Configuring how to log into OutSite with your own identity provider (single sign-on)

If the users are logged into the domain, they can log into OutSite sites via single sign-on.

There are two ways to sign on.

  • Through an identity provider based on the OpenID Connect protocol, such as Azure or Google.
  • Via the user's own "Secure Token Service" (STS).

    Please note:

    This login method is only suitable for organisations with extensive knowledge of configuring single sign-on. You are responsible for a correct configuration. AFAS Support cannot provide support for this.

Import OAuth ID and OAuth account per user

You define the OAuth ID and OAuth account per user through an import. You can automate this process with an automatic batch job/task via AFAS Remote or the KnUser UpdateConnector. The import is described below.

You must carry out this import first; otherwise, users can no longer log in after migrating to single sign-on!

Please note:

The OutSite user is not linked via the UPN field on the General tab of the user's properties in Profit. This field is intended for InSite and Profit Windows users in combination with single sign-on.

For OutSite, the user is linked through the value you import per user in the OAuth ID field.

This value must therefore be exactly equal to the value of the 'claim' that AFAS Online receives from the identity provider when the user authenticates to log into OutSite.

To link the user in the identity provider to an OutSite user so that the user can log in via single sign-on, you import two values per user. To do so, you use an entry import on the user.

  1. Go to: General / Management / Import / User / User entry.

    Import the User, OAuth ID and OAuth account fields.

    Please note:

    It may occur that users to be imported also log in via single sign-on in Profit and/or InSite. In that case, a value is present in the UPN field on the user's General tab. When this is the case, also import the value for the UPN field for this user.

    If you do not do this, the value of this field is cleared for the user during the import and the user can no longer log into Profit/InSite via single sign-on.

  2. The result of the import is that the OAuth account is shown as linked in the user's properties on the OutSite tab:

Determine the login method

You decide on each OutSite whether users log in using their usernames/passwords or single sign-on. A combination of both methods for one site is not possible: you must make a choice.

Configuring single sign-on:

  1. Go to: General / In & OutSite / Site.
  2. Open the OutSite, Login tab.
  3. Select Own identity provider at Method.
  4. Copy the Redirect URI to the clipboard: you need it at the next step.
  5. Leave the screen open and continue with one of the following options.
    • Option 1: Configure OpenID Connect
    • Option 2: Configure your own Secure Token Service

Option 1: Configuring OpenID Connect (for example Azure or Google)

Configuring the identity provider:

First, configure the identity provider. Create a client secret and client ID and add the redirect URI for OutSite within the identity provider. For further details, see the general description of the configuration.

Configuring OpenID Connect:

  1. Go back to Profit; the screen with the OutSite settings is still open.
  2. Go to the tab: Logging in.
  3. Select Using the OpenID Connect protocol.
  4. Enter values for the fields.

It is important that this value is also defined as 'upn' within the identity provider. In the example, when the import was carried out for user 31399.cursist, the value cursist@afassupport.onmicrosoft.com was imported into the OAuth ID field, so that is the value the 'upn' claim must carry.
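The following script is an added example, not AFAS code, that models the user import described above and the rule that the OAuth ID must equal the claim the identity provider sends. It assumes (not from the page) that import rows are dicts with the keys "User", "OAuthID", "OAuthAccount" and optionally "UPN", that the claim arrives as the "upn" claim of a decoded ID-token payload, and that the OAuth account value and the user jdoe are constructed sample data.

```python
# Added example (not AFAS code): pre-migration checks for an OutSite SSO user import.
# Assumptions: rows have keys User/OAuthID/OAuthAccount and optionally UPN; the
# identity provider's claim is the "upn" claim of a decoded ID-token payload.
from typing import Optional


def check_import_rows(rows: list[dict], current_upn: dict[str, str]) -> list[str]:
    """Return warnings for rows that would break a login after the import.

    current_upn maps user -> UPN currently stored on the user's General tab.
    An entry import that omits UPN clears it, so such users lose Profit/InSite SSO.
    """
    warnings = []
    for row in rows:
        user = row["User"]
        if not row.get("OAuthID"):
            warnings.append(f"{user}: empty OAuth ID, OutSite SSO login will fail")
        if current_upn.get(user) and not row.get("UPN"):
            warnings.append(f"{user}: UPN not in import, Profit/InSite SSO will be lost")
    return warnings


def match_claim_to_user(claims: dict, rows: list[dict]) -> Optional[str]:
    """Return the OutSite user whose OAuth ID equals the 'upn' claim exactly, else None."""
    upn = claims.get("upn")
    for row in rows:
        if row.get("OAuthID") == upn:
            return row["User"]
    return None


def near_misses(claims: dict, rows: list[dict]) -> list[str]:
    """Users whose OAuth ID matches the claim only if case and whitespace are ignored."""
    upn = (claims.get("upn") or "").strip().lower()
    return [r["User"] for r in rows
            if r.get("OAuthID", "").strip().lower() == upn
            and r.get("OAuthID") != claims.get("upn")]


# Constructed sample import; 31399.cursist and its OAuth ID are the page's own example,
# "example-idp" and user jdoe are constructed placeholders.
IMPORT_ROWS = [
    {"User": "31399.cursist", "OAuthID": "cursist@afassupport.onmicrosoft.com",
     "OAuthAccount": "example-idp"},
    {"User": "jdoe", "OAuthID": " JDoe@Example.com", "OAuthAccount": "example-idp"},
]
CURRENT_UPN = {"jdoe": "jdoe@example.com"}  # jdoe already uses SSO in Profit/InSite

if __name__ == "__main__":
    for w in check_import_rows(IMPORT_ROWS, CURRENT_UPN):
        print("WARNING:", w)
    for claims in ({"upn": "cursist@afassupport.onmicrosoft.com"}, {"upn": "jdoe@example.com"}):
        user = match_claim_to_user(claims, IMPORT_ROWS)
        print(claims["upn"], "->", user or f"no match, near misses: {near_misses(claims, IMPORT_ROWS)}")
```

Run it before switching the site to single sign-on: any warning or near miss is a user who will be locked out or silently lose Profit/InSite SSO.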

Option 2: Configure your own Secure Token Service (based on OAuth 2.0)

You define the details of the STS in the properties of the site. You perform this procedure for each site on which users can log in through an identity provider.

For authentication, we use your own 'Secure Token Service' (STS). You set up the STS and set up the required OutSite sites in Profit.

Communication and authentication with the STS:

The diagram below shows the communication and authentication with the STS.

[Figure: communication and authentication flow with the STS (Visio diagram "Ins_Auth inloggen eigen IP (Beschr)")]

Linking your own STS to the site (From Profit 18):

  1. Go back to Profit; the screen with the OutSite settings is still open.
  2. Go to the tab: Logging in.
  3. Do not select Use OpenID Connect protocol.
  4. Enter values for the fields.