
  • You will need a valid Microsoft Azure subscription
  • The frevvo.TenantAdmin and frevvo.Designer groups must be specified on your Active Directory server. The group names must be spelled as shown. Upper/lower case may be a factor for Open LDAP systems. These groups are required.

    • Tenant admin users must be assigned to the frevvo.TenantAdmin group.
    • Designer users must be assigned to the frevvo.Designer group.
  • The frevvo.Publisher and the frevvo.ReadOnly groups are optional. Refer to the links provided for information about when these groups are used to help you decide whether or not you want to create them.
    • Users with the frevvo.publishers role must be assigned to the frevvo.Publisher group. Refer to the Administrator Best Practices for an explanation of this role.
    • Users with the frevvo.ReadOnly role must be assigned to frevvo.ReadOnly group.


  • The group names for these special roles must be exactly frevvo.TenantAdmin and frevvo.Designer. Upper/lower case may be a factor for Open LDAP systems.
  • frevvo Best Practice recommends that you create a user account in your Active Directory or IDP that will house all of your deployed Production forms/flows. This user can be named anything, e.g. frevvoProduction, but it must be a member of the frevvo.Designer group.
  • If you want to preserve Applications/Forms/flows developed in your trial/starter tenant, download them to your desktop as a backup BEFORE changing the Security Manager.
  • frevvo only supports the Azure SAML Security Manager when frevvo is running in the tomcat container. Refer to our Supported Platforms for the list of Application Servers supported/certified by frevvo.


  1. Log onto frevvo as the superuser (on-premise) or the tenant admin (cloud).
  2. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
  3. Select Azure SAML Security Manager from the Security Manager Class dropdown.
  4. Copy the Service Provider (frevvo) metadata into the Service Provider field. You can include the xml prolog when you paste the Service Provider (frevvo) metadata.

  5. Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field.

  6. Enter the URL that you used in Step 3 to generate the Azure IDP metadata into the URL field below the Identity Provider section. The URL is needed to handle signing key rollover in Azure Active Directory: frevvo polls it every 3 hours and refreshes the stored Azure IDP metadata from it. The most recently fetched metadata is kept and used automatically as a backup whenever the URL is not accessible, so a failed poll never leaves the tenant without a signing certificate.

    In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the application id in Azure Active Directory. It was obtained by viewing the endpoint URLs listed when you click Endpoints in your frevvo Azure application.

  7. Check the Ignore Case checkbox if you are using LDAP for authentication and you want to ignore the case stored in LDAP systems for users/roles. The field is checked by default. Refer to the Mixed or Upper case User Names topic for more information.

  8. Enter the User Id. This is the name of the user property that uniquely identifies the user, e.g. userPrincipalName or givenname. Choose a property that is unique per user; a display-name style property such as givenname can collide.

  9. Custom attributes can be mapped by typing the attribute names in the Custom field separated by a comma.
  10. Enter the following information in the API Access section.
    1. Enter the Azure tenant identifier into the Tenant Id field. This can be obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.
    2. Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.

  11. Configure a tenant admin account. This account does not require Azure SAML authentication. This tenant admin can log directly into frevvo, providing a default security manager backdoor. Because this account bypasses Azure SAML (and therefore any MFA or conditional access policies enforced there), protect it with a strong, unique password and limit its use to break-glass administration.

    1. The tenant admin id, password and email fields are required.
    2. When this tenant admin performs a form based login i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API.
    3. If the tenant based login url is used i.e. /frevvo/web/tn/{t}/login then the Azure SAML login is used.

    The forgot password function works for an Azure SAML tenant admin user. For all others, it will display the error message about not being supported for the tenant.

  12. Configure the Business Calendar for your tenant. The frevvo escalation feature will use this calendar to calculate deadlines and send notification and reminder emails.
  13. Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.
  14. Click Submit.
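The metadata URL in step 6 exists to survive Azure AD signing-key rollover: the IdP publishes the new certificate alongside the old one for a while, and the Service Provider must pick it up before the old one stops being used. The example below, added here and not part of frevvo or of this page, shows the behaviour the page describes: one poll cycle fetches the metadata, extracts the signing-certificate fingerprints, reports whether the key set changed, and keeps the last good copy when the URL is unreachable or returns unusable XML. The federation metadata URL form and the EntityDescriptor layout are assumptions modelled on Azure AD (the page's own URL code block did not survive extraction); the certificates are constructed placeholder bytes, not real X.509 data.

```python
"""Refresh Azure AD federation metadata and detect signing-key rollover.

Added example, not frevvo's code. The metadata URL form and the
EntityDescriptor layout are assumptions modelled on Azure AD; the
certificates below are constructed placeholders, not real X.509 data.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed URL form; fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the application
# id quoted on the page, {tenant_id} is the Azure tenant identifier.
METADATA_URL = (
    "https://login.microsoftonline.com/{tenant_id}/federationmetadata/"
    "2007-06/federationmetadata.xml?appid=fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2"
)


def signing_cert_fingerprints(metadata_xml: str) -> List[str]:
    """SHA-256 fingerprints of the IdP signing certificates in the metadata.

    A KeyDescriptor with no `use` attribute may be used for signing, so only
    descriptors explicitly marked for encryption are skipped.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "encryption":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


class IdpMetadataCache:
    """Keeps the last good metadata; a failed poll never replaces it."""

    def __init__(self, url: str, fetch: Callable[[str], str], initial_xml: str):
        self.url = url
        self.fetch = fetch  # network call injected so the demo runs offline
        self.current_xml = initial_xml
        self.last_error = ""

    def refresh(self) -> Dict[str, object]:
        """One poll cycle (the page says frevvo runs this every 3 hours)."""
        old_fps = set(signing_cert_fingerprints(self.current_xml))
        try:
            fresh = self.fetch(self.url)
            new_fps = set(signing_cert_fingerprints(fresh))
            if not new_fps:
                raise ValueError("fetched metadata carries no signing certificate")
        except Exception as exc:  # unreachable URL, bad XML, empty metadata
            self.last_error = f"{type(exc).__name__}: {exc}"
            return {"source": "cached", "rolled_over": False,
                    "fingerprints": sorted(old_fps)}
        self.current_xml = fresh
        self.last_error = ""
        return {"source": "fetched", "rolled_over": new_fps != old_fps,
                "fingerprints": sorted(new_fps)}


def build_metadata(tenant_id: str, certs: List[str]) -> str:
    """Constructed minimal IdP metadata for the demo; entityID form assumed."""
    key_descriptors = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:KeyInfo></md:KeyDescriptor>"
        for c in certs
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="https://sts.windows.net/{tenant_id}/">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{key_descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Placeholder "certificates": arbitrary bytes, base64-encoded, not real certs.
CERT_OLD = base64.b64encode(b"constructed placeholder certificate 1").decode()
CERT_NEW = base64.b64encode(b"constructed placeholder certificate 2").decode()


def demo() -> List[Dict[str, object]]:
    """Three polls: unchanged, rollover (both certs published), then outage."""
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
    responses = iter([
        build_metadata(tenant, [CERT_OLD]),
        build_metadata(tenant, [CERT_OLD, CERT_NEW]),
    ])

    def fetch(url: str) -> str:
        try:
            return next(responses)
        except StopIteration:
            raise ConnectionError("simulated outage of " + url)

    cache = IdpMetadataCache(METADATA_URL.format(tenant_id=tenant), fetch,
                             build_metadata(tenant, [CERT_OLD]))
    return [cache.refresh(), cache.refresh(), cache.refresh()]


if __name__ == "__main__":
    for r in demo():
        print(r["source"], "rolled_over=%s" % r["rolled_over"], r["fingerprints"])
```

The third poll fails, and the cache answers from the metadata fetched on the second poll, which already contains both certificates; that is the property that keeps logins working across a rollover even while the URL is down.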


  1. Paste this tenant specific URL into your browser:
    1. Cloud Customers: {t}/login - Replace {t} with the name of your Azure SAML tenant.
    2. On-premise Customers: http://<server>:<port>/frevvo/web/tn/{t}/login - Replace <server> and <port> with your server information and {t} with the name of your Azure SAML tenant.
    3. The user is redirected to the Azure login screen.
    4. If the user is authenticated, frevvo screens display depending on the level of authorization specified for the user. Designer users will see the Application Home Page while non-designer users will be directed to their Task List.

    You will see this redirection when logging into a frevvo space as well.

  • Clicking the logout link in frevvo logs the user out from frevvo.
  • When a user logs in to a space, the logout link will not be visible in an Azure AD (SSO) tenant.
  • When a user logs in to frevvo (non-space mode), the logout link will be visible in an Azure AD (SSO) tenant.


If your Azure SAML userIds are in the format <username>@<domain name>, the frevvo tenant name is appended to the userId when you log in to frevvo (ex: username@<domain name>@<frevvo tenant name>). This is as designed. You will see <username>@<domain name>@<frevvo tenant name> as the logged in user at the top of the screen. If your domain name is the same as your frevvo tenant name, it will appear as if the domain name is listed twice.
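The pieces of tenant configuration above (Ignore Case, User Id, Custom attributes, the frevvo.* group names, and the tenant suffix on the displayed userId) interact in ways that are easy to get wrong on an Open LDAP directory where case is significant. The example below, added here and not frevvo's code, models that behaviour end to end: it resolves a user id from a directory profile by property name, maps the listed custom attributes, derives roles from the required group names with or without case folding, and builds the <userId>@<tenant> display form, including the "domain listed twice" case the page describes. The profile dict, the role labels and the lookup result shape are constructed for the example; only the group names and the Application Home Page / Task List routing come from the page.

```python
"""Map a directory user profile to a frevvo-style login id and roles.

Added example, not frevvo's code. It models the page's Ignore Case,
User Id, Custom attribute and tenant-suffix behaviour; the profile
dict, role labels and lookup shape are constructed/assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Group names are the ones the page requires; the role labels are mine.
ROLE_GROUPS = {
    "frevvo.TenantAdmin": "tenant-admin",
    "frevvo.Designer": "designer",
    "frevvo.Publisher": "publisher",
    "frevvo.ReadOnly": "read-only",
}


@dataclass
class TenantConfig:
    tenant: str                                # frevvo tenant name ({t} in the login URL)
    user_id_property: str = "userPrincipalName"  # the User Id field
    custom_attributes: str = ""                # comma separated, as typed in Custom
    ignore_case: bool = True                   # the Ignore Case checkbox (default checked)


@dataclass
class ResolvedUser:
    login_id: str
    display_id: str        # shown at the top of the screen: <userId>@<tenant>
    roles: List[str]
    attributes: Dict[str, str]


def _same(a: str, b: str, ignore_case: bool) -> bool:
    return a.lower() == b.lower() if ignore_case else a == b


def _lookup(profile: Dict[str, str], name: str, ignore_case: bool) -> Optional[str]:
    """Find a profile property by name, folding case only when configured."""
    for key, value in profile.items():
        if _same(key, name, ignore_case):
            return value
    return None


def resolve_user(profile: Dict[str, str], groups: List[str],
                 cfg: TenantConfig) -> ResolvedUser:
    raw_id = _lookup(profile, cfg.user_id_property, cfg.ignore_case)
    if not raw_id:
        raise ValueError(f"user id property {cfg.user_id_property!r} not in profile")
    login_id = raw_id.lower() if cfg.ignore_case else raw_id

    # A role is granted only if the directory group matches the required
    # frevvo.* name; with Ignore Case off, "frevvo.designer" does not count.
    roles = [role for group, role in ROLE_GROUPS.items()
             if any(_same(g, group, cfg.ignore_case) for g in groups)]

    wanted = [n.strip() for n in cfg.custom_attributes.split(",") if n.strip()]
    attributes: Dict[str, str] = {}
    for name in wanted:
        value = _lookup(profile, name, cfg.ignore_case)
        if value is not None:          # attributes the directory lacks are skipped
            attributes[name] = value

    return ResolvedUser(login_id, f"{login_id}@{cfg.tenant}", roles, attributes)


def landing_page(user: ResolvedUser) -> str:
    """Designers land on the Application Home Page, everyone else on the Task List."""
    return "Application Home Page" if "designer" in user.roles else "Task List"


# Constructed profile and group list, shaped like a directory lookup result.
PROFILE = {"userPrincipalName": "Alice@contoso.com", "givenName": "Alice",
           "department": "Finance"}
GROUPS = ["frevvo.designer", "Finance-Staff"]   # note the lower-case 'd'

if __name__ == "__main__":
    cfg = TenantConfig(tenant="contoso.com", custom_attributes="department, mail")
    user = resolve_user(PROFILE, GROUPS, cfg)
    print(user.display_id, user.roles, user.attributes, landing_page(user))
```

With the tenant named contoso.com and a UPN in the same domain, the display id comes out as alice@contoso.com@contoso.com, which is the doubled domain the page warns about; switching Ignore Case off against the same group list silently drops the designer role, which is why the page flags case as a factor on Open LDAP.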