Live Forms v6.2 is no longer supported. Click here for information about upgrading to our latest GA Release.

Security Managers

 

 has a plugable security framework and offers a variety of built-in Security Managers. If you use the  Default Security Manager, a tenant admin can create users and roles directly in your  tenants. See the Manage Users and the Manage Roles for instructions on creating users and roles. Note that with LDAP Security Manager and Delegating Security Manager, groups are the equivalent of  roles.

 also supports two types of LDAP Security Managers that pulls users and groups from your external Active Directory or Open LDAP system; a Delegating Security Manager when you are integrating with Confluence ; a Database Security Manager that pulls users and groups from your external users database; a SAML Security manager that allows enterprises to take advantage of Internet Single sign On and custom security managers that lets you integrate with a security manager that you build yourself.

On This Page:

 

  • frevvo Default Security Manager -  is responsible for authentication/authorization and managing users/roles. This is the default option. Your tenant will be created with this security manager if no other choice is selected. 
  • LDAP Active Directory Security Manager - The user is authenticated outside . Typically, SSO or  performs the authentication using LDAP directly.
  • Delegating Security Manager - this is the Security Manger needed for Confluence integration.
  • DB Container Security Manager - Authentication is the container's responsibility, but  provides a database interface to fetch users/roles for design time functionality from an external database.   
  • LDAP Container Security Manager - This is exactly the same as the DB Container Security Manager but LDAP instead of DB. Authentication is the container's responsibility. 
  • Custom - Container managed security manager used when there is a requirement for a container to handle authentication.
  • SAML Security Manager - This security manager allows the exchange of authentication and authorization data between an identity provider of your choice (ex:Shiboleth) and a service provider (frevvo). SSO is supported. Although this security manager can be used on-premise it is primarily meant for cloud tenants who use LDAP but do not want to expose it over the internet.

Which Security Manager do I choose?

Many frevvo customers use the Default Security Manager. All tenants are initially created with this Security Manager. It is the simplest security manager because it does not require integration with an external IDP. Users/roles are managed by the tenant admin.

Live Forms offers additional Security Managers, implemented to industry standards, that may be more compatible with your environment. You must have the expertise for setting up your security infrastructure in such a way that whatever choice you make  (cloud, ldap, saml) is in fact secure and in compliance with any/all of your auditing requirements.

Selecting a Security Manager for your Live Forms tenant is a very important decision. The table helps you make the choice.

 LDAP

SAML

 
Cloud or on-premiseBoth - Some organizations do not want to expose LDAP to the internet so they choose on-premise. Read how LDAPs in the cloud is secure.Both - Primarily used for cloud tenants who do not want to expose their LDAP directly to the internet 

Are Users/Roles automatically synchronizied with your Live Forms tenant(s) ?

Yes - Manual user/role sync (via frevvo csv upload for example) is not required. The frevvo server automatically gets users & roles from LDAP.

No - if “auth only” mode selected - Manual or automated csv uploads required on a regular basis


Partial sync if discovery mode ( “auth only” off). User details and user’s roles are automatically discovered each time the user logs into the tenant. Thus the tenant can get out of sync with your IDP therefore manual or automated csv uploads on a regular basis are still recommended.

 
Single Sign On

Cloud - not available

Yes 
Authentication Only Mode ChoiceNo - You must change your IDP (LDAP in this case) to have roles you need in your frevvo workflow if they do not already exist. All user information is maintained in LDAPYes 
Authentication Only = YesNot Supported

SAML handles authentication only - roles/users managed & maintained via the tenant Users/Roles UI.

Changes made via the tenant Users/Roles UI do not get overridden when user logs in/out.

You may choose this mode if:

  • You do not want to add  roles to your LDAP.
  • LDAP has many roles that have no relevance to your workflow.
  • Find the SAML mapping for the other required attributes complex. For some IDPs, retrieving the manager user id and role names may require writing custom rules.

Con - (1) All user information (email address) must be managed by the frevvo tenant admin. This can get out of sync with your IDP.

Pro - You can add roles for frevvo workflow without having to edit your IDP

 
Authentication Only = No

This is the only mode allowed in this SM and this property does not even exist to change it.

Groups needed for these user types in your IDP:

  • All Users that will have access to Live Forms must be members of the frevvo.user group.
  • Designer users must be members of the frevvo.user and frevvo.Designer groups
  • Tenant Admins must be members of the frevvo.User and frevvo.TenantAdmin groups

Users are discovered immediately the first time the tenant connects to the IDP and are automatically and always kept in sync without any manual intervention.

Groups needed for these user types in your IDP:

  • All Users that will have access to Live Forms must be members of the frevvo.user group.
  • Designer users must be members of the frevvo.user and frevvo.Designer groups
  • Tenant Admins must be members of the frevvo.User and frevvo.TenantAdmin groups

Users discovered when they log in.

Changes made via the the tenant Users/Roles UI are overwritten if user logs out then in again.

 
If your company uses LDAP as your IDP, do you need to install additional software to use this frevvo Security Manager?NoYes -  (Either install one of the SAML 2.0 Implementations such as ADFS or use a cloud provider such as Okta, and configure it to talk to your LDAP server) 
Can I embed frevvo forms/flows into my website with this Security Manager?Yes

Yes - if the visibility of the form is set to Public.

Yes - if the visibility of the form is set to Public in Tenant and the user is already authenticated to SAML

No - if the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to SAML. This is because frevvo must direct the user to the IDP login screen and the browser will not allow loading the IDP login page in frevvo's form iframe.

Yes - if the visibility of the form is set to Public.

Yes - if the visibility of the form is set to Public in Tenant and the user is already authenticated to Azure SAML.

No - if the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to Azure SAML. This is because frevvo must direct the user to the IDP login screen and the browser will not allow loading the IDP login page in frevvo's form iframe.

What does frevvo support?Microsoft AD, Open LDAPShibboleth, ADFS, Okta, Centrify, Google and any other software that implements the SAML 2.0 protocol 
What does frevvo certify?Microsoft ADnone 
Do you need your own Configuration Specialist for your IDPYesYes 

Changing the Security Manager for your Tenant

trial tenants are configured with the default security manager. The security manager could not be changed for existing tenants in prior releases. A new tenant had to be created if you wanted to change the Security Manager of your tenant for your production environment. Submissions would be lost and you would have to use a new tenant name.

Once you have purchased a license for your tenant the original security manager can be changed. This allows you to keep the submissions and the name of your existing tenant.

Tenants using the Default Security Manager can be migrated to:

  • Default Security Manager → LDAP
  • Default Security Manager → SAML
  • LDAP → SAML

Cloud customers, planning to switch the Security Manager of your tenant to the LDAP Security Manager or a tenant using the SAML security manager on a trial basis should contact sales@frevvo.com to initiate the process.

 If you are are using LDAP for authentication, here's what we recommend:

  • Make sure the users created in the default security manager tenant have the same user names as the users in your LDAP server..
  • Users need the frevvo.User role to access . This should be configured in Active Directory on your LDAP server.

customers should be aware that changing the Security Manager of your tenant is a ONE-WAY operation. Once completed you cannot change it back to the original security manager.