Live Forms supports the Azure Security Manager for Single Sign On. Users/roles are automatically pulled from Azure AD into Live Forms cloud tenants and on-premise installations. Users are redirected to the Microsoft Azure login screen for authentication.

frevvo recommends using the SAML Security Manager for customers who want to manage users/roles from the Live Forms UI.


...

  • You will need a valid Microsoft Azure subscription.
  • The frevvo.TenantAdmin and frevvo.Designer groups must exist on your Active Directory server. The group names must be spelled exactly as shown; upper/lower case may matter on OpenLDAP systems. These groups are required.

    • Tenant admin users must be members of the frevvo.TenantAdmin group.
    • Designer users must be members of the frevvo.Designer group.
Warning
  • Contact the frevvo Customer Success team to schedule your Security Manager configuration.
  • frevvo Best Practice recommends that you create a user account in your Active Directory that will house all of your deployed Production forms/flows. This user can be named anything, e.g. frevvoProduction, but it must be a member of the frevvo.Designer group.
  • If you want to preserve Applications/Forms/Flows developed in your trial/starter tenant, perform these steps BEFORE changing the Security Manager:
    1. Download the Applications/Forms/Flows that you want to preserve to your desktop as a backup. Do this for every user account that owns Applications/Forms/Flows you want to keep.
    2. When all backups are complete, delete the user accounts in your Default Security Manager tenant.
  • There are two additional roles in Live Forms, frevvo.Publisher and frevvo.ReadOnly. These roles are optional.
    • To give a user the frevvo.Publisher role, create the frevvo.Publisher group in your AD and assign users to it. Refer to the Administrator Best Practices for an explanation of this role.
    • To give a user the frevvo.ReadOnly role, create the frevvo.ReadOnly group in your AD and assign users to it. Following frevvo Best Practice eliminates the need for this role.
  • frevvo only supports the Azure Security Manager when Live Forms is running in the Tomcat container. Refer to our Supported Platforms for the list of supported/certified Application Servers.

...

Some more tips on creating the application in Azure:
  1. Log in to the Microsoft Azure portal at https://portal.azure.com with your Azure global administrator account (the classic https://manage.windowsazure.com console has been retired).
  2. Click the Azure Active Directory link on the left side of the screen.
  3. Click the App registrations link.
  4. Click the New application registration link to create a new application.
  5. Enter the following details:
    1. Name: the name of your frevvo Azure application.
    2. Application type: Web app/API.
    3. Sign-on URL: refer to Step 1 - Create an Application for Live Forms in Azure for an example.
      1. Cloud customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the name of your frevvo Cloud tenant.

      2. On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the hostname or IP address of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant. Use https:// if your server is configured for TLS: the SAML response carries the user's identity and should not travel over plain HTTP outside a lab.

  6. Click the Settings link, then click the Properties link.
  7. Configure the App ID URI and Home page URL as follows:
    1. App ID URI: refer to Step 1 - Create an Application for Live Forms in Azure for an example. This value is the SAML entity identifier Azure expects as the Issuer of frevvo's requests and places in the Audience of its assertions, so it must match the Service Provider metadata exactly.
      1. Cloud customers should use https://app.frevvo.com:443/frevvo/web/alias/{t} - replace {t} with the name of your frevvo Cloud tenant.

      2. On-premise customers should use http://<server>:<port>/frevvo/web/alias/{t} - replace <server> with the hostname or IP address of your server, <port> with the port number (if applicable) and {t} with the name of your in-house frevvo tenant.
    2. Home page URL:
      1. Cloud customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the name of your frevvo Cloud tenant.
      2. On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the hostname or IP address of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

  8. Click the Save button at the top of the screen.
  9. Navigate to the Settings column, then click the Reply URLs link.
  10. Enter one of the following to create the reply URL:
    1. Reply URL: refer to Step 1 - Create an Application for Live Forms in Azure for an example.
      1. Cloud customers should use https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{t} - replace {t} with the name of your frevvo Cloud tenant.

      2. On-premise customers should use http://<server>:<port>/frevvo/web/saml/SSO/alias/{t} - replace <server> with the hostname or IP address of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

      Azure only posts SAML responses to a registered reply URL and compares it exactly (scheme, host, port and path), so the value must match the AssertionConsumerService location in the Service Provider metadata you generate in Step 2.

  11. Click the Save button.
  12. Navigate to the Settings column, then click the Required permissions link.
  13. Click the API link and choose the Azure Active Directory API (it appears as resourceAppId 00000002-0000-0000-c000-000000000000 in the manifest below).
  14. Select Read and write directory data under Application permissions. This is an application permission: it lets the frevvo application, authenticating with nothing but its client secret, read and modify your whole directory. Protect the client secret created in step 21 accordingly.
  15. Select Sign in and read user profile AND Read directory data under Delegated permissions.
  16. Navigate to the Required permissions column:
    1. Click the Grant Permissions button, select the "Yes" option and click the Save button.
  17. Navigate to the Registered app column and click Manifest.
    1. Check the value of the Home Page.
    2. Check the requiredResourceAccess section at the end of the Manifest. Make sure the entry with "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04" has "Role,Scope" as its type. Modify it if necessary.

      Code Block
      "requiredResourceAccess": [
          {
              "resourceAppId": "00000002-0000-0000-c000-000000000000",
              "resourceAccess": [
                  {
                      "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
                      "type": "Role,Scope"
                  },
                  {
                      "id": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175",
                      "type": "Role"
                  },
                  {
                      "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                      "type": "Scope"
                  }
              ]
          }
      ]
    3. If you made changes, click the Save button at the top of the screen.
  18. Click the Settings link, then click the Keys link.
  19. Enter the following details:
    1. Description: enter any text here.
    2. Expires: select a value from the dropdown. Note the date you choose: when the key expires, the API access configured in the tenant's API Access section stops working until you create a new key and update the tenant with the new secret.
  20. Click the Save button.
  21. After clicking Save, copy the value in the "Value" column. This is the client secret that you will need when configuring the tenant screen. You get only one chance to retrieve the client secret when you create the key in Azure; once you leave this screen the value is hidden. Store it in a password manager or secrets vault, not in e-mail or a shared document.

    Warning

    You will need the Azure tenant ID, the client ID and the client secret that were created for the frevvo application when configuring your Azure SAML tenant.

  22. To find the client ID (the same as the Application ID):
    1. Click App registrations.
    2. Click your application.
    3. Copy the Application ID shown for your application.
  23. To find the tenant ID:
    1. Select Azure Active Directory.
    2. Select Properties for your Azure AD tenant.
    3. The value in the Directory ID field is the tenant ID for your Azure application.
  24. Alternatively, click the Endpoints button under App registrations. The GUID between login.microsoftonline.com/ and /federationmetadata in the federation metadata document URL is the tenant ID:

    Code Block
    https://login.microsoftonline.com/3d532ac1-a43c-45c7-b0e9-cc814400ca11/federationmetadata/2007-06/federationmetadata.xml
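The two checks from the steps above, as an added example that is not frevvo's code: check_manifest() verifies the requiredResourceAccess entry that step 17 asks you to inspect, and tenant_id_from_endpoint() pulls the tenant ID out of the federation metadata URL shown in step 24. The resource and permission IDs are the ones from the manifest excerpt on this page; the sample manifests are constructed for the example, and the function names are this example's own.

```python
# Added example (not frevvo's code): two checks for the Azure app registration
# described above. check_manifest() verifies the requiredResourceAccess entry
# that step 17 asks you to inspect; tenant_id_from_endpoint() pulls the tenant
# ID out of the federation metadata URL shown in step 24.
import json
import re
from urllib.parse import urlparse

# IDs exactly as they appear in the manifest excerpt on this page
AAD_RESOURCE_APP_ID = "00000002-0000-0000-c000-000000000000"
EXPECTED_PERMISSION_TYPES = {
    "5778995a-e1bf-45b8-affa-663a9f3f4d04": {"Role", "Scope"},
    "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175": {"Role"},
    "311a71cc-e848-46a1-bdf8-97ff7156d8e6": {"Scope"},
}


def check_manifest(manifest_text: str) -> list:
    """Return a list of problems with the requiredResourceAccess section.

    An empty list means every expected permission is present with exactly the
    expected type(s). Azure writes multiple types as one comma-separated string
    ("Role,Scope"), which is why the comparison is done on sets.
    """
    manifest = json.loads(manifest_text)
    by_resource = {r.get("resourceAppId"): r
                   for r in manifest.get("requiredResourceAccess", [])}
    aad = by_resource.get(AAD_RESOURCE_APP_ID)
    if aad is None:
        return [f"no requiredResourceAccess entry for resourceAppId {AAD_RESOURCE_APP_ID}"]
    found = {a["id"]: {t.strip() for t in a.get("type", "").split(",") if t.strip()}
             for a in aad.get("resourceAccess", [])}
    problems = []
    for perm_id, expected in EXPECTED_PERMISSION_TYPES.items():
        actual = found.get(perm_id)
        if actual is None:
            problems.append(f"permission {perm_id} is missing")
        elif actual != expected:
            problems.append(f"permission {perm_id} has type {','.join(sorted(actual))}, "
                            f"expected {','.join(sorted(expected))}")
    return problems


GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def tenant_id_from_endpoint(url: str) -> str:
    """Extract the tenant GUID from an Azure AD federation metadata URL.

    Expected shape (step 24 of the page):
    https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml
    Anything else, including a plain-http URL, is rejected so that a mistyped
    or attacker-supplied URL is not silently accepted.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != "login.microsoftonline.com":
        raise ValueError(f"not an https login.microsoftonline.com URL: {url}")
    segments = parsed.path.split("/")        # ['', '<tenant>', 'federationmetadata', ...]
    if (len(segments) < 3
            or segments[2].lower() != "federationmetadata"
            or not GUID_RE.match(segments[1].lower())):
        raise ValueError(f"not a federation metadata URL: {url}")
    return segments[1].lower()


def _manifest(first_type: str) -> str:
    """Build a constructed manifest excerpt with the given type on the first permission."""
    return json.dumps({"requiredResourceAccess": [{
        "resourceAppId": AAD_RESOURCE_APP_ID,
        "resourceAccess": [
            {"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": first_type},
            {"id": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175", "type": "Role"},
            {"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"},
        ]}]})


# Constructed sample manifests: one as the page wants it, one with only "Scope"
# on the first permission, which is the case step 17 tells you to correct.
SAMPLE_MANIFEST_OK = _manifest("Role,Scope")
SAMPLE_MANIFEST_NEEDS_FIX = _manifest("Scope")

if __name__ == "__main__":
    print("ok manifest problems:", check_manifest(SAMPLE_MANIFEST_OK))
    print("bad manifest problems:", check_manifest(SAMPLE_MANIFEST_NEEDS_FIX))
    print(tenant_id_from_endpoint(
        "https://login.microsoftonline.com/3d532ac1-a43c-45c7-b0e9-cc814400ca11"
        "/federationmetadata/2007-06/federationmetadata.xml"))
```

To use it on a real registration, download the manifest from the Manifest blade and pass its text to check_manifest(); an empty list means nothing needs editing.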

Step 2 - Create the Live Forms metadata file

Follow these steps to generate the frevvo metadata for your Azure SAML tenant. You can do this even if the tenant has not been created yet.

...

  1. Log onto Live Forms as the superuser (on-premise) or the tenant admin (cloud).
  2. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
  3. Select Azure SAML Security Manager from the Security Manager Class dropdown.
  4. Copy the Service Provider (frevvo) metadata into the Service Provider field. You can include the XML prolog when you paste the Service Provider (frevvo) metadata.



  5. Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field.



  6. Enter the URL that you used in Step 3 to generate the Azure IDP metadata into the URL field below the Identity Provider section. The URL is needed to handle signing key rollover in Azure Active Directory: Live Forms polls it every 3 hours and refreshes the Azure IDP metadata, so a new signing certificate published by Azure is picked up without manual intervention. The refreshed metadata is stored and used automatically as a backup if the URL becomes inaccessible.

    In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the tenant ID in Azure Active Directory. It was obtained by viewing the endpoint URLs listed when you click Endpoints in your frevvo Azure application.

    Code Block
    https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
  7. Check the Ignore Case checkbox if you are using LDAP for authentication and you want to ignore the case stored in LDAP systems for users/roles. The field is checked by default. Refer to the Mixed or Upper case User Names topic for more information.

  8. Enter the User Id. This is the name of the user attribute that identifies the user to Live Forms. A typical value is userPrincipalName. Attributes such as givenname are accepted, but whatever you choose must be unique per user, since it becomes the Live Forms user id, so prefer userPrincipalName.

  9. Custom attributes can be mapped by typing the attribute names in the Custom field separated by a comma.
  10. Enter the following information in the API Access section.
    1. Enter the Azure tenant identifier into the Tenant Id field. This is the Directory ID found in step 23; it is also visible in the endpoint URLs listed when you click Endpoints in your frevvo Azure application.
    2. Enter the client ID and client secret that were created as part of registering the frevvo application into the respective fields.

  11. Configure a tenant admin account. This account does not require Azure SAML authentication: it can log directly into Live Forms, providing a Default Security Manager backdoor for recovering from a broken SAML configuration.
    1. The tenant admin id, password and email fields are required.
    2. When this tenant admin performs a form-based login, i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API.
    3. If the tenant-based login URL is used, i.e. /frevvo/web/tn/{t}/login, then the Azure SAML login is used.
    4. Because the form-based login never touches Azure AD, none of your Azure AD controls (MFA, Conditional Access, sign-in logging) apply to it. Give this account a long, unique password and keep it for recovery rather than day-to-day use.



    The forgot password function works for an Azure SAML tenant admin user. For all others, it will display the error message about not being supported for the tenant.

  12. Configure the Business Calendar for your tenant. The escalation feature will use this calendar to calculate deadlines and send notification and reminder emails.
  13. Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.
  14. Click Submit.
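What the metadata refresh in step 6 has to get right, as an added example that is not frevvo's code: a service provider parsing Azure AD federation metadata must keep every signing certificate listed, because during a rollover Azure publishes the outgoing and incoming certificates together, and it should check that the metadata belongs to the same tenant as the URL it polls. The metadata document below is constructed for this example and trimmed to the elements a SAML SP needs; the certificate bodies are placeholders, not real X.509 certificates, and the function names are this example's own. The entityID form https://sts.windows.net/<tenant-id>/ and the saml2 endpoint form are Azure AD's.

```python
# Added example (not frevvo's code): parse an Azure AD federation metadata
# document the way a SAML service provider does when it refreshes IdP metadata
# for signing key rollover (step 6 above), and cross-check it against the
# tenant ID in the URL that was polled. The metadata below is constructed for
# this example; the certificate bodies are placeholders, not real X.509 certs.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # on real input prefer defusedxml, which blocks entity-expansion attacks

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENTITY_ID_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")
METADATA_URL_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/federationmetadata/", re.IGNORECASE)

SAMPLE_TENANT = "fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2"   # tenant ID used in the page's example
OLD_CERT_B64 = base64.b64encode(b"placeholder: outgoing signing certificate").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder: incoming signing certificate").decode()
UNKNOWN_CERT_B64 = base64.b64encode(b"placeholder: certificate Azure never published").decode()

# During a rollover Azure lists both certificates for a while; an SP must accept either.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        {OLD_CERT_B64}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        {NEW_CERT_B64}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, which is what a certificate pin should compare."""
    der = base64.b64decode("".join(cert_b64.split()))   # metadata wraps the base64 across lines
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP needs: entityID, tenant, SSO endpoints, signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    m = ENTITY_ID_RE.match(entity_id)
    if m is None:
        raise ValueError(f"unexpected entityID for an Azure AD tenant: {entity_id}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = [cert_fingerprint(c.text or "")
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"   # a KeyDescriptor without 'use' is valid for signing too
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata lists no signing certificate")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": entity_id,
        "tenant_id": m.group(1).lower(),
        "sso_post": sso.get("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
        "sso_redirect": sso.get("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"),
        "signing_certs": certs,
    }


def accepts_signing_cert(meta: dict, cert_b64: str) -> bool:
    """True if a response signed with this certificate should be trusted right now."""
    return cert_fingerprint(cert_b64) in meta["signing_certs"]


def metadata_matches_url(meta: dict, metadata_url: str) -> bool:
    """Guard against pasting metadata from one tenant with the refresh URL of another."""
    m = METADATA_URL_RE.match(metadata_url)
    return m is not None and m.group(1).lower() == meta["tenant_id"]


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["tenant_id"], meta["sso_post"], len(meta["signing_certs"]), "signing certs")
```

The fingerprint set, not a single pinned certificate, is what makes the 3-hour refresh useful: once Azure adds the incoming certificate to the metadata, responses signed with it validate, and once the outgoing one disappears from the metadata, responses signed with it stop validating.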


...

Logged in User Display in an Azure SAML Live Forms tenant

If your Azure SAML user IDs are in the format <username>@<domain name>, the tenant name is appended to the user ID when you log in to Live Forms. This is as designed. You will see <username>@<domain name>@<frevvo tenant name> as the logged-in user at the top of the screen. If your domain name is the same as your tenant name, it will appear as if the domain name is listed twice.


Azure SAML Tenant backdoor admin user

Just a reminder that the tenant admin account can log in directly to Live Forms or use the Azure SAML login.

When you create a new tenant you are prompted to set up a tenant admin user id and password. This tenant admin does not authenticate via your Azure SAML IDP. It only exists in Live Forms. If you experience an issue with your Azure SAML configuration such that you can't login as an Azure SAML authenticated user, this account provides a backdoor you can use to login to your tenant as a tenant admin in order to fix your Azure SAML configuration issue. Only one backdoor tenant admin account is supported.


If your tenant originally used the Default Security Manager and you then changed to the Azure SAML Security Manager, this tenant admin account has already been set up. If you have forgotten the password, you can change it by:

  • Using the Live Forms Forgot Password? feature for the tenant admin account.
  • Logging in as an Azure SAML authenticated tenant admin and changing the password via Manage Users.

What if you do not remember the userid of your original tenant admin? Follow these steps:

...

Code Block
Application error processing /frevvo/web/login?null java.lang.UnsupportedOperationException: null

Accessing a Space in an Azure AD tenant on a mobile device will not display a logout button.

Skew error when logging into an Azure tenant

Users logging into a Live Forms Azure SAML tenant may encounter the error "Access Denied. Authorization Required". Examination of the frevvo.log shows an entry like the following:

Code Block
Response issue time is either too old or with date in the future, skew 60, time 2016-06-01T05:49:25.330Z

This means the issue time of the SAML response from Azure differs from the clock on the frevvo server by more than the allowed skew. It is typically caused by a clock synchronization problem between the SP (frevvo) and the IdP (Azure), or by a genuine delay in the connection. First check that the frevvo server's clock is synchronized with NTP. If the delay is real, you can raise the context parameter com.frevvo.security.saml.response.skew, which specifies the time in seconds allowed between the SAML request and response, above its default of 60 seconds. Keep the increase small: the skew also bounds how long a captured SAML response remains usable, so a very large value weakens the protection the timestamp check provides.

Follow the instructions listed in the Installation Tasks chapter to add the parameter.
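The check behind that log entry, as an added example that is not frevvo's code: the response's IssueInstant is compared with the local clock and rejected when the difference in either direction exceeds the skew. Writing the skew as a parameter makes it easy to see what raising com.frevvo.security.saml.response.skew changes. The timestamps are the one from the page's log line plus a constructed local clock reading; function names are this example's own, and real SAML validation additionally checks the assertion's Conditions, InResponseTo and signature, which this example omits.

```python
# Added example (not frevvo's code): the timestamp check behind the
# "Response issue time is either too old or with date in the future" entry,
# written so the allowed skew is a parameter. Real SAML validation also checks
# Conditions (NotBefore/NotOnOrAfter), InResponseTo and the signature; this
# example covers only the IssueInstant skew.
from datetime import datetime, timezone

DEFAULT_SKEW_SECONDS = 60   # default of com.frevvo.security.saml.response.skew per the page


def parse_saml_instant(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z, with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamps must be UTC (trailing Z): {value}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_issue_instant(issue_instant: str, now: str, skew_seconds: int = DEFAULT_SKEW_SECONDS):
    """Return (accepted, message) for a response's IssueInstant evaluated at time `now`.

    A response is rejected when it was issued more than skew_seconds before
    `now` (stale, or a replay of a captured response) or more than skew_seconds
    after it (the IdP's clock is ahead of ours). The rejection message mirrors
    the frevvo.log entry quoted on the page.
    """
    delta = (parse_saml_instant(now) - parse_saml_instant(issue_instant)).total_seconds()
    if abs(delta) > skew_seconds:
        return False, (f"Response issue time is either too old or with date in the future, "
                       f"skew {skew_seconds}, time {issue_instant}")
    return True, f"accepted, response issued {delta:+.3f}s relative to the local clock"


def utc_now_string() -> str:
    """Current time in the same format, for checking live responses."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


# Constructed local clock reading, 94.67 s after the IssueInstant in the page's log line
SAMPLE_NOW = "2016-06-01T05:51:00.000Z"
LOGGED_ISSUE_INSTANT = "2016-06-01T05:49:25.330Z"

if __name__ == "__main__":
    for skew in (60, 120):
        print(skew, check_issue_instant(LOGGED_ISSUE_INSTANT, SAMPLE_NOW, skew))
```

Run stand-alone it shows the page's scenario: with the default skew of 60 the logged response is rejected, and with 120 it is accepted. The same widening also accepts a response replayed up to 120 seconds after it was issued, which is why fixing the clock is the better first step.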

...