In Part 3 of this series, we described how Anonymous tasks are vastly simplified in V8.0. Another enhancement that customers have requested is the ability to view a form that they had submitted earlier as part of a workflow.
For example, we automate our internal operations with frevvo. Let’s say I submit a Vacation Request or Expense Report for processing. A few days later I want to go back and look at what I submitted. Prior to V8, we setup an action that notifies me at every step along the way and emails me a PDF copy of the form that I submitted. Email is already hard enough to keep track of and this isn’t an ideal solution.
Now, you don’t have to email PDFs around for record-keeping. You can simply use Task Search to find your workflow and then use the Audit trail to view the information you submitted.
In the audit trail for any workflow, you will see a new View icon. The icon will only show up if you have permission to view the workflow at that step. However, you can always see things that you submitted – by far the most common scenario. Click the View icon and frevvo will render a read-only view of the workflow using the data from that step.
You can expand/collapse Sections, navigate Tabs and view all the data. However, you cannot make changes.
Obviously, the audit trail also shows the progress of the workflow through various approval stages so you can always see where the workflow is currently sitting and the history as it was routed from person to person. Now, you can also see the data.
We hope you’ll like the improvements that we’ve made. Stay tuned for future articles and upcoming webinars on V8.0 – it will be released to frevvo Cloud this Fall. We’re also already working on features for the next release(s) that we’ll describe here as we go along.
In Part 2 of this series, we described the redesigned Flow Step Properties panel, which makes it much easier to configure individual flow steps. Another oft-requested improvement is to anonymous steps.
What are Anonymous Steps?
Anonymous steps in a workflow are routed to an email address and do not require the recipient to authenticate before performing the step. They’re super common – for example, a purchase order may be started internally by a sales person, get approved by his/her manager and then get routed to the customer for signature. You probably want to make it as easy as possible for the customer to sign the PO and not require an account, remember passwords etc.
Prior to V8, you had to drag in a separate Email (Anonymous) Step and configure it separately in your workflow. It would send an email and advance the workflow to the following step which was the actual form that the recipient would see. Customers found it confusing and we ran into many situations where workflows were incorrectly designed as a result.
More Intuitive Anonymous Steps
V8 simplifies this significantly by removing the additional step from the flow. Now, you drop in the form you want the recipient to see (or link to an existing one) and configure its properties. Click the cog icon to bring up the Flow Step Properties dialog and navigate to the Assignment tab.
On this tab, you can now assign the task to a user, role or email address in one place. At runtime, assignment is made in that priority order. If you want to route to an email address, simply type it in and leave the other two fields blank – the step will be routed via email and can be performed anonymously. There’s also no longer a requirement to make the entire workflow public.
You can also use control templates in the email field so that it’s dynamic. Start typing and a pick list will appear with matching controls. At runtime, the value of the control is evaluated and if it’s a valid email address, the step will be routed via email and can be performed anonymously.
We’re looking forward to this release and hope you’ll like all the improvements. Stay tuned for future articles and upcoming webinars on V8.0 – it will be released to frevvo Cloud this Fall.
With the release of 6.2, customers will have the option to log in to frevvo via SAML 2.0. This is primarily meant for cloud tenants who use LDAP but do not want to expose it over the internet. Of course, there will be those who prefer to use it simply because it offers single sign-on (SSO). The inability to access LDAP does require us to store user and role information in frevvo in order to route workflow tasks. This data duplication may seem unwarranted in on-premise deployments, where LDAP is accessible. On the other hand, there is still Integrated Windows Authentication as an SSO option.
Using SAML requires installing and configuring a SAML identity provider product. These products can be free (Shibboleth, OpenSSO) or commercial (ADFS, PingFederate, etc.) and require IT-savvy personnel to set them up, or they can be subscription-based cloud providers like OneLogin that provide connectors to hook up your LDAP with SAML. Once set up, you need to release attributes about the user, viz. user id, first name, last name, email, manager user id, and role names. Manager and role attribute values are typically available as distinguished names (DNs) in the LDAP and require an additional lookup and transformation to convert them to identifiers. Support for, and the ease of, doing this varies depending on the LDAP and SAML products. Other custom attributes can also be released for use in frevvo forms. In addition, the ‘frevvo.User’ role must be configured for any user to be authorized to access frevvo. The Add/Edit Tenant screens allow configuring the service and identity provider metadata as well as mapping the attribute names. Security in SAML is achieved by signing and encrypting the communication, which requires managing cryptographic keys; these can be set up in the keystore provided with frevvo.
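The DN-to-identifier transformation described above, as an added example that is not frevvo’s code: the manager and group memberships arrive as LDAP DNs, the leaf RDN value is extracted (honouring RFC 4514 escapes such as `\,`), group DNs become role names, and the manager DN goes through a lookup (a constructed dictionary here, standing in for the directory query). The sample attribute set, the `MANAGER_LOOKUP` table and the function names are all assumptions for illustration; only the `frevvo.User` role check is taken from the post.

```python
from typing import Dict, List, Optional

def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas, keeping RFC 4514 backslash escapes intact."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":  # an escaped character is never a separator
            buf, i = buf + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts, buf, i = parts + [buf.strip()], "", i + 1
        else:
            buf, i = buf + dn[i], i + 1
    return [p for p in parts + [buf.strip()] if p]

def unescape(value: str) -> str:
    r"""Drop backslash escapes so "Smith\, Bob" reads "Smith, Bob" (\XX hex form not handled)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1  # skip the escape, keep the character it protects
        out.append(value[i])
        i += 1
    return "".join(out)

def leaf_value(dn: str, attr: str = "CN") -> Optional[str]:
    """Value of the leftmost RDN when its attribute type is `attr`, else None."""
    rdns = split_dn(dn)
    if not rdns or "=" not in rdns[0]:
        return None
    typ, val = rdns[0].split("=", 1)
    return unescape(val) if typ.strip().upper() == attr.upper() else None

# Constructed sample of what an IdP might release for one user (not real data).
SAMPLE_ATTRS = {
    "uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"], "mail": ["jane.doe@example.com"],
    "manager": ["CN=Smith\\, Bob,OU=Staff,DC=example,DC=com"],
    "memberOf": ["CN=frevvo.User,OU=Groups,DC=example,DC=com", "CN=Approvers,OU=Groups,DC=example,DC=com"],
}
# Constructed stand-in for the directory lookup that resolves a manager DN to a user id.
MANAGER_LOOKUP = {"CN=Smith\\, Bob,OU=Staff,DC=example,DC=com": "bsmith"}

def map_attributes(attrs: Dict[str, List[str]], lookup: Dict[str, str]) -> Dict[str, object]:
    """Build the user record; 'authorized' is True only when the frevvo.User role is present."""
    roles = [r for r in (leaf_value(g) for g in attrs.get("memberOf", [])) if r]
    manager_dn = (attrs.get("manager") or [None])[0]
    return {"userId": attrs["uid"][0], "firstName": attrs["givenName"][0],
            "lastName": attrs["sn"][0], "email": attrs["mail"][0],
            "managerId": lookup.get(manager_dn) if manager_dn else None,
            "roles": roles, "authorized": "frevvo.User" in roles}
```

A user whose group list lacks `frevvo.User` is mapped but flagged unauthorized, and a manager DN missing from the lookup yields no manager id rather than a guessed one.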
While the user attributes can be discovered and saved on login, routing to other users requires user/role information to be available upfront. This can be accomplished using the bulk user CSV upload feature that is already available for use with the default security manager. Custom attributes, however, will not be persisted. With user information coming from two sources, viz. login and upload, the most recent data will be used. Complete information needs to be provided from either source, as there is no support for merging data.
LDAP is the de facto standard when it comes to managing identity information in an enterprise. It authenticates who you are, with a user name and password, and authorizes what you can do, by means of roles (groups). There are other interesting attributes associated with the ‘who’ such as your name, email address, manager etc. In a frevvo context, the name would typically be used to identify an applicant on a form, while the email and manager can be used to route notifications or escalations in a workflow. In order to route workflow tasks by role, we need to answer the question ‘who are the users that have this role?’. The LDAP can provide this information, although it is not the typical authentication or authorization function that it is used for. We need a direct connection to the LDAP in order to make this query, which most organizations are happy to allow as long as the access is within their firewall. This approach has been used successfully in frevvo on-premise deployments for many years.
Let’s now consider a frevvo cloud tenant that needs to access the LDAP. The LDAP now needs to be exposed to the internet, raising visions of hackers stealing identities and personal information. The immediate reaction is to use the tried-and-trusted VPN to secure the connection or single sign-on protocols like SAML that abstract away the LDAP. On the other hand, there is the less popular solution of using a secure LDAP (over SSL or TLS) connection, which is the equivalent of the trusted HTTPS. What is the right approach? VPN offers no more security than secure LDAP as this blog argues, is harder to implement in a multi-tenant product like frevvo, and costs more. Single sign-on protocols like SAML (provided by commercial products like Microsoft ADFS or the open-source Shibboleth OpenSAML) are great for authentication and authorization (and single sign-on, of course) but will not satisfy the routing requirements. We would need to provide a back channel to upload role information to frevvo as we currently do for tenants that do not use LDAP (CSV file import). This is an additional integration that has to be managed by the customer who has the onus of keeping it synchronized, and comes with the risk of stale routing data.
Secure LDAP has the benefit of being just a configuration change (we support both the deprecated LDAPS and the recommended TLS in 6.1) with no change in functionality. Communication between frevvo and LDAP is encrypted, similar to HTTPS. On the other hand, the customer, being in control of security, has to take precautions to ensure that the LDAP information is accessible only to frevvo (origin IP address restrictions), that the data cannot be changed (read-only access), and that only the required attributes are exposed (selective replication). In the case of Active Directory (by far the most popular LDAP), Microsoft recommends the use of an RODC (read-only domain controller) and provides guidelines to implement the above. With this in place, passwords need not be replicated to the RODC (as authentication will be forwarded to the associated writeable DC) and hence are not exposed even if the RODC is compromised.
So what is the right approach? Secure LDAP is, well, secure, has all the capabilities we need to provide the required product features, and requires the least integration effort. This would be our recommended approach. For the skeptical, there is SAML with data upload, which is planned for a later release.