frevvo + Google Apps: Part 7. Single Sign On using your Google Apps credentials

As of October 2015, Google Apps can act as a SAML Identity Provider (IdP). Since frevvo also supports SAML, you can sign in to your frevvo Cloud tenant or On-premise system using your Google Apps credentials. The walk-through below shows how to set up Google as the Identity Provider and frevvo as the Service Provider (SP) to configure SSO. It covers Cloud; On-premise is similar but has an additional step to generate a certificate.

Google as the Identity Provider

Follow the steps below. Screens are shown in the images below.

  1. Login to your Google domain as an admin, go to the admin portal and click through to Apps > SAML Apps. If you have any existing SAML apps, you’ll see them here. Click the big PLUS (+) sign at bottom right to add a new one. A wizard will appear.
  2. In Step 1, click the “Setup My Own Custom App” link at the bottom of the screen.
  3. In Step 2, choose Option 2 and Download the IDP metadata file.
  4. In Step 3, you can provide a name for your application, a description and a logo.
  5. In Step 4, you must enter the Service Provider (frevvo) details. For ACS URL, type https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/{tenant}. For Entity Id, type https://app.frevvo.com:443/frevvo/web/alias/{tenant}. In both cases, replace {tenant} with your cloud tenant id. For example, https://app.frevvo.com:443/frevvo/web/saml/SSO/alias/ashish-saml.com. Both values must match frevvo's SP metadata character for character (scheme, host, port and tenant), since Google rejects requests from an Entity Id it does not know and only posts assertions to the registered ACS URL. Leave the built-in Name Id attribute configuration alone.
  6. In Step 5, you need to add a new Attribute Mapping:
    User Id | Basic Information | Primary Email and click Finish.
  7. You should see the Setup Complete screen show up. Click OK.
  8. Your new SAML App will be displayed. Click the three dots at right and turn ON SSO. You can turn it ON for everyone in your domain or only for specific organizational units (sub-organizations).

Create users in Google

At this point, you’ll need to create your users in Google or move existing users into the appropriate sub-organization if you are limiting access to your SAML app to specific organizational units. You won’t have to create new users or move existing users if you enabled the SAML app for everyone in your Google domain.

However, you’ll need a user in your Google domain to serve as the tenant administrator. Either create a new one or choose an existing one (there’s nothing further to do in Google as long as you pick someone).

Create users in frevvo

You need to ensure that the user you chose/created as the tenant admin exists in frevvo before switching the tenant to SAML. Once we switch over, all authentication will use Google Apps credentials and you won’t be able to log in using your current tenant admin or any other non-Google user; if no Google user holds the frevvo.TenantAdmin role at that point, nobody can administer the tenant. We’ll use CSV upload. The file syntax looks like this:

userId,tenant,password,firstName,lastName,email,enabled,reportsTo,roles,transaction
{user}@{domain},{tenant},123,{first},{last},{email},true,,frevvo.Designer|frevvo.TenantAdmin,

The fields are your Google login (e.g. prajakta.deshmukh@frevvo.com), your frevvo tenant id (e.g. ashish-saml.com), any password (it is not used once SAML is enabled), the first name, last name and email address. The userId must be the Google primary email exactly as Google knows it, because that is the value Google sends in the User Id attribute mapped in Step 5 above. In the roles field, use the roles indicated above.

  1. Login as the current tenant admin user.
  2. Click on Manage Users.
  3. Click on Download CSV users file.
  4. Edit the file to setup at least one Google User (the one you chose/created as the tenant admin).
  5. Click on CSV Upload (the Excel looking icon) and upload the file to create this user.

frevvo as the Service Provider

Now, we need to set up frevvo. Follow the steps below (also shown in the image below):

  1. Generate the SP metadata file from frevvo. Visit the URL https://app.frevvo.com:443/frevvo/web/saml/metadata/alias/{tenant} in your browser, replacing {tenant} with your cloud tenant id. Right-click, choose View Page Source, and save the contents as an XML file.
  2. Login to your Cloud account as tenant admin and click the Edit Tenant button.
  3. In the Security Manager section, click the Change button, choose SAML in the drop down that appears and click Ok. NOTE: Free Trial accounts do not show the Change button. If the Change button is not visible in your tenant, please contact customer support.
  4. The SAML configuration section will appear. In the Service Provider section, we must paste the SP metadata file we generated in Step 1 above. Unfortunately, the file starts with an XML prolog (the leading <?xml ... ?> declaration, highlighted in the image below) which must be removed. Paste the contents of this SP metadata file without the prolog into the Service Provider text area of the configuration form.
  5. In the Identity Provider section, paste the IdP metadata file we downloaded and saved in the Google setup above. Once again, the file starts with an XML prolog that must be removed. Paste the contents of this IdP metadata file without the prolog into the Identity Provider text area of the configuration form. This file carries Google's signing certificate and SSO endpoint; frevvo uses the certificate to verify the signature on every SAML response, so paste it exactly as downloaded.
  6. Check Authentication Only. This means SAML will authenticate the user but frevvo will not retrieve any attributes from the assertion. Users are not automatically discovered upon first login, so you must create users and roles using CSV upload.
    • If you do not wish to select the Authentication Only option, you’ll need to map the other attributes in Google first before you can assign them in frevvo. First Name, Last Name and Email are straightforward since these attributes are surfaced by the Google SAML IdP app. The other attributes may be more difficult.
  7. With the Authentication Only option, attribute mapping includes only one attribute, the User Id. Since we mapped the primary email address to the User Id attribute in Google while setting up the SAML app, we can simply map the frevvo attribute to User Id in the configuration form.
  8. Submit the form and we’re done.

How to use your new SAML tenant

  1. Log out of all your Google accounts before testing.
  2. Go to the tenant URL: https://app.frevvo.com:443/frevvo/web/tn/{tenant}/login. Replace {tenant} with your tenant id.
  3. You will be redirected to the Google login page.
  4. Login to Google as the Google user you chose/created as the tenant admin.
  5. You will be redirected to frevvo to the Manage Tenant screen.

The user id displayed in frevvo at the top will look like {user}@{domain}@{tenant} which is a bit confusing but is purely cosmetic.

Load other users in frevvo

Before your other Google users can log in to frevvo using their Google Apps credentials, they must first be created in frevvo. You can download users from Google Apps as a CSV file (uncheck the create a Google Sheet option), modify it to follow frevvo’s syntax as above and upload it. You can also log in as the tenant admin Google user and create users and roles using the UI.

Once the user exists in frevvo, they can log in using Google credentials and the system will behave as expected according to the roles assigned to the user.
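The conversion from the Google export to the frevvo upload syntax shown in the Create users in frevvo section is mechanical but easy to get wrong by hand (a quoted last name with a comma, a userId that differs from the Google primary email, or no user left holding frevvo.TenantAdmin). The script below is an added example, not frevvo's tooling; it serves both that section and this one. The Google export column names it reads ("First Name [Required]", "Last Name [Required]", "Email Address [Required]") are an assumption about the Admin console download, so check them against your own file's header row. The sample export is constructed and the addresses are not real accounts.

```python
"""Build the frevvo user-upload CSV from a Google Apps user export.

Added example, not frevvo's tooling. Google export column names are assumed;
the frevvo columns are the ones given in the walk-through.
"""
import csv
import io

FREVVO_FIELDS = ["userId", "tenant", "password", "firstName", "lastName",
                 "email", "enabled", "reportsTo", "roles", "transaction"]
ADMIN_ROLE = "frevvo.TenantAdmin"

# Constructed sample export (not real accounts); column names are an assumption.
GOOGLE_EXPORT = """First Name [Required],Last Name [Required],Email Address [Required],Org Unit Path [Required]
Prajakta,Deshmukh,prajakta.deshmukh@example.com,/
Ana,"de la Cruz, Jr.",ana.delacruz@example.com,/Sales
"""


def build_frevvo_rows(google_csv: str, tenant: str, roles_by_user: dict) -> list:
    """Turn the Google export into frevvo rows; roles_by_user maps a Google
    primary email to a '|'-separated frevvo role string."""
    rows, seen = [], set()
    for row in csv.DictReader(io.StringIO(google_csv)):
        email = row["Email Address [Required]"].strip()
        if email in seen:
            raise ValueError(f"duplicate user in export: {email}")
        seen.add(email)
        rows.append({
            "userId": email,             # must equal the Google primary email: that is the User Id Google sends
            "tenant": tenant,
            "password": "unused",        # placeholder; not used once the tenant authenticates via SAML
            "firstName": row["First Name [Required]"],
            "lastName": row["Last Name [Required]"],
            "email": email,
            "enabled": "true",
            "reportsTo": "",
            "roles": roles_by_user.get(email, ""),
            "transaction": "",
        })
    # Lock-out guard: after the switch to SAML only Google users can log in,
    # so at least one of them must carry the tenant admin role.
    if not any(ADMIN_ROLE in r["roles"].split("|") for r in rows):
        raise ValueError(f"no user carries {ADMIN_ROLE}; you would be locked out after switching to SAML")
    # Typo guard: roles assigned to an address that is not in the export would silently do nothing.
    missing = set(roles_by_user) - seen
    if missing:
        raise ValueError(f"roles assigned to users not in the export: {sorted(missing)}")
    return rows


def to_csv(rows: list) -> str:
    """Serialise rows in the frevvo column order; csv handles quoting of commas in names."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FREVVO_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    roles = {"prajakta.deshmukh@example.com": "frevvo.Designer|frevvo.TenantAdmin"}
    print(to_csv(build_frevvo_rows(GOOGLE_EXPORT, "ashish-saml.com", roles)), end="")
```

Feed the real export in place of GOOGLE_EXPORT, assign roles in the dictionary, and upload the printed file through CSV Upload as in the Create users in frevvo section. The admin-role check is deliberate: the walk-through's warning that the old tenant admin stops working after the switch means this file is the last chance to make sure a Google user can still administer the tenant.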
