
Getting started with Windows Azure Active Directory in Exact Globe Next

Introduction

Note:

  • This document is only relevant to the controlled release participants.
  • This is not available for Exact Cloud customers.

If Exact Globe Next is configured for a federated identity environment, the federated identity services must also be configured to support federated identity authentication and to perform it using the configured federated identity provider details.

Scope

This document describes the following:

  1.  Configuring Windows Azure Active Directory applications
  2.  Overview of Exact Globe Next with federated identity configuration
  3.  Retrieving federated identity configuration details
  4.  Configuring the federated identity configuration files for Exact Globe Next
  5.  Additional information

Configuring Windows Azure Active Directory applications

When Exact Globe Next needs to be configured for federated identity, several values must be provided in the configuration file. To define the configuration file correctly, you first need to configure your Windows Azure Active Directory (WAAD) using the Azure portal.

After logging in to your Azure portal, go to the active directory page and select the active directory you wish to use.

To configure the WAAD applications, do the following:

Creating a Web application

  1. Log in to your WAAD portal.
  2. Go to Azure Active Directory.
  3. Click the active directory that will be used for Exact’s products.
  4. Click App registrations.
  5. Select All Applications.
  6. All the current Azure Active Directory application registrations will be displayed.
  7. Click New registration.
  8. On the Register an application page, do the following:
    • Type a name for the application at Name.
    • Select account type Accounts in this organizational directory only (domain name).
    • Select type Web as redirect URL.
    • Type the Redirect URI at Redirect URI. This is the Exact Synergy Enterprise URL with a trailing slash, for example, https://domain/Synergy/.
  9. Click Register.
  10. Click Authentication.
  11. In the advanced settings section, select ID tokens and save the changes.
  12. Click Expose an API.
  13. Click Add a Scope.
  14. Click Save and continue to set the Application ID URI. It is automatically generated, but you should change this to your Exact Synergy Enterprise URL. This value is case-sensitive; you should use the value exactly as it is in your portal, including any symbols. You are advised to always use lowercase to avoid a mismatch of the values. For more information, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.
  15. Define the scope properties:
    • Scope name: user_impersonation
    • Who can consent: Admins only
    • Admin consent display name: Access Exact Synergy Enterprise
    • Admin consent description: Access Exact Synergy Enterprise
    • User consent display name: Access Exact Synergy Enterprise
    • User consent description: Access Exact Synergy Enterprise
    • State: Enabled
  16. Click Add Scope.
  17. Click Save.

Creating a Public client application

  1. Log in to your WAAD portal.
  2. Go to Azure Active Directory.
  3. Click the active directory that will be used for Exact’s products.
  4. Click App registrations.
  5. Select All Applications.
  6. All the current Azure Active Directory application registrations will be displayed.
  7. Click New registration.
  8. On the Register an application page, do the following:
    • Type a name for the application at Name.
    • Select account type Accounts in this organizational directory only (domain name).
    • Select type Public client (mobile & desktop) as redirect URL.
    • Type the Redirect URI at Redirect URI. This is the Exact Synergy Enterprise URL with a trailing slash, for example, https://domain/Synergy/.
  9. Click Register.
  10. Click Authentication.
  11. In the advanced settings section, select ID tokens and save the changes.
  12. Click API permissions.
  13. Click Add a permission.
  14. On the Request API permissions page, click APIs my organization uses.
  15. Search for the application you created of type Web.
  16. At What type of permissions does your application require?, select Delegated permissions.
  17. Under the PERMISSION section, select user_impersonation.
  18. Click Add permissions.
  19. Click Grant admin consent for <domain name>.

Configuring Exact Globe Next

Overview of Exact Globe Next with federated identity configuration

To use federated identity with Exact Globe Next, the following configuration details must be made available in Exact Globe Next:

  •  SAML Issuer Name
  •  Client ID
  •  Resource
  •  Allowed Audience
  •  Metadata
  •  Thumbprint
  •  Authority

The configuration details stated must be entered in the Federated Identity Configurator, to generate the federated identity configuration files for Exact Globe Next.

Retrieving WAAD configuration details

To retrieve your WAAD configuration details, log in to your WAAD account and view the WAAD application or client that you have configured for Exact Globe Next.

For more information on how to retrieve these details, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.

Note: All values are case-sensitive; you should use the exact value, including any symbols. You are advised to always use lowercase to avoid a mismatch of the values.

Configuring the WAAD configuration files for Exact Globe Next

To configure Exact Globe Next to use WAAD as the authentication provider, the web application must have the following files configured for the token-based authentication:

  • Bin\EntityServiceIdentity.config
  • Bin\GlobeIdentity.Config
  • XMD\Exact.WindowsService.config

These files should be configured and generated by the Federated Identity Configurator.

  1.  Start the Federated Identity Configurator, by starting FIDConfigurator.exe in the Cab folder of the Exact Globe Next installation folder. The tool requires read and write access to the installed folders of Exact software. Therefore, it is recommended the tool be used with Administrator privileges.
  2.  Select Exact Globe Next from the Products menu on the left.
  3.  Type or select the installation directory of Exact Globe Next at Installation Folder. When a path is specified, the tool will validate the path. If the path is validated successfully, the configuration section and buttons will be enabled.
  4.  Select Windows Azure Active Directory at the Identity Provider field.
  5.  Define the following fields:
    •  SAML Issuer Name
    •  Client ID
    •  Resource
    •  Allowed Audience (this field will automatically be filled, based on the value defined at Resource)
    •  Metadata
    •  Thumbprint
    •  Authority
  6.  Click Validate. The validation screen will be displayed.
  7.  The values from the product screen will be checked for common mistakes, such as formatting, typos, et cetera. The tool will warn you when a value is suspected to be wrong so that you can verify and correct it if needed.
  8.  Type a username and password (from your federated identity account) to test if the configuration values are correct for authentication use.
  9.  Click Validate.
  10.  If the validation is successful, click Generate. The federated identity configuration files will be generated in the installation folder for the product. They will also be retained for future product updates.

Note:

  •  The configuration files can be generated only after a successful validation.
  •  All values are case-sensitive; you should use the exact value, including any symbols. You are advised to always use lowercase to avoid a mismatch of the values.
  •  For more information on how to retrieve these details, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.
  •  The tool requires read and write access to the installed folders of Exact software. Therefore, it is recommended the tool be used with Administrator privileges.
  •  For more information about the Federated Identity Configurator, see Federated Identity Configurator.
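
The case-sensitivity notes above are the usual reason a validation fails, so it helps to check the seven values before pasting them into the Federated Identity Configurator. The PowerShell function below is an added example, not part of the Exact tooling: Test-FidValue and all sample values are hypothetical, and it assumes the Client ID is a WAAD application ID (a GUID) and that Allowed Audience is meant to be the same string as Resource.

```powershell
# Added example: pre-check of the values entered in the Federated Identity Configurator.
# Test-FidValue is a hypothetical helper; the sample values are constructed placeholders.
function Test-FidValue {
    param([Parameter(Mandatory)][hashtable]$Values)
    $findings = [System.Collections.Generic.List[string]]::new()
    $required = 'SAML Issuer Name', 'Client ID', 'Resource', 'Allowed Audience',
                'Metadata', 'Thumbprint', 'Authority'
    foreach ($name in $required) {
        $v = [string]$Values[$name]
        if ([string]::IsNullOrWhiteSpace($v)) { $findings.Add("${name}: missing"); continue }
        # Values copied from a portal or a certificate dialog can carry invisible characters.
        if ($v -cmatch '^\s|\s$|[\u200B-\u200F\u00A0\uFEFF]') {
            $findings.Add("${name}: leading/trailing whitespace or invisible character")
        }
    }
    # Assumption: for WAAD the Client ID is the application (client) ID, which is a GUID.
    $cid = [string]$Values['Client ID']
    $guid = [guid]::Empty
    if ($cid -and -not [guid]::TryParse($cid, [ref]$guid)) {
        $findings.Add('Client ID: not a GUID')
    }
    # All values are case-sensitive: flag a pair that matches only when case is ignored.
    $res = [string]$Values['Resource']
    $aud = [string]$Values['Allowed Audience']
    if ($res -cne $aud -and $res -ieq $aud) {
        $findings.Add('Allowed Audience: differs from Resource only by letter case')
    }
    foreach ($name in 'Resource', 'Allowed Audience') {
        $v = [string]$Values[$name]
        if ($v -cne $v.ToLowerInvariant()) { $findings.Add("${name}: contains uppercase characters") }
    }
    # A certificate thumbprint consists of hexadecimal digits only.
    $tp = [string]$Values['Thumbprint']
    if ($tp -and $tp -notmatch '^[0-9A-Fa-f]+$') {
        $findings.Add('Thumbprint: contains non-hexadecimal characters')
    }
    $findings
}

$sample = @{   # constructed values, including a deliberate case mismatch and a hidden character
    'SAML Issuer Name' = 'https://sts.example.invalid/tenant-placeholder/'
    'Client ID'        = '00000000-0000-0000-0000-000000000000'
    'Resource'         = 'https://domain/synergy/'
    'Allowed Audience' = 'https://domain/Synergy/'
    'Metadata'         = 'https://login.example.invalid/metadata.xml'
    'Thumbprint'       = "$([char]0x200E)AABBCCDDEEFF00112233445566778899AABBCCDD"
    'Authority'        = 'https://login.example.invalid/tenant-placeholder'
}
Test-FidValue -Values $sample
```

An empty result means none of these checks fired; the Validate step in the Federated Identity Configurator is still required before the files can be generated.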

Additional information

Restarting the Exact Entity service

After generating the federated identity configuration files, the Exact Entity Service should be restarted.

  1. Open services.msc.
  2. Restart Exact Entity Service.

Exact Globe Next login

When the Exact Globe Next services are configured to use the federated identity authentication, the Exact Globe Next application should be configured the same way.

The login screen will be displayed for WAAD when starting Exact Globe Next. In the login screen, the user name and password will be verified by Auth0 against the information configured at GlobeIdentity.config. The GlobeIdentity.config file has to be created and placed in the bin subfolder of the Exact Globe Next installation folder. For example, C:\Program files\Exact Globe Next\bin.

The password will be encrypted and stored at C:\Users\\AppData\Local\IsolatedStorage. The final sub folder will be stored in the AssemFiles folder.

The exception handling log file will be created in a text file format (ExactSSOExceptions.txt) at C:\Users\\AppData\Roaming\Exact.

     
 Main Category: Attachments & notes  Document Type: Support - On-line help
 Category:  Security  level: All - 0
 Sub category:  Document ID: 30.051.371
 Assortment:  Date: 01-04-2021
 Release:  Attachment: