supports the creation of a tenant using the SAML (Security Assertion Markup Language) Security Manager. Users in this tenant can log into via (SAML) version 2.0. SAML enables internet single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication.

The SAML Security manager can be used in on-premise installations but it is primarily meant for cloud tenants who use LDAP but do not want to expose it over the internet.

SAML requires the configuration and installation of an identify provider that supports SAML 2.0. Some examples are Shibboleth, OpenSSO, ADFS, and PingFederate.

In a SAMLenvironment, integration with an LDAP server for authentication is common. In general, here's how it works:

User A attempts to access Live forms by typing the URL into the browser
Live forms sends a SAML request for authentication to the Identity Provider
The Identity Provider requires more information. The Identify Provider login screen is displayed.
User A logs into the Identity Provider.
The Identity Provider may communicate with your LDAP server if you are using Active Directory for authentication.
The Identity Provider builds and sends a SAML token to Live Forms containing the security information for User A.
Live forms processes the information. If User A has been authenticated, Live forms establishes a session and redirects User A to the correct Live Forms screen depending on User A's authorization level.

On this page:

Prerequisites

Users must have the frevvo.User role to access .

Configuring the SAML Security Manager

In the directions given below, the Service Provider refers to frevvo . The metadata for your SAML tenant must be obtained first. Customers will need to configure the metadata when configuring the Identity Provider.

Generate your certificate (On-premise installations only)
Create the frevvo Metadata file.
Configure your Identity Provider
Create/edit the SAML tenant
Logging into Live Forms in a SAML Tenant
Upload Users and Roles to your SAML tenant.

Step 1 - Generate Your Certificate

Cloud customers can skip this step. These instructions are provided for On-premise customers only.

If you re using the frevvo tomcat bundle, the supplied keystore, frevvoKeystore.jks is located in the <frevvo-home>/tomcat/lib folder, The keystore contains a default certificate with alias=frevvo and password=p@ssw0rd. Replace this with a certificate for your installation.

The alias and password can be configured with the properties com.frevvo.security.saml.key and com.frevvo.security.saml.password in the <frevvo-home>\tomcat\conf\localhost\frevvo.xml file.

This certificate is used to sign/encrypt the SAML request. The use of a long-lived self-signed certificate is recommended.

Since the keystore is located outside the frevvo war, you can use the Java keytool to generate and store your certificates. Folllow these steps:

Delete the existing certificate:

keytool -delete -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd

Generate a new certificate: Here is the command: Change the -dname value to the DNS name of your IDP

keytool -genkey -dname "cn=app.frevvo.com" -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd -keyalg rsa -keysize 2048 -validity 3650

The certificate can be viewed (and used in the metadata XML) by exporting it to a file:

keytool -exportcert -alias frevvo -file frevvo.rfc -rfc -keystore frevvoKeystore.jks -storepass p@ssw0rd

Step 2 - Create the frevvo Metadata file

Follow these steps to generate the frevvo metadata for your SAML tenant. You can do this even if the tenant has not been created yet.

Paste this URL into your browsr:
1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the tenant id of your SAML tenant.
2. On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the ip of your server, <port> with the port number (if applicable) and t with your tenant id).
When the metadata displays, right click and select the browser option to View the Page source.
Save the page as an xml file.
Metadata must be generated for each SAML tenant. Each tenant will have a unique URL.

Step 3 - Configure Your Identity Provider

Configure the Service Provider metadata for your Identity Provider. For example, the Shiboleth Identity provider requires modification of a file to provide the path to the tenant metadata xml file created above.

Your Identity Provider must be configured to expose the attributes that requires. Attribute mapping is done when you create the SAML tenant. These are:

User Id
First Name
Last Name
Email
Manager Id (optional)
Groups
Custom Attributes (optional)

Click here for some tips when configuring ADFS

The information below applies to ADFS v2.0. If you are using a different version, your ADFS expert must locate the equivalent functions for that version.

Save the frevvo tenant metadata as an xml file. Add Relying Party Metadata Trust. Use the 'Import data about the relying party from a file' option to upload the saved xml file.
In Edit Claim Rules, create a rule to map AD attributes to the outgoing claim type as shown below. Information about creating rules to send LDAP attributes as Claims can be found on this website
1. samAccountName to NameID - If you rather generate an opaque identifier, you would need to create custom rules as described here.
2. samAccountName to Windows Account Name
3. givenName to Given Name
4. Surname to Surname
5. emailAddresses to Email Address
6. Group membership is added using the wizard. Select Token-Groups Unqualified Names and map it to the Group claim.

Extract the Manager's samAccountName. This can be done using the following 3 custom claim rules. This rule assumes that the CN of the manager DN contains the samAccountName:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN"), query = ";Manager;{0}", param = c.Value); 

Manager SAM1
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN"]
=> add(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerSam", Value = RegExReplace(c.Value, ",[^\n]*", ""));

ManagerAccountName
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerSam"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/manageraccountname", Value = RegExReplace(c.Value, "^CN=", ""));

In the tenant, map the attributes as shown: Refer to this website for more information about claims.

Attribute	Value
User Id	http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
First Name	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Email	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Manager User Id	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/manageraccountname
Roles	http://schemas.xmlsoap.org/claims/Group

It is recommended that you turn on tracing in ADFS, so that the SAML response is visible. The response contains the names of the attributes to be used in the tenant configuration. If tracing is not turned on, the frevvo log can be searched for the class of the debug log entry.

Configure Custom Attributes

Active directory attributes other than the standard First Name, Last Name or Email are considered custom attributes. You can retrieve custom attributes in addition to the standard ones from Active Directory and pull the data into your form/flow using Live Forms business rules.
For example,let's say you want to extract the custom attribute, StaffId, from LDAP and populate fields in your form/flow using a business rule.

Perform these general steps:

Make sure the custom attribute, in our example StaffID, is configured in Active Directory and assigned to the correct users.
Expose StaffID as a SAML attribute by writing an ADFS claim rule.
1. During this process, you assign the attribute a name, e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/staffid
Map the attribute with this name in the Custom section of the tenant setup screen. Save the tenant configuration.
Here is an example of a business rule that references the custom attribute, Staff Id, and populates a field in a form named StaffID.
```
if (form.load) {
  StaffID.value =  _data.getParameter('subject.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/staffid');
}
```
Refer to Retrieving Custom Attributes from LDAP in a SAML Tenant for another example.

Click here for instructions to configure Google Apps as the SAML IDP

Follow these steps to setup Google as the Identity Provider and Live Forms as the Service Provider to configure Single Sign On. These instructions are for Cloud. On-Premise customers follow the same steps with one additional step to generate a certificate:

On - Premise customers ONLY: Generate a certificate.
Configure Google as the Identity Provider
1. Login to your Google domain as an admin, go to the admin portal and click through to Apps > SAML Apps. If you have any existing SAML apps, you’ll see them here. Click the big PLUS (+) sign at bottom right to add a new one. A wizard will appear.
2. Click the “Setup My Own Custom App” link at the bottom of the screen.
3. Choose Option 2 and Download the IDP metadata file.
4. Provide a name for your application, a description and a logo.
5. Enter the Service Provider () details.
  1. For ACS URL, type https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{tenant} - replace {tenant} with your cloud tenant.
  2. For Entity Id, type https://app.frevvo.com:443/frevvo/web/alias/{tenant} - replace {tenant} with your cloud tenant.
  For example, https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/ashish-saml.com
6. Leave the built-in Name Id attribute configuration alone.
7. Add a new Attribute Mapping: User Id | Basic Information | Primary Email
8. Click Finish. The Setup Complete screen displays.
9. Click OK.
10. Your new SAML App will be displayed. Click the three dots at right and turn ON SSO. You can choose to turn it ON for everyone in your domain or for specific sub-domains.
Create users in Google:
1. Create your users in Google or move existing users into the appropriate sub-organization if you are limiting access to your SAML app in Google. You won’t have to create new users or move existing users if you enabled the SAML app for everyone in your Google domain.
2. you’ll need a user in your Google domain to serve as the tenant administrator. Either, create a new one or choose an existing one (there’s nothing to do as long as you choose someone).
Create users in :
1. You need to ensure that the user you chose/created as the tenant admin exists in frevvo. Once we switch over to SAML, all authentication will use Google Apps credentials and you won’t be able to login using your current tenant admin or other users. We’ll use CSV upload. The file syntax looks like this:
```
userId,tenant,password,firstName,lastName,email,enabled,reportsTo,roles,transaction
 {user}@{domain},{tenant},123,{first},{last},{email},true,,frevvo.Designer|frevvo.TenantAdmin,
```
  The fields are your Google login (e.g. prajakta.deshmukh@frevvo.com), your frevvo tenant id (e.g. ashish-saml.com), any password (it is not used), the first name, last name and email address. In the roles field, use the roles indicated above.
2. Login as the current tenant admin user.
3. Click on Manage Users.
4. Click on Download CSV users file.
5. Edit the file to setup at least one Google User (the one you chose/created as the tenant admin).
6. Click on CSV Upload (the Excel looking icon) and upload the file to create this user.
Configure as the Service Provider:
1. Generate the SP metadata file from frevvo. Visit the URL: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{tenant} in your browser. Replace {tenant} with your cloud tenant. Right click to View Page Source and save as an XML file.
2. Login to your Cloud account as tenant admin and click the Edit Tenant button.
3. In the Security Manager section, click the Change button, choose SAML in the drop down that appears and click Ok. NOTE: Free Trial accounts do not show the Change button. If the Change button is not visible in your tenant, please contact customer support.
4. The SAML configuration section will appear. In the Service Provider section, we must paste the SP metadata file we generated in Step 1 above. Unfortunately, the file contains an XML prolog (highlighted in the image below) which must be removed. Paste the contents of this SP metadata file without the prolog into the Service Provider text area of the configuration form.
5. In the Identity Provider section, paste the IDP metadata file we generated and saved in the Google setup above. Once again, the file contains an XML prolog. Paste the contents of this IDP metadata file without the prolog into the Identity Provider text area of the configuration form.
6. Check Authentication Only. This means SAML will authenticate the user but not retrieve any of the attributes. Users are not automatically discovered upon first login. Therefore, you must create users & roles using CSV upload.
  - If you do not wish to select the Authentication Only option, you’ll need to map other attributes in Google first before you can assign them in Frevvo. First Name, Last Name, and Email should be pretty straight forward since these attributes are surfaced by the Google SAML IdP app. The other attributes may be more difficult.
7. With the Authentication Only option, attribute mapping only includes one attribute, the User Id. Since we mapped the email address to the User Id attribute in Google while setting up the SAML app, we can simply map the frevvo attribute to User Id in the configuration form.
8. Submit the form and we’re done.
  
  Edit tenant.
  
  Setup SAML
  
  SP Metadata (paste without XML Prolog)
  IDP Metadata (paste without XML prolog)
How to use your new SAML tenant
1. Logout of all your Google accounts to test.
2. Go to the tenant URL: https://app.frevvo.com:443/frevvo/web/tn/{tenant}/login. Replace {tenant} with your tenant id.
3. You will be redirected to the Google login page.
4. Login to Google as the Google user you chose/created as the tenant admin.
5. You will be redirected to frevvo to the Manage Tenant screen.
The user id displayed in frevvo at the top will look like {user}@{domain}@{tenant} which is a bit confusing but is purely cosmetic.
Load other users in frevvo
Before your other Google users can login to using their Google Apps credentials, they must first be created in frevvo. You can download users from Google Apps as a CSV file (uncheck the create a Google Sheet option), modify it to follow frevvo’s syntax as shown above and upload it. You can also login as the tenant admin Google user and create users and roles using the UI.
Once the user exists in frevvo, he/she can login using Google credentials and the system will behave as expected according to the roles assigned to the user.

Step 4 - Create/edit the SAML tenant

Creating/editing the SAML tenant is performed by the superuser (on-premise) or the tenant admin (cloud). Refer to Configuring the SAML Security Manager for the details.

Step 5 - Logging into Live Forms in a SAML Tenant

Paste this URL into your browser:
1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/tn/{t}/login - Replace {t} with the name of your SAML tenant.
2. On-premise Customers:http://<server>:<port>/frevvo/web/tn/{t}/login. Replace <server> and <port> with your server information and t with the name of your SAML tenant.
screens display depending on the level of authorization specified for the user. Designer users will see the Application Home Page while non-designer users will be directed to their Task List.

This URL redirects to /web/saml/login/alias/{t}. This initiates the SAML authentication process by redirecting to the Identity Provider login page. If the user is authenticated, the rest of the standard login processing is done (verify license, redirect on success etc).

Clicking the logout link in , logs the user out from only.

Logging into a SAML tenant directly (user@saml tenant name) displays an application error message.

On-premise customers using the tomcat bundle will see the following entry in the error log:

Application error processing /frevvo/web/login?null java.lang.UnsupportedOperationException: null

Step 6 - Adding Users/Roles to your SAML tenant

You must upload users & roles from your SAML server into your Live Forms tenant before using the Live Forms workflow feature. SAML does not support Live Forms requesting this information directly so this must be done manually.

Note that user/role information will be added to the Live Forms tenant the first time a user logs into the tenant and that user record will be updated each time the user logs in again after it exists. However this is not sufficient for the workflow feature as it needs to know users & roles prior to the user's first login.

Add the users/roles to your SAML tenant using the CSV Upload feature. This is the quickest way to do this, especially if you have many users. For example, if you are using Active Directory for authentication. You will have to:

Ensure all users have the frevvo.User role in Active Directory.
Export users/roles from Active Directory to a csv file.

Modify/delete the columns to match the requirements. Refer to the Download Users and Roles topic for a list of the field/column names that must be included in the csv upload file.

The csv upload feature requires a password for each record. This is not applicable to SAML as the password in the csv file is ignored. However, it is recommended that you provide a default password in your csv file so the CSV Upload feature will work.

Log in as the tenant admin. Perform the csv upload.

Configuring Active Directory Federation Services (ADFS)

LDAP customers choosing to use Active Directory Federation Services (ADFS) should follow the steps below to configure ADFS 2.0:

In ADFS 2.0 Management Console select "Add Relying Party Trust"
Select "Import data about the relying party from a file" and select the previously saved frevvo metadata XML file.
Select Next
The wizard may complain that some content of metadata is not supported. You can safely ignorethis warning.
Continue with the wizard. On the "Ready to Add Trust" make sure that tab endpoints contains multiple endpoint values. If not, verify that your metadata was generated with HTTPS protocol URLs.
Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard.
Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next.
1. Add NameID as "Claim rule name",
2. Choose "Active Directory" as Attribute store,
3. Choose "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type",
Finish the wizard and confirm the claim rules window,

In ADFS 3.0, you might need to configure the Name ID as a Pass Through claim.

Session Timeout

Session timeouts are configured in and in your IDP. If a user's session ends before the IDP timeout is reached, they will automatically be logged back into if they try to access it again. It is recommended that the session timeout and the IDP session timeout be configured for the same value

Embedding Forms/Flows in your website

Embedding forms and flows into your website when using the SAML Security Manager, will work in the following scenarios :

The visibility of the form is set to Public.
The visibility of the form is set to Public in Tenant and the user is already authenticated to SAML

Embedding forms and flows into your website is NOT supported if the the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to SAML. This is because frevvo must direct the user to the IDP login screen and the browser will not allow loading the IDP login page in frevvo's form iframe.

Some Troubleshooting Tips

Login fails with illegal Key Size Error

After a failed login, this error message may appear in the <frevvo-home>\tomcat\logs\frevvo.log file:

org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size 
at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822) ~[xmlsec-1.5.7.jar:1.5.7]
…
org.opensaml.xml.encryption.DecryptionException?: Failed to decrypt EncryptedData? 
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:546) ~[xmltooling-1.4.4.jar:na]
…

Solution:

This error indicates the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are missing in the Java Development Kit (JDK) software of your on-premise installation. Follow these steps to install the JCE files into the JDK.

Go to the Oracle Java SE download page http://www.oracle.com/technetwork/java/javase/downloads/index.html
Scroll down … Under "Additional Resources" section you will find "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File"
Download the version that matches your installed JVM - for example, download UnlimitedJCEPolicyJDK8.zip if you are using JDK/JRE version 8
Unzip the downloaded zip.
Copy local_policy.jar and US_export_policy.jar to the <JAVA_HOME>/jre/lib/security (Note: these jars will be already there so you have to overwrite them)
Restart .

SAML Security Manager