In this scenario, a user authenticates to his windows account and tries to use frevvo. Since the user is already authenticated to the network, frevvo will recognize his credentials and automatically forward the user to his frevvo account, if he is a designer, or allow the user to use a form/flow if those resources are available to the tenant.
The basic deployment is IIS fronting frevvo and the authentication is done against LDAP. For that to work you need to:
Please also refer to the force auth property for forms and workflows. Force auth lets you override SSO for an individual form or flow.
If you are using LDAP and SSO, and you want to embed frevvo in your website, refer to Embedding the Task List for important information.
Once all is configured and running it is possible to test these scenarios:
In this case, the frevvo server and the Active Directory server are running on the same network. The user is already authenticated to the windows network and points the browser to:
http://[server]/frevvo/web/tn/[LDAP tenant]/login
Substitute LDAP tenant above with the tenant name you configured with the LDAP Security Manager. The server variable should be the IP address of the machine where IIS is installed.
The user will automatically authenticate to frevvo. It is crucial that the LDAP user is known to frevvo, in other words, the user should be one of the entries retrieved by the LDAP expression configured in the All Users Filter on the LDAP configuration screen.
In this case, the frevvo server and the Active Directory server are running on different networks. The user is trying to hit the URL below from outside the network.
http://[server]/frevvo/web/tn/[LDAP tenant]/login
Substitute LDAP tenant above with the tenant name you configured with the LDAP Security Manager and the server variable with the IP address of the machine where IIS is installed.
Since the user is not authenticated in the Windows network, he will be prompted by the browser for credentials. IIS will authenticate the user in the network and forward the request to frevvo. The user will be automatically redirected to his initial page without having to re-enter his credentials.
If you are still being prompted for Windows authentication after SSO is configured, the security settings for your browser may be too high. Configure your browser to authenticate using the "system logon credentials" (Kerberos authentication mechanism) by adding the frevvo server to the browser's trusted sites.
Follow these steps for the specified browsers:
If you are using either the IisLoginModule or NtlmLoginModule option, your Firefox users may want to modify their browser settings. By default, Firefox will prevent automatic login. Browsing the frevvo SSO URL will cause a windows dialog box to popup requesting login information. This popup can be avoided by having your users modify their Firefox settings as described below.
To configure Chrome you need to start the application with the following parameter: --auth-server-whitelist=<allowed fully qualified domain name>.
For example: In Windows,
No additional configuration is needed.
If a proxy is configured (see this documentation) all share dialogs for forms and workflows will use this as the external URL. This may be needed when using a proxy if that external url is not also accessible from the form server machine.
If your system is configured for LDAP SSO, the upload control may display the "uploading..." image continuously when uploading an image to an upload control in a form, accessed from a space, on a mobile device. To workaround this issue, configure IIS so that it does not require re-authentication for every single request.
IIS configuration is a complex task. The integration steps below relating to your IIS web server should be performed by your IIS Web System Administrator.
It is very important that you first follow the basic frevvo Quick Start Guide and verify that frevvo works by itself by pointing a browser to http://localhost:8082/frevvo/web/login.
It is necessary to configure Tomcat to receive proxied requests from IIS.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" useBodyEncodingForURI="true" tomcatAuthentication="false" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET"/>
netstat -na | findstr 8009
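The connector line above is the one setting that IIS-based SSO depends on: IIS authenticates the Windows user and hands the result to Tomcat over AJP, so tomcatAuthentication must be "false", and the AJP port should be bound to a specific address and protected by a shared secret (recent Tomcat releases refuse AJP connections without one). The following script is an added example, not part of the frevvo documentation, that reads a <Connector .../> line and reports whether those attributes are set correctly; the two sample connector lines are constructed here, and the placeholder values YOUR_TOMCAT_IP_ADDRESS and YOUR_TOMCAT_AJP_SECRET are the ones from the snippet above.

```shell
#!/bin/sh
# Added example: sanity-check a Tomcat AJP <Connector> line before fronting it with IIS.
# Assumption: the line is copied from Tomcat's server.xml; the placeholder values
# are the ones shown in the documentation snippet and must be replaced.

# Print the value of attribute $1 from the single-line <Connector .../> element in $2.
attr_value() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Check one connector line. Prints each finding; returns 0 only when every check passes.
check_ajp_connector() {
    line=$1
    rc=0
    proto=$(attr_value protocol "$line")
    secret=$(attr_value secret "$line")
    addr=$(attr_value address "$line")
    tauth=$(attr_value tomcatAuthentication "$line")

    case "$proto" in
        AJP/1.3) ;;
        *) echo "FAIL: protocol is '$proto', expected AJP/1.3"; rc=1 ;;
    esac
    # Current Tomcat versions require a shared secret on AJP by default; a missing or
    # placeholder secret means IIS cannot connect (or, on old versions, that anything
    # able to reach port 8009 can talk to Tomcat).
    case "$secret" in
        ""|YOUR_TOMCAT_AJP_SECRET) echo "FAIL: secret is missing or still the placeholder"; rc=1 ;;
    esac
    # Bind AJP to the interface IIS connects from, not to every interface.
    case "$addr" in
        ""|0.0.0.0|YOUR_TOMCAT_IP_ADDRESS) echo "FAIL: address should be the specific interface IIS uses"; rc=1 ;;
    esac
    # IIS performs the Windows authentication and forwards the user name over AJP;
    # Tomcat only trusts that value when tomcatAuthentication="false".
    [ "$tauth" = "false" ] || { echo "FAIL: tomcatAuthentication must be \"false\" for IIS SSO"; rc=1; }

    [ $rc -eq 0 ] && echo "OK: AJP connector is configured for IIS SSO"
    return $rc
}

# Constructed sample lines: the documentation snippet with placeholders left in, and a filled-in one.
BAD_LINE='<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" useBodyEncodingForURI="true" tomcatAuthentication="false" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET"/>'
GOOD_LINE='<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" useBodyEncodingForURI="true" tomcatAuthentication="false" address="192.0.2.10" secret="replace-with-a-long-random-value"/>'

echo "--- placeholder line ---"
check_ajp_connector "$BAD_LINE" || echo "(fix the attributes reported above)"
echo "--- filled-in line ---"
check_ajp_connector "$GOOD_LINE" || echo "(unexpected failure)"
```

Run it on your own connector line (for example, by pasting the line into the GOOD_LINE variable) before installing the IIS to Tomcat connector; once it passes, the netstat check above confirms that Tomcat is actually listening on port 8009.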
When the tomcat server configuration is completed, install the IIS to Tomcat Connector.
2. Customers using LDAP SSO that see a "Value update failed" or "Update control failed" error occur intermittently on forms should reconfigure the AJP (IIS to Tomcat) connector with these settings to resolve the error: