thumb_up
thumb_down
link
Copy link
Copied
insert_emoticon
lmatfy
Copied

Configure single sign-on (SSO; the new signing on method)

You can use single sign-on through an identity provider with regard to AFAS Online. This means that the sign-on will not be processed by AFAS Online but by the identity provider. If single sign-on has not been configured, users will sign on using two-factor authentication.

On 20 December 2019 the Inloggen via AFAS Identity Provider toestaan (Log on using AFAS Identity provider) has been added. For existing identity providers this setting isn't used and everything will work as it did. When you configure a new identity provider, you must make a choice for this setting.

Log on using AFAS Identity provider is empty

Log on using AFAS Identity provider has a value

For each InSite URL you determine the lon on method: using single sign-on or two factor authentication.

You can always log on to Profit Windows using two factor authentication (provided the email address of the user has been entered).

The co-operation user (of the accountant) always logs on using two factor authentication, not thru single sign-on.

You configure your own identity provider, so users will log on to InSite and Profit Windows using single sign-on. In the identity provider you also determine whether or not users are allowed to log on using two factor authentication.

For example: a user has logged on using his AFAS Online account (so using two factor authentication). Then the user starts Profit Windows or InSite of a customer. Is the user allowed to continue, or should he log on to the SSO provider of the customer?

AFAS supports various identity providers, but you must select one particular identity provider. If you want to migrate to another identity provider, do so if no or few people use Record your old data before entering new data.

Attention:

AFAS Support doesn't support the configuration of single sign-on. Your organisation itself is responsible for the security of the logon method and the protection of your data. You manage and maintain the SSO solution yourself.

AFAS, for example, has no insight or influence on whether or not two-factor authentication is used with a single sign-on login method chosen by the customer. However, two-factor authentication is often required by law for privacy-sensitive data. The provider or administrator of the login method (for example, the IT department that manages your organization's ADFS and Active Directory) can set the security options.

Contents

System administrator's preparations

The system administrator checks the system requirements with regard to the network/data traffic and users. If you're using a third party to manage your systems, please contact this party well on time.

Roll out Citrix Workspace

Citrix Workspace must be installed on all workstations on which Profit Windows is used. Profit Windows, after all, runs in a Citrix environment. Users start Profit Windows by means of Citrix Workspace.

You do not have to create an account when installing Citrix Workspace. If the Add account screen is displayed, you can close it.

Please view: which version of Citrix Workspace do I need (Dutch).

Also see:

Recording the Profit administrator for the portal

The Profit administrator must carry out specific actions on the AFAS Online Portal as the portal administrator with regard to single sign-on. This is why you configure the Profit administrator as the portal administrator.

  1. Go to: General / Management / Authorisation tool.
  2. Open the properties of the Profit administrator.
  3. Enter the administrator's email address in the E-mail field.

    2FA - Beheer - Overstappen (proc -mail gebruiker) - e0mail

  4. Go to the Applications tab.

    2FA - Beheer - Overstappen (proc -mail gebruiker) - e0mail

  5. Select the AFAS Online Portal Administrator check box.
  6. If you have an AFAS Accept licence, the AFAS Accept field will be available. If a user may have access to the Accept environment, select the AFAS Accept field for this user.
  7. Click on: OK.

Configuring the identity provider (system administrator)

Below you will see a list of all supported identity providers. Make a choice and perform the steps.

OpenID Connect

Every party with OpenID Connect is supported. For example:

Active Directory Federation Services (AD FS 4.0) - Windows Server 2016 and higher

Azure Active directory (on the basis of OpenID connect)

Office 365 on the basis of AzureAD

HelloID

Okta

Secure Login

SURFconext

SURFconext

AD FS 3.0

Active Directory 3.0 (AD FS) - Windows Server 2012 R2 (old)

When this has been completed, forward the data that you collected to the Profit administrator.

Recording the sign-on method for each application in the portal (Profit administrator)

If you have the data of your identity provider (received from your system administrator), you can add this data in the AFAS portal yourself.

Next, select the identity provider (your own for single sign-on or the AFAS one for 2-factor authentication) for each application at AFAS Online.

Step 1. Enter the data of your own SSO Identity provider

  1. Go to: login.afasonline.com
  2. Sign on as the administrator using two-factor authorisation.
    • Is this the first time that you are signing on? Follow this procedure.
    • Have you signed on as the administrator before? Follow this procedure.

    Note:

    When logging on, use the manager's email address, recorded in the Authorisation tool.

    Do not sign on through single sign-on because then you will not see the Manage tab.

  3. Go to tab: Management / Identity provider.

  4. Select the type of identity provider.
  5. The fields required depend on the type of identity provider.

    OpenID Connect for the following identity providers: AD FS 4.0, Okta, Azure AD, etc.

    ADFS 3.0

    SURFconext

    Note:

    On 20 December 2019 the Inloggen via AFAS Identity Provider toestaan (Log on using AFAS Identity provider) has been added. For existing identity providers this setting isn't used and everything will work as it did. When you configure a new identity provider, you must make a choice for this setting.

    Example 1 (Profit Windows):

    Richard opens www.afasonline.nl and logs in with his AFAS Online account via two-factor authentication. Richard then opens the customer's Profit Windows via www.afasonline.nl/12345 (participant 12345). The identity provider of a customer is linked to this participant number.

    If users who are logged in with the AFAS Identity Provider do not need to log in again, Profit Windows will be opened immediately.

    If users always have to log in via the Identity Provider (of the customer), Richard must first log in via the identity provider before he can open Profit Windows.

    Example 2 (InSite):

    Esther opens www.afasonline.nl and logs in with his AFAS Online account via two-factor authentication. Esther opens the InSite to the customer via 12345.afasinsite.nl (participant 12345). The identity provider of a customer is linked to this participant number.

    If users who are logged in with the AFAS Identity Provider do not need to log in again, InSite will be opened immediately.

    If users always have to log in via the Identity Provider (of the customer), Esther must first log in via the identity provider before he can open InSite.

    Example 3 (user is not logged in):

    John is not logged in yet and opens 12345.afasinsite.nl (participant 12345). The identity provider of his organization is linked to this participant number.

    John must always log in via the identity provider of his organization, regardless of the setting in the Allow login via AFAS Identity Provider field.

  6. Click Save.

Step 2. For each application, configure which identity provider you want to use.

For each application, determine the identity provider you want to use.

Attention:

User's will continue to log on using two factor authentication, untill the UPN per user had been recorded.

  1. Go to www.afasonline.nl and log on as administrator
  2. Go to: Management / Single Sign on.

    AOL_SSO Self-service AOL portal instellen - ADFS (20)

    You see the application available to you on AFAS Online.

  3. For each application, select the Identity provider you want to use: your own Single Sign On-identity provider or the standard AFAS Identity Provider (if you aim to use two factor authentication
  4. Cick Save.
  5. Click Test to view if the connection is good.

Step 3: Record IP restrictions (optional)

The administrator can record IP restrictions on the AFAS Online portal, via Management / IP restrictions. If you define IP restrictions, users can only start the applications (apps) from IP addresses that are allowed based on the IP restrictions, this is an extra security that is also applied when logging in via SSO.

Enter the UPN for each user and test sign-on (Profit administrator)

We recommend first testing single sign-on using one test user, as explained above. An alternative/additional method is testing by filling in the UPN at on user.

If you already used SSO before, the UPN will already have been entered at users. Then, only follow step 2.

Step 1: Enter the UPN at one user

Step 2: Test the sign-on method using one user

Step 3: Enter the UPN at all users

After the change

If you use the PCC, you must also switch to PCC version 7 after switching to Profit 7. The procedure will depend on your Profit version:

  • Do you use Profit 6 and have you switched to the new sign-on method? You must download and install the PCC version 7. Next, download the settings and again link the environment.
  • Do you use Profit 7 and have you switched to the new sign-on method? Update the PCC to Profit 7.

More information:

Directly to

  1. Configuration with regard to the new sign-on
  2. System requirements
  3. Before, during and after the change to two-factor authentication
  4. Before, during and after the change to single sign-on
  5. Citrix Receiver Frequently Asked Questions

Process

Signing on

Work area

app