Configure single sign-on (SSO; the new sign-on method)
You can use single sign-on through an identity provider for AFAS Online. This means that the sign-on is not processed by AFAS Online but by the identity provider. If single sign-on has not been configured, users sign on using two-factor authentication.
On 20 December 2019 the setting Inloggen via AFAS Identity Provider toestaan (Allow logging on using AFAS Identity Provider) was added. For existing identity providers this setting is not used and everything keeps working as it did. When you configure a new identity provider, you must make a choice for this setting.
Log on using AFAS Identity provider is empty:
For each InSite URL you determine the logon method: single sign-on or two-factor authentication.
You can always log on to Profit Windows using two-factor authentication (provided the email address of the user has been entered).
The co-operation user (of the accountant) always logs on using two-factor authentication, not through single sign-on.
Log on using AFAS Identity provider has a value:
You configure your own identity provider, so users log on to InSite and Profit Windows using single sign-on. In the identity provider setting you also determine whether or not users are allowed to log on using two-factor authentication.
For example: a user has logged on using his AFAS Online account (so using two-factor authentication). Then the user starts Profit Windows or InSite of a customer. Is the user allowed to continue, or should he log on to the SSO provider of the customer?
AFAS supports various identity providers, but you must select one particular identity provider. If you want to migrate to another identity provider, do so at a time when no or few people are using it. Record your old data before entering the new data.
Attention:
AFAS Support doesn't support the configuration of single sign-on. Your organisation itself is responsible for the security of the logon method and the protection of your data. You manage and maintain the SSO solution yourself.
AFAS, for example, has no insight into or influence on whether two-factor authentication is used with a single sign-on login method chosen by the customer. However, two-factor authentication is often required by law for privacy-sensitive data. The provider or administrator of the login method (for example, the IT department that manages your organisation's ADFS and Active Directory) can set the security options.
System administrator's preparations
The system administrator checks the system requirements with regard to the network/data traffic and users. If you use a third party to manage your systems, contact this party well in advance.
Recording the Profit administrator for the portal
The Profit administrator must carry out specific actions on the AFAS Online Portal as the portal administrator with regard to single sign-on. This is why you configure the Profit administrator as the portal administrator.
- Go to: General / Management / Authorisation tool.
- Open the properties of the Profit administrator.
- Enter the administrator's email address in the E-mail field.
- Go to the Applications tab.
- Select the AFAS Online Portal Administrator check box.
- If you have an AFAS Accept licence, the AFAS Accept field will be available. If a user may have access to the Accept environment, select the AFAS Accept field for this user.
- Click on: OK.
Configuring the identity provider (system administrator)
Below you will see a list of all supported identity providers. Make a choice and perform the steps.
Note:
If you want to use ADFS as a logon method, combined with (a kind of) multi-factor authentication, extra configuration in the ADFS environment is required. Please refer to this article from SCCT.
AFAS does not offer support on this. If you need more information, you may contact SCCT.
OpenID Connect
Every party with OpenID Connect is supported. For example:
Active Directory Federation Services (AD FS 4.0) - Windows Server 2016 and higher
Read the information below and, next, perform the steps.
Attention:
This is a generic description of the structure of this part; AFAS does not provide any support for this. This description is intended for system administrators who have sufficient knowledge of the design of this component. Due to changes at external parties, it is possible that certain parts have been changed without our knowledge.
Additional AD FS system requirements:
You must have Active Directory Federation Services 4.0 in Windows Server 2016.
Active Directory Federation Services 4.0 is available as a role. You must, however, activate this role. Refer to the relevant Microsoft documentation for more information.
What do you need on AFAS Online?
You must make a note of the following data during the configuration process. You will need this data later on to link AFAS Online to your AD FS.
- The URL of the AD FS that you configured (for the OpenID Connect configuration url field when linking the portal).
- Client identifier, for the Client id field in the portal
- Secret, for the Client secret field in the portal
Step 1: Configure the identity provider:
- Start the server with Windows Server 2016 on which you want to configure AD FS.
- Start Server Manager.
- Go to Tools/AD FS Management.
- Select AD FS / Application Groups.
- Click on Add Application Group (to the right).
- Enter a name for the new application group.
- Select Server application at Template.
- Click Next.
- Enter a name.
A unique code is shown at Client Identifier.
- Note this Client identifier. You will need it for the self service (Client ID).
- Enter https://sts.afasonline.com/signin-oidc at Redirect Uri and click on Add.
- Click Next.
- Enable Generate a shared secret.
- Note the value at Secret.
- Complete the wizard.
- Open the properties of the application group you've just added.
- Click on Add application.
- Select Web Api.
- Click on Next.
- At Identifier enter the value you entered above (or left in place) at Client Identifier.
- You can configure the Access Control Policy to your own liking. This policy's settings determine which users will have access to Profit.
- Click on Next.
- Make sure that the list 'Client application (caller)' contains the Server Application you created before.
- Turn on 'openid' at 'Permitted scopes' if it is not already enabled.
- Complete the wizard.
Step 2: Determine the endpoint's address:
- Retrieve the OpenID Connect configuration URL:
- Go to: AD FS / Service / Endpoints.
Here you'll see an ‘OpenID Connect’ group.
Note:
Make sure all endpoints in the 'OpenID Connect' group and the endpoint '/adfs/oauth2' are both enabled and externally available.
- The URL Path of the ‘OpenID Connect Discovery’ type combined with the AD FS server address forms the URL of the configuration file. You need this when making the link, so make a note of it.
For example: https://<ADFS-server>/adfs/.well-known/openid-configuration
Tip: Log on automatically using Chrome, Edge and Firefox
Users can log on automatically when they are already logged on to the domain, but by default this only works in Internet Explorer. In ADFS you can activate this for Chrome, Edge and Firefox. For more information, see Single Sign on with Chrome, Firefox and Edge with ADFS 3.0.
Instead of this, consider migrating to Azure AD. For more information, see Azure Active Directory Seamless Single Sign-On.
Azure Active directory (on the basis of OpenID connect)
Attention:
This is a general description of the configuration; AFAS doesn't offer support on this. The description is aimed at system engineers who have sufficient knowledge to configure this. Because of changes carried out by external parties, it may happen that certain aspects or data of this solution have been changed and this documentation is not up to date.
You must later forward the following data to the Profit administrator to activate single sign-on for Azure Active Directory:
- OpenID Connect configuration URL: this is the modified link to the Federation Metadata document
- Client ID: this is the Application ID that is created when creating an app in Azure.
- Client secret: this is the API Access Key.
Step 1: Configure the identity provider:
- Sign on to portal.azure.com.
- Search based on app registration and click App registrations.
- Create a new registration.
- Select the Web type at redirect URI and enter the following URL:
https://sts.afasonline.com/signin-oidc
- Register the application.
- Copy the Application (client) ID. This is the Client ID that you need to define later in the AFAS Online login portal.
- Go to: Verification.
- At the redirect URL, enter:
https://sts.afasonline.com/signin-oidc
- Click Save.
- Go to: Certificates and secrets.
- Click New client secret, give it a name and select 24 months at Expires. Don't forget to make an entry in your to-do list or diary to renew this secret before the 24 months are over.
- Click Add.
- Copy the new client secret and make a note of it.
This is the Client Secret that you need to define later in the AFAS Online login portal.
- Go to API authorisations and check whether the User.Read authorisation has been allocated. This is the default case:
If an authorisation has not been allocated, follow the following steps:
- Click Add an authorisation and, next, select the Microsoft Graph API.
- Select the Delegated authorisations authorisation type.
- Scroll down and select the User.Read authorisation under the User authorisation type.
- Click Add authorisation.
- Click Overview / End points.
- Make a note/copy the value at OpenID Connect document with metadata. This is the OpenID Connect configuration URL that you must later define in the AFAS Online login portal.
- Create a claim (often the link is made using 'UserPrincipalName'). To do so, enter an 'Optional claim' of the 'Id' type on the 'upn' field: click 'Token configuration' on the left and add the claim.
Linking to another claim than UPN
If you want to link to another claim and not UPN (part of the scope profile), create an optional claim by going to Token configuration.
Office 365 on the basis of AzureAD
Linking SSO based on Office 365 is very similar to linking SSO based on Azure AD. The user identity of an Office 365 user is, after all, recorded in an Azure Active Directory that is part of your subscription.
Procedure:
- Sign on through https://portal.office.com/adminportal on the Admin Centre of Office.com.
- You can also access this as follows if you have signed on to Office.com:
- You will see ‘Admin centres’ at the bottom on the right. Open this menu.
- Click ‘Azure AD/Azure Active Directory’.
- Carry out the steps of the SSO link using Azure AD based on OpenID Connect.
HelloID
Okta
You can create an application through the procedure below to sign on to AFAS Online with the Okta link.
To activate single sign-on for Okta you must later on record the following data in the AFAS Online Portal:
- ClientID
- ClientSecret
- OpenID Connect URL
- Claim based on which the UPN must be matched
Procedure:
- Okta will issue a URL, username and password.
- Create a new application.
- Click: Add application.
- Click on: Create new app.
- Select Web in Platform.
- Select OpenID Connect in Sign-on method.
- Provide a description for the application
- Enter the following in Login redirect URIs:
https://sts.afasonline.com/signin-oidc
- Click Add URI in Logout redirect URIs.
- Enter the following: https://sts.afasonline.com/signout-callback-oidc
The screen with the settings of the application will be displayed.
Here you will find the ClientID and Client secret fields (click Show to see the Client secret).
- Make a note of these fields.
- Click on: Sign on.
You will find the URL of the issuer, for example:
https://afas-test.okta.com
- This URL is the 'OpenID Connect meta data url' for the configuration on login.afasonline.com. Make a note of this.
UPN field:
The Profit administrator must be aware of what must be entered in Profit in the UPN field of users. Therefore, ensure that it is clear to the Profit administrator where the administrator can find or retrieve the information and which formatting is used within this context (for example, p.richards@enyoi.com instead of peter.richards@enyoi.local).
Secure Login
Use the following steps to create an SSO connection with the OpenID Connect protocol using SecureLogin as Identity Provider (IDP).
Attention:
By default, this option is not enabled in your environment. Please contact the SecureLogin Helpdesk via support@securelogin.nu.
To activate single sign-on for SecureLogin, you should later enter the following data on the AFAS Online Portal:
- AFAS Config URL
- AFAS Client ID
- AFAS Client Secret
- Scope
- Claim
Procedure SecureLogin Manager:
- Click on and select AFAS OpenID
- In the next window, enter the 5-digit environment code of the AFAS environment and click AFAS OpenID inschakelen (Enable AFAS OpenID).
- You will then see the following screen, with the values required for the AFAS Online Portal. Copy the values to the clipboard using the Kopiëren (Copy) button.
UPN
The UPN selected by the Profit administrator should match the user name used for logging on to SecureLogin. Use the Exporteer gebruikers als CSV (Export users as CSV) function to create an overview of the user names in SecureLogin.
SURFconext
Use this procedure if you want to use single sign-on through SURFconext. AFAS has a generic contract with SURFconext that is available to all AFAS customers.
SURFconext acts as the broker for the SURFconext link. You must be a customer of SURFconext and you will therefore also maintain the contacts with SURFconext.
An existing contract is used for single sign-on for AFAS Online via SURFconext, that is, between the server/identity provider of the customer and SURFconext AND between SURFconext and AFAS Online. The parties only need to agree and configure that the customer will be in contact with AFAS Online for single sign-on through SURFconext. After everything has been configured and arranged, AFAS Online will be available in the SURFconext dashboard.
More information:
Step 1: Configure the identity provider:
- The organisation has often already made a link between the identity provider and SURFconext. If this is not the case, read the SURFconext documentation.
Step 2: Link the instance of AFAS to SURFconext
- Contact support@surfconext.nl to gain access to the Service Provider Dashboard. Use this dashboard to link your instance to SURFconext. For more information, see https://wiki.surfnet.nl/display/surfconextdev/SP+Dashboard.
Step 3: Forwarding data to the Profit administrator
UPN field:
The Profit administrator must be aware of what must be entered in Profit in the UPN field of users. Therefore, ensure that it is clear to the Profit administrator where the administrator can find or retrieve the information and which formatting is used within this context (for example, p.richards@enyoi.com instead of peter.richards@enyoi.local).
For SURFconext the UPN fields in Profit must contain the 'Edu_person_principal_name' value. They are known at SURFconext. If you do not have them, contact SURFconext.
AD FS 3.0
Active Directory Federation Services 3.0 (AD FS) - Windows Server 2012 R2 (old)
You configure Active Directory Federation Services on a Windows Server.
Read the information below and, next, perform the steps.
Additional system requirements:
For ADFS 3.0 Server 2012 R2 is required. For later versions of Windows Server, use OpenID Connect!
The link is made based on OAuth 2.0.
Refer to the relevant Microsoft documentation for more information.
Configuration requirements:
You need the following data to activate SSO for Active Directory Federation Services:
- The URL of the AD FS that you configured.
Example: https://<ADFS-server>/FederationMetadata/2007-06/Federationmetadata.xml
- The AD FS server must be accessible externally (from outside the company network) via the following address:
- https://<ADFS-server>/FederationMetadata/2007-06/Federationmetadata.xml
- https://<ADFS-server>/adfs/oauth2/token
Note:
Only configure the link through Self-service on the portal when this address is accessible externally. If Federationmetadata.xml is not accessible externally, the link with AFAS cannot be achieved.
What do you need on AFAS Online?
You must make a note of the following data during the configuration process. You will need this data later on to link AFAS Online to your AD FS.
OpenID Connect configuration URL: the AD FS metadata URL
Client ID: the unique value that you provide yourself
Step 1: Create a new oAuth 2.0 client:
- Execute the following commands in PowerShell (with admin rights):
Add-AdfsClient -Name "AFAS Online" -ClientId "<my_client_id>" -RedirectUri "https://sts.afasonline.com/signin-oidc"
Add-ADFSRelyingPartyTrust -Name "AFAS Online Trust" -Identifier "https://sts.afasonline.com"
* Replace <my_client_id> with your own unique value, for example: 9CEDCF985C03436885E6F22E4D17236E
Step 2: Configuring the identity provider for Relying party trust:
- Open the ADFS Management tool on the Windows Server.
- Go to: AD FS/Service/Endpoints.
- Under the 'Metadata' label you will find the URL path for the OpenID Connect configuration URL field in the AFAS portal.
The URL path of the ‘OpenID Connect Discovery’ type in combination with the address of the AD FS server forms the URL of the configuration file that AFAS requires.
For example: https://<ADFS-server>/FederationMetadata/2007-06/Federationmetadata.xml
- Ensure that the above selected endpoints are enabled and available externally (!).
- Go to: AD FS/Trust Relationships/Relying Party Trusts.
- Select the just created Trust: AFAS Online Trust.
- Click the action: Edit Claim Rules… in the right menu.
- Go to the tab: 'Issuance Transform Rules'.
- Click on: 'Add rule'.
The 'Add Transform Claim Rule Wizard' window will be displayed.
- Select: 'Send LDAP Attributes as Claims'.
- Click on: 'Next'.
- Define the claim. This will define the data that will be sent back when authentication is successful in relation to AFAS Online.
- Enter a description in 'Claim rule name'. For example, UPN.
- Select 'Active directory' in 'Attribute store'.
- Select a value for 'LDAP attribute'.
You may choose any value for this field. The 'User-principal-name' value is recommended.
- Select 'UPN' in the list in 'Outgoing claim type'.
This will determine the value with which the UPN will be filled. This must be unique for every user to be authenticated. You must also link this value in Profit Windows for each user. We recommend using a simple or recognisable value such as the user code or the email address of the user.
- Click on: 'Finish'.
You have now created one rule. You create another one.
- Click the action: Add rule...
- Select a 'Claim rule template'. For example, Permit All Users so that all ADFS users can have access to AFAS Online. This is the simplest option. However, you are free to configure this as you see fit.
- Click Next.
- Click Finish.
Step 3: Administrator transfer
The Profit administrator must be aware of what must be entered in Profit in the UPN field of users. Therefore, ensure that it is clear to the Profit administrator where the administrator can find the information or retrieve it and which formatting is used within this context. (For example, p.jansen@klant.nl instead of piet.jansen@klant.local).
When this has been completed, forward the data that you collected to the Profit administrator.
Recording the sign-on method for each application in the portal (Profit administrator)
If you have the data of your identity provider (received from your system administrator), you can add this data in the AFAS portal yourself.
Next, select the identity provider (your own for single sign-on or the AFAS one for 2-factor authentication) for each application at AFAS Online.
Step 1. Enter the data of your own SSO Identity provider
- Go to: login.afasonline.com
- Sign on as the administrator using two-factor authentication.
- Is this the first time that you are signing on? Follow this procedure.
- Have you signed on as the administrator before? Follow this procedure.
Note:
When logging on, use the administrator's email address recorded in the Authorisation tool.
Do not sign on through single sign-on because then you will not see the Manage tab.
- Go to tab: Management / Identity provider.
- Select the type of identity provider.
- The fields required depend on the type of identity provider.
OpenID Connect for the following identity providers: AD FS 4.0, Okta, Azure AD, etc.
- Enter a clear Description. For example: My SSO.
- At OpenID Connect configuration URL, enter the external URL that can be used to approach the federator. You will have received this from your system administrator and the system administrator will have made a note of it when setting up the identity provider.
For example:
- If you work with Okta: use, for example, https://<klant-id>.okta.com
- If you work with Azure: use, for example, https://sts.windows.net/<azure-klant-id>/.well-known/openid-configuration
- If you work with AD FS: use, for example, https://<ADFS-server>/adfs/.well-known/openid-configuration
- Enter the client identifier in Client ID.
- Enter the shared secret in Client secret.
- Enter the Scopes. You use this, for example, if you want to link to Google and you need an email claim. You must then explicitly indicate that you want to have the email address of the user. You may also need to enter the scopes for other applications.
- If you work with Okta: enter profile.
- If you work with Azure AD and you link to the UPN of the user who is defined in Azure AD for this user: enter the profile value.
- If you work with Azure AD and you link to the email address of the user who is defined in Azure AD for this user: enter the email value.
- Enter the name of the claim (property) based on which the UPN field in Profit is linked.
- If you work with Okta: enter the preferred_username value.
- If you work with Azure AD in combination with the profile scope: enter the upn value.
- If you work with Azure AD in combination with the email scope: enter the email value.
- If you work with AD FS: enter upn.
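An added check (example code, not AFAS's or any identity provider's own) that reads a discovery document such as the one served at the OpenID Connect configuration URL above and verifies it advertises https endpoints, the 'openid' scope, and the Scopes and claim you enter in the portal; the two documents it runs on are constructed samples with a placeholder host, and fetch_discovery is only needed when you point it at your own server.

```python
"""Check an OpenID Connect discovery document against the settings the AFAS
Online portal asks for: configuration URL, Scopes and the claim the UPN field
in Profit is linked on. Added example, not AFAS code; the discovery documents
below are constructed samples in the shape AD FS publishes at
https://<ADFS-server>/adfs/.well-known/openid-configuration (placeholder host)."""
import json
import urllib.request

# Endpoints the AFAS portal has to reach; the procedure above requires them
# to be enabled and externally available.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed, healthy discovery document (adfs.example.test is a placeholder).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "upn", "email", "unique_name"],
})

# Constructed document with the defects the check is meant to catch: a token
# endpoint without TLS, no key endpoint and only the 'openid' scope.
BAD_DISCOVERY = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "http://adfs.example.test/adfs/oauth2/token/",
    "scopes_supported": ["openid"],
})


def fetch_discovery(config_url: str, timeout: float = 10.0) -> str:
    """Download the document from the configuration URL you will enter in the
    portal. Needs network access, so the demo below uses the samples instead."""
    with urllib.request.urlopen(config_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_discovery(document: str, scopes: str, claim: str) -> list:
    """Return a list of findings; an empty list means the identity provider
    advertises everything the portal settings rely on.

    scopes: the space-separated value entered at Scopes (e.g. "profile").
    claim:  the property the UPN field in Profit is linked on (e.g. "upn").
    """
    findings = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    # Issuer and endpoints must be present and served over https.
    for key in ("issuer",) + REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            findings.append(f"missing {key}")
        elif not value.startswith("https://"):
            findings.append(f"{key} is not https: {value}")

    # 'openid' must always be permitted; the configured scopes come on top.
    supported = set(doc.get("scopes_supported", []))
    wanted = set(scopes.split()) | {"openid"}
    for scope in sorted(wanted - supported):
        findings.append(f"scope not advertised by IdP: {scope}")

    # claims_supported is optional in the OIDC spec; only judge it when given.
    claims = doc.get("claims_supported")
    if claims is not None and claim not in claims:
        findings.append(f"claim not advertised by IdP: {claim}")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_DISCOVERY), ("bad", BAD_DISCOVERY)):
        print(name, check_discovery(doc, "profile", "upn") or "OK")
```

Run it against your own server with check_discovery(fetch_discovery(url), scopes, claim); a non-empty list means the portal settings and the identity provider do not agree yet.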
ADFS 3.0
- Select ADFS 3.0 at Type.
- Enter your own Description, for instance My SSO.
- At Federation metadata URL, enter the external address on which the ADFS server is externally available.
For instance: https://<ADFS-server>/FederationMetadata/2007-06/Federationmetadata.xml. So [server name+fixed path with xml].
- At Client ID, fill in the unique value that you chose in the step 'Configuration in ADFS' for <my_client_id>.
SURFconext
- Select SURFconext at Type.
- Enter your own Description.
Note:
On 20 December 2019 the Allow signing on using AFAS Identity Provider (Log on using AFAS Identity provider) has been added. For existing identity providers this setting isn't used and everything will work as it did. When you configure a new identity provider, you must make a choice for this setting.
Example 1 (Profit Windows):
Richard opens www.afasonline.nl and logs in with his AFAS Online account via two-factor authentication. Richard then opens the customer's Profit Windows via www.afasonline.nl/12345 (participant 12345). The identity provider of a customer is linked to this participant number.
If users who are logged in with the AFAS Identity Provider do not need to log in again, Profit Windows will be opened immediately.
If users always have to log in via the Identity Provider (of the customer), Richard must first log in via the identity provider before he can open Profit Windows.
Example 2 (InSite):
Esther opens www.afasonline.nl and logs in with her AFAS Online account via two-factor authentication. Esther then opens the customer's InSite via 12345.afasinsite.nl (participant 12345). The identity provider of a customer is linked to this participant number.
If users who are logged in with the AFAS Identity Provider do not need to log in again, InSite will be opened immediately.
If users always have to log in via the Identity Provider (of the customer), Esther must first log in via the identity provider before she can open InSite.
Example 3 (user is not logged in):
John is not logged in yet and opens 12345.afasinsite.nl (participant 12345). The identity provider of his organization is linked to this participant number.
John must always log in via the identity provider of his organization, regardless of the setting in the Allow login via AFAS Identity Provider field.
- Click Save.
Step 2. For each application, configure which identity provider you want to use.
For each application, determine the identity provider you want to use.
Attention:
Users will continue to log on using two-factor authentication until the UPN has been recorded for each user.
- Go to www.afasonline.nl and log on as administrator
- Go to: Management / Single Sign on.
You see the application available to you on AFAS Online.
- For each application, select the Identity provider you want to use: your own single sign-on identity provider or the standard AFAS Identity Provider (if you aim to use two-factor authentication).
- Click Save.
- Enable Show choice screen to offer the user the choice between logging in with single sign-on or two-factor authentication.
- Click Test to check whether the connection works.
Step 3: Record IP restrictions (optional)
The administrator can record IP restrictions on the AFAS Online portal via Management / IP restrictions. If you define IP restrictions, users can only start the applications (apps) from IP addresses that the restrictions allow. This is an extra security measure that is also applied when logging in via SSO.
Enter the UPN for each user and test sign-on (Profit administrator)
We recommend first testing single sign-on using one test user, as explained above. An alternative/additional method is testing by filling in the UPN for one user.
If you already used SSO before, the UPN will already have been entered at users. Then, only follow step 2.
Step 1: Enter the UPN at one user
The system administrator will let you know what needs to be entered in the UPN (User Principal Name) field. The Profit administrator enters the UPN by completing the steps below.
Note:
The user's password will be reset when you enter the UPN. This is why the user must be aware of how he or she signs on to Profit by means of single sign-on.
If the user also has access to OutSite, he or she can no longer sign on to the OutSite site either (since his/her password has been reset). The user can request a new password when signing on to the OutSite site itself.
- Go to: General / Management / Authorisation tool.
- Open the properties of the user.
- Enter the UPN (that you received from the system administrator).
If you cannot enter the code, AFAS has not yet processed the incident for implementing single sign-on.
- Click on: OK. You will now have linked the UPN to the user!
Step 2: Test the sign-on method using one user
- Go to https://login.afasonline.com/12345.
Replace 12345 with your own participant number in this URL.
- Next, a screen will be displayed with the AFAS Online applications. Click the ‘Profit’ tile to open Profit.
- If this works, continue with the next step.
Step 3: Enter the UPN at all users
The UPN of the users must be entered before they can sign on using single sign-on.
If you are doing this for a limited number of users, enter the UPNs manually. See for an explanation the section above: Step 1 Entering a UPN of one user.
If you have a large number of users for whom the UPN field must be entered, you can import them through the import ‘User entry’.
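As an added example (not AFAS code) of checking the UPN field before you enable single sign-on for everyone: the script compares a constructed Profit export with a constructed identity-provider export (such as the SecureLogin user export mentioned above) and reports the UPNs that are empty, use an internal .local name, are not unique, or do not match what the identity provider sends. The column names are assumptions.

```python
"""Reconcile the UPN values entered in Profit with the user names known at the
identity provider before you switch all users to single sign-on. Added
example, not AFAS code. Both exports are constructed samples: the Profit side
is what an administrator would export from the Authorisation tool, the IdP
side an export such as SecureLogin's 'Exporteer gebruikers als CSV'. The
column names (user_code, upn, username) are assumptions."""
import csv
import io

# Constructed Profit export: user code and the UPN field (may still be empty).
PROFIT_USERS_CSV = """user_code,upn
PRI,p.richards@enyoi.com
JJA,john.jansen@enyoi.local
EDV,
MBO,M.Boer@enyoi.com
ABA,a.bakker@enyoi.com
ABA2,a.bakker@enyoi.com
KVD,k.vandijk@enyoi.com
"""

# Constructed IdP export: the value the identity provider sends in the claim.
IDP_USERS_CSV = """username
p.richards@enyoi.com
m.boer@enyoi.com
a.bakker@enyoi.com
"""


def reconcile_upns(profit_csv: str, idp_csv: str) -> dict:
    """Return {user_code: (kind, detail)} for every Profit user whose UPN will
    not work for single sign-on; users without a finding are ready."""
    profit = list(csv.DictReader(io.StringIO(profit_csv)))
    # Lower-cased IdP name -> exact value as the IdP sends it.
    idp = {row["username"].strip().lower(): row["username"].strip()
           for row in csv.DictReader(io.StringIO(idp_csv))}

    # A UPN must be unique per user, so record which users share each value.
    holders = {}
    for row in profit:
        holders.setdefault(row["upn"].strip().lower(), []).append(row["user_code"])

    findings = {}
    for row in profit:
        code, upn = row["user_code"], row["upn"].strip()
        key = upn.lower()
        if not upn:
            findings[code] = ("empty", "no UPN entered; user keeps logging on "
                              "with two-factor authentication")
        elif key.endswith(".local"):
            findings[code] = ("internal-domain", f"{upn} is an internal name; "
                              "enter the external form the IdP sends")
        elif len(holders[key]) > 1:
            others = ", ".join(c for c in holders[key] if c != code)
            findings[code] = ("duplicate", f"{upn} is also entered for {others}")
        elif key not in idp:
            findings[code] = ("not-at-idp", f"{upn} is unknown at the IdP")
        elif upn != idp[key]:
            # Do not rely on case-insensitive matching; enter it exactly.
            findings[code] = ("case-mismatch",
                              f"{upn} differs in letter case from {idp[key]}")
    return findings


if __name__ == "__main__":
    report = reconcile_upns(PROFIT_USERS_CSV, IDP_USERS_CSV)
    for code, (kind, detail) in sorted(report.items()):
        print(f"{code}: {kind}: {detail}")
```

Users that do not appear in the report have a UPN that matches the identity provider exactly and can be switched to single sign-on.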
See also: