Prerequisites
- You will need a valid Microsoft Azure subscription
The frevvo.TenantAdmin and frevvo.Designer groups must be specified on your Active Directory server. The group names must be spelled as shown. Upper/lower case may be a factor for Open LDAP systems. These groups are required.
- Tenant admin users must be assigned to the frevvo.TenantAdmin group.
- Designer users must be assigned to the frevvo.Designer group.
- The frevvo.Publisher and the frevvo.ReadOnly groups are optional. Refer to the links provided for information about when these groups are used to help you decide whether or not you want to create them.
- Users with the frevvo.publishers role must be assigned to the frevvo.Publisher group. Refer to the Administrator Best Practices for an explanation of this role.
- Users with the frevvo.ReadOnly role must be assigned to frevvo.ReadOnly group.
Configuring the Azure SAML Security Manager
Follow these steps listed below to create a tenant using the Azure SAML Security Manager:
- Create an Application for Live Forms in Azure
- Create the Live Forms metadata file
- Create the Azure Tenant Idp metadata file
- Create/edit the Azure SAML tenant
- Log into your Live Forms Azure SAML tenant
Step 1 - Create an Application for Live Forms in Azure
frevvo assumes that customers have someone on staff who can successfully perform this step of the procedure. Information about this step is listed below to help you with the process.
Info: The Azure global administrator MUST create the application for Live Forms in Azure.
...
Log in to the Microsoft Azure Management console (https://manage.windowsazure.com or https://portal.azure.com) with your Azure global administrator account.
...
If you are familiar with the Microsoft Azure Legacy Portal, review this Microsoft Training Guide before setting up the Azure application for Live Forms.
...
https://app.frevvo.com:443/frevvo/web/alias/mycompany.com
...
On-premise customers should use http://<server>:<port>/frevvo/web/alias/{t} - replace <server> with the IP of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.
Info: For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo in-house tenant named mycompany.com, the APP ID URL would be:
...
Cloud customers should use https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{t} - replace {t} with the name of your frevvo tenant.
Info: For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo Cloud tenant named mycompany.com, the REPLY URL would be:
https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/mycompany.com
On-premise customers should use http://<server>:<port>/frevvo/web/saml/SSO/alias/{t} - replace <server> with the IP of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.
Info: For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo in-house tenant named mycompany.com, the REPLY URL would be:
https://<server:port>/frevvo/web/saml/SSO/alias/mycompany.com
...
Cloud customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the name of your frevvo Cloud tenant.
Info: For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo Cloud tenant named mycompany.com, the SIGN-ON URL would be:
https://app.frevvo.com:443/frevvo/web/tn/mycompany.com/login
On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the IP of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.
Info: For example, if you were changing the Security Manager from the Default Security Manager to the Azure SAML Security Manager for a frevvo in-house tenant named mycompany.com, the SIGN-ON URL would be:
You will need the Azure tenant ID, the client id and client secret key that are created for the frevvo application when configuring your Azure SAML tenant.
Step 2 - Create the Live Forms metadata file
Follow these steps to generate the frevvo metadata for your Azure SAML tenant. You can do this even if the tenant has not been created yet.
Paste this URL into your browser:
- Cloud customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the name of your tenant (e.g. azuread).
- On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the IP of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo tenant.
When the metadata displays, save the page as an xml file.
- We will need to copy the entire metadata from this file to the Azure SAML Security Manager configuration screen.
- Metadata must be generated for each Azure SAML tenant. Each tenant will have a unique URL.
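As an added check (example code, not frevvo's own), the following parses the metadata generated in Step 2 and confirms that its entityID and AssertionConsumerService location match the APP ID URL and REPLY URL registered for the Azure application in Step 1, so a tenant-name or scheme mismatch is caught before the tenant is saved. The metadata sample is constructed, and it is my assumption that the generated file uses these standard SAML 2.0 SP metadata elements.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def expected_urls(tenant, base="https://app.frevvo.com:443"):
    """URL patterns from the Azure application setup. Cloud base by default;
    on-premise installs pass base="http://<server>:<port>"."""
    return {
        "app_id": f"{base}/frevvo/web/alias/{tenant}",          # APP ID URL
        "reply": f"{base}/frevvo/web/saml/SSO/alias/{tenant}",  # REPLY URL
        "sign_on": f"{base}/frevvo/web/tn/{tenant}/login",      # SIGN-ON URL
    }

def check_sp_metadata(metadata_xml, tenant, base="https://app.frevvo.com:443"):
    """Return the mismatches between the generated SP metadata and the URLs
    registered in Azure; an empty list means the two agree."""
    root = ET.fromstring(metadata_xml)
    want = expected_urls(tenant, base)
    problems = []
    entity_id = root.get("entityID")
    if entity_id != want["app_id"]:
        problems.append(f"entityID {entity_id} does not match APP ID URL {want['app_id']}")
    acs_locations = [
        acs.get("Location")
        for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    ]
    if want["reply"] not in acs_locations:
        problems.append(f"no AssertionConsumerService at REPLY URL {want['reply']} "
                        f"(found {acs_locations})")
    return problems

# Constructed sample (not real frevvo output) of what the metadata URL might return
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.frevvo.com:443/frevvo/web/alias/mycompany.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/mycompany.com" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_METADATA, "mycompany.com"))
    # Same file checked against a different tenant name: both URLs are reported
    print(check_sp_metadata(SAMPLE_SP_METADATA, "othertenant.com"))
```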
Step 3 - Create the Azure Tenant Idp metadata file
Follow these steps:
- Browse the Federation Metadata Document URL that you copied to your notepad when creating the Azure application for Live Forms. It is located on the Endpoints tab in your frevvo Azure application and has the form https://login.microsoftonline.com/{azure-tenant-name}/FederationMetadata/2007-06/FederationMetadata.xml, where {azure-tenant-name} is the id of your application in the Azure Active Directory. In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the application id in Azure Active Directory.
Example of Federation Metadata Document URL from Endpoints:
https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
- Save all the metadata returned as an xml file. We will need to copy the entire metadata from this file to the Azure SAML Security Manager configuration screen.
Step 4 - Create/edit the Azure SAML tenant
...
- Log on to Live Forms as the superuser (on-premise) or the tenant admin (cloud).
- Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
- Select Azure SAML Security Manager from the Security Manager Class dropdown.
- Copy the Service Provider (frevvo) metadata into the Service Provider field. You can include the xml prolog when you paste the Service Provider (frevvo) metadata.
- Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field.
- Enter the Federation Metadata Document URL that you used in Step 3 to generate the Azure IDP metadata into the URL field below the Identity Provider section. This is the URL copied from Endpoints in your frevvo Azure application. It is needed to handle signing key rollover in Azure Active Directory: the URL is polled and the Azure IDP metadata is refreshed every 3 hours. The refreshed metadata is stored and automatically used as a backup in case the URL is not accessible.
In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the application id in Azure Active Directory. It was obtained by viewing the endpoint URLs listed when you click Endpoints in your frevvo Azure application.
Example of Federation Metadata Document URL:
https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
- Check the Ignore Case checkbox if you are using LDAP for authentication and you want to ignore the case stored in LDAP systems for users/roles. The field is checked by default. Refer to the Mixed or Upper case User Names topic for more information.
- Enter the User Id. This should be the user property name that identifies the user. Typical values are userPrincipalName, givenname, etc.
- Custom attributes can be mapped by typing the attribute names in the Custom field separated by a comma.
- Enter the following information in the API Access section.
- Enter the Azure tenant identifier into the tenant Id field. This can be obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.
- Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.
- Configure a tenant admin account. This account does not require Azure SAML authentication. This tenant admin can log directly into Live Forms, providing a default security manager backdoor.
- The tenant admin id, password and email fields are required.
- When this tenant admin performs a form based login i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API.
- If the tenant based login url is used i.e. /frevvo/web/tn/{t}/login then the Azure SAML login is used.
- The forgot password function works for an Azure SAML tenant admin user. For all other users, it will display an error message stating that the function is not supported for the tenant.
- Configure the Business Calendar for your tenant. The escalation feature uses this calendar to calculate deadlines and send notification and reminder emails.
- Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.
- Click Submit.
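The polling and backup behaviour described for the Federation Metadata Document URL, as an added illustration (example code, not frevvo's implementation): a small cache that keeps the IdP metadata pasted into the Identity Provider field, refreshes it through a supplied fetch function, and keeps the stored copy whenever the fetch fails or returns metadata without a signing certificate, so a key rollover that publishes old and new certificates side by side is picked up without a restart. The metadata builder and the entityID GUID are constructed placeholders, not real Azure output.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def signing_certs(metadata_xml):
    """Base64 certificate bodies the IdP may sign responses with. A KeyDescriptor
    without use= is valid for signing and encryption, so it is included too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append("".join(cert.text.split()))
    return certs

class IdpMetadataCache:
    """Last good IdP metadata plus a refresh from the metadata URL; a failed or
    keyless refresh leaves the stored copy in place (the page's backup behaviour)."""
    def __init__(self, fetch, stored_xml):
        self.fetch = fetch          # callable returning the metadata XML text
        self.xml = stored_xml       # metadata pasted into the Identity Provider field
        self.last_error = None

    def refresh(self):
        try:
            fresh = self.fetch()
            if not signing_certs(fresh):          # unparsable or keyless: reject it
                raise ValueError("no signing certificate in fetched metadata")
        except Exception as exc:                  # network error, bad XML, ...
            self.last_error = repr(exc)
            return False
        self.xml, self.last_error = fresh, None
        return True

    def trusted_certs(self):
        return signing_certs(self.xml)

def idp_metadata(*certs):
    """Constructed minimal IdP metadata (not real Azure output) carrying the given certs."""
    keys = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>{c}'
        "</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>" for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            'entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">'
            f"<md:IDPSSODescriptor>{keys}</md:IDPSSODescriptor></md:EntityDescriptor>")
```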
...
...
Logged in User Display in Azure SAML Live Forms tenant
If your Azure SAML user ids are in the format <username>@<domain name>, the frevvo tenant name is appended to the user id (ex: username@<domain name>) when you log in to the tenant. This is as designed. You will see <username@domain name@domain name@frevvo tenant name> as the logged in user at the top of the screen.
Azure SAML Tenant backdoor admin user
Just a reminder that the tenant admin account can login directly into Live Forms or use the Azure SAML login.
When you create a new tenant you are prompted to set up a tenant admin user id and password. This tenant admin does not authenticate via your Azure SAML IDP. It only exists in Live Forms. If you experience an issue with your Azure SAML configuration such that you can't login as an Azure SAML authenticated user, this account provides a backdoor you can use to login to your tenant as a tenant admin in order to fix your Azure SAML configuration issue. Only one backdoor tenant admin account is supported.
If your tenant originally used the Default Security Manager and then you changed to the Azure SAML Security Manager, this tenant admin account has already been setup. If you have forgotten the password, you can change it by :
- Using the Live Forms Forgot Password? feature for the tenant admin account.
- Logging in as an Azure SAML authenticated tenant admin and changing the password via Manage Users.
What if you do not remember the userid of your original tenant admin? Follow these steps:
- Login as your authenticated Azure SAML tenant admin
- Click Manage Users and click the edit admin icon.
Session Timeout
Session timeouts are configured in Live Forms and in your Azure SAML IDP. If a user's Live Forms session ends before the IDP timeout is reached, they will automatically be logged back into Live Forms if they try to access it again. It is recommended that the Live Forms session timeout and the IDP session timeout be configured for the same value.
...
Code Block:
Application error processing /frevvo/web/login?null java.lang.UnsupportedOperationException: null
Accessing a Space in an Azure AD tenant on a mobile device will not display a logout button.
Skew error when logging into an Azure tenant
Users logging into a Live Forms Azure SAML tenant may encounter the error "Access Denied. Authorization Required". Examination of the frevvo.log shows the following entry:
Code Block:
Response issue time is either too old or with date in the future, skew 60, time 2016-06-01T05:49:25.330Z
Follow the instructions listed in the Installation Tasks chapter to add the parameter.
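To turn that log entry into a diagnosis before changing anything, here is an added example (not frevvo code) that parses the allowed skew and the Response issue time from the line and compares them with the Live Forms server clock at the moment of the failure, which tells you whether the server is ahead of or behind Azure and by how much. The server time used below is a constructed value.

```python
import re
from datetime import datetime, timezone

SKEW_RE = re.compile(r"skew (?P<skew>\d+), time (?P<time>\d{4}-\d{2}-\d{2}T[\d:.]+Z)")

def parse_skew_error(log_line):
    """Pull the allowed skew (seconds) and the Response issue time out of the
    frevvo.log entry; returns None for unrelated lines."""
    m = SKEW_RE.search(log_line)
    if not m:
        return None
    # Python versions before 3.11 do not accept a trailing Z in fromisoformat
    issued = datetime.fromisoformat(m.group("time").replace("Z", "+00:00"))
    return int(m.group("skew")), issued

def diagnose_skew(log_line, server_now):
    """Compare the IdP's issue time with the Live Forms server clock at the time
    of the failure. Positive drift means the frevvo server is ahead of Azure."""
    parsed = parse_skew_error(log_line)
    if parsed is None:
        return None
    skew, issued = parsed
    drift = (server_now - issued).total_seconds()
    if abs(drift) <= skew:
        verdict = "within the allowed skew; the rejection came from something else"
    elif drift > 0:
        verdict = "frevvo server clock is ahead of Azure (response looks too old)"
    else:
        verdict = "frevvo server clock is behind Azure (response dated in the future)"
    return {"skew": skew, "drift": drift, "verdict": verdict}

# The log entry quoted above, and a constructed server time for the same failure
LOG_LINE = ("Response issue time is either too old or with date in the future, "
            "skew 60, time 2016-06-01T05:49:25.330Z")
SERVER_NOW = datetime(2016, 6, 1, 5, 51, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(diagnose_skew(LOG_LINE, SERVER_NOW))
```

A drift that stays well above the skew after the clocks are synchronised points at a real latency problem rather than a clock problem, which is when raising the skew parameter is the appropriate fix.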
...