|
frevvo only supports/certifies the SAML Security Manager when frevvo is running in the tomcat container. Refer to our Supported Platforms for the list of Application Servers supported/certified by frevvo. |
When you create your SAML tenant, you can select Authentication Only mode. This is done by checking a checkbox when you configure your SAML tenant.
If Authentication Only is selected, SAML is used only for authentication. Authorization depends on the roles defined in frevvo. SAML will authenticate the user but not retrieve any of the attributes.
You may choose to use this mode if you:
you prefer to maintain groups/roles in frevvo rather than in your IDP or LDAP server.
you find the SAML mapping for the other required attributes complex. For example, retrieving the manager user id and role names may require writing custom rules.
In this mode, manual creation of users & roles in the frevvo tenant is required. The frevvo CSV upload feature makes this easy.
If Authentication Only is not selected, users will be added (discovery) at runtime when they log in for the first time. It is important to consider the following points before making your decision.
User discovery:
There is no guarantee that the first login will occur before a task is created for a specific user /role. If you have workflows, that are routed to users who have not logged in yet, your workflow may not do what you expect. If the user’s role changes after 1st login but before the next task is routed to their new role, the task will not appear on their Task List. For example, a user with the role of employee logs into frevvo. The user then gets promoted to manager. The user will not receive a task routed to the user's new role of manager if the workflow is initiated before the user logs out and logs in again and the user account is updated.
Manually creating/uploading users and roles ahead of time avoids this situation.
|
In the directions given below, the Service Provider refers to frevvo frevvo. The metadata for your frevvo SAML tenant must be obtained first. Customers will need to configure the frevvo metadata when creating the SAML tenant.
Cloud customers can skip the Generate Your Certificate and Install the Java Cryptography steps. These instructions are provided for On Premise customers only.
If you are using the frevvo tomcat bundle, the supplied keystore, frevvoKeystore.jks is located in the <frevvo-home>/tomcat/lib folder, The keystore contains a default certificate. Replace this with a certificate for your installation.
This certificate is used to sign/encrypt the SAML request. The use of a long-lived self-signed certificate for SAML is recommended because a CA certificate is usually only valid for 1 to 2 years and you have to keep replacing it. Since the keystore is located outside the frevvo war, you can use the Java keytool to generate and store your certificates
The alias, password, and path to the keystore are configured in the <frevvo-home>\tomcat\bin\setenv.bat and the service.bat files for the Windows OS or setenv.sh for UNIX/Linux OS. The properties listed below are used in the setenv and service.bat files to set the default values:
rem SAML keystore configuration set CATALINA_OPTS=%CATALINA_OPTS% -Dcom.frevvo.security.saml.keystore=file:${catalina.home}/lib/frevvoKeystore.jks -Dcom.frevvo.security.saml.key=frevvo -Dcom.frevvo.security.saml.password=p@ssw0rd |
# SAML keystore configuration export CATALINA_OPTS="${CATALINA_OPTS} -Dcom.frevvo.security.saml.keystore='file://${CATALINA_BASE}/lib/frevvoKeystore.jks' -Dcom.frevvo.security.saml.key=frevvo -Dcom.frevvo.security.saml.password=p@ssw0rd" |
set SAML_ARGS=-Dcom.frevvo.security.saml.keystore=file:${catalina.home}/lib/frevvoKeystore.jks;-Dcom.frevvo.security.saml.key=frevvo;-Dcom.frevvo.security.saml.password=p@ssw0rd |
Follow these steps to generate and import the certificate for your installation:
Delete the existing certificate:
keytool -delete -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd |
If you changed the password from the default, execute this keytool command to change the password in the keystore
keytool -storepasswd -keystore frevvoKeystore.jks |
You will be prompted for the old password. Enter p@ssw0rd. Then when prompted, enter the new one. The keystore password must match whatever is in the line that you added to the setenv or service.bat files.
Generate a new certificate: Here is the command: Change the -dname value to the DNS name of your IDP.
If you changed the values of the com.frevvo.security.saml.key or com.frevvo.security.saml.password properties in the setenv or service.bat files then change the alias in the command and the keypass and storepass password parameters to match those values. The key and store passwords need to be the same as there is only one password property.
The dname in this keytool command specifies the X.500 Distinguished Name to be associated with the alias and is used as the issuer and subject fields in the self-signed certificate. While we provide a sample in the documentation, it is up to the customer (your security policy) to decide what the value should be when the certificate for your installation is generated. Since this is a self-signed certificate, the dname could be anything. Here is a link to the Oracle documentation to give you some ideas.
Execute this command to create a new certificate and store it in the keystore.
keytool -genkey -dname "cn=app.frevvo.com" -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd -keyalg rsa -keysize 2048 -validity 3650 |
The certificate can be viewed by exporting it to a file. If you changed the password, substitute the new password in the command:
keytool -exportcert -alias frevvo -file frevvo.rfc -rfc -keystore frevvoKeystore.jks -storepass p@ssw0rd |
For added security, you may also store the keystone password as an OS Environment Variable instead. Please see Secure Passwords in Tomcat for details. |
Follow these steps to generate the frevvo metadata for your SAML tenant. You can do this even if the tenant has not been created yet.
Paste this URL into your browser:
Cloud Customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the tenant id of your SAML tenant.
On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and t with your tenant id).
When the metadata displays, right-click and select the browser option to View the Page source.
We know that your IDP software of choice is outside of the frevvo server software and that you have the expertise in-house to install, configure and maintain your IDP software. But here are some tips we have found that may assist you.
Configure Custom AttributesActive Directory attributes other than the standard First Name, Last Name, or Email are considered custom attributes. You can retrieve custom attributes in addition to the standard ones from your IDP and pull the data into your form/workflow using frevvo business rules. For example, let's say you want to extract the custom attribute, StaffId, from LDAP and populate fields in your form/workflow using a business rule. Perform these general steps:
|
Follow these steps to setup Google as the Identity Provider and frevvo as the Service Provider to configure Single Sign-On. These instructions are for Cloud. On-Premise customers follow the same steps with one additional step to generate a certificate:
|
To successfully create a frevvo tenant using the SAML Security manager, you will need the following:
frevvo SAML Security Manager#Step2-CreatetheMetadatafile
frevvo cloud customers, migrating your tenant to the SAML Security Manager, will make the changes via the Edit Tenant screen. Once accessed, follow these steps beginning with step 2.
Log onto frevvo as the superuser (on-premise) or the tenant admin (cloud).
Check the Authentication Only checkbox if you want SAML to handle authentication and provide user identification but all other user attributes come from the frevvo database.
When checked, the screen display changes as attribute mapping, other than the mapping for the user id and custom attributes, is no longer necessary.
SAML Security Manager#Prerequisites:
|
Map the attributes configured in your Identity Provider by entering the name for each attribute in the corresponding field on the frevvo screen. Be sure to provide the attribute name - not the friendly name. For example, if you are using Shibboleth for your Identity Provider the attribute information is located in the attribute-resolver.xml file. The image shows the section of the file where the attributes are defined.
The image below shows the attribute mapping on the frevvo screen with the attribute names from the Shibboleth file:
If Authentication Only mode is enabled for your tenant, mapping is only required for the User Id. Refer to step 8 for the details |
Choosing the Authentication only option in your SAML tenant implies that the user and roles will be managed from frevvo. You may choose this mode if:
When Authentication Only is selected (checked) there is no discovery of Users & Roles. They must be created in your tenant manually. The CSV upload is a good way to do this.
When Authentication Only is not selected (unchecked) frevvo will discover new users at run-time. However, users are only discovered when the person tries to log in. They are not discovered nor is their user data (email, name, report-to) kept in sync automatically. It requires the user to log in. So, this does not necessarily remove the need for manually creating/uploading users and roles ahead of time nor does it remove the need to continuously update the users when changes are made in LDAP.
If you have workflows that are routed to users/roles there is no guarantee that the required users will log in before a task is created for that user (specifically or via a role). For example, if a workflow is routed to a specific user and it is performed before the first login of that user, frevvo will send an email to the tenant admin indicating that the user is unknown. Routing based on the user's manager will fail. Routing based on a role will succeed but the user will receive no notification.
Manually creating/uploading users/roles in frevvo ahead of time avoids this situation. Be sure to review CSV Upload Considerations first.
A SAML tenant with Authentication Only unchecked means that authentication and authorization are handled by SAML IDP. Users are added/updated through discovery. If a tenant admin modifies user information in the frevvo UI, for example, changes an email address or adds a role for a user, the changes will stay in effect until the user logs out of the tenant and then logs back in. When the user logs back in, the changes made in the frevvo UI will be overwritten by the information in SAML IDP. In this case, make the changes in your IDP to make them permanent. A warning message will appear on the User List to alert the admin that they are in discovery mode and should make permanent changes in their IDP instead. Discovery updates only occur when the user logs into the tenant. The admin "login as" feature will not execute a discovery update. |
Browse the URL below to initiate the SAML authentication process by redirecting to the Identity Provider login page.
Cloud Customers: https://app.frevvo.com:443/frevvo/web/tn/{t}/login. Replace {t} with the name of your SAML tenant.
|
sameSiteCookies attributePlease see this documentation on the use of the sameSiteCookies attribute to ensure compatibility with your SAML configuration. |
Just a reminder that the tenant admin account can log in directly into frevvo or use the SAML login.
When you create/edit a new tenant you are prompted to set up/modify a tenant admin user id, password, and email address. This tenant admin does not authenticate via your SAML IDP. It only exists in frevvo. If you experience an issue with your SAML configuration such that you can't log in as a SAML authenticated user, use the built-in admin to log in to your tenant as a tenant admin in order to fix your SAML configuration issue. Only one built-in tenant admin account is supported.
Browse this URL to login as the built-in: <base_URL>/frevvo/web/admin/login. When specified, frevvo will prepend the base URL to the URLs in your Form/Document Actions. The <base_URL> is typically http(s)://<your servername>:<port>.
If your tenant originally used the Default Security Manager and then you changed to the SAML Security Manager, this tenant admin account has already been set up. If you have forgotten the password, you can change it by:
The frevvo superuser admin (Cloud customers) and the On Premise superuser can change the password for the built-in userid from the Edit Tenant page. |
What if you do not remember the userid of your original tenant admin? Follow these steps:
The frevvo (Cloud customers) and On Premise superuser can see the built-in tenant userid from the Edit Tenant page. |
If your SAML userIds are in the format <username>@<domain name>, when you log in to frevvo the frevvo tenant name is appended to the userId. This is as designed. You will see <username@domain name@frevvo tenant name> as the logged-in user at the top of the screen. If your domain name is the same as your frevvo tenant name, it will appear as if the domain name is listed twice, for example, tom@frevvo.com@frevvo.com.
Session timeouts are configured in frevvo and in your IDP. If a user's session ends before the IDP timeout is reached, they will automatically be logged back into frevvo if they try to access it again. It is recommended that the frevvo session timeout and the IDP session timeout be configured for the same value.
Embedding forms and workflows into your website when using the SAML Security Manager, will work in the following scenarios :
Embedding forms and workflows into your website (and other use of the Link (Email/Webpage) share URL) is NOT supported if the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to SAML. This is because frevvo must direct the user to the IDP login screen and the browser will not allow loading the IDP login page in frevvo's form iframe. Users will see an error like this one if you open your browser's console: Refused to display 'https://....' in a frame because it set 'X-Frame-Options' to 'deny'. |
If the tenant is using a SAML security manager, always use the Raw form link (see this documentation) to access your forms. This link will not load the form in a frame and login will work as expected. If you are embedding your forms inside another website, then make certain that user has to login to IDP before they can see that web page. If the user is already logged in, the form will load correctly (even inside a frame). |
Customers using the SAML Security Manager, often want to schedule a daily upload batch job to automatically handle the synchronization of users between their IDP and frevvo. The Java Client API is one way to do this. Refer to the How do I batch upload users from the api? topic for the details.
Custom properties in LDAP server for the logged-in user can be made available so you can pull them into your form/workflow using a frevvo business rule. Attributes have to be configured and released in your IDP configuration for them to be available on login. There are several steps that have to happen to accomplish this:
Configure and release the custom attributes as SAML attributes in your IDP.
The procedure to expose custom attributes will differ depending on the IDP you have selected. Refer to your IDP documentation or your on-staff IDP expert to complete this step. |
Let's take a look at a frevvo installation using a SAML tenant, Shibboleth as the IDP and Active Directory for authentication. When the user logs into the SAML tenant, you want to populate these fields in your form with the information from the LDAP server:
These attributes must be configured and released in your IDP. The process to expose the attributes varies for each Identity Provider. In our example, which uses the Shibboleth IDP, configuration and release of the attributes is done in two files, attribute-resolver.xml and attribute-filter.xml. You may need to confer with your on-staff IDP expert to complete this step.
Here is an example of the section of the attribute-resolver.xml file that was added for the employeeType and employeeNumber custom attributes:
When the attributes are configured in the IDP, add them to the Custom section for attribute mapping by editing/creating your SAML tenant :
Note the friendly name for the employeeType is listed here while the name of the employeeNumber attribute is used. This was done to match the configuration of the attributes in the IDP.
Next, create your form with fields to collect the attribute information. Include a Dropdown control that will be populated with the groups (roles) that are assigned to the designer user in Active Directory. Add a rule to pull the information into your form:
|
After a failed login, if this error message appears in the <frevvo-home>\tomcat\logs\frevvo.log file:
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822) ~[xmlsec-1.5.7.jar:1.5.7] … org.opensaml.xml.encryption.DecryptionException?: Failed to decrypt EncryptedData? at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:546) ~[xmltooling-1.4.4.jar:na] … |
This error indicates the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are missing in the Java Development Kit (JDK) software of your on-premise installation. Ensure you have the supported version of JDK installed which includes the JCE.
On Premise customers may see a blank page when browsing the URL to access your SAML tenant in the Microsoft Edge browser. There is a known issue with the Edge browser and untrusted self-signed certificates, especially where redirect is concerned. Registering the certificates in Windows will not work. The workaround is to:
Chrome browser: - You may see "Connection is not private" messages -skip these warnings and the login page displays
This error typically occurs if the login is invalid, but may also occur if the max concurrent user limit has been reached. The max concurrent user limit can be configured by the server admin for On Premise installations.
The table below lists errors you may encounter when configuring your tenant with the SAML Security Manager. Verify the recommended values to resolve.
Parameters | Value to Verify | Error on Edit Tenant Page | Error While Accessing Tenant |
---|---|---|---|
SP Metadata | random | org.opensaml.xml.parse.XMLParserException: Invalid XML | NA |
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___example.com_8082_frevvo_web_alias_saml" entityID="http://example.com:8082/frevvo/web/alias/saml"> </md:EntityDescriptor> | No error while adding/editing tenant | Application Error when accessing the login URL javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No local entity found for alias saml, verify your configuration. Logs: Same exception with stack | |
Change domain name to something else e.g. example.com to localhost in the original metadata generated | No error while adding/editing tenant | UI: Web Login Service - Unsupported Request The application you have accessed is not registered for use with this service. Logs: No Error | |
In case the certificates in metadata are invalid and we need to regenerate the metadata. | No error while adding/editing tenant | Web Login Service - Message Security Error | |
IdP metadata | Some syntax error in xml | org.opensaml.xml.parse.XMLParserException: Invalid XML | NA |
Removed certificates(tag : <ds:X509Certificate>) from IdP metadata xml | No error while adding/editing tenant | UI: Access Denied. Authentication required. Logs : 2017-11-02 16:54:25.904 WARN saml 9c539fc6-1afb-4bb7-987f-6fd38b8e260f 7584 --- [http-nio-8082-exec-1] com.frevvo.forms.web.LoginResource : Login failure org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid | |
User Id | Wrong value | No error while adding/editing tenant | The IdP login page appears. After login following error on UI: Application Error Could not save user null; SQL []; Cannot insert the value NULL into column 'userId', table 'frevvo74.dbo.users'; column does not allow nulls. INSERT fails.; nested exception is com.microsoft.sqlserver.jdbc.SQLServerException: Cannot insert the value NULL into column 'userId', table 'frevvo74.dbo.users'; column does not allow nulls. INSERT fails. Logs: Same exception with stack trace |
First Name | Wrong value | No error while adding/editing tenant | No Error in accessing and using tenant. The firstname remains blank in the edit user page. NULL in firstname colum in users table |
Last Name | Wrong value | No error while adding/editing tenant | No Error in accessing and using tenant. The firstname remains blank in the edit user page. NULL in firstname column in users table |
Wrong value | No error while adding/editing tenant | Application Error Could not update user (not password): dl in tenant: saml (id=1020); SQL []; Cannot insert the value NULL into column 'email', table 'frevvo74.dbo.users'; column does not allow nulls. UPDATE fails.; nested exception is com.microsoft.sqlserver.jdbc.SQLServerException: Cannot insert the value NULL into column 'email', table 'frevvo74.dbo.users'; column does not allow nulls. UPDATE fails. Logs: Same Error with stack | |
Manager User Id | Wrong value | No error while adding/editing tenant | reportsTo column in DB set to NULL. No error anywhere. |
Groups | Wrong value | No error while adding/editing tenant | IdP login appears. After entering credentials, the following error is seen and the user can not log in: Access Denied. Either you are not authenticated or you do not have the proper permissions/role. Logs: 2017-11-02 15:48:38.836 WARN saml 15805e17-2a04-43dc-9d91-298da764a915 7584 --- [http-nio-8082-exec-9] com.frevvo.forms.web.LoginResource: Could not login dl: Access Denied. Either you are not authenticated or you do not have the proper permissions/role. |