Versions Compared

Old Version 3

changes.mady.by.user Megan Ellis

Saved on

compared with

New Version Current

changes.mady.by.user Megan Ellis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Section


Column


Warning

While it is possible to integrate with IIS for LDAP SSO, frevvo recommends SAML or Azure Security Managers when the Single Sign On feature is required. 


This page describes how to configure Microsoft's IIS web server and frevvo such that IIS forwards requests on to frevvo, and responds back to the user.

frevvo is written in Java, and needs a Java Application Server (servlet container) to run. As IIS does not provide services of a Java Application Server, it is not possible to deploy frevvo directly into IIS. It is possible, however, to configure IIS to proxy requests for frevvo to an application server where frevvo is deployed. If you are not using the standalone frevvo distribution with Tomcat, please consult your application server's documentation to determine whether it is possible to integrate with IIS and how to achieve it. Also, note that this is a guideline on how to enable the interaction between frevvo and IIS.


Column
width240px

On this page:

Table of Contents
maxLevel23


Single Sign On with IIS

In this scenario, a user authenticates to his windows account and tries to use frevvo. Since the user is already authenticated to the network, frevvo will recognize his credentials and automatically forward the user to his frevvo account, if he is a designer, or allow the user to use a form/flow if those resources are available to the tenant.

The basic deployment is IIS fronting frevvo and the authentication is done against LDAP.  For that to work you need to:

  1. Install frevvo 
  2. Configure frevvo to work with IIS
  3. Configure Windows Authentication 
    1. Configure Windows Authentication on IIS7
    2. Configure Windows Authentication on IIS6
  4. In IIS, Make sure that Anonymous Authentication or Basic Authentication is NOT configured in the Web Application (Default Web) that will be used to proxy requests to frevvo

Please also refer to the force auth property for forms and workflows. Force auth lets you override SSO for an individual form or flow.

Info

If you are using LDAP and SSO, and you want to embed the frevvo in your website, refer to Embedding the Task List for important information.

...

Signing in from within the network

In this case, the frevvo server and the Active Directory server are running on the same network. The user is already authenticated to the windows network and points the browser to:

...

The user will automatically authenticate to frevvo. It is crucial that the LDAP user is known to frevvo, in other words, the user should be one of the entries retrieved by the LDAP expression configured in the All Users Filter on the LDAP configuration screen.

Signing in from outside the network

In this case, the frevvo server and the Active Directory server are running on different networks. The user is trying to hit the URL below from outside the network. 

...

Since the user is not authenticated in the windows Network, he will be prompted by the browser for credentials. IIS will authenticate the user in the network and forward the request to frevvo. The user will be automatically redirected to his initial page without having to re-enter his credentials.

...

  • Stop Tomcat. 
  • In a text editor open FREVVO_HOME/tomcat/conf/server.xml 
  • Ensure that the AJP Connector is enabled by uncommenting out the section.   
  • Specify a value for the secret attribute (recommended) or if you are using the connector on a trusted network you can set secretRequired="false" instead. 
    • If you are using the recommended boncode connector, when you set the secret attribute you also need to set the RequestSecret attribute in the boncode connector file, BonCodeAJP13.settings, to the same value. (Refer to this article for additional details and troubleshooting.)
Code Block
languagehtml/xml
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
               useBodyEncodingForURI="true" tomcatAuthentication="false"
               address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET"/>

...

2. Customers using LDAP SSO that see a "Value update failed" or “Update control failed" error intermittently occur on forms should reconfigure the AJP (IIS to Tomcat) connector with these settings to resolve the error:

Image Modified