Exact Synergy Enterprise   
 

Possibilities of using federated identity with Exact Globe+ and Exact Synergy Enterprise

Note:

  • This document is only relevant to the controlled release participants.
  • This is not available for Exact Cloud customers.

Introduction

This document explains the high-level technical implementation of federated identity support in Exact Globe+ and Exact Synergy Enterprise, and the possibilities this enables for supporting different identity providers.

Explanation 

The implementation of federated identity in Exact Globe+ and Exact Synergy Enterprise is based on protocols, not on identity providers. Exact has selected Auth0 and Windows Azure Active Directory (WAAD) as supported identity providers. This means that other identity providers that support the same protocols should also work, but this is not tested by Exact and therefore not officially supported.

Exact Globe+ and Exact Synergy Enterprise both support the SAML2 and OAuth2 protocols, which are standard protocols for identity management. Part of the protocol is the authorization mode: Exact Globe+ uses the active mode, and Exact Synergy Enterprise can use the active mode or the passive mode. One of the main differences between the two is that in passive mode a pop-up is shown (the user is redirected to another login web page), while in active mode this is not the case.

The SAML2 protocol only supports passive mode, while the OAuth2 protocol supports both. The image below shows where Exact Globe+ and Exact Synergy use which protocol.


 

In summary this means: 

  • Exact Synergy Enterprise itself can use the SAML2 protocol and passive connection mode, or the OAuth2 protocol and the active or passive mode
  • Exact Synergy Enterprise web services use the OAuth2 protocol
  • Exact Globe+ uses the OAuth2 protocol

The SAML2 protocol only supports passive mode, while the OAuth2 protocol supports both active and passive mode.

Based on the supported scenarios of the protocols and the architecture of Exact Synergy Enterprise and Exact Globe+ it means that: 

  1. Exact Globe+ uses the OAuth2 protocol and the active connection mode.
  2. Exact Synergy Enterprise can use the SAML2 protocol and the passive connection mode, or the OAuth2 protocol and the active and passive mode, including support for refresh of the access token.
  3. Exact Synergy Enterprise web services can use the SAML2 and OAuth2 protocols and can support both connection modes. Exact recommends using OAuth2 for performance reasons and because SAML2 cannot support refresh of the access token.

As a result, the identity providers that Exact Globe+ and Exact Synergy Enterprise can use need to meet the above criteria. If an identity provider that is supported by Auth0 or WAAD does not support the required connection mode, it cannot work with the respective Exact product.

In general, for Exact Globe+ the following identity methods within Auth0 support active mode:

  • Auth0 database connection (username and password stored in Auth0 database)
  • Auth0 custom database connection (same as previous one, but with additional scripts to custom backend)
  • Active Directory / LDAP connection
  • ADFS, but this requires active mode to be enabled

Social identity providers like Gmail do not support active connection mode.
 

Main Category: Attachments & notes
Document Type: Support - On-line help
Security level: All - 0
Document ID: 27.763.977
Date: 21-11-2022