Single Sign-On Operator Configuration
This program lets administrators configure Identity Provider authentication per operator.
Exploring
Enhancing user convenience while fortifying system security, the SSO Identity Provider Integration feature empowers users to access SYSPRO using trusted identity providers, creating a unified and secure authentication flow.
Once authenticated, SYSPRO users are automatically logged in, without them having to enter the traditional SYSPRO username and password.
Things you can do in this program include:
- Enable SSO Identity Provider Integration for an operator that has not yet been configured for SSO.
- Disable SSO Identity Provider Integration for an operator that is currently configured for SSO.
- Suspend SSO Identity Provider Integration for an operator that is currently configured for SSO.
- Resume SSO Identity Provider Integration for an operator that is currently suspended.
This program is accessed from the Program List of the SYSPRO menu:
- Program List > Administration > Security > Authentication
Single sign-on (SSO) is a robust authentication mechanism designed to minimize the vulnerabilities associated with traditional username and password combinations by integrating a trusted authentication technology. This enables users to seamlessly access SYSPRO using a single set of credentials, eliminating the need for multiple logins and reducing the risk of unauthorized access.
Within SYSPRO, the following single sign-on methods are available:
- SSO using Active Directory
  - This method is ideal for sites using the SYSPRO Desktop user interface, as each user has to log in to their Windows client environment. This option allows a site to leverage the user authenticated by Windows to log in to SYSPRO.
  - This option is not suitable for users using the SYSPRO Web UI (Avanti), as users can connect via any device (such as a phone or tablet) where Windows authentication is not appropriate.
- SSO Identity Provider Integration
  - Each identity provider allows various additional validation over the traditional user name and password, including the use of authenticator applications and other forms of Multi-Factor Authentication. These providers are often already in use across the organization, so users are already comfortable using these common dialogs.
  - The SSO Identity Provider Integration works across the SYSPRO Desktop and SYSPRO Web UI (Avanti) user interfaces, providing a consistent experience across SYSPRO interfaces and the rest of the organization.
Starting
To use this program, the following setup option(s) must be configured appropriately:
Setup Options > System Setup > Login
- Identity providers required
- User applicability
You can restrict operator access to programs by assigning them to groups and applying access control against the group (configured using the Operator Groups program).
You can restrict operator access to programs by assigning them to roles and applying access control against the role (configured using the Role Management program).
The following configuration options in SYSPRO may affect processing within this program or feature, including whether certain fields and options are accessible.
The Setup Options program lets you configure how SYSPRO behaves across all modules. These settings can affect processing within this program.
Setup Options > System Setup > Login
- Single sign-on identity providers:
  - Identity providers required
  - User applicability
The SSO Identity Provider Integration feature supersedes the previous methods of SSO using Active Directory and Multi-Factor Authentication.
Therefore, it is necessary to disable these previous capabilities before enabling the new SSO Identity Provider Integration, as using both methods simultaneously is not possible.
Solving
Configuration & Usage
If SSO Identity Provider Integration is enabled (i.e. the Identity providers required setup option is enabled) but no Desktop UI providers have been enabled:
- Operators are prompted with the latest login dialog (which includes the identity providers); however, their only available choice will be the standard SYSPRO Authentication (i.e. username and password).
If SSO Identity Provider Integration is enabled but no Web UI providers have been enabled:
- Operators are prompted with the latest login dialog; however, no identity provider authentication is displayed. Therefore, their only choice will be the standard SYSPRO Authentication (i.e. username and password).
A timeout occurs when an operator remains inactive within the system for a specified period. In such cases, to maintain security, the operator may be prompted to re-enter their password before they can continue using the system. This measure is in place to prevent unauthorized access in case an operator leaves their application unattended for an extended period.
When a timeout occurs, the SSO Identity Provider Integration comes into effect and is used to authenticate the operator again before granting further access. This authentication step ensures that the operator is indeed the legitimate user and helps maintain the overall security.
When a particular transaction is configured with the highest level of security settings, the operator is required to provide their password each time the transaction is initiated. Moreover, the system allows the administrator to set up an alternative operator password for added flexibility.
During each eSignature password request, the SSO Identity Provider Integration is used for the authentication process. Prior to permitting the transaction to proceed, the system relies on the identity provider to verify the operator's credentials.
This authentication step ensures that only authorized personnel can execute critical transactions, bolstering the overall security and integrity of the eSignature process.
The SYSPRO Supply Chain Portal utilizes the Web authentication settings (as defined within the Setup Options program - Setup Options > System Setup > Login) and performs in the same manner as the SYSPRO Web UI (Avanti).
The only difference when logging in via the SYSPRO Supply Chain Portal, is the absence of the company sign-in page, as this doesn't apply in a portal environment.
Therefore, once you configure the Web authentication settings, both the SYSPRO Web UI (Avanti) and SYSPRO Supply Chain Portal will automatically utilize the SSO Identity Provider Integration capability.
With SSO Identity Provider Integration, command line prompts in the SYSPRO Desktop retain their functionality while gaining the added benefit of enhanced authentication options:
When launching the SYSPRO Desktop, users can still pass command line parameters as they did before. These parameters allow users to log in to SYSPRO by specifying their user name, password, company ID and other relevant information, and even to specify a program to run with its associated parameters.
However, with the introduction of the /oper= parameter, the identity provider prompt is now set to SYSPRO Authentication, and the operator's code and password, as well as company-specific information, are validated. This means that if an operator is required to authenticate using an SSO identity provider, the validation process will fail, and the user will be prompted to enter the required provider's credentials.
For users who do not need to be authenticated through an SSO identity provider, the existing command line prompts continue to function seamlessly. They can provide the necessary parameters as before without any changes to their workflow.
For example:
Let's consider the case of the ADMIN user. The following command line parameters can still be used:
/oper=ADMIN /pass=UserSecret /comp=EDU1 /cpas=CompanySecret
These parameters will work smoothly, allowing the ADMIN user to access the SYSPRO Desktop as intended.
When SSO Identity Provider Integration is enabled, the Forgot Password process performs as follows:
SYSPRO Desktop:
- When presented with the SYSPRO login dialog, select SYSPRO Authentication from the Identity Provider drop-down.
- Enter your traditional user name and password.
- Select the Forgot Password option.
- A system message prompts you to confirm this request. Select OK to proceed.
- From the Forgot Password Email Confirmation screen, enter your email address, followed by the Send Email function.
  The system then verifies your entry against the email address defined against your SYSPRO operator code, before sending the email.
SYSPRO Web UI (Avanti):
- When presented with the SYSPRO Sign in dialog, enter your traditional user name and password.
- Select the Forgot password option.
- From the Forgot password screen, enter your email address, followed by the Request password function.
  The system then verifies your entry against the email address defined against your SYSPRO operator code, before sending the email.
Microsoft SQL Server Related
The following SQL tables within the system database contain information related to SSO Identity Provider Integration:
- AdmSsoProviders (Admin SSO Identity Providers)
  This table records the following data:
  - SSO identity providers available
  - Indicators as to whether Desktop and/or Web UI authentication applies
  - Default identity provider for each user interface
- AdmSsoAttributes (Admin SSO Identity Provider Attributes)
  This table records the following data:
  - Attributes associated with each identity provider (e.g. secret key)
- AdmSsoUserXref (Admin SSO User Cross Reference)
  This table records the following data:
  - Cross references between the SSO user ID and SYSPRO operator
  - The date and time that the definition was created for the operator (i.e. DateAdded)
  - The date and time of each operator's last login using the identity provider (i.e. DateLastLogin)
- AdmOperator (Admin Operator)
  This table includes the following data:
  - OperatorSsoStatus status flag indicating whether SSO is used (i.e. Enforced, Disabled, Paused)
- AdmCurrentUsers (Users Currently Using SYSPRO)
  This table includes the following data:
  - AuthType (i.e. Authentication type) - defined as S when using an identity provider
  - SsoProviderName contains the name of the identity provider
  - SsoProviderDesc indicates the description of the identity provider
  The AuthType entry in this table is only stored for the duration of the user(s) being logged in.
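The tables above can be queried to audit where password login is still possible and where a live session does not match an operator's SSO status. The following is an added example, not SYSPRO code: it uses the table and column names the page gives (OperatorSsoStatus, OperatorStatus, DateAdded, DateLastLogin, AuthType, SsoProviderName), assumes the operator-code column is called Operator and that the cross-reference table has SsoProviderType and SsoUserId columns, and runs against an in-memory SQLite copy populated with constructed rows.

```python
import sqlite3

# Column names marked "assumed" are not on the page; adjust them to the real schema.
SCHEMA = """
CREATE TABLE AdmOperator (
    Operator          TEXT PRIMARY KEY,  -- assumed column name
    OperatorStatus    TEXT NOT NULL,     -- Active / Disabled / Removed
    OperatorSsoStatus TEXT NOT NULL      -- Enforced / Disabled / Paused
);
CREATE TABLE AdmSsoUserXref (
    Operator        TEXT NOT NULL,       -- assumed column name
    SsoProviderType TEXT NOT NULL,       -- assumed column name (e.g. Microsoft)
    SsoUserId       TEXT NOT NULL,       -- assumed: unique string from the provider
    DateAdded       TEXT NOT NULL,
    DateLastLogin   TEXT
);
CREATE TABLE AdmCurrentUsers (
    Operator        TEXT NOT NULL,       -- assumed column name
    AuthType        TEXT NOT NULL,       -- 'S' when an identity provider was used
    SsoProviderName TEXT
);
"""

# Constructed sample rows (not from any real installation); 'P' is a made-up non-'S' AuthType.
SAMPLE_ROWS = {
    "AdmOperator": [
        ("ALICE", "Active", "Enforced"),
        ("BOB", "Active", "Paused"),        # SSO paused by an administrator
        ("CAROL", "Active", "Enforced"),    # enforced but never linked
        ("DAVE", "Disabled", "Disabled"),   # operator record itself is disabled
    ],
    "AdmSsoUserXref": [
        ("ALICE", "Microsoft", "sub-1111", "2024-01-10 08:00", "2024-03-01 09:15"),
        ("BOB", "Microsoft", "sub-2222", "2024-01-12 08:00", "2024-02-20 17:40"),
    ],
    "AdmCurrentUsers": [
        ("ALICE", "S", "Microsoft"),   # identity-provider login
        ("BOB", "P", None),            # password login while paused: expected
        ("CAROL", "P", None),          # password login while enforced: review
    ],
}

def load_sample_db():
    """Build an in-memory SQLite copy of the three tables holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO AdmOperator VALUES (?,?,?)", SAMPLE_ROWS["AdmOperator"])
    conn.executemany("INSERT INTO AdmSsoUserXref VALUES (?,?,?,?,?)", SAMPLE_ROWS["AdmSsoUserXref"])
    conn.executemany("INSERT INTO AdmCurrentUsers VALUES (?,?,?)", SAMPLE_ROWS["AdmCurrentUsers"])
    return conn

def password_fallback_operators(conn):
    """Active operators whose SSO is Paused or Disabled: password login is allowed."""
    return conn.execute(
        "SELECT Operator, OperatorSsoStatus FROM AdmOperator "
        "WHERE OperatorStatus = 'Active' AND OperatorSsoStatus IN ('Paused', 'Disabled') "
        "ORDER BY Operator").fetchall()

def enforced_but_unlinked(conn):
    """Enforced operators with no AdmSsoUserXref row: they must link at next login."""
    return [r[0] for r in conn.execute(
        "SELECT o.Operator FROM AdmOperator o "
        "LEFT JOIN AdmSsoUserXref x ON x.Operator = o.Operator "
        "WHERE o.OperatorSsoStatus = 'Enforced' AND x.Operator IS NULL ORDER BY o.Operator")]

def non_sso_sessions_for_enforced(conn):
    """Live sessions with AuthType <> 'S' for operators whose SSO is Enforced; review these."""
    return [r[0] for r in conn.execute(
        "SELECT c.Operator FROM AdmCurrentUsers c "
        "JOIN AdmOperator o ON o.Operator = c.Operator "
        "WHERE o.OperatorSsoStatus = 'Enforced' AND c.AuthType <> 'S' ORDER BY c.Operator")]
```

Point the same three queries at the real system database (with the assumed column names corrected) to get the list of operators who can currently bypass the identity provider and any session that warrants a closer look.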
Using
- Columns in a listview are sometimes hidden by default. You can reinstate them using the Field Chooser option from the context-sensitive menu (displayed by right-clicking a column header in the listview). Select and drag the required column to a position in the listview header.
- Press Ctrl+F1 within a listview or form to view a complete list of functions available.
Once the administrator has enabled the Single sign-on identity providers capability and configured at least one identity provider, your operator login process is as follows:
- An operator launches SYSPRO 8 2023 (or later) in either the SYSPRO Web UI (Avanti) or SYSPRO Desktop user interface.
  The login dialog is displayed to the operator and presents as follows in each of the UIs:
  - SYSPRO Desktop:
    The login dialog contains an Identity Provider drop-down with a list of all identity providers enabled by the system administrator, as well as a SYSPRO authentication entry that allows the entry of a user name and password.
    The SYSPRO authentication option (i.e. traditional user name and password) is useful for administrators and other operators for whom Single sign-on identity providers has been disabled or paused.
  - SYSPRO Web UI (Avanti):
    The login dialog contains login buttons for each of the identity providers enabled by the system administrator. In addition, operators currently not enabled for Single sign-on identity providers are able to log in using their user name and password.
    Operators who have been configured to use Single sign-on identity providers are prevented from using the standard SYSPRO Authentication (i.e. traditional user name and password).
- The operator selects their identity provider of choice (if more than one is available and configured by the administrator) and authenticates using their account credentials with that provider.
  Depending on the provider, this may include a Multi-Factor Authentication check.
  For example:
  The Microsoft identity provider may ask for confirmation using the mobile-based Authenticator app.
- Once authentication has succeeded, the operator is presented with the Single Sign-On Link Dialog, from where they can link their SYSPRO operator code to their authenticated ID:
  - The operator enters their correct operator code within the User name field.
    This could be an operator code, network user name or email address, depending on the organization's specific parameters and licensing options.
  - The operator enters the password associated with their operator code within the Password field.
  - The operator then selects the Link operator function.
    Once these credentials are validated, a row is added to the AdmSsoUserXref (Admin SSO User Cross Reference) system-wide table containing the following information:
    - SYSPRO operator code
    - SSO provider type (e.g. Microsoft)
    - Unique user string returned from the identity provider
    This creates a cross-reference between the SYSPRO operator code and the authenticated user string, which is then used for subsequent authentication attempts.
- Once the operator has been linked, the Company Sign In page is displayed, from where the operator can select the company they want to access and enter the applicable password.
- The operator selects the Sign in to company function and is then logged into SYSPRO.

- Operators can link more than one identity provider to their SYSPRO operator code.
- When a SYSPRO operator code is linked to an SSO identity provider, the flags against the operator record are set to indicate that SSO authentication is in force.
- If someone can no longer log in using a specific identity provider, the system administrator can log in and use the Single Sign-On Operator Configuration program to allow SYSPRO Authentication (i.e. traditional user name and password) to be used.
  This is achieved by disabling or pausing SSO for the operator.
  An alternative option (e.g. if Single sign-on identity providers is not set ‘per operator’) is for an administrator to use the Force SSO registration at next login option within the Operator Maintenance program.
  Enabling this option removes the operator's previous SSO history and forces the operator to re-authenticate their SSO Identity Provider login details the next time they log in to SYSPRO.
Once an operator has linked their SYSPRO operator code with one of the identity providers and authenticated successfully, their subsequent login experience is as follows:
- An operator launches SYSPRO 8 2023 (or later) in either the SYSPRO Web UI (Avanti) or SYSPRO Desktop user interface.
- From the login dialog, the operator selects their preferred identity provider (with which they have already linked their operator code) to authenticate their access into SYSPRO.
  SYSPRO validates this authentication by checking the entries defined against the operator within the AdmSsoUserXref (Admin SSO User Cross Reference) table.
- The Company Sign In page is displayed, from where the operator can select the company they want to access and enter the applicable password.
- The operator selects the Sign in to company function and is then logged into SYSPRO.

- If an operator is defined to use Single sign-on identity providers for their authentication (and they have logged in at least once using one of the identity providers), then all subsequent logins must use an identity provider for their authentication. Therefore, they can no longer log into SYSPRO using their traditional user name and password after linking their operator code to an identity provider.
  The only exception is if their Single sign-on identity providers authentication has been paused or disabled by the administrator (using the Single Sign-On Operator Configuration program).
- If an operator cancels out of the authentication dialog, they are returned to the main login screen.
- If an operator defined to use Single sign-on identity providers attempts to use an alternative user interface where no identity providers have been enabled, they will not be able to log in to that user interface.
Referencing
After selecting the applicable operators from the Operators pane, this function enables them for SSO Identity Provider Integration (i.e. this sets an operator's SSO status as enforced).
After selecting the SSO enabled operators within the Operators pane, this function disables their SSO Identity Provider Integration requirement (i.e. this sets an operator's SSO status as disabled).
Operators who are disabled or suspended for SSO revert to entering the traditional user name and password to access SYSPRO.
If you later enable these operators for SSO, they will have to re-authenticate their operator code with one of the identity providers.
After selecting the SSO enabled operators within the Operators pane, this function suspends their SSO Identity Provider Integration (i.e. this sets an operator's SSO status as paused).
Operators who are disabled or suspended for SSO revert to entering the traditional user name and password to access SYSPRO.
Suspending SSO for an operator is useful when that operator requires temporary suspension from the additional authentication requirement.
For example:
If an operator is configured to use Microsoft authentication and they lose their phone, they can't access SYSPRO. Suspending their SSO status allows them access.
After selecting a suspended operator within the Operators pane, this function reinstates their requirement for SSO Identity Provider Integration (i.e. this sets an operator's SSO status as enforced).
This lets you select all operators within the Operators pane.
This lets you deselect all operators within the Operators pane.
This enables you to remove any previous authentication information for the user.
This removes all associated rows from the AdmSsoUserXref (Admin SSO User Cross Reference) table.
Once an operator is reset, they will be forced to re-link their operator to the identity provider.
This listview includes all operator codes, excluding administrators.
- Select: Use the checkbox in this column to select operators for actioning.
- Operator: This indicates the operator code.
- Name: This indicates the name of the operator.
- Authentication type: This indicates the authentication type used to log into SYSPRO:
  - Password (P): A SYSPRO password is required for the operator when logging into SYSPRO.
  - Multi-Factor (M): Multi-Factor Authentication is enabled for the operator. When logging into SYSPRO, the operator code, password and an additional authentication method are required. You can't enable Multi-Factor Authentication for an operator that is defined for concurrent access (i.e. the Allow concurrent use of this operator option is enabled against the operator).
  - Windows (W): SSO using Active Directory is enabled for the operator. Microsoft Windows authentication is used when logging into SYSPRO. Because an operator's Microsoft Active Directory (AD) credentials are used to log into SYSPRO, they are not prompted for an operator code or password at the SYSPRO login dialog.
  - SSO provider authentication (S): SSO Identity Provider Integration is enabled for the operator and authentication via one of the following identity providers is required when logging into SYSPRO:
    Because an operator's SSO Identity Provider Integration credentials are used to log into SYSPRO, they are not prompted for an operator code or password at the SYSPRO login dialog.
- Enable action: Use the Enable or Disable functions within this column to enable or disable SSO Identity Provider Integration for the selected operator.
- Suspend action: Use the Suspend or Resume functions within this column to suspend or resume SSO Identity Provider Integration for the selected operator.
- SSO Status: This indicates the current SSO Identity Provider Integration status for the operator:
- Status: This indicates the current status of the operator (as recorded in the OperatorStatus column of the AdmOperator table of your SYSPRO database):
  - Active: The operator is active in SYSPRO and Microsoft Active Directory (AD) and can log into SYSPRO.
  - Disabled: The operator is disabled from one of the following and can't log into SYSPRO or the SYSPRO Supply Chain Portal:
  - Removed: The operator was either removed via Microsoft Active Directory (AD) or the Portal User Management program and can't log into SYSPRO or the SYSPRO Supply Chain Portal.
- This indicates the email address configured against the operator.
- Last SSO provider used: This indicates the last identity provider used by the operator to authenticate their access to SYSPRO.
- SSO provider last login date: This indicates the date on which the operator last logged into SYSPRO using an identity provider.
- Currently logged in: This indicates whether the operator is currently logged into SYSPRO.
- Date operator added: This indicates the date on which the operator was created in SYSPRO.
- Date operator changed: This indicates the date on which the Status of the operator was last changed.
- Last login / Last login date / Last login time: This indicates the date and time that the operator code was last used to load SYSPRO.
- Locked out: This indicates whether a lock has been set against the operator (i.e. when locked out, the operator is unable to load SYSPRO).
- Location: This indicates the physical location of the operator.
- Operator type: This indicates the operator type (as recorded in the AdmOperator table):
  - Normal: This is a standard operator that can access the following SYSPRO platforms:
  - Template: This is a template operator record that can be used as a baseline configuration to simplify the creation of operators in similar areas or departments. For example, you can create a template for operators in the Accounts department that contains all the general configuration for that type of operator. Then, when creating an operator code for someone in Accounts in future, you can use this template to simplify the process. A template operator can't log into SYSPRO. Template operators are required when creating portal users in the Portal User Management program. The following fields can't be changed for Template operators:
  - Portal: This is a named user that is only used for the SYSPRO Supply Chain Portal. Portal users are created using the Portal User Management program and can log into the following SYSPRO platforms:
    The following fields can't be changed for Portal operators:
    You also can't copy a Portal user/operator.
  - AD Managed: This is an operator managed by Microsoft Active Directory (AD) (via the SYSPRO 8 Active Directory Sync Service). AD Managed users are created using the Active Directory User Management program and can access the following SYSPRO platforms:
    The following fields can't be changed for AD Managed operators:
  - SSO provider managed operator: This is an operator managed by SSO Identity Provider Integration. SSO with ID Integration users are managed using the Single Sign-On Operator Configuration program and can access the following SYSPRO platforms:
- CMS only user: This indicates whether the operator is only enabled to use the Contact Management System.
- Espresso user: This indicates whether the operator is a SYSPRO Espresso user.
- POS only user: This indicates whether the operator is only enabled for SYSPRO Point of Sale.
- Primary group / Primary group code: This indicates the primary operator group to which this operator belongs.
- Primary role / Primary role code: This indicates the role descriptor, usually matching the job description or job function assigned to an operator.
Copyright © 2024 SYSPRO PTY Ltd.