One moment please...
 
 
Exact Globe+   
 

Getting started with Windows Azure Active Directory in Exact Globe+

Introduction

Note:

  • This document is only relevant to the controlled release participants.
  • This is not available for Exact Cloud customers.

If Exact Globe+ is configured for the federated identity environment, the federated identity services must also be configured to support the federated identity authentication, and to perform the federated identity authentication using the configured federated identity provider details.

Scope

This document describes the following:

  1.  Configuring Windows Azure Active Directory applications
  2.  Overview of Exact Globe+ with federated identity configuration
  3.  Retrieving federated identity configuration details
  4.  Configuring the federated identity configuration files for Exact Globe+
  5.  Additional information

Configuring Windows Azure Active Directory applications

When Exact Globe+ needs to be configured for federated identity, several values need to be provided to successfully manage this. To define the configuration file correctly, you need to configure your Windows Azure Active Directory (WAAD) using the Azure portal.

After logging in to your Azure portal, go to the active directory page and select the active directory you wish to use.

To configure the WAAD applications, do the following:

Creating a Web application

  1. Log in to your WAAD portal.
  2. Go to Azure Active Directory.
  3. Click the active directory that will be used for Exact’s products.
  4. Click App registrations.
  5. Select All Applications.
  6. All the current Azure Active Directory application registrations will be displayed.
  7. Click New registration.
  8. On the Register an application page, do the following:
    • Type a name for the application at Name.
    • Select account type Accounts in this organizational directory only (domain name).
    • Select type Web as redirect URL.
    • Type the Redirect URI at Redirect URI. This is the Exact Synergy Enterprise URL with a trailing slash, for example, https://domain/Synergy/.
  9. Click Register.
  10. Click Authentication
  11. In the advanced settings section, select ID tokens and save the changes
  12. Click Expose an API.
  13. Click Add a Scope.
  14. Click Save and continue to set the Application ID URI. It is automatically generated, but you should change this to your Exact Synergy Enterprise URL. This value is case-sensitive; you should use the value exactly as it is in your portal, including any symbols. You are advised to always use lowercase to avoid a mismatch of the values. For more information, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.
  15. Define the scope properties:
    • Scope name: user_impersonation
    • Who can consent: Admins only
    • Admin consent display name: Access Exact Synergy Enterprise
    • Admin consent description: Access Exact Synergy Enterprise
    • User consent display name: Access Exact Synergy Enterprise
    • User consent description: Access Exact Synergy Enterprise
    • State: Enabled
  16. Click Add Scope.
  17. Click Save.

Creating a Public client application

  1. Log in to your WAAD portal.
  2. Go to Azure Active Directory.
  3. Click the active directory that will be used for Exact’s products.
  4. Click App registrations.
  5. Select All Applications.
  6. All the current Azure Active Directory application registrations will be displayed.
  7. Click New registration.
  8. On the Register an application page, do the following:
    •  Type a name for the application at Name.
    • Select account type Accounts in this organizational directory only (domain name).
    • Select type Public client (mobile & desktop) as redirect URL
    •  Type the Redirect URI at Redirect URI. This is the Exact Synergy Enterprise URL with a trailing slash, for example, https://domain/Synergy/.
  9. Click Register.
  10. Click Authentication.
  11. In the advanced settings section, select ID tokens and save the changes.
  12. Click API permissions.
  13. Click Add a permission.
  14. On the Request API permissions page, click APIs my organization uses.
  15. Search for the application you created of type Web.
  16. At What type of permissions does your application require?, select Delegated permissions.
  17. Under the PERMISSION section, select user_impersonation.
  18. Click Add permissions.
  19. Click Grand admin consent for <domain name>.

Configuring Exact Globe+

Overview of Exact Globe+ with federated identity configuration

To use federated identity with Exact Globe+, the following configuration details must be made available in Exact Globe+:

  •  SAML Issuer Name
  •  Client ID
  •  Resource
  •  Allowed Audience
  •  Metadata
  •  Thumbprint
  •  Authority

The configuration details stated must be entered in the Federated Identity Configurator, to generate the federated identity configuration files for Exact Globe+.

Retrieving WAAD configuration details

To retrieve your WAAD configuration details, log in to your WAAD account and view the WAAD application or client that you have configured for Exact Globe+.

For more information on how to retrieve these details, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.

Note: All values are case-sensitive; you should use the exact value, including any symbols. You are advised to always use lowercase to avoid a mismatch of the values.

Configuring the WAAD configuration files for Exact Globe+

To configure Exact Globe+ to use WAAD as the authentication provider, the web application must have the following files configured for the token-based authentication:

  • Bin\EntityServiceIdentity.config
  • Bin\GlobeIdentity.Config
  • XMD\Exact.WindowsService.config

These files should be configured and generated by the Federated Identity Configurator.

  1.  Start the Federated Identity Configurator, by starting FIDConfigurator.exe in the Cab folder of the Exact Globe+ installation folder. The tool requires read and write access to the installed folders of Exact software. Therefore, it is recommended the tool be used with Administrator privileges.
  2.  Select Exact Globe+ from the Products menu on the left.
  3.  Type or select the installation directory of Exact Globe+ at Installation Folder. When a path is specified, the tool will validate the path. If the path is validated successfully, the configuration section and buttons will be enabled.
  4.  Select Windows Azure Active Directory at the Identity Provider field.
  5.  Define the following fields:
    •  SAML Issuer Name
    •  Client ID
    •  Resource
    •  Allowed Audience (this field will automatically be filled, based on the value defined at Resource)
    •  Metadata
    •  Thumbprint
    •  Authority
  6.  Click Validate. The validation screen will be displayed.
  7.  The values from the product screen will be checked for common mistakes, such as formatting, typos, and other mistakes. The tool will warn you when a value is suspected to be wrong so that you can verify and correct it if needed.
  8.  Type a username and password (from your federated identity account) to test if the configuration values are correct for authentication use.
  9.  Click Validate.
  10.  If the validation is successful, click Generate. The federated identity configuration files will be generated in the installation folder for the product. It will also be retained for future product updates.

Note:

  •  Only after a successful validation, the configuration files can be generated.
  •  All values are case-sensitive; you should use the exact value, including any symbols. You are advised to always use lowercase to avoid a mismatch of the values.
  •  For more information on how to retrieve these details, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.
  •  The tool requires read and write access to the installed folders of Exact software. Therefore, it is recommended the tool be used with Administrator privileges.
  •  For more information about the Federated Identity Configurator, see Federated Identity Configurator.

Additional information

Restarting the Exact Entity service

After generating the federated identity configuration files, the Exact Entity Service should be restarted.

  1. Open services.msc.
  2. Restart Exact Entity Service.

Exact Globe+ login

When the Exact Globe+ services are configured to use the federated identity authentication, the Exact Globe+ application should be configured the same way.

The login screen will be displayed for WAAD when starting Exact Globe+. You have to select an account in the login screen.


Once you have selected an account you will be prompted to enter the authentication code if you have enabled Multifactor authentication (MFA).

 

 

     
 Main Category: Attachments & notes  Document Type: Support - On-line help
 Category:  Security  level: All - 0
 Sub category:  Document ID: 27.183.654
 Assortment:  Date: 26-03-2024
 Release:  Attachment:
 Disclaimer