Exact Synergy Enterprise

Getting started with Windows Azure Active Directory in Exact Synergy Enterprise

Introduction

Windows Azure Active Directory (Azure AD) is a cloud service by Microsoft that provides identity and access management. For Exact Synergy Enterprise, Azure AD can be used as (or integrated with) an organization’s directory and can be used to provide token-based authentication for the users.

This document gives an overview of how to configure Azure AD in Exact Synergy Enterprise. It also covers the Azure AD prerequisites, where to retrieve the required details from the Azure portal, and how to use those details to configure Azure AD in Exact Synergy Enterprise.

To use the federated identity provider, the account from the federated identity provider must be acquired and configured for Exact Synergy Enterprise. For more information, refer to the identity provider’s main web sites. Only one federated identity provider can be used at a time in Exact Synergy Enterprise.

Note:

  • This document is only relevant to the controlled release participants.
  • This is not available for Exact Cloud customers.
  • OAuth is the recommended protocol to use.

Prerequisites

The organization must have an active account for Microsoft Azure before Azure AD can be used in Exact Synergy Enterprise. Azure AD must also have two (2) application registrations created for Exact Synergy Enterprise:

  1. The Web application registration should be configured for the Exact Synergy Enterprise web application.
  2. The Public client application registration is needed for the Exact Synergy Enterprise web services. It should be configured with the delegated permission to both Azure AD and the Web application registration for Exact Synergy Enterprise.

This information is based on the information for Azure AD as of October 13, 2017. For more information on how to set up your account, see the following documents:

Preparing and configuring the supported user database source

Each identity provider may support different user database sources. For the usage of the federated identity in Exact Synergy Enterprise, the user database source used must support the email address as the default claim type. Furthermore, the email address of the user should match the user name (humres.usr_id column) of a person in Exact Synergy Enterprise.

For Windows Azure Active Directory, the directory is also the user database source for the identity provider.
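The matching rule above (the token's e-mail claim must equal the person's user name in humres.usr_id, and the token must be issued for the configured Allowed Audience) is easy to get wrong at the edges: a token without an e-mail claim, a mixed-case user name, or two people sharing an address. The following is an added illustration, not Exact's code, of how a resolver that enforces that rule can behave. It assumes the token's signature, issuer and expiry have already been verified by the token-handling layer; the claim type names, function names and sample users are constructed for the example.

```python
"""Added example (not Exact's code): map the e-mail claim of an already
validated token to exactly one person in Exact Synergy Enterprise.

Assumed to run after signature/issuer/expiry validation; this function only
checks the audience and resolves the user.  Names and data are constructed.
"""
from typing import Iterable

# Constructed sample of the humres.usr_id column (hypothetical data).
SAMPLE_USERS = ["jane.doe@example.com", "John.Smith@example.com", "svc-batch"]

# Claim types under which the e-mail address may arrive (assumption:
# short OIDC name, WS-Fed/SAML long name, or UPN as a fallback).
EMAIL_CLAIMS = (
    "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "upn",
)


class FederatedLoginError(Exception):
    """Raised when a token cannot be mapped to exactly one Synergy user."""


def resolve_synergy_user(claims: dict, users: Iterable[str], allowed_audience: str) -> str:
    """Return the humres.usr_id the token belongs to, or raise FederatedLoginError."""
    # 1. The token must be meant for this application (Allowed Audience).
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if allowed_audience not in audiences:
        raise FederatedLoginError(f"audience mismatch: {audiences}")

    # 2. The directory must present an e-mail address; without it there is
    #    nothing to match on and the login must fail closed.
    email = next((claims[c] for c in EMAIL_CLAIMS if claims.get(c)), None)
    if not email or "@" not in email:
        raise FederatedLoginError("token carries no usable e-mail claim")

    # 3. Match against humres.usr_id.  Comparison is case-insensitive by
    #    design choice here, so a user stored as John.Smith@... still logs
    #    in; the page itself recommends storing values in lowercase.
    wanted = email.strip().lower()
    matches = [u for u in users if u.strip().lower() == wanted]
    if len(matches) != 1:
        # Zero matches: unknown person.  Two or more: ambiguous mapping,
        # which must never silently pick one account.
        raise FederatedLoginError(f"{len(matches)} users match {email!r}; expected exactly one")
    return matches[0]


def login_is_rejected(claims: dict, users: Iterable[str], allowed_audience: str) -> bool:
    """Convenience wrapper: True when the resolver refuses the token."""
    try:
        resolve_synergy_user(claims, users, allowed_audience)
    except FederatedLoginError:
        return True
    return False


if __name__ == "__main__":
    token = {"aud": "https://domain/synergy/", "email": "jane.doe@example.com"}
    print(resolve_synergy_user(token, SAMPLE_USERS, "https://domain/synergy/"))
```

The audience value used here is the App ID URI form the page recommends (lowercase, trailing slash); if the value in the token differs only in case or in the slash, the check fails, which is exactly the mismatch the page's notes warn about.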

Setup account

It is assumed that you have a Live.com account that is activated with the MSDN subscription, for example, Microsoft Visual Studio with MSDN. To manage your MSDN subscription, go to https://msdn.microsoft.com/en-us/subscriptions/manage/hh442900.

If Exact Synergy Enterprise is used on Windows Azure, the users will be based on Windows Azure Active Directory. For more information on Windows Azure, see https://account.windowsazure.com/Home/Index.

Configuring Windows Azure Active Directory applications

WAAD applications are configurations that represent, and are used by Exact Synergy Enterprise, Exact Globe+, ELIS, and other products for the federated identity authentication via WAAD. Before you can set up Exact Synergy Enterprise, Exact Globe+, ELIS, or other products, you have to configure the WAAD applications first.

The following WAAD applications have to be created:

  • Web application
  • Public client application

To configure the WAAD applications, do the following:

Creating a Web application

  1. Log in to your WAAD portal.
  2. Go to Azure Active Directory.
  3. Click the active directory that will be used for Exact’s products.
  4. Click App registrations.
  5. Select All Applications.
  6. All the current Azure Active Directory application registrations will be displayed.
  7. Click New registration.
  8. On the Register an application page, do the following:
    • Type a name for the application at Name.
    • Select account type Accounts in this organizational directory only (domain name).
    • Select Web as the redirect URI type.
    • Type the Redirect URI at Redirect URI. This is the Exact Synergy Enterprise URL with a trailing slash, for example, https://domain/Synergy/.
  9. Click Register.
  10. Click Authentication.
  11. In the advanced settings section, select ID tokens and save the changes.
  12. Click Expose an API.
  13. Click Add a Scope.
  14. Click Save and continue to set the Application ID URI. It is automatically generated, but you should change this to your Exact Synergy Enterprise URL. This value is case-sensitive; you should use the value exactly as it is in your portal, including any symbols. You are advised to always use lowercase to avoid a mismatch of the values. For more information, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.
  15. Define the scope properties:
    • Scope name: user_impersonation
    • Who can consent: Admins only
    • Admin consent display name: Access Exact Synergy Enterprise
    • Admin consent description: Access Exact Synergy Enterprise
    • User consent display name: Access Exact Synergy Enterprise
    • User consent description: Access Exact Synergy Enterprise
    • State: Enabled
  16. Click Add Scope.
  17. Click Save.
  18. Click Authentication.
  19. In the Web section, click Add URI.
  20. Add the following URL: {Exact Synergy Enterprise URL}docs/SysFederatedLogin.aspx
        The {Exact Synergy Enterprise URL} is the Exact Synergy Enterprise URL.
  21. Click Save.

  22. The next 6 steps are only needed if you will be using the OAuth protocol. When using SAML, they are not required.
  23. Click Certificates & secrets.
  24. Click New client secret.
  25. Type “ClientSecret” at Description.
  26. Select Never at Expires.
  27. Click Add.
  28. Copy the generated password value and save it in a document so you can use it later when configuring the OAuth protocol.

Creating a Public client application

  1. Log in to your WAAD portal.
  2. Go to Azure Active Directory.
  3. Click the active directory that will be used for Exact’s products.
  4. Click App registrations.
  5. Select All Applications.
  6. All the current Azure Active Directory application registrations will be displayed.
  7. Click New registration.
  8. On the Register an application page, do the following:
    • Type a name for the application at Name.
    • Select account type Accounts in this organizational directory only (domain name).
    • Select Public client (mobile & desktop) as the redirect URI type.
    • Type the Redirect URI at Redirect URI. This is the Exact Synergy Enterprise URL with a trailing slash, for example, https://domain/Synergy/.
    • Click Register.
  9. Click Authentication.
  10. In the advanced settings section, select ID tokens and save the changes.
  11. Click API permissions.
  12. Click Add a permission.
  13. On the Request API permissions page, click APIs my organization uses.
  14. Search for the application you created of type Web.
  15. At What type of permissions does your application require?, select Delegated permissions.
  16. Under the PERMISSION section, select user_impersonation.
  17. Click Add permissions.
  18. Click Grant admin consent for <domain name>.

Configuring Exact Synergy Enterprise

Overview of Exact Synergy Enterprise with Azure AD configuration

To use the Windows Azure Active Directory provider with Exact Synergy Enterprise, the following configuration details from Azure AD must be made available in Exact Synergy Enterprise:

  •  Authority
  •  Client ID
  •  App ID URI
  •  Allowed Audience
  •  WS-Fed Metadata URL
  •  WS-Fed Issuer
  •  Issuer
  •  Thumbprint

The configuration details stated must be entered in the Federated Identity Configurator, to generate the federated identity configuration files for Exact Synergy Enterprise.

Retrieving Azure AD configuration details

To retrieve your Azure AD configuration details, log in to your Azure account, and click App registrations under the Azure Active Directory to view the app registrations that you have configured for Exact Synergy Enterprise.

For more information on how to retrieve these details, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.

Note: All values are case-sensitive; you should use the exact value, including any symbols. You are advised to always use lowercase and a trailing slash to avoid a mismatch of the values.

Configuring Windows Azure Active Directory into Exact Synergy Enterprise

To configure Exact Synergy Enterprise to use Windows Azure Active Directory as the authentication provider, the web application must have the following files configured for the token-based authentication:

  •  web.config
  •  system.identityModel.config
  •  system.identityModel.services.config

These files should be configured and generated by the Federated Identity Configurator.

  1.  Start the Federated Identity Configurator, by starting FIDConfigurator.exe in the Cab folder of the Exact Synergy Enterprise installation folder. The tool requires read and write access to the installed folders of Exact software. Therefore, it is recommended the tool be used with Administrator privileges.
  2.  Select Exact Synergy Enterprise from the Products menu on the left.
  3.  Type or select the installation directory of Exact Synergy Enterprise at Installation Folder. When a path is specified, the tool will validate the path. If the path is validated successfully, the configuration section and buttons will be enabled.
  4.  Select Windows Azure Active Directory at the Identity Provider field.
  5.  Define the following fields:
    •  SAML Issuer Name
    •  Authority
    •  Client ID
    •  App URI ID
    •  Allowed Audience (this field will automatically be filled, based on the value defined at App URI ID)
    •  Realm (this field will automatically be filled, based on the value defined at App URI ID)
    •  Audience URI (this field will automatically be filled, based on the value defined at App URI ID)
    •  Thumbprint (Microsoft changes the thumbprint regularly. If the thumbprint changes, the system.identitymodel.config file must be updated. This is done automatically by the system. For the system to be able to do this, the authenticated user must have one of the following rights for the system.identitymodel.config file: modify, read, read and execute, or write)
    •  Metadata
    •  WS Fed Issuer
    •  Reply
  6.  Click Validate. The validation screen will be displayed.
  7.  The values from the product screen will be checked for common mistakes, such as formatting, typos, and other mistakes. The tool will warn you when a value is suspected to be wrong so that you can verify and correct it if needed.
  8.  Type a username and password (from your federated identity account) to test if the configuration values are correct for authentication use.
  9.  Click Validate.
  10.  If the validation is successful, click Generate. The federated identity configuration files will be generated in the installation folder for the product. It will also be retained for future product updates.

Note:

  •  Only after a successful validation, the configuration files can be generated.
  •  All values are case-sensitive; you should use the exact value, including any symbols. You are advised to always use lowercase and a trailing slash to avoid a mismatch of the values.
  •  For more information on how to retrieve these details, see How-to: Retrieving information for Windows Azure Active Directory and Auth0.
  •  The tool requires read and write access to the installed folders of Exact software. Therefore, it is recommended the tool be used with Administrator privileges.
  •  For more information about the Federated Identity Configurator, see Federated Identity Configurator.
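The configurator's Validate step checks the entered values for formatting mistakes, and the notes above name the two errors that cause most failed logins: URL values that differ in case or trailing slash, and a Thumbprint that no longer matches the signing certificate Microsoft publishes after a rotation. As an added example, not the Federated Identity Configurator's own code, the block below performs the same two pre-flight checks on values copied from the portal. The sample configuration and the federation metadata document are constructed; the certificate inside the metadata is placeholder bytes rather than a real certificate, but the thumbprint computation (SHA-1 over the DER bytes, shown as 40 hex characters) is the same one the Windows certificate store displays.

```python
"""Added example (not Exact's code): pre-flight checks on Azure AD values
before they are entered into the Federated Identity Configurator.

Check 1: URL-type values are lowercase, end with a slash and agree.
Check 2: the configured Thumbprint matches a signing certificate in the
federation metadata, which catches Microsoft's certificate rotation.
All sample values are constructed for this example.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder DER bytes standing in for a real signing certificate.
PLACEHOLDER_DER = b"placeholder-der-bytes-not-a-real-certificate"
# Thumbprint as Windows would show it: SHA-1 of the DER bytes, upper-case hex.
SAMPLE_THUMBPRINT = hashlib.sha1(PLACEHOLDER_DER).hexdigest().upper()

# Constructed federation metadata in the WS-Fed/SAML metadata layout.
SAMPLE_METADATA = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    b'entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">\n'
    b'  <RoleDescriptor>\n'
    b'    <KeyDescriptor use="signing">\n'
    b'      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">\n'
    b'        <X509Data><X509Certificate>%s</X509Certificate></X509Data>\n'
    b'      </KeyInfo>\n'
    b'    </KeyDescriptor>\n'
    b'  </RoleDescriptor>\n'
    b'</EntityDescriptor>\n'
) % base64.b64encode(PLACEHOLDER_DER)

# Values a customer might have copied from the portal (hypothetical).
SAMPLE_CONFIG = {
    "App ID URI": "https://Domain/Synergy",            # wrong case, no slash
    "Allowed Audience": "https://domain/synergy/",
    "Reply": "https://domain/synergy/docs/SysFederatedLogin.aspx",
    "Thumbprint": "00" * 20,                             # stale after rotation
}
GOOD_CONFIG = dict(SAMPLE_CONFIG, **{"App ID URI": "https://domain/synergy/",
                                     "Thumbprint": SAMPLE_THUMBPRINT})

# Fields the page says are derived from the App ID URI and must agree with it.
URL_FIELDS = ("App ID URI", "Allowed Audience")


def check_url_values(config: dict) -> list:
    """Return warnings for the case/trailing-slash mistakes the page describes."""
    warnings = []
    for field in URL_FIELDS:
        value = config.get(field, "")
        if not value.startswith("https://"):
            warnings.append(f"{field}: expected an https:// URL, got {value!r}")
        if value != value.lower():
            warnings.append(f"{field}: contains upper-case characters ({value!r})")
        if not value.endswith("/"):
            warnings.append(f"{field}: missing trailing slash ({value!r})")
    # The derived fields must denote the same application as the App ID URI.
    distinct = {config.get(f, "").lower().rstrip("/") for f in URL_FIELDS}
    if len(distinct) > 1:
        warnings.append("App ID URI and Allowed Audience differ: " + ", ".join(sorted(distinct)))
    base = config.get("App ID URI", "").lower().rstrip("/") + "/"
    if not config.get("Reply", "").lower().startswith(base):
        warnings.append("Reply URL is not under the App ID URI")
    return warnings


def signing_thumbprints(metadata_xml: bytes) -> list:
    """Thumbprints of every signing certificate published in the metadata."""
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):   # skip encryption keys
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbs.append(hashlib.sha1(der).hexdigest().upper())
    return thumbs


def check_thumbprint(config: dict, metadata_xml: bytes) -> list:
    """Warn when the configured Thumbprint is not a currently published signing cert."""
    configured = config.get("Thumbprint", "").replace(" ", "").replace(":", "").upper()
    published = signing_thumbprints(metadata_xml)
    if not published:
        return ["metadata publishes no signing certificate"]
    if configured not in published:
        return [f"configured thumbprint {configured} not in {published}; "
                "the signing certificate may have rotated"]
    return []


if __name__ == "__main__":
    for w in check_url_values(SAMPLE_CONFIG) + check_thumbprint(SAMPLE_METADATA and SAMPLE_CONFIG, SAMPLE_METADATA):
        print("WARNING:", w)
```

Running it against a real tenant only changes the input: fetch the WS-Fed Metadata URL you entered in the configurator and pass the document body to check_thumbprint. Because the page says the system rewrites system.identitymodel.config itself after a rotation, a non-empty result from this check on a live system is also a useful signal that the application identity lacks the modify right on that file.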

Changing the identity of the used AppPool

To be able to create a Synergy database and virtual directory in an FID-configured environment, you must change the identity of the used AppPool to an Active Directory user with administrator rights.

  1. Open the Internet Information Services (IIS) Manager.
  2. Go to Application Pools.
  3. Create a new application pool, or right click the application pool DefaultAppPool and select Advanced Settings....
  4. In the Process Model section at Identity, click ..., select Custom account, and click Set.
  5. Enter the credentials of an Active Directory user with administrator rights and click OK.

Configuring ESE Web Application in Internet Information Services (IIS)

After configuring Exact Synergy Enterprise to work with the token-based authentication, the Web Site Application in Internet Information Services (IIS) must be properly configured.

  1. Open the Internet Information Services (IIS) Manager.
  2. Go to the Exact Synergy website in Internet Information Services (IIS) Manager.
  3. Open Authentication.
  4. Make sure Anonymous Authentication is enabled and Windows Authentication is disabled.
  5.  Restart the IIS services, and you will be able to use Exact Synergy Enterprise with token-based authentication through the Windows Azure Active Directory provider.

Additional information

Database Configuration File

When Exact Synergy Enterprise is used with the token-based authentication, the database configuration file, db.config, will be in the root folder of the Exact Synergy Enterprise installation. Therefore, Exact Synergy Enterprise will require read or write access to this file.

Starting Exact Synergy Enterprise

You should be able to start Exact Synergy Enterprise in the browser where you will be asked to log in via the federated identity provider’s login page. If this is not the first time you are starting Exact Synergy Enterprise, the browser must run using the built-in administrator account.

Configuring FID in Azure AD

When you configure FID in Azure AD, the Enable the following mobile and desktop flows field should be set to Yes in the public application at Authentication > Advanced settings > Allow public client flows. If this is not done, FID will not work.

Related documents

Main Category: Attachments & notes
Document Type: Online help main
Category: Security
Security level: All - 0
Document ID: 27.547.289
Date: 24-05-2023