Copy link

Configure single sign-on (SSO; the new signing on method)

You can use single sign-on through an identity provider with regard to AFAS Online. This means that the sign-on will not be processed by AFAS Online but by the identity provider. If single sign-on has not been configured, users will sign on using two-factor authentication.

You can determine through which method you will sign on for each InSite URL. This is why you can use single sign-on before the live InSite use while you use two-factor authorisation for the test InSite. For example: You use single sign-on on, but two-factor authorisation on

This page describes the steps such as when you want to use SSO for the first time when you switch to the new AFAS Online platform (therefore including, for example, rolling out the Citrix server). Even if you have already configured single sign-on on the old AFAS Online platform, you must reconfigure SSO. Follow the steps below.

If you want to configure SSO separately before switching to the new platform SSO, you can do this through this procedure. If, on the contrary, you have already switched to the new platform for a while and you want to start using SSO, follow this procedure.

This page contains the system requirements and preparations with regard to single sign-on. The steps for after the switch can be found for each identity provider.


If you configure single sign-on, users can sign on using both single sign-on and two-factor authorisation. The only way in which to prevent that users sign on using two-factor authorisation is by deleting the email address in the user settings. This, however, will mean that the user cannot sign on to OutSite and cannot use AFAS Pocket.

The following identity providers are supported:

  • Every party with OpenID Connect. For example:
    • Active Directory Federation Services (AD FS 4.0) - Windows Server 2016
    • Azure Active directory (on the basis of OpenID connect)
    • Office 365 on the basis of AzureAD
    • Okta
  • SURFconext
  • Active Directory 3.0 (AD FS) - Windows Server 2012 R2


System administrator's preparations

The system administrator must check and configure different issues because of the change to the Citrix platform. If you use an external party for system administration, contact this party in a timely manner. Ensure that you understand all issues before you get started.

  1. Check the system requirements with regard to the network/data traffic and users.
  2. Configure Profit Connectors. Additional system requirements apply to this. When you switch to the new sign-on method, the connectors must also be transferred.
  3. Check the Profit environment type. This will nearly always be correctly recorded, but check this to be certain.
    1. Open the environment.
    2. Go to General/Environment/Properties.
    3. Go to the tab: AFAS Online.
    4. Check whether the correct value has been selected: production environment (P), test environment (T) or accept environment (A).
  4. If you use your own mail server, make sure that your AFAS Online communication is not blocked. This component is maintained by your system administrator and AFAS cannot offer support for this.

    Whitelist the IP address that is used by AFAS Online for emailing: IP /

Change the outgoing AFAS Online mail server:

When you work on AFAS Online and you use the AFAS Online mail server, you must configure the Sender Policy Framework (SPF) records so that you authorise the AFAS Online mail server to email on behalf of your email address (domain). If you do not configure SPF record, outgoing emails will not be delivered correctly and they will be blocked.

How do I know that I am using the AFAS Online mail server?

Change the SPF records of the outgoing mail server. You can already do this before you switch.

You can easily check the outgoing SPF record:

  1. Go to:
  2. Enter the Domain name. This is the part after the @ in your email address.


    If your email address is,

    the Domain name will then be:

  3. If the SPF record has been configured correctly, you will see the following line:

  4. If you do not see this line, contact the system administrator in your own organisation. AFAS cannot change this for you.

Roll out Citrix Receiver

Citrix Receiver must be installed on all workstations on which Profit Windows is used. Profit Windows, after all, runs in a Citrix environment. Users start Profit Windows by means of Citrix Receiver.

You do not have to create an account when installing Citrix Receiver. If the Add account screen is displayed, you can close it.

Use these links to roll out Citrix Receiver:

Also see:

Configuring the identity provider (system administrator)

Below you will see a list of all supported identity providers. Make a choice and perform the steps.


Every party with OpenID Connect is supported. For example:

Active Directory Federation Services (AD FS 4.0) - Windows Server 2016

Azure Active directory (on the basis of OpenID connect)

Office 365 on the basis of AzureAD


Or carry out the steps for:


Active Directory 3.0 (AD FS) - Windows Server 2012 R2

When this has been completed, forward the data that you collected to the Profit administrator.

Recording the Profit administrator for the portal

The Profit administrator must carry out specific actions on the AFAS Online Portal as the portal administrator with regard to single sign-on. This is why you configure the Profit administrator as the portal administrator.

  1. Go to: General / Management / Authorisation tool.
  2. Open the properties of the Profit administrator.
  3. Enter the administrator's email address in the E-mail field.

    2FA - Beheer - Overstappen (proc -mail gebruiker) - e0mail

  4. Go to the Applications tab.

    2FA - Beheer - Overstappen (proc -mail gebruiker) - e0mail

  5. Select the AFAS Online Portal Administrator check box.


    This field will only work after switching to the new sign-on method. If the field is selected, you will have access to the Management tab on the AFAS Online Portal. If you have not yet switched, you will not have access to the Management tab.

  6. If you have an AFAS Accept licence, the AFAS Accept field will be available. If a user may have access to the Accept environment, select the AFAS Accept field for this user.
  7. Click on: OK.

Recording the sign-on method for each application in the portal (Profit administrator)

If you have the data of your identity provider (received from your system administrator), you can add this data in the AFAS portal yourself.

Next, select the identity provider (your own for single sign-on or the AFAS one for 2-factor authentication) for each application at AFAS Online.

Step 1. Enter the data of your own SSO Identity provider

  1. Go to:
  2. Sign on as the administrator using two-factor authorisation.
    • Is this the first time that you are signing on? Follow this procedure.
    • Have you signed on as the administrator before? Follow this procedure.


    Do not sign on through single sign-on because then you will have insufficient rights.

  3. Go to tab: Management.

  4. Click: Identity provider.

  5. Select which identity provider you want to add in Type.
  6. Depending on your choice in Type, you may need to provide values for other fields.

    OpenID Connect in relation to the identity providers AD FS 4.0, Okta, Azure AD, etc.

    ADFS 3.0


  7. Click: Save.

Step 2. Configure for each application which identity provider you want to use

Determine for each application which identity provider you want to use.


Users will continue to sign on by means of two-factor authentication until you have set down a UPN for each user.

  1. Go to and sign on as the administrator if this is not yet the case.
  2. Go to: Management/Single sign-on.

    AOL_SSO Self-service AOL portal instellen - ADFS (20)

    You will here see which applications there are for you in AFAS Online.

  3. Select the Identity provider for each application that you want to use: your own single sign-on identity provider or the standard AFAS Identity Provider (if you want to use two-factor authorisation).
  4. Click: Save.

Enter the UPN for each user and test sign-on (Profit administrator)

We recommend first testing single sign-on using one test user.

If you already used SSO before, the UPN will already have been entered at users. Then, only follow step 2.

Step 1: Enter the UPN at one user

Step 2: Test the sign-on method using one user

Step 3: Enter the UPN at all users

After the change

At least version PCC version 7 or higher must have been installed for users that use the PCC.

Install PCC version 7

If you use the PCC, you must also switch to PCC version 7 after switching to Profit 7.

To achieve this, update the PCC to the latest version.

The latest version of the PCC will convert your PCC settings to the new connector addresses (endpoints) in order to prepare for the new AFAS Online platform. The following is relevant to your system administrator:

Your computer must support TLS 1.2 for the new address. Click here for more information. If you block by default all traffic and you allow all exceptions through your firewall? Ensure that the you whitelist thePCC addresses.

Directly to

  1. Configuration with regard to the new sign-on
  2. System requirements
  3. Before, during and after the change to two-factor authentication
  4. Before, during and after the change to single sign-on
  5. Citrix Receiver Frequently Asked Questions


Signing on

Work area