Azure SAML Security Manager

Live Forms v8.0 is no longer supported. Please visit Live Forms Latest for our current Cloud Release. Earlier documentation is available too.

Live Forms supports the Azure Security Manager for Single Sign On. Users/roles are automatically pulled from Azure AD into Live Forms cloud tenants and on-premise installations. Users are redirected to the Microsoft Azure login screen for authentication.

frevvo recommends using the SAML Security Manager for customers who want to manage users/roles from the Live Forms UI.

Prerequisites

  • You will need a valid Microsoft Azure subscription

  • The frevvo.TenantAdmin and frevvo.Designer groups must be specified on your Active Directory server. The group names must be spelled as shown. Upper/lower case may be a factor for Open LDAP systems. These groups are required.

    • Tenant admin users must be assigned to the frevvo.TenantAdmin group.

    • Designer users must be assigned to the frevvo.Designer group.

  • Contact the frevvo Customer Success team to schedule your Security Manager configuration.

  • frevvo Best Practice recommends that you create a user account in your Active Directory that will house all of your deployed Production forms/flows. This user can be named anything, e.g. frevvoProduction, but it must be a member of the frevvo.Designer group.

  • If you want to preserve Applications/Forms/Flows developed in your trial/starter tenant, perform these steps BEFORE changing the Security Manager:

    1. Download the Applications/Forms/Flows that you want to preserve to your desktop as a backup. Do this for all user accounts that have Applications/Forms/Flows that you want to keep.

    2. When the backup of all Applications/Forms/Flows is completed, delete the user accounts in your Default Security Manager tenant.

  • There are two additional roles in Live Forms: frevvo.Publisher and frevvo.ReadOnly. These roles are optional.

    • In order to give a user the frevvo.Publisher role, create the frevvo.Publisher group in your AD and assign users to it. Refer to the Administrator Best Practices for an explanation of this role.

    • In order to give a user the frevvo.ReadOnly role, create the frevvo.ReadOnly group in your AD and assign users to it. Following frevvo Best Practice eliminates the need for this role.

  • frevvo only supports the Azure Security Manager when Live Forms is running in the tomcat container. Refer to our Supported Platforms for the list of supported/certified Application Servers.

Configuring the Azure SAML Security Manager

Follow the steps listed below to create a Live Forms tenant using the Azure SAML Security Manager:

  1. Create an Application for Live Forms in Azure

  2. Create the Live Forms metadata file

  3. Create the Azure Tenant IDP metadata file

  4. Create/edit the Live Forms tenant

  5. Log into your Live Forms tenant

Step 1 - Create an Application for Live Forms in Azure

frevvo assumes that customers have someone on staff who can successfully perform this step of the procedure. Information about Live Forms is listed below to help you with this process.

The Azure global administrator MUST create the application for Live Forms in Azure.

If you are familiar with the Microsoft Azure Legacy Portal, review this Microsoft Training Guide before setting up the Azure application for Live Forms.

Do not include the curly braces in the URLs discussed below.

  1. Login to the Microsoft Azure Management console: https://manage.windowsazure.com or https://portal.azure.com with your Azure global administrator account.

  2. Click on the Azure Active directory link on the left side of the screen.

  3. Click on the App Registrations link.

  4. Click on the New application registration link for creating a new application.

  5. Enter the following details:

    1. Name:- Name of your frevvo Azure application

    2. Select who can use this application or access this API

  6. Configure the Redirect URL:

    1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{t} - replace {t} with the name of your frevvo tenant.

    2. On-premise customers should use http://<server>:<port>/frevvo/web/saml/SSO/alias/{t} - replace <server> with the IP address of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

    3. Click Register.

  7. Select the frevvo application from the list.

  8. Click the Branding tab

  9. Configure the Home Page URL:

    1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/tn/{t}/login - replace {t} with the name of your frevvo Cloud tenant.

    2. On-premise customers should use http://<server>:<port>/frevvo/web/tn/{t}/login - replace <server> with the IP address of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

    3. Click Save.

  10. Click on the API Permissions tab.

    1. Click Add a Permission.

    2. Select Azure Active Directory Graph from the Supported legacy APIs section.

    3. For Application Permissions, select Read and write directory data (under Directory).

    4. For Delegated Permissions, select Sign in and read user profile (under User) AND Read directory data under (under Directory).

    5. Click on the Grant Permissions button, select the "Yes" option and click on the Save button.

  11. Click on the Expose an API tab.

    1. Configure the Application ID URI:

      1. Cloud Customers should use https://app.frevvo.com:443/frevvo/web/alias/{t} - replace {t} with the name of your frevvo Cloud tenant.

      2. On-premise customers should use http://<server>:<port>/frevvo/web/alias/{t} - replace <server> with the IP address of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo in-house tenant.

      3. Click Save.

  12. Click the Certificates & secrets tab.

    1. Generate the Client Secret. COPY/SAVE the VALUE in a notepad - you will need this for the frevvo tenant screen. There is only one chance to retrieve the client secret key when you create the application for Live Forms in Azure. Once you leave this screen the value will be hidden.

  13. Click the Overview tab.

    1. Copy the Application ID into your notepad. This is the value of the Client ID on the frevvo configuration screen.

    2. Copy the Directory ID into your notepad. This is the value of the Tenant ID on the frevvo configuration screen.

    3. Click Endpoints at the top of the screen. Copy the Federation Metadata Document URL from the list to your notepad. This is the URL that you will use to generate the Azure metadata.

      Example of the Federation Metadata Document URL

      https://login.microsoftonline.com/3d532ac1-a43c-45c7-b0e9-cc814400ca11/federationmetadata/2007-06/federationmetadata.xml

  14. Proceed to Step 2 - Create the Live Forms metadata file

Just a reminder - you will need the Azure tenant ID, the client id and the client secret for the frevvo application when configuring your Azure SAML tenant.

Step 2 - Create the Live Forms metadata file

Follow these steps to generate the frevvo metadata for your Azure SAML tenant. You can do this even if the tenant has not been created yet.

  1. Paste this URL into your browser:

    1. Cloud Customers: https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{t} - replace {t} with the name of your tenant - Ex; azuread

    2. On-premise customers: http://<server>:<port>/frevvo/web/saml/metadata/alias/{t} - replace <server> with the IP address of your server, <port> with the port number (if applicable) and {t} with the name of your frevvo tenant.

  2. When the metadata displays, save the page as an xml file.



  3. We will need to copy the entire metadata from this file to the Azure SAML Security Manager configuration screen.

  4. Metadata must be generated for each Azure SAML tenant. Each tenant will have a unique URL.

Step 3 - Create the Azure Tenant IDP metadata file

Follow these steps:

  1. Browse the Federation Metadata Document URL that you copied to your notepad when creating the Azure application for Live Forms. It is located on the Endpoints tab in your frevvo Azure application.

    Example of Federation Metadata Document URL from Endpoints

    https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
  2. Save all the metadata returned as an xml file. We will need to copy the entire metadata from this file to the Azure SAML Security Manager configuration screen.

Step 4 - Create/edit the Azure SAML tenant

To successfully create a Live Forms tenant using the Azure SAML Security Manager, you will need the following:

Cloud customers migrating their tenant to the Azure SAML Security Manager will make the changes via the Edit Tenant screen. Once accessed, follow these steps beginning with step 3.

  1. Log onto Live Forms as the superuser (on-premise) or the tenant admin (cloud).

  2. Access the Add Tenant (on-premise) or Edit Tenant (cloud) screen.

  3. Select Azure SAML Security Manager from the Security Manager Class dropdown.

  4. Copy the Service Provider (frevvo) metadata into the Service Provider field. You can include the xml prolog when you paste the Service Provider (frevvo) metadata.



  5. Copy the metadata from the Azure tenant IDP file previously created and paste it into the Identity Provider field.



  6. Enter the Federation Metadata Document URL that you copied from Endpoints in your frevvo Azure application. The URL is needed to handle signing key rollover in Azure Active Directory. This URL is polled and refreshes the Azure IDP metadata every 3 hours. The new metadata is stored and automatically used as a backup in case the URL is not accessible.

    Example of Federation Metadata Document URL

    https://login.microsoftonline.com/fece6b7e-fbc6-4b3a-8287-fc07c29aa2d2/FederationMetadata/2007-06/FederationMetadata.xml
  7. Check the Ignore Case checkbox if you are using LDAP for authentication and you want Live Forms to ignore the case stored in LDAP systems for users/roles. The field is checked by default. Refer to the Mixed or Upper case User Names topic for more information.

  8. Enter the User Id. This should be the User property name that identifies the user. Typical values are userPrincipalName or givenname.

  9. Custom attributes can be mapped by typing the attribute names in the Custom field separated by a comma.

  10. Enter the following information in the API Access section.

    1. Enter the Azure tenant identifier into the tenant Id field. This can be obtained by viewing the endpoint URLs listed when you click View Endpoints in your frevvo Azure application.

    2. Enter the client id and client secret key that were created as part of registering the frevvo application into the respective fields.

  11. Configure a tenant admin account. This account does not require Azure SAML authentication. This tenant admin can log directly into Live Forms, providing a default security manager backdoor.

    1. The tenant admin id, password and email fields are required.

    2. When this tenant admin performs a form based login i.e. /frevvo/web/login, the password entered on this screen is used for authentication. This is also the URL used by the API.

    3. If the tenant based login url is used i.e. /frevvo/web/tn/{t}/login then the Azure SAML login is used.

    The forgot password function works for an Azure SAML tenant admin user. For all others, it will display the error message about not being supported for the tenant.

  12. Configure the Business Calendar for your tenant. The Live Forms escalation feature will use this calendar to calculate deadlines and send notification and reminder emails.

  13. Enter HTTP Auth credentials if required. Credentials for external secure web services accessed by the forms and flows in your tenant can be specified in this section.

  14. Click Submit.
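Step 6 above relies on the Federation Metadata Document URL being polled so that Azure AD signing key rollover does not break the tenant, with the last stored copy used when the URL is unreachable. The following is an added example, not frevvo code, that parses a document of that shape and mirrors that refresh-with-fallback policy; the embedded metadata, tenant id and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of the SAML 2.0 metadata document Azure AD publishes.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of that document; the tenant id and the
# certificate bytes are placeholders, not real values.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (base64.b64encode(b"constructed-cert-1").decode(),
                         base64.b64encode(b"constructed-cert-2").decode())

def parse_idp_metadata(xml_text):
    """Pull out what the SP relies on: entityID, the SSO endpoint and the
    SHA-256 fingerprint of every signing certificate currently advertised."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    certs = root.findall("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("metadata advertises no signing certificate")
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_fingerprints": sorted(
                hashlib.sha256(base64.b64decode(c.text.strip())).hexdigest()
                for c in certs)}

def refresh_idp_metadata(fetch, cached):
    """Poll and replace the stored copy on success; if the URL is unreachable or
    unparsable, keep serving the last good copy. Returns (metadata, refreshed)."""
    try:
        return parse_idp_metadata(fetch()), True
    except (OSError, ET.ParseError, ValueError):
        if cached is None:
            raise  # no good copy yet: fail rather than accept unverified assertions
        return cached, False
```

During a rollover both the old and the new certificate appear under KeyDescriptor use="signing", so a stored copy that still lists only the old one is exactly the case the periodic poll exists to fix.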