This documentation is for frevvo v10.0.

Security Managers

About

frevvo has a pluggable security framework and offers a variety of built-in Security Managers. If you use the frevvo Default Security Manager, a tenant admin can create users and roles directly in your frevvo tenants. See Manage Users and Manage Roles for instructions on creating users and roles. Note that with the LDAP Security Manager and the Delegating Security Manager, groups are the equivalent of frevvo roles.

frevvo also supports two types of LDAP Security Managers that pull users and groups from your external Active Directory or OpenLDAP system; a Delegating Security Manager for integrating frevvo with Confluence; and a SAML Security Manager that allows enterprises to take advantage of Internet Single Sign-On.

  • frevvo Security Managers are an add-on feature with additional costs.
  • frevvo only supports/certifies Security Managers when frevvo is running in the Apache Tomcat container. Refer to our Supported Platforms for the list of Application Servers supported/certified by frevvo.


  • frevvo Default Security Manager - frevvo is responsible for authentication/authorization and managing users/roles. This is the default option. Your tenant will be created with this security manager if no other choice is selected.
  • LDAP Active Directory Security Manager - The user is authenticated outside frevvo. Typically, SSO or frevvo performs the authentication using LDAP directly.
  • SAML Security Manager - This security manager allows the exchange of authentication and authorization data between an identity provider of your choice (e.g., Shibboleth) and a service provider (frevvo). SSO is supported. Although this security manager can be used on-premise, it is primarily meant for cloud tenants who use LDAP but do not want to expose it over the internet.
  • Azure SAML Security Manager - This security manager uses SAML in Authentication Only mode and the Active Directory available in the Microsoft Cloud solution, Azure. Integration with the Azure API enables frevvo queries. On-premise AD services can be exposed via Azure providing a clean way to integrate with the frevvo cloud. 
  • Delegating Security Manager - this is the Security Manager needed for Confluence integration.

Which Security Manager do I choose?

Many frevvo customers use the Default Security Manager. All tenants are initially created with this Security Manager. It is the simplest security manager because it does not require integration with an external IDP. Users/roles are managed by the tenant admin.

frevvo offers additional Security Managers, implemented to industry standards, that may be more compatible with your environment. You must have the expertise for setting up your security infrastructure in such a way that whatever choice you make  (cloud, ldap, saml, azure) is in fact secure and in compliance with any/all of your auditing requirements.

Selecting a Security Manager for your frevvo tenant is a very important decision. The comparison below, which lists the LDAP, SAML and Azure SAML Security Managers side by side for each question, helps you make the choice.

Cloud or on-premise

  • LDAP: Both. Some organizations do not want to expose LDAP to the internet, so they choose on-premise. Read how LDAPS in the cloud is secure.
  • SAML: Both. Primarily used for cloud tenants who do not want to expose their LDAP directly to the internet.
  • Azure: Both. Provides a simple and secure way to access identity management (Azure AD) in the cloud.

Are Users/Roles automatically synchronized with your frevvo tenant(s)?

  • LDAP: Yes. Manual user/role sync (via frevvo CSV upload, for example) is not required. The frevvo server automatically gets users and roles from LDAP.
  • SAML: No if "auth only" mode is selected: users/roles must be created in your tenant manually, and the CSV upload is a good way to do this. Partial sync in discovery mode ("auth only" off): user details and the user's roles are automatically discovered each time the user logs into the tenant. The tenant can therefore get out of sync with your IDP, so manual or automated CSV uploads on a regular basis are still recommended.
  • Azure: Yes. Manual user/role sync (via frevvo CSV upload, for example) is not required. The frevvo server automatically gets users and roles from Azure AD.

Single Sign On

  • LDAP: Cloud - not available
  • SAML: Yes
  • Azure: Yes

Authentication Only Mode Choice

  • LDAP: No. You must change your IDP (LDAP in this case) to have the roles you need in your frevvo workflow if they do not already exist. All user information is maintained in LDAP.
  • SAML: Yes
  • Azure: Yes

Authentication Only = Yes

  • LDAP: Not supported.
  • SAML: SAML handles authentication only; roles/users are managed and maintained via the tenant Users/Roles UI. Changes made via the tenant Users/Roles UI do not get overridden when the user logs in/out. You may choose this mode if you do not want to add frevvo roles to your LDAP, if LDAP has many roles that have no relevance to your workflow, or if you find the SAML mapping for the other required attributes complex (for some IDPs, retrieving the manager user id and role names may require writing custom rules).
    • Con: all user information (email address) must be managed by the frevvo tenant admin, and this can get out of sync with your IDP. You cannot pull custom attributes from your AD into your forms/workflows in this mode.
    • Pro: you can add roles for frevvo workflows without having to edit your IDP.
  • Azure: Users and roles are defined in Azure AD.

Authentication Only = No

  • LDAP: This is the only mode allowed in this Security Manager; the property does not even exist to change it. Users are discovered immediately the first time the tenant connects to the IDP and are automatically and always kept in sync without any manual intervention. Groups needed for these user types in your IDP:
    • Designer users must be members of the frevvo.Designer group.
    • Tenant Admins must be members of the frevvo.TenantAdmin group.
  • SAML: Users are discovered when they log in. Changes made via the tenant Users/Roles UI are overwritten if the user logs out and then in again. Groups needed for these user types in your IDP:
    • All users that will have access to frevvo must be members of the frevvo.user group.
    • Designer users must be members of the frevvo.user and frevvo.Designer groups.
    • Tenant Admins must be members of the frevvo.User and frevvo.TenantAdmin groups.
  • Azure: Users and roles are defined in Azure AD.

If your company uses LDAP as your IDP, do you need to install additional software to use this frevvo Security Manager?

  • LDAP: No
  • SAML: Yes. Either install one of the SAML 2.0 implementations such as ADFS or use a cloud provider such as Okta, and configure it to talk to your LDAP server.
  • Azure: Yes. You must purchase Azure AD in the cloud.

Can I embed frevvo forms/workflows into my website with this Security Manager?

  • LDAP: Yes
  • SAML: Yes if the visibility of the form is set to Public. Yes if the visibility of the form is set to Public in Tenant and the user is already authenticated to SAML. No if the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to SAML: frevvo must direct the user to the IDP login screen, and the browser will not allow loading the IDP login page in frevvo's form iframe.
  • Azure: Yes if the visibility of the form is set to Public. Yes if the visibility of the form is set to Public in Tenant and the user is already authenticated to Azure SAML. No if the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to Azure SAML: frevvo must direct the user to the IDP login screen, and the browser will not allow loading the IDP login page in frevvo's form iframe.

What does frevvo support?

  • LDAP: Microsoft AD, OpenLDAP
  • SAML: Shibboleth, ADFS, Okta, Centrify, Google and any other software that implements the SAML 2.0 protocol
  • Azure: There is no other implementation of Azure AD than Azure AD.

What does frevvo certify?

  • LDAP: Microsoft AD
  • SAML: none
  • Azure: Azure AD

Do you need your own Configuration Specialist for your IDP?

  • LDAP: Yes
  • SAML: Yes
  • Azure: Yes

Changing the Security Manager for your Tenant

frevvo trial tenants are configured with the Default Security Manager. Once you have purchased a license for your frevvo tenant, the original security manager can be changed. This allows you to keep the submissions and the name of your existing tenant.

Cloud customers who plan to switch their tenant's Security Manager from the default to the LDAP, SAML or Azure SAML Security Manager, or who are using the SAML Security Manager on a trial basis, should contact sales@frevvo.com to initiate the process.


Tenants using the Default Security Manager can be migrated to:

  • Default Security Manager → LDAP
  • Default Security Manager → SAML
  • Default Security Manager → Azure SAML

Tenants using the LDAP Security Manager can migrate to:

  • LDAP → SAML
  • LDAP → Azure SAML

If you are planning on changing the Security Manager from the Default Security Manager to LDAP(s), SAML or Azure SAML, and you want to preserve Projects/Forms/Workflows developed in your trial/starter frevvo tenant, here's what we recommend:

  • Make sure the users created in the Default Security Manager tenant have the same user names as the users in your Active Directory or IDP.
  • Download the Projects/Forms/Workflows that you want to preserve to your desktop as a backup BEFORE changing the Security Manager.

frevvo customers should be aware that changing the Security Manager of your tenant is a ONE-WAY operation. Once you click the Change button, you cannot revert to the original security manager.

Preserve Access to Forms and Workflows

Projects, forms, workflows, submissions, and spaces are maintained in users' accounts. If your usernames will change as a result of changing security managers, the original designer user(s)/owner(s) will not be able to access them. Before you change your Security Manager, you must take steps to ensure continued access to your existing resources.

We recommend that you download the Projects/Forms/Workflows that you want to preserve to your desktop as a backup BEFORE changing the Security Manager.

Production User

frevvo Best Practice recommends that you create a user account in your Active Directory/IDP that will house all of your deployed Production forms/workflows. This user can be named anything (e.g., frevvoProduction) but it must be a member of the frevvo.Designer group.

Evaluate User/Role Set Up

First, answer these questions.

  • Are the users/roles in your LDAP(s)/SAML/Azure tenant the same as the ones that exist in your Default Security Manager tenant?
    • If your new user/role IDs are exactly the same as your current (Default Security Manager) user/role IDs, you do not need to take these actions. Your resources will remain accessible after the Security Manager change.
    • If No, answer the remaining questions.
  • If the users/roles are not the same, can you create user account(s) in your IDP that are identical to the account(s) that currently (under the Default Security Manager) own your production forms/workflows/spaces?
    • If Yes, see Option 2 below.
    • If No, see Option 1 or Option 3 below.
  • Do you need access to frevvo submissions in your existing tenant?
    • If Yes, see Option 2 or Option 3 below.
    • If No, see Option 1 below.
  • Do your form/workflow Access Control settings, Step Assignments, Business Rules, or controls (e.g. a dropdown control) refer to hard-coded user/role assignments?
    • See Other Considerations below.
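The first question above and the group membership requirements listed earlier on this page (frevvo.user, frevvo.Designer, frevvo.TenantAdmin) can be checked mechanically before the one-way change. The following script is an added example, not frevvo's own code: it takes a constructed list of resource owners from a Default Security Manager tenant and a constructed view of the IDP's group memberships, and reports owners who are missing from the IDP or lack the groups required under the LDAP or SAML (discovery mode) Security Manager; comparing group names case-insensitively is an assumption.

```python
# Added example, not frevvo's own code: a pre-migration check that each user
# who owns resources in a Default Security Manager tenant also exists in the
# target IDP with the group memberships this page requires.

# Group names as listed on the page. The page writes frevvo.user and
# frevvo.User interchangeably, so names are compared case-insensitively
# (assumption).
USER_GROUP = "frevvo.user"
DESIGNER_GROUP = "frevvo.designer"
ADMIN_GROUP = "frevvo.tenantadmin"

def required_groups(sm: str, level: str) -> set:
    """Groups a 'designer' or 'tenantadmin' user needs under the LDAP SM
    ('ldap') or the SAML SM in discovery mode ('saml', Authentication Only = No).
    SAML discovery mode additionally requires frevvo.user for any access."""
    need = {"designer": {DESIGNER_GROUP}, "tenantadmin": {ADMIN_GROUP}}[level]
    return need | {USER_GROUP} if sm == "saml" else set(need)

def missing_groups(sm: str, level: str, groups) -> set:
    """Required groups that the user's IDP memberships do not cover."""
    return required_groups(sm, level) - {g.lower() for g in groups}

def migration_report(sm: str, owners: dict, idp_users: dict) -> dict:
    """owners: username -> level needed after the change; idp_users: username ->
    IDP group list. Returns username -> finding ('ok' or what is wrong)."""
    report = {}
    for name, level in owners.items():
        groups = idp_users.get(name)
        if groups is None:
            # Options 1-3 on the page apply: this user's resources become unreachable.
            report[name] = "missing in IDP"
            continue
        lacking = missing_groups(sm, level, groups)
        report[name] = "ok" if not lacking else "missing groups: " + ", ".join(sorted(lacking))
    return report

# Constructed sample data: default-SM resource owners and the IDP's group view.
OWNERS = {"frevvoProduction": "designer", "jsmith": "designer", "admin1": "tenantadmin"}
IDP_USERS = {
    "frevvoProduction": ["frevvo.user", "frevvo.Designer"],
    "jsmith": ["frevvo.Designer"],  # lacks frevvo.user: no access under SAML
    "admin1": ["frevvo.User", "frevvo.TenantAdmin"],
}

if __name__ == "__main__":
    for name, finding in migration_report("saml", OWNERS, IDP_USERS).items():
        print(f"{name}: {finding}")
```

Run it once with the target Security Manager name before clicking Change; every finding other than "ok" is a user whose resources need Option 1, 2 or 3 above.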

Option 1 Migrate Forms and Workflows, Leave Behind Submissions and Spaces

Preserve Projects/Forms/Workflows developed in your trial/starter tenant with three easy migration steps. These steps will not preserve submissions. 

  1. Download the Projects or individual Forms/Workflows that you want to preserve to your desktop as a backup. Do this for all frevvo user accounts that have Projects/Forms/Workflows that you want to keep. See this documentation on downloading projects.
  2. When the backup of all Projects/Forms/Workflows is completed, delete the user accounts in your Default Security Manager tenant.
  3. After changing your security manager, log in as the new production user and upload the Projects/Forms/Workflows.

Option 2 Create a Production User in your IDP and Give them Access to Forms and Workflows

Preserve access to your production Projects/Forms/Workflows and submissions by creating a generic user in your IDP who will have access to the existing resources.

  1. Create a generic production user in your IDP with the exact same username as your current frevvo production user. This user must have the frevvo.Designer role. 

Option 3 Access Original Designer User via Admin User

Preserve access to your original designer user's resources by accessing their designer home page via a saved URL (only available to logged-in Admin users).

  1. Log in as the tenant admin.
  2. Go to the Manage Users page.
  3. Locate the designer user and click "Login As" for that user.
  4. Copy and save the URL for this user's homepage.

After you change Security Managers, the tenant admin will be able to access this URL in order to view or edit existing resources. The admin user must be logged in to access the URL.

Other Considerations

If your form/workflow Access Control settings, Step Assignments, Business Rules, or controls (e.g. a dropdown control) refer to hard-coded user/role assignments, you will need to update those to use the new LDAP(s)/SAML/Azure user/role IDs immediately after changing the Security Manager. "Old" user/role id references can lead to invalid task assignments and can limit user access to your forms/workflows.

Pending tasks assigned to “old” users/roles will need to be modified and reassigned by the workflow or tenant admin.