Live Forms v6.3 is no longer supported.
SAML Security Manager
Live Forms supports the creation of a tenant using the SAML (Security Assertion Markup Language) Security Manager. Users in this tenant log into Live Forms via SAML version 2.0. SAML enables internet single sign-on: users authenticate once at an identity provider and then access service providers without authenticating again.
The SAML Security manager can be used in on-premise installations but it is primarily meant for cloud tenants who use LDAP but do not want to expose it over the internet.
SAML requires the configuration and installation of an identity provider that supports SAML 2.0. Some examples are Shibboleth, OpenSSO, ADFS, and PingFederate.
In a SAML environment, integration with an LDAP server for authentication is common. In general, here's how it works:
- User A attempts to access Live Forms by typing the URL into the browser.
- Live Forms sends a SAML request for authentication to the Identity Provider.
- The Identity Provider requires more information. The Identity Provider login screen is displayed.
- User A logs into the Identity Provider.
- The Identity Provider may communicate with your LDAP server if you are using Active Directory for authentication.
- The Identity Provider builds and sends a SAML token to Live Forms containing the security information for User A.
- Live Forms processes the information. If User A has been authenticated, Live Forms establishes a session and redirects User A to the correct Live Forms screen depending on User A's authorization level.
Prerequisites
Authentication Only mode:
When you create your SAML tenant, you can select Authentication Only mode by checking a checkbox when you configure the tenant.
If Authentication Only is selected, SAML is used only for authentication. Authorization depends on the roles defined in Live Forms. SAML will authenticate the user but not retrieve any of the attributes.
You may choose to use this mode if you:
- do not want to add roles to your LDAP.
- have many roles in LDAP that have no relevance to your workflow.
- find the SAML mapping for the other required attributes complex. For example, retrieving the manager user id and role names may require writing custom rules.
In this mode, manual creation of users & roles in the tenant is required. The CSV upload feature makes this easy.
If Authentication Only is not selected, users will be added (discovery) at runtime when they log in for the first time. It is important to consider the following points before making your decision.
User discovery:
There is no guarantee that the first login will occur before a task is created for a specific user or role. If you have workflows that are routed to users who have not logged in yet, your workflow may not do what you expect. If the user's role changes after the first login but before the next task is routed to their new role, the task will not appear on their Task List. For example, a user with the role of employee logs into Live Forms and is then promoted to manager. The user will not receive a task routed to the new role of manager if the workflow is initiated before the user logs out and logs in again, at which point the user account is updated.
Manually creating/uploading users and roles ahead of time avoids this situation.
- Active Directory:
- Customers using LDAP must ensure that the frevvo.User, frevvo.TenantAdmin and frevvo.Designer roles are specified on their LDAP/AD server.
- All users requiring access to must be assigned to the frevvo.User group.
- Tenant admin users must be assigned to the frevvo.User and frevvo.TenantAdmin groups.
- Designer users must be assigned to the frevvo.User and frevvo.Designer groups.
The group names for these three special roles must be frevvo.User, frevvo.TenantAdmin, and frevvo.Designer. Upper/lower case may be a factor for OpenLDAP systems.
Configuring the SAML Security Manager
In the directions given below, the Service Provider refers to frevvo Live Forms. The metadata for your SAML tenant must be obtained first. Customers will need to configure the metadata when creating the SAML tenant.
- Generate your certificate (On-premise installations only)
- Create the frevvo Metadata file.
- Configure your Identity Provider
- Create/edit the SAML tenant
- Manage Users/Roles for your SAML tenant
- Logging into Live Forms in a SAML Tenant
Step 1 - Generate Your Certificate
Cloud customers can skip this step. These instructions are provided for On-premise customers only.
If you're using the frevvo tomcat bundle, the supplied keystore, frevvoKeystore.jks, is located in the <frevvo-home>/tomcat/lib folder. The keystore contains a default certificate with alias=frevvo and password=p@ssw0rd. Replace this with a certificate for your installation.
- The alias and password can be configured with the properties, com.frevvo.security.saml.key and com.frevvo.security.saml.password in the <frevvo-home>\tomcat\conf\localhost\frevvo.xml file.
This certificate is used to sign/encrypt the SAML request. The use of a long-lived self-signed certificate is recommended.
Since the keystore is located outside the frevvo war, you can use the Java keytool to generate and store your certificates. Follow these steps:
Login as Administrator.
Delete the existing certificate:
keytool -delete -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd
Generate a new certificate with the following command, changing the -dname value to the DNS name of your IDP:
keytool -genkey -dname "cn=app.frevvo.com" -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd -keyalg rsa -keysize 2048 -validity 3650
The certificate can be viewed (and used in the metadata XML) by exporting it to a file:
keytool -exportcert -alias frevvo -file frevvo.rfc -rfc -keystore frevvoKeystore.jks -storepass p@ssw0rd
Step 2 - Create the Metadata file
Follow these steps to generate the frevvo metadata for your SAML tenant. You can do this even if the tenant has not been created yet.
Paste this URL into your browser:
Cloud Customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the tenant id of your SAML tenant.
On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the IP of your server, <port> with the port number (if applicable) and {t} with your tenant id.
When the metadata displays, right click and select the browser option to View the Page source.
- Save the page as an xml file.
- Metadata must be generated for each SAML tenant. Each tenant will have a unique URL.
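As an added example (not part of the frevvo documentation), a few Python checks to run on the saved metadata file before it goes into the tenant screen in Step 4: strip the XML prolog, confirm the alias at the end of entityID is your tenant id, and confirm the signing certificate published in the metadata is the one exported from frevvoKeystore.jks in Step 1. The metadata and PEM below are constructed samples with placeholder certificate bytes; the element layout follows standard SAML 2.0 metadata, not a captured frevvo response.

```python
"""Checks on the saved frevvo SP metadata before it is pasted into the SAML
tenant screen.  Metadata and PEM are constructed samples (placeholder bytes)."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of what /frevvo/web/saml/metadata/alias/{t} returns.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/mytenant">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the file written by `keytool -exportcert ... -rfc`.
SAMPLE_EXPORTED_PEM = """-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
"""

def strip_prolog(xml_text):
    """Drop the <?xml ...?> declaration; the tenant screen wants the body only."""
    return re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", xml_text, count=1)

def tenant_alias(xml_text):
    """The {t} at the end of entityID; it must equal the tenant id being edited."""
    return ET.fromstring(xml_text).get("entityID", "").rsplit("/alias/", 1)[-1]

def signing_cert_der(xml_text):
    """DER bytes of the certificate Live Forms will sign SAML requests with."""
    kd = ET.fromstring(xml_text).find(
        "./md:SPSSODescriptor/md:KeyDescriptor[@use='signing']", NS)
    b64 = kd.find(".//ds:X509Certificate", NS).text
    return base64.b64decode("".join(b64.split()))

def metadata_matches_keystore(xml_text, pem_text):
    """True when the published signing cert is the one exported from frevvoKeystore.jks."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return signing_cert_der(xml_text) == base64.b64decode("".join(body.split()))
```

A mismatch here means the IDP will verify request signatures against a certificate other than the one in the keystore, so fix it before configuring the Identity Provider in Step 3.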
Step 3 - Configure Your Identity Provider
- Configure the Service Provider metadata for your Identity Provider. For example, the Shibboleth Identity Provider requires modification of a file to provide the path to the tenant metadata xml file created above.
- Your Identity Provider must be configured to expose the attributes that Live Forms requires. Attribute mapping is done when you create the SAML tenant. These are:
- User Id
- First Name
- Last Name
- Manager Id (optional)
- Groups
- Custom Attributes (optional)
We know that your IDP software of choice is outside of the frevvo server software and that you have the expertise in house to install, configure and maintain your IDP software. But here are some tips we have found that may assist you.
Step 4 - Create/edit the SAML tenant
To successfully create a tenant using the SAML Security manager, you will need the following:
- The metadata for your Identity Provider
- Attribute mapping information
Cloud customers migrating their tenant to the SAML Security Manager make the changes via the Edit Tenant screen. Once there, follow these steps beginning with step 3.
- Log onto Live Forms as the superuser (on-premise) or the tenant admin (cloud).
- Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.
- Select SAML Security Manager from the Security Manager Class dropdown.
- Copy the Service Provider (frevvo) metadata into the Service Provider field. The xml should be pasted without the prolog (the <?xml ...?> declaration). The image shows an example of the frevvo metadata file before pasting.
- Retrieve the metadata for your Identity Provider. For example, for the Shibboleth product the metadata is located in the idp-metadata file.
- Paste the metadata into the Identity Provider field. This metadata should also be pasted without the prolog.
- Check the Ignore Case checkbox if you are using LDAP for authentication and you want to ignore the case stored in LDAP systems for users/roles. Refer to the Mixed or Upper case User Names topic for more information.
- Check the Authentication Only checkbox if you want SAML to handle authentication and provide user identification but users and roles are managed through the UI.
- When checked, the screen display changes as attribute mapping, other than the mapping for the user id and custom attributes, is no longer necessary.
- If Authentication Only is checked:
- SAML will authenticate the user but not retrieve any of the attributes. Authorization depends on the roles defined in Live Forms. Changes made in the UI will not be overridden if the user logs out and then logs in again.
- Manual creation of users & roles in the SAML tenant is required. This can be done with a csv upload.
- If Authentication Only is unchecked:
All users requiring access to Live Forms must be assigned to the frevvo.User group in Active Directory. Tenant Admins must be assigned to the frevvo.User and frevvo.TenantAdmin groups. Designer users must be assigned to the frevvo.User and frevvo.Designer groups.
- Users are added (discovered) when they log in.
- It is important to know that in a SAML tenant in this mode (SAML/LDAP handles authentication and authorization), users and tenant admins can still modify user information in the UI. If user information or role assignment is changed in the UI, the changes will be overwritten by the information in SAML the next time the user logs out and logs back in. In this case, make the changes in your Active Directory to make them permanent.
Map the attributes configured in your Identity Provider by entering the name for each attribute in the corresponding field on the screen. Be sure to provide the attribute name - not the friendly name. For example, if you are using Shibboleth for your Identity Provider the attribute information is located in the attribute-resolver.xml file. The image shows the section of the file where the attributes are defined.
The image below shows the attribute mapping on the screen with the attribute names from the Shibboleth file. If Authentication Only mode is enabled for your tenant, mapping is only required for the User Id. Refer to step 8 for the details.
- Custom attributes can be mapped by typing the attribute names in the Custom field separated by a comma.
- Configure the Business Calendar for your tenant and HTTP Authorization Credentials if required.
- Click Submit.
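To make the Step 4 mapping and the frevvo.* group rules concrete, here is an added Python example (not frevvo code) that pulls the mapped attributes out of a SAML assertion's AttributeStatement and derives the access the groups grant, including the effect of the Ignore Case checkbox. The assertion and the attribute Names (uid, givenName, sn, manager, memberOf) are constructed and assumed; use the Names your own attribute-resolver publishes.

```python
"""Resolve Live Forms access from the attributes an IdP places in a SAML
assertion, per the Step 4 mapping and the frevvo.* group rules.  Constructed
sample; the attribute Names are assumed, not frevvo's."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_GROUP = "frevvo.User"
SPECIAL_GROUPS = {"frevvo.TenantAdmin": "tenant admin", "frevvo.Designer": "designer"}

# Constructed AttributeStatement (assumed Names in a Shibboleth-style resolver).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="manager"><saml:AttributeValue>bjones</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>FREVVO.user</saml:AttributeValue>
      <saml:AttributeValue>frevvo.Designer</saml:AttributeValue>
      <saml:AttributeValue>Payroll</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The tenant screen's mapping: Live Forms field -> attribute Name (not friendly name).
MAPPING = {"user_id": "uid", "first_name": "givenName", "last_name": "sn",
           "manager_id": "manager", "groups": "memberOf"}

def attribute_values(assertion_xml, name):
    """All AttributeValue texts for the attribute with this exact Name."""
    root = ET.fromstring(assertion_xml)
    return [v.text.strip() for v in
            root.findall(f".//saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)]

def resolve_user(assertion_xml, mapping, ignore_case=False):
    """Discovered user record plus the access the frevvo.* groups grant,
    or None when frevvo.User is absent (the user gets no access at all)."""
    norm = str.lower if ignore_case else str          # the Ignore Case checkbox
    groups = {norm(g) for g in attribute_values(assertion_xml, mapping["groups"])}
    if norm(REQUIRED_GROUP) not in groups:
        return None
    first = lambda key: (attribute_values(assertion_xml, mapping[key]) or [None])[0]
    return {
        "user_id": first("user_id"),
        "name": f'{first("first_name")} {first("last_name")}',
        "manager_id": first("manager_id"),
        "roles": sorted(groups),
        "access": [lbl for grp, lbl in SPECIAL_GROUPS.items() if norm(grp) in groups] or ["user"],
    }
```

With Ignore Case off, the sample user's FREVVO.user membership does not satisfy frevvo.User and the user gets no access; with it on, the same assertion yields a designer.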
Step 5 - Users/Roles in a SAML tenant
Choosing the Authentication Only option in your SAML tenant implies that the users and roles will be managed from Live Forms. You may choose this mode if:
- You do not want to add roles to your LDAP.
- LDAP has many roles that have no relevance to your workflow.
- You find the SAML mapping for the other required attributes complex. For some IDPs, retrieving the manager user id and role names may require writing custom rules.
When Authentication Only is selected (checked) there is no discovery of Users & Roles. They must be created in your tenant manually. The CSV upload is a good way to do this.
When Authentication Only is not selected (unchecked), Live Forms will discover new users at run-time. However, users are only discovered when the person tries to log in; they are not discovered, nor is their user data (email, name, reports-to) kept in sync, automatically. It requires the user to log in. So this does not necessarily remove the need for manually creating/uploading users and roles ahead of time, nor does it remove the need to continuously update the users when changes are made in LDAP.
If you have workflows that are routed to users/roles there is no guarantee that the required users will log in before a task is created for that user (specifically or via a role). For example, if a workflow is routed to a specific user and it is performed before the first login of that user, Live Forms will send an email to the tenant admin indicating that the user is unknown. Routing based on the user's manager will fail. Routing based on a role will succeed but the user will receive no notification.
Manually creating/uploading users/roles in Live Forms ahead of time avoids this situation.
It is important to know that a SAML tenant with Authentication Only unchecked means that authentication and authorization are handled by SAML/LDAP. Users are added/updated through discovery. If a tenant admin modifies user information in the UI, for example, changes an email address or adds a role for a user, the changes will stay in effect until the user logs out of the tenant and then logs back in. When the user logs back in, the changes made in the UI will be overwritten by the information in SAML/LDAP. In this case, make the changes in your Active Directory to make them permanent.
Step 6 - Logging into Live Forms in a SAML Tenant
- Paste this URL into your browser:
- Cloud Customers: https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the name of your SAML tenant.
- On-premise Customers: http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> and <port> with your server information and {t} with the name of your SAML tenant.
Live Forms screens display depending on the level of authorization specified for the user. Designer users will see the Application Home Page while non-designer users will be directed to their Task List.
This URL redirects to /web/saml/login/alias/{t}. This initiates the SAML authentication process by redirecting to the Identity Provider login page. If the user is authenticated, the rest of the standard login processing is done (verify license, redirect on success etc).
Clicking the logout link in Live Forms logs the user out from Live Forms only.
Logging into a SAML tenant directly (user@saml tenant name) displays an application error message.
On-premise customers using the tomcat bundle will see the following entry in the error log:
Application error processing /frevvo/web/login?null java.lang.UnsupportedOperationException: null
Session Timeout
Session timeouts are configured in Live Forms and in your IDP. If a user's Live Forms session ends before the IDP timeout is reached, they will automatically be logged back into Live Forms if they try to access it again. It is recommended that the Live Forms session timeout and the IDP session timeout be configured for the same value.
Embedding Forms/Flows in your website
Embedding forms and flows into your website when using the SAML Security Manager, will work in the following scenarios :
- The visibility of the form is set to Public.
- The visibility of the form is set to Public in Tenant and the user is already authenticated to SAML
Embedding forms and flows into your website is NOT supported if the visibility of the form is set to Public in Tenant and the user is NOT already authenticated to SAML. This is because frevvo must direct the user to the IDP login screen and the browser will not allow loading the IDP login page in frevvo's form iframe.
Some Troubleshooting Tips
Login fails with illegal Key Size Error
After a failed login, this error message may appear in the <frevvo-home>\tomcat\logs\frevvo.log file:
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822) ~[xmlsec-1.5.7.jar:1.5.7] … org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:546) ~[xmltooling-1.4.4.jar:na] …
Solution:
This error indicates the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are missing in the Java Development Kit (JDK) software of your on-premise installation. Follow these steps to install the JCE files into the JDK.
- Go to the Oracle Java SE download page http://www.oracle.com/technetwork/java/javase/downloads/index.html
- Scroll down … Under "Additional Resources" section you will find "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File"
- Download the version that matches your installed JVM - for example, download UnlimitedJCEPolicyJDK8.zip if you are using JDK/JRE version 8
- Unzip the downloaded zip.
- Copy local_policy.jar and US_export_policy.jar to the <JAVA_HOME>/jre/lib/security (Note: these jars will be already there so you have to overwrite them)
- Restart Live Forms.