Accessing Kinetic in browser - user alternate sysconfig?

Good morning,

We juggle multiple sysconfig files for different authentication schemes, which is simple enough with the smart client. When accessing Kinetic through a browser directly, is there a way to specify which scheme to use? We currently have Azure AD as our default, but I’d like to be able to authenticate with other methods through the browser. Documentation on this seems rather thin currently.

Thanks!

If the AppServer uses Azure AD, Kinetic in the browser will also use Azure AD; there is no way to choose other authentication.

That’s a bit of a bummer. There is some nice peace of mind from knowing I can log in with an admin account using Epicor’s built-in authentication in case our Azure AD integration breaks for some reason. For now we can obviously use the smart client for this purpose, but if we go full browser in the future (and we want to), this would be a nice capability.

Perhaps a query parameter, similar to ?mode=mes could be passed?

@olga can correct me if I’m wrong, but if you install an additional AppServer without Azure AD and with SSL, then you’ll get a new URL to hit with your browser.

When it breaks you could disable it in web.config and return to name and password.

Yes, the current implementation allows setting up Azure AD per app server. So if you create another appserver, you may choose not to set Azure AD for it.

But it kind of defeats the purpose - AAD allows you to use MFA for login, and allowing it to be bypassed does not look

Yes, you are absolutely right. I would not open that appServer to all users and use the SSO Only flag to prevent most users from using the SSL appServer.

But @fvodden has a point. AAD does seem to go down periodically. :roll_eyes:

Maybe having Okta, or other authentication systems with MFA, as a back up might not be a bad idea. :thinking:

We don’t have direct integration with Okta, only through AAD or IdP.

If AAD goes down, you can change web.config to use name and password instead. It will restart the app server, so a small disruption will happen.

Do you think the Cloud Team would do that for SaaS users since those customers don’t have access to the web.config?

It is probably better to ask the Cloud team what they do when AAD goes down.
(I think when AAD goes down, half of Azure goes down as well.)


We are cloud, so I don’t have much context for many of these comments. Support made multiple configurations available to us, does that mean there are multiple AppServers and multiple URLs that I am not familiar with?

@Mark_Wonsil Support has referenced an SSO Only flag to me in the past, but I am not familiar with its location. Is it per user? If so, it is not present on our User Account Maintenance form.

This is less about if AAD goes down, and more about some mis-configuration or bad Epicor update breaking something and locking administrative users out.

Require SSO is per-user and can be set in User Account Maintenance.


The require SSO option is not visible on users in User Account Maintenance. Is Single Sign-On referring to a feature other than Azure AD?

If I am correct, Require SSO means that this user MUST use a single sign-on provider like Azure AD, or Active Directory in pre-Kinetic (Static? :thinking: ). This prevents people (users or threat actors) from trying to use Basic Authentication (usernames/passwords) to brute-force logins.

It is wise to have at least one manager account that has an alternate way to log in, in the event that your authentication provider goes dark.

Right, I’m looking for a way to force the majority of my user accounts to use Azure AD. The checkbox referenced does not appear in User Security. The fallback tactic would be to set the Epicor passwords to very long, strong passwords (with no intention of their use).

Not sure about Multi-Tenant; it was present in Public Cloud when I was on it. Do you have DMT? You may be able to set the flag that way.

We’re public cloud. I’ll open a ticket and see what support has to say.