We are on version 2022.1.9 aka 11.2.100.9. I am wanting to know if there is a way in the smart client, not the web browser UI, to change the currently logged in user account. We have our app servers setup to use SSO and it automatically signs in with the currently logged in windows account. I’d like to be able to still have the ability to change to a different Epicor user in the smart client if possible when I need to switch over to the security manager to perform security functions.
It’s been a while… lets see…
It is either this:
You need a seperate AppServer one for SSO and one not SSO, followed by 2 .sysconfig files one for UsernameWindowsChannel and one for Windows in addition your User Account under User Account Maintenance isn’t allowed to be set for “Required SSO”.
Or it is this: (Try this first, simpler change)
Try in your Client .sysconfig file changing <SingleSignOn value="true" bool="" /> to false
Perhaps its both, havent had to mess with it in a while.
Is change user in the triple dots in the top right of the main menu along with Developer Mode?
I did check there and “change user” is not an option from that menu.
Epicor runs a method CanChangeUser which has logic like this:
var UsingWindowsBinding = usrRow.RequireSso ||
IsSingleSignOn(AppSettingsHandler.GetValue(Ice.Lib.AppSettingsSections.Application, "EndpointBinding", ""));
return !UsingWindowsBinding;
It determines whether to show it or hide it. Hence see my previous post on it.
I imagine one of these options or both of them would technically work, but I was hoping to be able to just switch user or change user after first having signed in via SSO and not have to have SSO disabled or a separate app server not configured with SSO.
I did not know about this at all. I can confirm that I DO NOT have “require SSO” checked for my user account. However, the single configured app server and associated client config file are setup for SSO.
If you change your client and the Server is setup for SSO only, it may not connect.
Epicor Considers the following Endpoint Bindings to be SSO:
- Windows
- TcpBinaryWindowsChannel
- HttpsBinaryWindowsChannel
We typically have 2 AppServers, not sure if you can use UsernameWindowsChannel and use RequireSSO to have one where SSO is sort of optional.
<EndpointBinding value="UsernameWindowsChannel" />
But also remember SSO may set the user some jibberish password, which you may not know. So another option you can try is, if you hold SHIFT and Right Click on your Epicor Shortcut, you could run the Client as another User, and that may pass-thru:
Holding SHIFT and Right Clicking on the Kinetic shortcut and then choosing to run as a different user worked.
Does SSO not also work for Epicor IdP or Azure Active Directory as well?
SSO=Window Auth only. For historical reasons