System requirements for the new sign-on method
Study the system requirements. The system requirements apply to both two-factor authentication and single sign-on unless specified otherwise.
Note:
As of 15 December 2021, TLS1.3 will be supported for connection to Profit Windows (incoming traffic only). The support of TLS1.2 will be limited because some old ciphers will no longer be supported as of 15 December 2021. Support is expanded to include other ciphers.
Computer/workstation user
Component |
Explanation |
---|---|
Control system |
|
Browsers |
If you use Chrome, Safari or Firefox, you must configure the browser so that it is automatically updated to the latest version. You must add the URLs below to the Trusted Sites. If you do not, the message 'The current website is trying to open a site in your Trusted sites list' may be displayed. This is how you open the
Also see: |
Citrix Receiver |
|
TLS |
|
PCC |
|
We use certificates from QuoVadis/WiseKey.
Network and data traffic
Component |
Explanation |
---|---|
IP range |
|
Outgoing traffic |
|
Incoming traffic |
|
Certificates originate from QuoVadis/WiseKey.
See also:
- Profit Connectors linked to the new sign-on method
Other
- Users can sign on via AFAS Pocket with regard to two-factor authorisation (on supported iPhones or Android devices). The first step is to sign on using a username + password and the second step is to confirm via AFAS Pocket on the user's smartphone. If you only use AFAS Pocket for this authentication, you do not need to configure (the app connector of) Pocket.
A user can link AFAS Pocket for two-factor authorisation to multiple AFAS Online accounts.
Note:
AFAS Pocket offers a lot more functionality, especially with regard to Employee Self Service. If you use this solution, however, you must carry out the configuration in Profit. In this situation, AFAS Pocket is linked to one specific environment for the full use of the Pocket functionality and to one or more AFAS Online accounts for two-factor authorisation.
- With two-factor authentication, you can also log in via a supported authenticator app (instead of AFAS Pocket).
- Protection against framing parts of your own InSite/OutSite on an external site (anti-clickjacking) is on by default. If this needs to be disabled, please submit an incident ticket. As from Profit 19, you manage this yourself in the site properties. You can, however, include a link to an InSite/OutSite page on an external site.
You can continue to show an external page on your own site with an integration page.
- If you carry out an analysis from AFAS Online, you cannot call web services through the analyses. This is, however, possible if you carry out an analysis through the command line of the PCC.
IP addresses, URLs and ciphers
This information is intended for organisations that use a whitelist on the firewall or a proxy.
As of 15 December 2021, the following ciphers are supported:
- TLS1.3-AES256-GCM-SHA384 0x13,0x02
- TLS1.3-CHACHA20-POLY1305-SHA256 0x13,0x03
- TLS1.3-AES128-GCM-SHA256 0x13,0x01
- TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 0xC0,0x30
- TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 0xCC,0xA8
- TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 0xC0,0x2F
The following ciphers will NOT be supported from 15 December 2021:
- TLS1.2-ECDHE-ECDSA256-GCM-SHA384 0xC0,0x2C
- TLS1.2-ECDHE-ECDSA128-GCM-SHA256 0xC0,0x2B
- TLS1.2-ECDHE-RSA-AES-256-SHA384 0xC0,0x28
- TLS1.2-ECDHE-RSA-AES-128-SHA256 0xC0,0x27
You can check through Citrix Workspace whether you have the correct ciphers.
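To compare a client's cipher offer against the two lists above before the cut-over, the following added example (not AFAS code; the function names are assumptions made for illustration) classifies an offer as usable, relying only on retired ciphers, or having no overlap. It also reads the ciphers enabled in the local Python/OpenSSL build, which is only an approximation of what Citrix Workspace itself offers.

```python
import ssl

# Codes copied from the two lists above (Profit Windows, as of 15 December 2021).
SUPPORTED = {
    0x1302: "TLS1.3-AES256-GCM-SHA384",
    0x1303: "TLS1.3-CHACHA20-POLY1305-SHA256",
    0x1301: "TLS1.3-AES128-GCM-SHA256",
    0xC030: "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    0xCCA8: "TLS1.2-ECDHE-RSA-CHACHA20-POLY1305",
    0xC02F: "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
}
RETIRED = {
    0xC02C: "TLS1.2-ECDHE-ECDSA256-GCM-SHA384",
    0xC02B: "TLS1.2-ECDHE-ECDSA128-GCM-SHA256",
    0xC028: "TLS1.2-ECDHE-RSA-AES-256-SHA384",
    0xC027: "TLS1.2-ECDHE-RSA-AES-128-SHA256",
}

def parse_code(text):
    """Turn the page's notation, e.g. '[0xC0,0x30]', into the 16-bit code 0xC030."""
    hi, lo = (int(part, 16) for part in text.strip("[] ").split(","))
    return (hi << 8) | lo

def assess(offered):
    """Classify a client's offered cipher codes (in preference order).

    Returns (verdict, usable, retired): 'ok' if at least one supported cipher
    is offered, 'retired-only' if the client depends on ciphers from the
    not-supported list, 'no-overlap' otherwise.
    """
    usable = [c for c in offered if c in SUPPORTED]
    retired = [c for c in offered if c in RETIRED]
    verdict = "ok" if usable else ("retired-only" if retired else "no-overlap")
    return verdict, usable, retired

def local_openssl_codes():
    """16-bit codes of the ciphers enabled in this Python's OpenSSL build."""
    ctx = ssl.create_default_context()
    # OpenSSL reports ids such as 0x0300C030; the low 16 bits are the TLS code.
    return [c["id"] & 0xFFFF for c in ctx.get_ciphers()]

if __name__ == "__main__":
    # Constructed sample: a legacy client that offers only CBC-mode suites.
    legacy = [parse_code(c) for c in ("0xC0,0x28", "0xC0,0x27")]
    print("legacy client:", assess(legacy))
    verdict, usable, _ = assess(local_openssl_codes())
    print("this machine:", verdict, [SUPPORTED[c] for c in usable])
```

A `retired-only` verdict identifies a client that connects today but will fail after the change; `no-overlap` identifies one that needs a cipher configuration review regardless.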
PCC
Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
---|---|---|---|---|---|---|---|
InSite, PCC | PCC Notification hub. This must be available to all users who use the PCC. | pc**.notificationhub.afas.online | 185.46.182.28 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | SOAP API for production environments. This must be available for all connections/connectors and PCC users. | [participant].soap.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | SOAP API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].soaptest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | SOAP API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].soapaccept.afas.online | 185.46.182.44, 185.46.182.45, 185.46.182.46, 185.46.182.47 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | REST API for production environments. This must be available for all connections/connectors and PCC users. | [participant].rest.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | REST API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].resttest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | REST API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].restaccept.afas.online | 185.46.182.44 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite | InSite. Must be available to all InSite users. | [participant].afasinsite.nl | 185.46.182.60 | 80 (redirect), 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite | InSite test sites. Must be available to all InSite users who must be able to sign on to InSite sites of test environments. | [participant].insitetest.afas.online | 185.46.182.90 | 80 (redirect), 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite | InSite accept sites. Must be available to all InSite users who must be able to sign on to InSite sites of accept environments. | [participant].insiteaccept.afas.online | 185.46.182.95 | 80 (redirect), 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Sign-on portal (InSite + Profit)
Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
---|---|---|---|---|---|---|---|
InSite, Profit | Multifactor authentication. Your device will make a connection with this address from AFAS Pocket to approve/reject the authentication. | auth.afasonline.com | 185.46.182.10 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite, Profit | Login Portal. All users sign on here through the browser. | login.afasonline.com | 185.46.182.11 | 80 (redirect), 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite, Profit | Secure Token Service. This must be available to all users. If using federation (SSO), this address must also be accessible for the federation server (for example, ADFS) on site. Outgoing oAuth/OpenID Connect connections may not occur from this IP address. | sts.afasonline.com | 185.46.182.12 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite, Profit | Identity Provider. This must be available to all users to ensure they can sign on to the portal. | idp.afasonline.com | 185.46.182.13 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Profit Windows | Citrix Netscaler. The Citrix Client makes a connection using this address (portal.afasonline.com - CNAME: portal.gslb.afasonline.com). Must be available for Profit Windows users. | portal.afasonline.com | 185.46.182.121 | 443 | 1.3 (As from 15 December 2021) | [0x13,0x02], [0x13,0x03], [0x13,0x01] | QuoVadis RSA |
| | | | | 1.2 | [0xC0,0x30],[0xC0,0x2F]; [0xCC,0xA8] (As from 15 December 2021); [0xC0,0x27],[0xC0,0x28] (Not supported as from 15 December 2021) | |
Profit Windows | Citrix Netscaler. The Citrix Client makes a connection using this address (portal.afasonline.com - CNAME: portal.gslb.afasonline.com). Must be available for Profit Windows users. | portal.afasonline.com | 185.46.182.122 | 443 | 1.3 (As from 15 December | [0x13,0x02], [0x13,0x03], [0x13,0x01] | QuoVadis RSA |
| | | | | 1.2 | [0xC0,0x30],[0xC0,0x2F]; [0xCC,0xA8] (As from 15 December 2021); [0xC0,0x27],[0xC0,0x28] (Not supported as from 15 December 2021) | |
Bank link | Bank Integration Portal. Required to change banking links. Redirect from the bank website. | bis.afas.online | 185.46.182.37 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Additional for InSite
Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
---|---|---|---|---|---|---|---|
InSite | InSite. Must be available to all InSite users. | [participant].afasinsite.nl | 185.46.182.60 | 80 (redirect), 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite | InSite test sites. Must be available to all InSite users who must be able to sign on to InSite sites of test environments. | [participant].insitetest.afas.online | 185.46.182.90 | 80 (redirect), 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite | InSite accept sites. Must be available to all InSite users who must be able to sign on to InSite sites of accept environments. | [participant].insiteaccept.afas.online | 185.46.182.95 | 80 (redirect), 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite | Profit BI Dashboards. This must be available to every InSite user who wants to view Dashboards. | pc**.bi.afas.online | 185.46.182.35 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
InSite | Analytics for AFAS InSite. This must be available to every InSite user for diagnostic purposes. | statistics.afas.online | 185.46.182.26 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connectors
Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
---|---|---|---|---|---|---|---|
Connector, PCC | SOAP API for production environments. This must be available for all connections/connectors and PCC users. | [participant].soap.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | SOAP API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].soaptest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | SOAP API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].soapaccept.afas.online | 185.46.182.44, 185.46.182.45, 185.46.182.46, 185.46.182.47 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | REST API for production environments. This must be available for all connections/connectors and PCC users. | [participant].rest.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | REST API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].resttest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Connector, PCC | REST API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].restaccept.afas.online | 185.46.182.44 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x2C] | QuoVadis ECC |
Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
---|---|---|---|---|---|---|---|
Variable | Default outgoing AFAS Online IP address. Any communication profiles and/or connections to your personal email servers come from this address. | proxy.afas.online | 185.46.182.1 | Variable | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mail.afas.online | 185.46.182.200 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta1.afas.online | 185.46.182.201 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta2.afas.online | 185.46.182.202 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta3.afas.online | 185.46.182.203 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta4.afas.online | 185.46.182.204 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta5.afas.online | 185.46.182.205 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta6.afas.online | 185.46.182.206 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta7.afas.online | 185.46.182.207 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta8.afas.online | 185.46.182.208 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta9.afas.online | 185.46.182.209 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
Directly to |