System requirements for the new sign-on method

Study the system requirements. The system requirements apply to both two-factor authentication and single sign-on unless specified otherwise.

Note:

As of 15 December 2021, TLS1.3 will be supported for connection to Profit Windows (incoming traffic only). The support of TLS1.2 will be limited because some old ciphers will no longer be supported as of 15 December 2021. Support is expanded to include other ciphers.

Contents

Computer/workstation user

Component	Explanation
Control system	Windows Server 2019 Windows Server 2016 Windows Server 2012 Windows Server 2012 R2 Windows 11 Windows 10 Windows 8.1 Windows 8 Apple Mac OS X 10.11 (El Capitan) or higher Also see: Which Windows operating system do I use (Microsoft website)? Which MacOS operating system do I use (Apple website)? Platform and product support
Browsers	Microsoft Edge Google Chrome Safari (Apple Mac) Mozilla Firefox If you use Chrome, Safari or FireFox, you must configure the browser in such a way that this is automatically updated to the last version. You must add the URLs below to the Trusted Sites. If you do not, the 'The current website is trying to open a site in your Trusted sites list' message may be displayed. This is how you open the Trusted Sites. Start Internet Explorer. Go to: Internet options. Go to the tab: Security. Click on: Trusted sites. Click on: Sites. https://.afasonline.com https://.afas.online https://*.afasinsite.nl Also see: Which browser do I use (What browser website)?
Citrix Receiver	Citrix Receiver for Windows LTSR Citrix Workspace (latest version) Citrix Receiver for Mac See also: Frequently asked questions about Citrix Receiver
TLS	TLS 1.2 must have been enabled. TLS (Transport Layer Security) is an encryption protocol for the authentication and security of data that are sent through the Internet. [As from December 15, 2021] TLS1.3 or TLS1.2 should be enabled. You can test whether your computer/workstation works for outgoing traffic to AFAS Online by opening the login.afasonline.com site. This site requires TLS1.2.
PCC	Use the last version released by AFAS. The PCC is not supported on Apple Mac. (the PCC is not supported by Apple Mac) See the explanation at 2-factor authentication or single sign-on.

We use certificates from QuoVadis/WiseKey.

Network and data traffic

Component	Explanation
IP range	185.46.182.0/24 (therefore 185.46.182.0 to 185.46.182.255)
Outgoing traffic	Outgoing traffic clients by means of port 443 (HTTPS). Usually, you do not have to open anything for this unless you work with a whitelist on the firewall or with a proxy. We support TLS1.0, TLS1.1 and TLS1.2 where possible for outgoing traffic. Outgoing traffic operates on the basis of whitelisting. AFAS Online will prepare as best as possible all outgoing communication from your environment. A personal communication profile will, in a very few cases, not work immediately. If this is the case, submit an incident to have the address released.
Incoming traffic	TLS1.2. [As from TLS December 15, 2021] TLS1.3 The supporting cipher suites differ per endpoint. When possible, we use an ECC certificate. Initially, there is still an RSA certificate on Citrix and support for the ECC certificate will follow later. You will find more information for each endpoint in the summary with IP addresses, URLs and ciphers in the ‘TLS Ciphers’ column. The used ciphers can be found here too: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

Certificates originate from QuoVadis/WiseKey.

Other

Users can sign on via AFAS Pocket with regard to two-factor authorisation (on supported iPhones or Android devices). The first step is to sign on using a username + password and the second step is to confirm via AFAS Pocket on the user's smartphone. If you only use AFAS Pocket for this authentication, you do not need to configure (the app connector of) Pocket.
A user can link AFAS Pocket for two-factor authorisation to multiple AFAS Online accounts.

Note:

AFAS Pocket offers a lot more functionality and especially with regard to Employee Self Service. If you use this solution, you must, however, execute the configuration in Profit. In this situation, AFAS Pocket is linked to one specific environment for the full use of the Pocket functionality and to one or more AFAS Online accounts for two-factor authorisation.
With two-factor authentication, you can also log in via a supported authenticator app (instead of AFAS Pocket).
Preventing the jacking of parts of your own InSite/OutSite on an external site (anti-click jacking) is on by default. If this needs to be disabled, please submit an incident ticket. As from Profit 19, you manage this yourself in the site properties. You can, however, include a linked to an InSite/OutSite page on an external site.
You can continue to show an external page on your own site with an integration page.
If you carry out an analysis from AFAS Online, you cannot call web services through the analyses. This is, however, possible if you carry out an analysis through the command line of the PCC.

IP addresses, URLs and ciphers

This information is intended for organisations that use a whitelist on the firewall or a proxy.

Note:

As of 15 December 2021, the following ciphers are supported:

TLS1.3-AES256-GCM-SHA384 0x13,0x02
TLS1.3-CHACHA20-POLY1305-SHA256 0x13,0x03
TLS1.3-AES128-GCM-SHA256 0x13,0x01
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 0xC0,0x30
TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 0xCC,0xA8
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 0xC0,0x2F

The following ciphers will NOT be supported from 15 December 2021:

TLS1.2-ECDHE-ECDSA256-GCM-SHA384 0xC0,0x2C
TLS1.2-ECDHE-ECDSA128-GCM-SHA256 0xC0,0x2B
TLS1.2-ECDHE-RSA-AES-256-SHA384 0xC0,0x28
TLS1.2-ECDHE-RSA-AES-128-SHA256 0xC0,0x27

You can check through Citrix Workspace whether you have the correct ciphers.

PCC

Applications	Explanation	Host name	Public IP	Ports	TLS version	TLS Ciphers [1]	Certificate
InSite, PCC	PCC Notification hub. This must be available to all users who use the PCC.	pc**.notificationhub.afas.online	185.46.182.28	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	SOAP API for production environments. This must be available for all connections/connectors and PCC users.	[participant].soap.afas.online	185.46.182.140 thru 185.46.182.179.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	SOAP API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments.	[participant].soaptest.afas.online	185.46.182.180 thru 185.46.182.199.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	SOAP API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments.	[participant].soapaccept.afas.online	185.46.182.44 185.46.182.45 185.46.182.46 185.46.182.47	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	REST API for production environments. This must be available for all connections/connectors and PCC users.	[participant].rest.afas.online	185.46.182.140 thru 185.46.182.179.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	REST API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments.	[participant].resttest.afas.online	185.46.182.180 thru 185.46.182.199.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	REST API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments.	[participant].restaccept.afas.online	185.46.182.44	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite	InSite. Must be available to all InSite users.	[participant].afasinsite.nl	185.46.182.60	80 (redirect), 443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite	InSite test sites. Must be available to all InSite users who must be able to sign on to InSite sites of test environments.	[participant].insitetest.afas.online	185.46.182.90	80 (redirect), 443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite	InSite accept sites. Must be available to all InSite users who must be able to sign on to InSite sites of accept environments.	[participant].insiteaccept.afas.online	185.46.182.95	80 (redirect), 443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC

Sing-on portal (InSite + Profit)

Applications	Explanation	Host name	Public IP	Ports	TLS version	TLS Ciphers [1]	Certificate
InSite, Profit	Multifactor authentication. Your device will make a connection with this address from AFAS Pocket to approve/reject the authentication.	auth.afasonline.com	185.46.182.10	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite, Profit	Login Portal. All users sign on here through the browser.	login.afasonline.com	185.46.182.11	80 (redirect), 443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite, Profit	Secure Token Service. This must be available to all users. If using federation (SSO), this address must also be accessible for the federation server (for example, ADFS) on site. Outgoing oAuth/OpenID Connect connections may not occur from this IP address.	sts.afasonline.com	185.46.182.12	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite, Profit	Identity Provider. This must be available to all users to ensure they can sign on to the portal.	idp.afasonline.com	185.46.182.13	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Profit Windows	Citrix Netscaler. The Citrix Client makes a connection using this address (portal.afasonline.com - CNAME: portal.gslb.afasonline.com). Must be available for Profit Windows users.	portal.afasonline.com	185.46.182.121	443	1.3 (As from 15 December 2021)	[0x13,0x02], [0x13,0x03], [0x13,0x01]	QuoVadis RSA
Profit Windows		portal.afasonline.com	185.46.182.121	443	1.2	[0xC0,0x30],[0xC0,0x2F] [0xCC,0xA8] (As from 15 December 2021) [0xC0,0x27],[0xC0,0x28] (Not supported as from 15 December 2021)	QuoVadis RSA
Profit Windows	Citrix Netscaler. The Citrix Client makes a connection using this address (portal.afasonline.com - CNAME: portal.gslb.afasonline.com). Must be available for Profit Windows users.	portal.afasonline.com	185.46.182.122	443	1.3 (As from 15 December	[0x13,0x02], [0x13,0x03], [0x13,0x01]	QuoVadis RSA
Profit Windows		portal.afasonline.com	185.46.182.122	443	1.2	[0xC0,0x30],[0xC0,0x2F] [0xCC,0xA8] (vanaf 15-12-2021) [0xC0,0x27],[0xC0,0x28] (Not supported as from 15 December 2021)	QuoVadis RSA
Bank link	Bank Integration Portal. Required to change banking links. Redirect from the bank website.	bis.afas.online	185.46.182.37	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC

Additional for InSite

Applications	Explanation	Host name	Public IP	Ports	TLS version	TLS Ciphers [1]	Certificate
InSite	InSite. Must be available to all InSite users.	[participant].afasinsite.nl	185.46.182.60	80 (redirect), 443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite	InSite test sites. Must be available to all InSite users who must be able to sign on to InSite sites of test environments.	[participant].insitetest.afas.online	185.46.182.90	80 (redirect), 443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite	InSite accept sites. Must be available to all InSite users who must be able to sign on to InSite sites of accept environments.	[participant].insiteaccept.afas.online	185.46.182.95	80 (redirect), 443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite	Profit BI Dashboards. This must be available to every InSite user who wants to view Dashboards.	pc**.bi.afas.online	185.46.182.35	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
InSite	Analytics for AFAS InSite. This must be available to every InSite user for diagnostic purposes.	statistics.afas.online	185.46.182.26	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC

Connectors

Applications	Explanation	Host name	Public IP	Ports	TLS version	TLS Ciphers [1]	Certificate
Connector, PCC	SOAP API for production environments. This must be available for all connections/connectors and PCC users.	[participant].soap.afas.online	185.46.182.140 thru 185.46.182.179.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	SOAP API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments.	[participant].soaptest.afas.online	185.46.182.180 thru 185.46.182.199.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	SOAP API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments.	[participant].soapaccept.afas.online	185.46.182.44 185.46.182.45 185.46.182.46 185.46.182.47	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	REST API for production environments. This must be available for all connections/connectors and PCC users.	[participant].rest.afas.online	185.46.182.140 thru 185.46.182.179.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	REST API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments.	[participant].resttest.afas.online	185.46.182.180 thru 185.46.182.199.	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC
Connector, PCC	REST API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments.	[participant].restaccept.afas.online	185.46.182.44	443	1.2	[0xC0,0x2B],[0xC0,0x2C]	QuoVadis ECC

Applications	Explanation	Host name	Public IP	Ports	TLS version	TLS Ciphers [1]	Certificate
Variable	Default outgoing AFAS Online IP address. Any communication profiles and/or connections to your personal email servers come from this address.	proxy.afas.online	185.46.182.1	Variable	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mail.afas.online	185.46.182.200	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta1.afas.online	185.46.182.201	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta2.afas.online	185.46.182.202	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta3.afas.online	185.46.182.203	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta4.afas.online	185.46.182.204	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta5.afas.online	185.46.182.205	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta6.afas.online	185.46.182.206	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta7.afas.online	185.46.182.207	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta8.afas.online	185.46.182.208	25	1.0, 1.1, 1.2	Variable	N/A
Variable	Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online	mta9.afas.online	185.46.182.209	25	1.0, 1.1, 1.2	Variable	N/A

Directly to