Part 2: Configuring User Authentication with

Lesson 5: Integration with Other Identity and Access Management Systems

The integration of Acumatica ERP with Windows Azure Active Directory (Azure AD) provides single sign-on (SSO) and centralized user and access management. You can use an instance of Azure AD, which is the cloud version of the Active Directory service, if your organization is signed up for a Microsoft cloud service, such as Azure or Office 365. With such integration in place, users of your Acumatica ERP instance sign in to Acumatica ERP with their Azure AD domain credentials. You can integrate your Acumatica ERP instance with either AD FS or Azure AD, but not with both: these two identity management systems are mutually exclusive because they use the same functionality to connect to Acumatica ERP. Acumatica ERP also supports single sign-on (SSO) with Google and Microsoft Account by using the OAuth 2.0 standard. After you set up SSO with Google or Microsoft Account, the employees of your organization can use their Google (or Microsoft) accounts to access your Acumatica ERP instance as well as Google (or Microsoft) services. This reduces the number of logins and passwords the users have to remember and thus reduces the risk of identity theft. With this integration, the Google account (or Microsoft account) provides the only authentication for employees of your company. You set up authorization for users in your Acumatica ERP instance by assigning user types and roles to each Acumatica ERP user account. Each user then needs to log in to Acumatica ERP once with the Acumatica ERP login and password in order to associate his or her own Google account (or Microsoft account) with that user account.

Lesson Objectives

You will learn how to do the following (you do not need to perform the steps to pass the training):

  • Integrate Acumatica ERP with Azure AD
  • Set up SSO with Google for your Acumatica ERP instance
  • Set up SSO with Microsoft Account for your Acumatica ERP instance

Integration with Azure Active Directory

You can integrate Acumatica ERP with Windows Azure Active Directory (Azure AD) to manage users and access in one place and to provide single sign-on. You can create, delete, and manage user accounts by using Azure AD. During integration, you map Azure AD groups to user roles in Acumatica ERP to determine users’ access rights.

Requirements

Before you integrate Acumatica ERP with Azure AD, your company must be signed up for a Microsoft cloud service, such as Azure or Office 365, with the Azure Active Directory instance configured. For more information, see Azure Active Directory on the Windows Azure Portal.

Configuration Steps

You can configure integration with Azure AD when you implement Acumatica ERP or at any later time. To integrate an instance of Acumatica ERP with Azure AD, you will perform the following steps:

  1. Register your Acumatica ERP instance with the Azure AD instance and obtain the client ID and client secret, as described in To Register Your Acumatica ERP Instance on Windows Azure.
  2. Enable integration with Azure AD by modifying the web.config file of the application instance, as described in To Enable Azure Active Directory Integration for the Acumatica ERP Instance. After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
  3. Map the Azure AD groups to Acumatica ERP roles, as described in To Map Azure Active Directory Groups to Roles in Acumatica ERP.
  4. Optional: If required, override the roles assigned to any user automatically by selecting the required roles manually. For details, see To Set Up Role Assignment for Domain Users.
  5. Optional: If you want to use the Azure AD service as the default identity provider, enable silent logon with Azure AD, as described in To Enable Silent Logon.

User Accounts of Domain Users in Acumatica ERP

After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your Acumatica ERP instance for the first time. The accounts of domain users in Acumatica ERP are based on their accounts in the domain. The password of a domain user in Acumatica ERP is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in Acumatica ERP. You cannot restore the passwords of domain users by using Acumatica ERP tools; you should restore users’ domain credentials by using Active Directory (AD) tools.

If the number of users or groups in AD is greater than or equal to 1000, information about users and groups from AD is automatically cached by Acumatica ERP to speed up authentication of users. When you make any changes in AD, you can manually synchronize the cached lists of users and groups with AD in Acumatica ERP. If the number of users and groups in AD is less than 1000, Acumatica ERP retrieves the lists of users and groups directly from AD.

Domain User Authentication

After integration of Acumatica ERP with Azure AD, users use single sign-on (SSO) with the domain to sign in to Acumatica ERP. By default, the users follow these steps:

  1. On the Welcome page of your Acumatica ERP instance, the user selects the Azure AD icon to open the Azure AD sign-in page.
  2. On the sign-in page, the user enters the domain credentials in the following format: <User_Name>@<Domain_Name>, where <User_Name> is the user account name in the integrated domain and <Domain_Name> is the UPN suffix, also known as the domain name.

To simplify the procedure, you can configure silent logon with the Azure AD server. For more information, see To Enable Silent Logon.

Domain User Authorization

When a domain user tries to access Acumatica ERP, user authorization occurs as follows:

  1. The application instance sends an authentication request to the AD server to validate the user’s credentials.
  2. When validation has completed successfully, the AD server sends Acumatica ERP the list of AD groups to which the user is assigned.
  3. Acumatica ERP compares the list of AD groups with the internal Acumatica ERP roles, based on the mapping rules defined on the User Roles (SM201005) form.
  4. The system finds any Acumatica ERP roles that are associated with AD groups to which the domain user account is assigned. If Acumatica ERP finds at least one such role, the user is permitted to sign in to the Acumatica ERP instance. The user's access rights within the Acumatica ERP application instance are based on this internal list of roles.
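The group-to-role comparison in steps 2 through 4, worked through in Python as an added illustration (this is not Acumatica's code): the group names, role names and mapping table are constructed for the example, and the optional manual role override from the configuration steps is modelled as replacing the mapped roles, which is an assumption.

```python
# Added illustration of the domain-user authorization flow; not Acumatica's code.
# Group names, role names and the mapping table are constructed for the example.
from dataclasses import dataclass, field

# Constructed stand-in for the mapping rules kept on the User Roles (SM201005)
# form: AD group -> Acumatica ERP roles. Several groups may grant the same role.
ROLE_MAPPING = {
    "ACME-Finance": {"Financial Supervisor", "Internal User"},
    "ACME-Sales": {"Sales Manager", "Internal User"},
    "ACME-IT": {"Administrator"},
}


@dataclass
class AuthzResult:
    allowed: bool
    roles: set = field(default_factory=set)
    reason: str = ""


def authorize_domain_user(ad_validated, ad_groups, manual_roles=None):
    """Steps 2 to 4 of the flow.

    ad_validated: outcome of step 1, the AD server's check of the credentials.
    ad_groups:    the group list the AD server returns for the user (step 2).
    manual_roles: optional per-user override chosen by the administrator;
                  modelled here as replacing the mapped roles (an assumption).
    """
    if not ad_validated:
        # Never consult the mapping for credentials AD did not accept.
        return AuthzResult(False, reason="domain credentials not validated")
    if manual_roles:
        roles = set(manual_roles)
    else:
        # Step 3: union of the roles mapped to every group the user is in;
        # groups with no mapping rule contribute nothing.
        roles = set()
        for group in ad_groups:
            roles |= ROLE_MAPPING.get(group, set())
    if not roles:
        # Step 4: a valid domain password alone is not enough; with no mapped
        # role the sign-in is refused (authentication is not authorization).
        return AuthzResult(False, reason="no Acumatica ERP role mapped to the user's AD groups")
    return AuthzResult(True, roles)
```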

For more information about authentication in Acumatica ERP, see User Accounts in Acumatica ERP. For details about roles and access rights in Acumatica ERP, see User Access Rights.

Access Rights of Domain Users

Domain users inherit access rights from the AD groups that you mapped to Acumatica ERP user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights. New domain users automatically get the rights to sign in to Acumatica ERP when they join a domain. The membership of these users in Acumatica ERP roles is then automatically updated to comply with the membership of the users in the domain groups.

Single Sign-On with Google

You can integrate Acumatica ERP with Google if you want to allow employees of your organization to use their Google accounts to access your Acumatica ERP instance as well as Google services.

Requirements

If you plan to use this integration, we strongly recommend that you host your Acumatica ERP instance (or instances) over HTTPS. For more information, see Setting Up an HTTPS Service in Web Server (IIS).

Configuration Steps

The configuration of single sign-on (SSO) with Google for your Acumatica ERP instance consists of the following steps:

  1. You register your Acumatica ERP instance with Google and obtain the OAuth 2.0 credentials, including the client ID and client secret. For details, see To Register an Acumatica ERP Instance with Google.
  2. You enable SSO with Google in your Acumatica ERP instance by using the client ID and client secret you obtained in the previous step, as described in To Enable SSO with Google. You can enable and disable SSO with Google for your Acumatica ERP instance at any time because Acumatica ERP uses SSO with Google only for verifying user identities. Users can still authenticate themselves by using their Acumatica ERP credentials.
  3. Optional: You activate SSO with Google on the Users (SM201010) form for each user who will use his or her Google account for authorization in Acumatica ERP. Alternatively, each user can activate SSO with Google for himself or herself on the User Profile (SM203010) form. For details, see To Activate Your Google or Microsoft Account.
  4. Users of your Acumatica ERP instance associate their Acumatica ERP accounts with their Google accounts. They can do this in either of the following ways:
  • Users click the Associate User button on the User Profile form (for details, see To Activate Your Google or Microsoft Account). The system registers the unique user key associated with the user’s Google account with the user’s Acumatica ERP account. This way can be used if users activate SSO with Google for their accounts on their own.
  • If the value of the selfAssociate parameter in the externalAuth section of the web.config file is true (which is the default value), users click the Google icon on the Welcome page of Acumatica ERP, and the system suggests that they enter the credentials of an Acumatica ERP user that should be associated with the Google account. This way can be used when you activated SSO with Google for each user.
  5. Optional: You configure your Acumatica ERP instance to automatically redirect users to the Google sign-in page, as described in To Enable Silent Logon. Before you turn on silent logon with Google, ask your users if all of them can sign in to Acumatica ERP with their Google accounts.

User Authentication

After you have integrated Acumatica ERP with Google, users use SSO with Google services to sign in to Acumatica ERP. By default, each user follows these steps:

  1. On the Welcome page of the Acumatica ERP instance, the user clicks the Google icon to open the Google sign-in page.
  2. On the sign-in page, the user enters his or her Google account credentials.

To simplify the procedure, you can configure silent logon with Google. For more information, see To Enable Silent Logon.

Single Sign-On with Microsoft Accounts

You can integrate Acumatica ERP with Microsoft Account if you want to allow employees of your organization to use their Microsoft Accounts to access your Acumatica ERP instance as well as Microsoft services.

Requirements

If you plan to use this integration, we strongly recommend that you host your Acumatica ERP instance (or instances) over HTTPS. For more information, see Setting Up an HTTPS Service in Web Server (IIS).

Configuration Steps

The configuration of SSO with Microsoft Account for your Acumatica ERP instance consists of the following steps:

  1. You register your Acumatica ERP instance with Microsoft Account and obtain the OAuth 2.0 credentials, including the client ID and client secret. For details, see To Register an Acumatica ERP Instance with Microsoft Account.
  2. You enable SSO with Microsoft Account in your Acumatica ERP instance by using the client ID and client secret you obtained in the previous step, as described in To Enable SSO with Microsoft Account. You can enable and disable SSO with Microsoft Account for your Acumatica ERP instance at any time because Acumatica ERP uses SSO with Microsoft Account only for verifying user identities. Users can still authenticate themselves by using their Acumatica ERP credentials.
  3. Optional: You activate SSO with Microsoft Account on the Users (SM201010) form for each user who will use his or her Microsoft Account credentials for authorization in Acumatica ERP. Alternatively, each user can activate SSO with Microsoft Account for himself or herself on the User Profile (SM203010) form. For details, see To Activate Your Google or Microsoft Account.
  4. Users of your Acumatica ERP instance associate their Acumatica ERP accounts with their Microsoft Account credentials. They can do this in either of the following ways:
  • Users click the Associate User button on the User Profile form (for details, see To Activate Your Google or Microsoft Account). The system registers the unique user key associated with the user’s Microsoft Account with the user’s Acumatica ERP account. This way can be used if users activate SSO with Microsoft Account for their accounts on their own.
  • If the value of the selfAssociate parameter in the externalAuth section of the web.config file is true (which is the default value), users click the Microsoft icon on the Welcome page of Acumatica ERP, and the system suggests that they enter the credentials of an Acumatica ERP user that should be associated with the Microsoft Account. This way can be used when you activated SSO with Microsoft Account for each user.
  5. Optional: You can configure your Acumatica ERP instance to automatically redirect users to the Microsoft Account sign-in page, as described in To Enable Silent Logon. Before you turn on silent logon with Microsoft Account, ask your users if all of them can sign in to Acumatica ERP with their Microsoft Account credentials.

User Authentication

After you have integrated Acumatica ERP with Microsoft Account, users use single sign-on (SSO) with Microsoft services to sign in to Acumatica ERP. By default, the users follow these steps:

  1. On the Welcome page of the Acumatica ERP instance, the user clicks the Microsoft icon to open the Microsoft sign-in page.
  2. On the sign-in page, the user enters his or her Microsoft account credentials.

To simplify the procedure, you can configure silent logon with Microsoft Account. For more information, see To Enable Silent Logon.
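The account-association logic behind the two methods listed in the Google section and again in this Microsoft Account section (Associate User on the User Profile form, and self-association from the Welcome page when selfAssociate is true), as an added Python illustration that is not Acumatica's code: the store layout, provider names, subject identifiers and credentials are constructed, and the rule that SSO must be activated for a user before a link is honoured is modelled as an assumption.

```python
# Added illustration of how an external (Google or Microsoft) identity gets
# linked to an Acumatica ERP account; not Acumatica's code. The store layout,
# provider names and credentials are constructed for the example.
import hmac

class ExternalAuthStore:
    """Keeps the link between an external identity and an ERP user.

    The link key is (provider, subject), where subject is the provider's
    stable unique user key mentioned in the text; an e-mail address is not
    used as the key because the user can change it at the provider.
    """

    def __init__(self, self_associate=True):
        # Mirrors the selfAssociate parameter of the externalAuth section.
        self.self_associate = self_associate
        self.links = {}   # (provider, subject) -> ERP login
        self.users = {}   # ERP login -> {"password": str, "sso": set(providers)}

    def add_user(self, login, password, sso_enabled=()):
        # sso_enabled: providers activated for this user on the Users form.
        # Plain-text password is a stand-in for a stored hash (constructed).
        self.users[login] = {"password": password, "sso": set(sso_enabled)}

    def associate(self, login, provider, subject):
        """'Associate User' on the User Profile form: the user is already
        signed in with ERP credentials, so the link can be written directly."""
        self.links[(provider, subject)] = login

    def sign_in_external(self, provider, subject, erp_credentials=None):
        """User clicked the provider's icon on the Welcome page and the
        provider has authenticated (provider, subject). Returns the ERP
        login on success, or None."""
        login = self.links.get((provider, subject))
        if login is not None:
            return login if provider in self.users[login]["sso"] else None
        # Unknown external identity: only selfAssociate allows linking here,
        # and only after the user proves control of the ERP account.
        if not self.self_associate or erp_credentials is None:
            return None
        erp_login, erp_password = erp_credentials
        user = self.users.get(erp_login)
        if user is None or not hmac.compare_digest(user["password"], erp_password):
            return None
        if provider not in user["sso"]:
            return None   # SSO with this provider not activated for the user
        self.associate(erp_login, provider, subject)
        return erp_login
```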

Lesson Summary

In this lesson, you learned about the integration between Acumatica ERP and Azure Active Directory, and about single sign-on with Google or Microsoft accounts.

Review Questions:

  • What are the benefits of integration between Acumatica ERP and other identity and access management systems?
  • What is the process of user authentication when integration with one of these systems is configured?