Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Section
Column

supports the creation of a tenant using the Azure SAML (Security Assertion Markup Language) Security Manager. Users in this tenant are redirected to the Microsoft Azure login screen and then to when that login screen is submitted.

The Azure SAML Security manager can be used in cloud and on-premise installations.

  • Allows on-premises AD to be exposed to the frevvo cloud via synchronization with Azure AD
  • Uses the graph API to access users and groups from AD.
  • SAML is used for authentication only, providing single sign on.
  • SAML is built into Azure AD. It is not necessary to setup an identity provider.
Column
width240px

On this page:

Table of Contents
maxLevel2

...

Section
Column

supports the creation of a tenant using the Azure SAML (Security Assertion Markup Language) Security Manager. Users in this tenant are redirected to the Microsoft Azure login screen and then to when that login screen is submitted.

The Azure SAML Security manager can be used in cloud and on-premise installations.

  • Allows on-premises AD to be exposed to the frevvo cloud via synchronization with Azure AD
  • Uses the graph API to access users and groups from AD.
  • SAML is used for authentication only, providing single sign on.
  • SAML is built into Azure AD. It is not necessary to setup an identity provider.

The Azure SAML Security Manager pulls users/roles from Azure AD. frevvo recommends using the SAML Security Manager for customers who want to manage users/roles from the  UI.

Column
width450px

On this page:

Table of Contents
maxLevel2

Prerequisites

  • You will need a valid Microsoft Azure subscription.
    • The frevvo.TenantAdmin and frevvo.Designer groups must be specified on your Active Directory server. The group names must be spelled as shown. Upper/lower case may be a factor for Open LDAP systems. . 

    • Tenant admin users must be assigned to the frevvo.TenantAdmin group.
    •  Designer users must be assigned to the frevvo.Designer group. 
    • Users with the frevvo.publishers role must be assigned to the frevvo.Publisher group. 
    • Users with the frevvo.ReadOnly role must be assigned to frevvo.ReadOnly group.

Refer to Manage Roles for a description of these roles in .

Authentication Only

When you create an Azure SAML tenant in , the Authentication Only option is checked by default. frevvo assumes that most customers will want to use Active Directory for users and roles. In Authentication Only mode, users and roles have to be defined in your AD.  

For example, customers using Azure Active Directory must ensure that the frevvo.TenantAdmin and frevvo.Designer roles are specified for tenant admin and designer users.

Note

The group names for these special roles must be frevvo.TenantAdmin, and frevvo.Designer. Upper/lower case may be a factor for Open LDAP systems. 

...

  1. Login to the Microsoft Azure Management console: https://manage.windowsazure.com
  2. Add a new application under the Active Directory tab.
  3. In order to complete the single sign-on fields:
    1. AP ID URI:
      1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/alias/{t} - replace {t} with the tenant id of your frevvo Azure SAML tenant.

      2. On-premise customers should use http://<server>:<port>/frevvo/web/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and t with your frevvo Azure SAML tenant id.

    2. REPLY URL:
      1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{t} - replace {t} with the tenant id of your frevvo Azure SAML tenant.

      2. On-premise customers should use http://<server>:<port>/frevvo/web/saml/SSO/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and t with your frevvo Azure SAML tenant id.

    3. SIGN-ON URL
      1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the tenant id of your frevvo Azure SAML tenant.

      2. On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the ip of your server, <port> with the port number (if applicable) and t with your frevvo Azure SAML tenant id.

  4. Browse the azure tenant (IdP) metadata at:
    Expand
    titleClick here for some more tips.

     

    1. Be sure to set up the application permissions to allow the graph API to read the directory in order to retrieve users and groups. Click here to see an example.



    2. You will need the Azure tenant ID, and the client id and client secret key that are created for the frevvo application when configuring your Azure SAML tenant.

      The client id is displayed on the Confiigure screen of the application for in Azure. An example is shown in the image:
      Image RemovedThe tenant id for application that you created in Azure for can be obtained by viewing the endpoint Urls listed when you click View Endpoints icon at the bottom of the page. See the example in the image:
      Image RemovedThere is only one chance to retrieve the client secret key when you create the application for in Azure. In the keys section on the CONFIGURE screen, select an option for the application duration. Click the SAVE icon on the bottom menu to display the client secret key. Copy the key and save it so you have it available when you create your Azure SAML tenant in .
      Image Removed
    3. One way to restrict access to for specific Azure AD users only, is to:
      • Make sure the USER ASSIGNMENT REQUIRED TO ACCESS APP is set to YES
      • Add users to the application under the USERS tab.
      1. Groups listed under the GROUPS tab in Active Directory map to roles. Refer to Prerequisites for more information.

Step 2 - Create the Live Forms metadata file

Follow these steps to generate the frevvo metadata for your Azure SAML tenant. You can do this even if the tenant has not been created yet.

  1. Paste this URL into your browsr:

    1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the tenant id of your Azure SAML tenant. Ex: azuread

    2. On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and t with your tenant id).

  2. When the metadata displays, right click and select the browser option to View the Page source.
    Image Removed

  3. Save the page as an xml file.
  4. Metadata must be generated for each Azure SAML tenant. Each tenant will have a unique URL.

Step 3 - Create the Azure Tenant Idp metadata file

Follow these steps:

    1. created for the frevvo application when configuring your Azure SAML tenant.

      1. The client id is displayed on the Confiigure screen of the application for in Azure. An example is shown in the image:

        Image Added
      2. The tenant id for application that you created in Azure for can be obtained by viewing the endpoint Urls listed when you click View Endpoints icon at the bottom of the page. See the example in the image:

        Image Added
      3. There is only one chance to retrieve the client secret key when you create the application for in Azure. In the keys section on the CONFIGURE screen, select an option for the application duration. Click the SAVE icon on the bottom menu to display the client secret key. Copy the key and save it so you have it available when you create your Azure SAML tenant in .

        Image Added

      4. One way to restrict access to for specific Azure AD users only, is to:
      • Make sure the USER ASSIGNMENT REQUIRED TO ACCESS APP is set to YES
      • Add users to the application under the USERS tab.
      1. Groups listed under the GROUPS tab in Active Directory map to roles. Refer to Prerequisites for more information.

Step 2 - Create the Live Forms metadata file

Follow these steps to generate the frevvo metadata for your Azure SAML tenant. You can do this even if the tenant has not been created yet.

  1. Paste this URL into your browsr:

    1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the tenant id of your Azure SAML tenant. Ex: azuread

    2. On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and t with your tenant id).

  2. When the metadata displays, right click and select the browser option to View the Page source.
    Image Added

  3. Save the page as an xml file.
  4. Metadata must be generated for each Azure SAML tenant. Each tenant will have a unique URL.

Step 3 - Create the Azure Tenant Idp metadata file

Follow these steps:

  1. Browse the azure tenant (IdP) metadata at: https://login.microsoftonline.com/{azure-tenant-name}/FederationMetadata/2007-06/FederationMetadata.xml - replace {azure-tenant-name} with the id of your  application tenant id in the Azure application.. This can be obtained by viewing the endpoint Urls listed when you click View Endpoints in your frevvo Azure application. In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the Azure tenant id.

    Code Block
     https://login.microsoftonline.com/
    {azure-tenant-name}
    fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.
    xml - replace {azure-tenant-name} with the id of your  application tenant id in the Azure application.. This can be obtained by viewing the endpoint Urls listed when you click View Endpoints in your frevvo Azure application. In this example, fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2 is the Azure tenant id.
    Code Block
     https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
    Copy the source of the IdP metadata XML into an XML editor (do not include the XML prolog)
    1. Remove the Signature and RoleDescriptor sections.

      Code Block
      <ds:Signature>…</ds:Signature>
      <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">…</RoleDescriptor>
      <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">…</RoleDescriptor>
  2. Save the remaining metadata as an xml file.

Step 4 - Create/edit the Azure SAML tenant

To successfully create a tenant using the Azure SAML Security manager, you will need the following:

cloud customers, migrating your tenant to the Azure SAML Security Manager, will make the changes via the Edit Tenant screen. Once accessed, follow these steps beginning with step 3.

...

  1. Enter the Azure  tenant identifier into the tenant Id field. This can be obtained by viewing the endpoint Urls listed when you click View Endpoints in your frevvo Azure application.
  2. Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.

...

Image Removed

Step 5 - Logging into a Live Forms Azure SAML Tenant

  1. Paste this tenant specific URL into your browser:
  2. Cloud Customers: https://app.frevvo.com:443/frevvo/web/tn/{t}/login - Replace {t} with the name of your Azure SAML tenant.

  3. On-premise Customers:http://<server>:<port>/frevvo/web/tn/{t}/login. Replace <server> and <port> with your server information and t with the name of your Azure SAML tenant.
  4. The user is redirected to the Azure login screen.
    Image Removed
    If the user is authenticated,  screens display depending on the level of authorization specified for the user. Designer users will see the Application Home Page while non-designer users will be directed to their Task List.
    Image Removed
    You will see this redirection when logging into a space as well.
    xml
  5. Copy the source of the IdP metadata XML into an XML editor (do not include the XML prolog)

    1. Remove the Signature and RoleDescriptor sections.

      Code Block
      <ds:Signature>…</ds:Signature>
      <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">…</RoleDescriptor>
      <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">…</RoleDescriptor>
  6. Save the remaining metadata as an xml file.

Step 4 - Create/edit the Azure SAML tenant

To successfully create a tenant using the Azure SAML Security manager, you will need the following:

cloud customers, migrating your tenant to the Azure SAML Security Manager, will make the changes via the Edit Tenant screen. Once accessed, follow these steps beginning with step 3.

  1. Log onto as the superuser (on-premise) or the tenant admin (cloud).
  2. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
  3. Select Azure SAML Security Manager from the Security Manager Class dropdown.
  4. Copy the Service Provider (frevvo) metadata into the Service Provider field. The xml should be pasted without the prolog. For example, the image shows an example of the frevvo metadata file before pasting:

    Image Added

  5. Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field. Do NOT paste the prolog. Here is an example of the file with the prolog:

    Image Added
  6. Check the Ignore Case checkbox if you are using LDAP for authentication and you want to ignore the case stored in LDAP systems for users/roles. Refer to the Mixed or Upper case User Names topic for more information.

  7. Check the Authentication Only checkbox to enable SAML to handle authentication only. In this mode, authorization happens based on the roles defined in Azure AD.  Authentication Only mode is recommended if you are using the Azure SAML Security Manager. It is checked by default.

    When checked, the screen display changes as attribute mapping, other than the mapping for the user id and custom attributes, is no longer necessary.

    Image Added

    If the option is not selected, users and roles can be managed via the UI.

  8. Enter the User Id. This should be the User property name that identifies the user. A typical value is userPrincipalName, givenname etc.
  9. Custom attributes can be mapped by typing the attribute names in the Custom field separated by a comma.
  10. Enter the following information in the API Access section.
    1. Enter the Azure  tenant identifier into the tenant Id field. This can be obtained by viewing the endpoint Urls listed when you click View Endpoints in your frevvo Azure application.
    2. Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.
  11. Configure the Business Calendar for your tenant. The escalation feature will use this calendar to calculate deadlines and send notiifcation and reminder emails.
  12. Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.
  13. Click Submit.

Image Added

Step 5 - Logging into a Live Forms Azure SAML Tenant

Paste this tenant specific URL into your browser:

  1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/tn/{t}/login - Replace {t} with the name of your Azure SAML tenant.

  2. On-premise Customers:http://<server>:<port>/frevvo/web/tn/{t}/login. Replace <server> and <port> with your server information and t with the name of your Azure SAML tenant.
  3. The user is redirected to the Azure login screen.

    Image Added

  4. If the user is authenticated,  screens display depending on the level of authorization specified for the user. Designer users will see the Application Home Page while non-designer users will be directed to their Task List.

    Image Added

You will see this redirection when logging into a space as well.

Session Timeout

Session timeouts are configured in and in the Azure SAML IDP.  If a user's session ends before the IDP timeout is reached, they will automatically be logged back into if they try to access it again. It is recommended that the session timeout and the IDP session timeout be configured for the same value.

Embedding Forms/Flows in your website

Embedding forms and flows into your website when using the Azure/SAML Security Manager, will work in the following scenarios :

Info

Embedding forms and flows into your website is NOT supported if the the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to Azure SAML. This is because frevvo must direct the user to the IDP login screen and the browser will not allow loading the IDP login page in frevvo's form iframe.

Troubleshooting

Logging into a Azure SAML tenant directly (user@Azure SAML tenant name) displays an application error message.

...