the screen.

  8. Enter the User Id. This should be the User property name that identifies the user. Typical values are userPrincipalName, givenname, etc.

  9. Custom attributes can be mapped by typing the attribute names in the Custom field, separated by commas.
  10. Enter the following information in the API Access section.
    1. Enter the Azure tenant identifier into the tenant Id field. This can be obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.
    2. Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.

  11. Configure a tenant admin account. This account does not require Azure SAML authentication. This tenant admin can log directly into frevvo, providing a default security manager backdoor.

    1. The tenant admin id, password and email fields are required.
    2. When this tenant admin performs a form-based login, i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API.
    3. If the tenant-based login URL is used, i.e. /frevvo/web/tn/{t}/login, then the Azure SAML login is used.

    The forgot password function works for an Azure SAML tenant admin user. For all others, it will display the error message about not being supported for the tenant.

  12. Configure the Business Calendar for your tenant. The frevvo escalation feature will use this calendar to calculate deadlines and send notification and reminder emails.
  13. Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.
  14. Click Submit.
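Step 6 above describes the metadata URL being polled, the fresh copy being stored, and the stored copy being used when the URL cannot be reached. The Python below is an added example of that refresh-with-fallback behaviour together with the part that matters for key rollover, pulling the currently published signing certificates out of the metadata. It is not frevvo's code: the metadata document is constructed for the example, the fetch callable, the IdpMetadataCache class and the demo function are hypothetical names, and the 3-hour interval is left to whatever scheduler calls refresh().

```python
"""Refresh an IdP's federation metadata, keep the last good copy as a fallback,
and list the SAML signing certificates it publishes.

Added example for this page, not frevvo's implementation. The HTTP fetch is a
pluggable callable so the logic runs offline; a real deployment would pass a
function that performs an HTTPS GET of the FederationMetadata.xml URL.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata (not real Azure output). It lists two signing
# keys, which is what a tenant sees during a rollover window when the old and
# the new certificate are both published. The XML prolog is deliberately kept.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>OLDCERTBASE64PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>NEWCERTBASE64PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_signing_certs(metadata_xml: str) -> list[str]:
    """Return the base64 X509 certificates the IdP publishes for signing.

    KeyDescriptor elements with use="signing" or with no use attribute (which
    the metadata spec treats as usable for any purpose) are accepted.
    """
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    certs: list[str] = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop PEM whitespace
    return certs


class IdpMetadataCache:
    """Holds the last successfully fetched metadata (hypothetical class name).

    A failed refresh leaves the previous copy in place, so assertion signature
    verification keeps working while the metadata URL is unreachable.
    """

    def __init__(self, url: str, fetch: Callable[[str], str]):
        self.url = url
        self.fetch = fetch
        self.metadata: Optional[str] = None
        self.last_error: Optional[str] = None

    def refresh(self) -> bool:
        """Download fresh metadata; True on success, False (cache untouched) otherwise."""
        try:
            fresh = self.fetch(self.url)
            if not parse_signing_certs(fresh):  # also raises on malformed XML
                raise ValueError("metadata lists no signing certificate")
            self.metadata = fresh
            self.last_error = None
            return True
        except Exception as exc:  # network failure, bad XML, empty document
            self.last_error = repr(exc)
            return False

    def signing_certs(self) -> list[str]:
        if self.metadata is None:
            raise RuntimeError("no IdP metadata available: never fetched successfully")
        return parse_signing_certs(self.metadata)


def demo() -> dict:
    """One successful poll followed by an outage of the metadata URL."""
    url = "https://login.microsoftonline.com/<APP-ID-PLACEHOLDER>/FederationMetadata/2007-06/FederationMetadata.xml"
    calls = {"n": 0}

    def flaky_fetch(u: str) -> str:
        calls["n"] += 1
        if calls["n"] == 1:
            return SAMPLE_METADATA  # first poll succeeds
        raise ConnectionError("simulated outage of " + u)

    cache = IdpMetadataCache(url, flaky_fetch)
    first_ok = cache.refresh()
    second_ok = cache.refresh()
    return {"first_ok": first_ok, "second_ok": second_ok,
            "certs": cache.signing_certs(), "error": cache.last_error}


if __name__ == "__main__":
    print(demo())
```

Running the script shows the second poll failing while signing_certs() still returns both certificates from the cached copy. Keeping every published signing certificate, rather than only the first, is what lets assertions signed with either key verify during the rollover window.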


...