Configure single sign-on (SSO, the new sign-on method)
You can use single sign-on through an identity provider for AFAS Online. The sign-on is then handled by the identity provider rather than by AFAS Online. If single sign-on has not been configured, users sign on using two-factor authentication.
You determine the sign-on method for each InSite URL. This means you can use single sign-on for the live InSite while using two-factor authentication for the test InSite. For example: you use single sign-on on https://12345.afasinsite.nl, but two-factor authentication on https://12345.afasinsite.nl/test.
This page describes the steps to take when you want to use SSO for the first time as you switch to the new AFAS Online platform (including, for example, rolling out Citrix Receiver). Even if you have already configured single sign-on on the old AFAS Online platform, you must reconfigure SSO. Follow the steps below.
If you want to configure SSO separately before switching to the new platform, you can do so through this procedure. If, on the other hand, you have been on the new platform for a while and want to start using SSO, follow this procedure.
This page contains the system requirements and preparations for single sign-on. The steps for after the switch are described for each identity provider.
If you configure single sign-on, users can sign on using both single sign-on and two-factor authentication. The only way to prevent users from signing on with two-factor authentication is to delete the email address in the user settings. However, that user will then be unable to sign on to OutSite or use AFAS Pocket.
The following identity providers are supported:
- Every party with OpenID Connect. For example:
  - Active Directory Federation Services (AD FS 4.0) - Windows Server 2016
  - Azure Active Directory (based on OpenID Connect)
  - Office 365 (based on Azure AD)
- Active Directory 3.0 (AD FS) - Windows Server 2012 R2
System administrator's preparations
The system administrator must check and configure several items because of the change to the Citrix platform. If an external party handles your system administration, contact them in good time. Make sure you understand all items before you start.
- Check the system requirements for network/data traffic and users.
- Configure the Profit Connectors. Additional system requirements apply to them. When you switch to the new sign-on method, the connectors must also be moved over.
- Check the Profit environment type. This is nearly always recorded correctly, but verify it to be certain.
- Open the environment.
- Go to / / .
- Go to the tab: .
- Check that the correct value has been selected: production environment (P), test environment (T) or accept environment (A).
- If you use your own mail server, make sure that your AFAS Online communication is not blocked. This component is maintained by your system administrator; AFAS cannot offer support for it.
Whitelist the IP address that AFAS Online uses for emailing: 220.127.116.11 / proxy.afas.online
Change the outgoing AFAS Online mail server:
When you work on AFAS Online and use the AFAS Online mail server, you must configure Sender Policy Framework (SPF) records so that the AFAS Online mail server is authorised to send email on behalf of your email domain. If you do not configure the SPF record, outgoing emails will not be delivered correctly and will be blocked.
Change the SPF records of the outgoing mail server. You can do this before you switch.
- If you had already configured this, the old SPF record could look as follows:
yourdomain.nl txt v=spf1 mx ip4:127.0.0.1 include:_spf.afasonline.nl ~all
- Change this as follows:
You can check the outgoing SPF record as follows:
- Go to: https://mxtoolbox.com/spf.aspx.
- Enter the Domain name. This is the part after the @ in your email address. If your email address is email@example.com, the Domain name is: enyoi.com
- If the SPF record has been configured correctly, you will see the following line:
- If you do not see this line, contact the system administrator in your own organisation. AFAS cannot change this for you.
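The mxtoolbox check above tells you whether the record resolves; before you edit DNS it also helps to parse the record yourself. This is an added example, not AFAS code: it splits an SPF TXT record into its terms, confirms that the include named in the old record on this page is present, counts the DNS-lookup terms (RFC 7208 allows at most 10, after which receivers return permerror and mail is rejected) and reports how the record ends. The old record quoted above is used as constructed sample input.

```python
import re

# Old record as quoted on this page (used here as constructed sample input)
OLD_RECORD = "v=spf1 mx ip4:127.0.0.1 include:_spf.afasonline.nl ~all"

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows at most 10)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> list:
    """Split an SPF record into (qualifier, name, value) tuples.

    Raises ValueError if the text is not a v=spf1 record or a term is malformed.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        # qualifier (+ - ~ ?), then the term name, then an optional :value, =value or /prefix
        m = re.fullmatch(r"([+\-~?]?)([a-zA-Z][a-zA-Z0-9]*)(?:[:=/](.*))?", term)
        if not m:
            raise ValueError(f"unparseable term: {term}")
        parsed.append((m.group(1) or "+", m.group(2).lower(), m.group(3) or ""))
    return parsed


def check_spf(record: str, required_include: str) -> dict:
    """Report what a mail administrator wants to know before publishing the record.

    This checks one TXT string only; whether the domain publishes more than one
    v=spf1 record (also a permerror) has to be checked in DNS itself.
    """
    terms = parse_spf(record)
    includes = [v.lower() for _, name, v in terms if name == "include"]
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    last_q, last_name, _ = terms[-1] if terms else ("+", "", "")
    return {
        "has_required_include": required_include.lower() in includes,
        "lookup_count": lookups,
        "within_lookup_limit": lookups <= 10,
        # A record without a trailing 'all' leaves every other sender undecided
        "ends_with_all": last_name == "all",
        "all_qualifier": last_q if last_name == "all" else None,
    }
```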
Roll out Citrix Receiver
Citrix Receiver must be installed on every workstation on which Profit Windows is used, because Profit Windows runs in a Citrix environment. Users start Profit Windows through Citrix Receiver.
You do not have to create an account when installing Citrix Receiver. If the Add account screen is displayed, you can close it.
Use these links to roll out Citrix Receiver:
Configuring the identity provider (system administrator)
Below is a list of all supported identity providers. Choose one and perform its steps.
Every party with OpenID Connect is supported. For example:
- Active Directory Federation Services (AD FS 4.0) - Windows Server 2016
Or carry out the steps for:
- Active Directory 3.0 (AD FS) - Windows Server 2012 R2
When this has been completed, forward the data that you collected to the Profit administrator.
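Before forwarding the OpenID Connect data to the Profit administrator, the system administrator can sanity-check the provider's discovery document. This is an added example, not AFAS code or an AFAS-supported tool: the issuer and the document are constructed, the AD FS-style path under /adfs is an assumption, and the check treats any endpoint that is not https on the issuer's own host as a finding, which holds for the providers listed on this page.

```python
import json
from urllib.parse import urlparse

# Constructed AD FS-style issuer (assumption: an AD FS farm publishes its
# issuer under /adfs); not a real host.
ISSUER = "https://adfs.example.test/adfs"

# Constructed discovery document using field names from OIDC Discovery.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Where the provider's metadata lives: issuer + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, doc_json: str) -> list:
    """Return a list of findings; an empty list means the data can be forwarded."""
    doc = json.loads(doc_json)
    findings = []
    iss = urlparse(issuer)
    if iss.scheme != "https":
        findings.append("issuer is not https")
    # OIDC Discovery requires the document's issuer to equal the issuer it was
    # fetched for; a mismatch means the metadata belongs to another provider.
    if doc.get("issuer") != issuer:
        findings.append("issuer in document does not match the configured issuer")
    for name in ENDPOINTS:
        url = doc.get(name)
        if not url:
            findings.append(f"{name} missing")
            continue
        p = urlparse(url)
        if p.scheme != "https" or p.netloc != iss.netloc:
            findings.append(f"{name} is not https on the issuer host")
    # An ID token must be signed; a provider advertising 'none' must not be used.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        findings.append("ID token signing algorithms missing or include 'none'")
    return findings
```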
Recording the Profit administrator for the portal
The Profit administrator must carry out specific actions for single sign-on on the AFAS Online Portal as the portal administrator. For this reason, you configure the Profit administrator as the portal administrator.
- Go to: / / .
- Open the properties of the Profit administrator.
- Enter the administrator's email address in the
- Go to the
- Select the check box.
This field only works after switching to the new sign-on method. If the check box is selected, you have access to the Management tab on the AFAS Online Portal. If you have not yet switched, you will not have access to the Management tab.
- If you have an AFAS Accept licence, the field will be available. If a user may access the Accept environment, select the field for this user.
- Click on: .
Recording the sign-on method for each application in the portal (Profit administrator)
If you have your identity provider's data (received from your system administrator), you can add it in the AFAS portal yourself.
Then select the identity provider (your own for single sign-on or the AFAS one for two-factor authentication) for each application at AFAS Online.
Step 1. Enter the data of your own SSO Identity provider
- Go to: login.afasonline.com
- Sign on as the administrator using two-factor authentication.
- Is this the first time that you are signing on? Follow this procedure.
- Have you signed on as the administrator before? Follow this procedure.
Do not sign on through single sign-on, because then you will have insufficient rights.
- Go to tab:
- Select which identity provider you want to add in .
- Depending on your choice in (for OpenID Connect with identity providers such as AD FS 4.0, Okta or Azure AD), you may need to provide values for other fields.
- Click: .
Step 2. Configure for each application which identity provider you want to use
Determine for each application which identity provider you want to use.
Users will continue to sign on by means of two-factor authentication until you have recorded a UPN for each user.
- Go to login.afasonline.com and sign on as the administrator if you have not done so already.
- Go to: Single sign-on.
Here you will see which applications are available to you in AFAS Online.
- Select the for each application that you want to use: your own single sign-on identity provider or the standard AFAS Identity Provider (if you want to use two-factor authentication).
- Click: .
Enter the UPN for each user and test sign-on (Profit administrator)
We recommend testing single sign-on with one test user first.
If you already used SSO before, the UPN will already have been entered for users. In that case, only follow step 2.
After the change
Users who use the PCC must have PCC version 7 or higher installed.
Install PCC version 7
If you use the PCC, you must also switch to PCC version 7 after switching to Profit 7.
To do this, update the PCC to the latest version.
The latest version of the PCC converts your PCC settings to the new connector addresses (endpoints) in preparation for the new AFAS Online platform. The following is relevant to your system administrator:
Your computer must support TLS 1.2 for the new address. Click here for more information. If you block all traffic by default and allow exceptions through your firewall, make sure that you whitelist the PCC addresses.