...
Note: There are four special roles in Live Forms: frevvo.Designer, frevvo.Publisher, frevvo.ReadOnly. Groups for each role must be specified on your LDAP/AD server if you have users that will be assigned these roles. The group names must be exactly frevvo.Designer, frevvo.Publisher, frevvo.ReadOnly. Upper/lower case may be a factor for OpenLDAP systems.
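The note above requires the role groups to exist on the directory server with exact names, and warns that case can matter on OpenLDAP. The following is an added example, not part of the frevvo documentation or product: given the DNs returned by an LDAP group search (the sample DNs, organisational units and the misspelt "frevvo.publisher" entry below are constructed), it reports each required role group as present with exact case, present only under a different case, or missing.

```python
# Added example (not frevvo's code): case-exact check that the role groups named in the
# note exist among the groups an LDAP/AD search returned. DN layout, the ou=groups
# branch and the dc=example,dc=com suffix are constructed sample data.

REQUIRED_ROLE_GROUPS = ("frevvo.Designer", "frevvo.Publisher", "frevvo.ReadOnly")

# Constructed sample: DNs as an LDAP group search might return them. "frevvo.publisher"
# deliberately has the wrong case and the ReadOnly group is absent.
SAMPLE_GROUP_DNS = [
    "cn=frevvo.Designer,ou=groups,dc=example,dc=com",
    "cn=frevvo.publisher,ou=groups,dc=example,dc=com",
    "cn=Domain Users,ou=groups,dc=example,dc=com",
]


def cn_from_dn(dn):
    """Return the cn value of the leading RDN, or None if the leading RDN is not a cn.

    Handles the plain DNs used here; escaped commas inside values are not handled.
    """
    leading_rdn = dn.split(",", 1)[0]
    attr, sep, value = leading_rdn.partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return value.strip()


def check_role_groups(group_dns, required=REQUIRED_ROLE_GROUPS):
    """Classify each required role group as present (exact case), case_mismatch, or missing.

    Returns a dict with keys "present" (list), "case_mismatch" (dict mapping the
    required name to the name actually found) and "missing" (list).
    """
    found = [cn for cn in (cn_from_dn(dn) for dn in group_dns) if cn]
    by_lower = {cn.lower(): cn for cn in found}
    result = {"present": [], "case_mismatch": {}, "missing": []}
    for name in required:
        if name in found:
            result["present"].append(name)
        elif name.lower() in by_lower:
            result["case_mismatch"][name] = by_lower[name.lower()]
        else:
            result["missing"].append(name)
    return result


if __name__ == "__main__":
    report = check_role_groups(SAMPLE_GROUP_DNS)
    for kind in ("present", "case_mismatch", "missing"):
        print(f"{kind}: {report[kind]}")
```

Feed the function the group DNs from your own directory search (for example the output of an ldapsearch against the groups branch); a non-empty case_mismatch list is the situation the note's OpenLDAP remark refers to, and is worth fixing before users are assigned those roles.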
Configure frevvo.internal.baseurl in frevvo.xml for LDAP SSO
This parameter is needed in frevvo.xml for various activities such as accessing the ACL page, publishing templates, resetting tasks, etc. Let's say you have a browser signed in via SSO to machine m1 (port 80). IIS is running on m1 (port 80) redirecting /frevvo/web to frevvo running on m2:8082. The browser submits a form to m1, and IIS redirects to m2:8082. The doc action is a frevvo:// URI which gets resolved to http://m1/frevvo/... Live Forms POSTs to this URI, but m1 rejects the POST since it is not authenticated.
To avoid situations such as these, set frevvo.internal.baseurl to the actual host:port of the server. Follow these steps:
- Edit <frevvo-home>/tomcat/conf/catalina/localhost/frevvo.xml
- Add the parameter shown below with your information, then save the changes to the file.
Code Block:
    <Parameter name="frevvo.internal.baseurl" value="http://<ip of the m/c where frevvo server is hosted>:<port>" override="false"/>
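The value of frevvo.internal.baseurl has to name the host and port frevvo itself listens on, not the IIS front end, otherwise the server's own POSTs are routed through the proxy and rejected as unauthenticated. The following is an added example, not frevvo's code: it parses a Tomcat context file like frevvo.xml, reads the Parameter element shown above, and flags the two mistakes the scenario describes (a value without the port, or a value pointing at the proxy host). The sample file content and the host names m1 and m2 are constructed to match the text; which names count as proxy hosts is an assumption passed in by the caller.

```python
# Added example (not frevvo's code): sanity checks on the frevvo.internal.baseurl
# Parameter in a Tomcat context file such as frevvo.xml. The file content and the
# host names m1 (IIS front end) and m2 (frevvo server) are constructed to match the text.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PARAM_NAME = "frevvo.internal.baseurl"

# Constructed sample: frevvo runs on m2:8082 behind an IIS front end on m1:80.
SAMPLE_FREVVO_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Parameter name="frevvo.internal.baseurl" value="http://m2:8082" override="false"/>
</Context>
"""


def read_parameter(xml_text, name):
    """Return (value, override) of the <Parameter> with the given name, or (None, None)."""
    root = ET.fromstring(xml_text)
    for param in root.iter("Parameter"):
        if param.get("name") == name:
            return param.get("value"), param.get("override")
    return None, None


def check_internal_baseurl(xml_text, proxy_hosts=("m1",)):
    """Return a list of findings; an empty list means the setting looks right.

    proxy_hosts (assumption: supplied by the caller) are the front-end names that
    server-to-server calls must NOT go through, because the front end would reject
    the unauthenticated POST described in the text.
    """
    value, override = read_parameter(xml_text, PARAM_NAME)
    if value is None:
        return [f"{PARAM_NAME} is not set in frevvo.xml"]
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [f"{PARAM_NAME} must be an absolute http(s) URL, got {value!r}"]
    findings = []
    if parts.port is None:
        findings.append("value should name the actual host:port of the frevvo server (port missing)")
    if parts.hostname.lower() in {h.lower() for h in proxy_hosts}:
        findings.append(f"value points at the front-end proxy {parts.hostname!r}; "
                        "use the host:port frevvo itself listens on")
    if override != "false":
        # Tomcat semantics: override="false" stops a web.xml <context-param> of the
        # same name from replacing this value.
        findings.append('override should be "false"')
    return findings


if __name__ == "__main__":
    print(read_parameter(SAMPLE_FREVVO_XML, PARAM_NAME))
    print(check_internal_baseurl(SAMPLE_FREVVO_XML) or "frevvo.internal.baseurl looks correct")
```

Run it against your own frevvo.xml by reading the file into a string and passing the name of the IIS machine as proxy_hosts; it is a quick pre-check before testing the ACL page, template publishing and task reset flows the text lists.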
Check if the configuration is correct
Here are some quick tests to check if the LDAP configuration is correct:
- Login as the admin or the tenant admin for the LDAP tenant.
- Click on the icon manage users/roles for the LDAP tenant you created.
- Click Manage Users.
- Click All. You should see a list of LDAP users.
- Now, click Back To Manage Tenant.
- Click Manage Roles. You should see a list of groups.
- Log out from Live Forms (you should currently be logged in as admin).
- Try to log in with the user name and password of a user in LDAP. You need to specify the proper tenant when logging in. For instance, if john is a valid LDAP user you should log in as john@MYLDAP. The password would be john's password in LDAP.
Info: Since you are using LDAP to define users and roles (i.e., groups), you do not see an Add User icon or Add Role icon on the Manage Users or Manage Roles pages.
Live Forms and LDAP Use Cases
Single Sign On with Live Forms, IIS and Active Directory
In this scenario, a user authenticates to his Windows account and tries to use Live Forms. Since the user is already authenticated to the network, Live Forms will recognize his credentials and automatically forward the user to his account, if he is a designer, or allow the user to use a form/flow if those resources are available to the tenant.
The basic deployment is IIS fronting Live Forms, with authentication done against LDAP. For that to work you need to:
- Install Live Forms
- Configure Live Forms to work with IIS
- Configure Windows Authentication
- In IIS, make sure that Anonymous Authentication or Basic Authentication is NOT configured in the Web Application (Default Web) that will be used to proxy requests to Live Forms.
- Go through the LDAP configurations described in the beginning of this document.
Please also refer to the force auth property for forms and flows. Force auth lets you override SSO for an individual form or flow.
Once all is configured and running it is possible to test these scenarios:
Signing in from within the network
In this case the user is already authenticated to the Windows network and points the browser to:
Code Block:
    http://[server]/frevvo/web/tn/[LDAP tenant]/login
Substitute [LDAP tenant] above with the tenant name you configured with the LDAP Security Manager.
The user will automatically authenticate to Live Forms. It is crucial that the LDAP user is known to Live Forms; in other words, the user must be one of the entries retrieved by the LDAP expression configured in the property com.frevvo.security.ldap.allUsersFilter in frevvo.xml.
Signing in from outside the network
Very similar to the case above, but in this case the user is trying to reach the URL below from outside the network.
Code Block:
    http://[server]/frevvo/web/tn/[LDAP tenant]/login
Since the user is not authenticated in the Windows network, he will be prompted by the browser for credentials. IIS will authenticate the user in the network and forward the request to Live Forms. The user will be automatically redirected to his initial page without having to re-enter his credentials.
Live Forms login page authenticating against LDAP
...