REST in single sign-on environment

Hi Guys,

We have an application server setup with single sign-on enabled.

We have some integration with ECC and the developer used a username/password combination (not SSO) before to connect to the BAQs he needs. Now on this new application server he cannot connect how he used to. Using my AD credentials when browsing the API works fine but it will not accept a standard Epicor username and password any longer.

Is it possible to enable basic authentication for the API when the application server is using SSO? And how?


You should be able to edit your web.config file in your wwwroot folder to do this. The Epicor_RESTServices guide outlines it pretty well for switching TO single sign-on at least. I think you will need to find your REST/OData authentication binding settings in the config, and change clientCredentialType to Basic (likely set to InheritedFromHost).

Not 100% sure, but I had an issue similar to this in the past. We aren’t actually set up for SSO, but REST services somehow were and I had to change them to basic by editing this file. I solved it a bit differently (since we don’t use SSO) using the customBindings in this config file.

Thanks Adam for the response.

I had a look at the guide and as you say for SSO it is clear what the setting must be but not sure what to set the clientCredentialType to for basic auth. I tried the values “None”, “Basic” and “UserName” but none of them seem to work. Would I need to recycle the app server/app pool after the change because it seems the change is immediate? Do I need to make any authentication changes in IIS?

It still will not accept an Epicor username and password. I have also tried to set up the user in Epicor with an Access Scope but it does not make a difference.

Here is my web.config file. (4.4 KB)

Ok some feedback from Epicor Support.

You cannot use Epicor username and password for REST if you are using SSO for the application server. You can set it so it will prompt for user credentials but you still need to enter the domain username and password which is linked to an Epicor user.

If you want to make use of Epicor username and pass then you need to configure a second non-SSO app server.

The reason for this is that the endpoint is controlled by the sysconfig file which can only have 1 at this time.

Hope this helps someone else.