Series 1 EpiSode 6: The Kinetic Transformation with Brian Conner

Sure you do, you are just used to it.

Here’s a screenshot of the login window for Zoom

And here’s the Login window for EpiUsers

2 Likes

Right that’s what I was saying… you’d almost have to have a separate app server to only allow SSO.

So the SSO only option in the user account settings becomes a setting to not allow them to log into any other app servers except ones set up for SSO.

1 Like

I see Jose, thank you!

I guess the issue I am having in an enterprise setting is that my users don’t know what Epicor Basic and SSO is… and quite frankly, why should they?

1 Like

Make it part of your training. Generally you’d have 1 that most people use.

2 Likes

Right on, I think that’s what I am taking away:

So set up an app server to use the auth method you want to use and eliminate the choice and the extra training.

Thanks for the feedback and examples of logins Jose, I appreciate it.

After seeing your examples, I would like to rephrase my statement…

2 Likes

My next question is, when I choose basic auth and type in the wrong password does a windows login screen pop up still or is that fixed?

1 Like

Actually, even Azure AD requires authentication first before getting anything user-specific.

  1. You enter your email.
  2. It gets the authentication methods based on the tenant your email belongs to, not on the email itself.
  3. The user enters a password or uses passwordless.
  4. Login is verified.
  5. Only after authentication can some additional checks be added by conditional access, like MFA for a specific user.

So here we have a list of auth methods, similar to the authentication methods defined for the tenant in AAD.

3 Likes

Perfectly put, Olga. So we should put in the username/email first, then present the authentication methods available based on the tenant and on the Epicor user account settings (i.e. SSO only).

That’s how I would picture it, but I’m splitting hairs here. I love Epicor and all the work being put in.

That’s what I need to get across in these posts.

I love epicor and love the work being put in. Thank you.

1 Like

Is this for when you are using an IdP? My 2022.2.10 instance just gives me this prompt right away.

Then if I choose Basic it gives me username/password; if I click Azure it does the Azure OAuth dance.

2 Likes

Well, you suggest allowing user information to be retrieved from the server in an unauthenticated call.
SSO only will be checked after login.

2 Likes

I thought about that after I posted it, but I don’t know best practices which is why I am speaking to you :wink:

I don’t know how AD does it securely in your case that you posted about:

If it wasn’t already apparent, I am wayyyy out of my comfort zone and expertise here…

1 Like

Click Azure in an incognito window. As I understand it, you will be redirected to the AAD login form, not authenticated in AAD automatically.

2 Likes

Here’s the flow right now (even in incognito): it looks like it makes a REST query to pull the information from Azure, including the AAD URL to forward to ours.

It makes a call to

https://server.tld.com/EpicorInstance/Apps/ERP/Home/sysconfig.json

Which returns all the different login options that are available.

{
  "ep.application": {
    "name": "homepage",
    "platform": "erp",
    "enableLoginFlow": false,
    "libPath": "."
  },
  "ep.login": {
    "defaultServerUrl": "",
    "eddUrl": ""
  },
  "ep.idpauth": {
    "redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/",
    "post_logout_redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/login",
    "response_type": "id_token token",
    "filterProtocolClaims": true,
    "loadUserInfo": true,
    "scope": "openid email roles",
    "automaticSilentRenew": "true",
    "silent_redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/silent-renew.html",
    "includeIdTokenInSilentRenew": false
  },
  "ep.telemetry": {
    "providerService": "Ice.BO.CompanySvc",
    "trackRouteChanges": false
  },
  "ep.erp.token": {
    "timeout": 0,
    "warnExpire": false,
    "warnExpireDuration": 10,
    "autoRenew": true,
    "secureCookie": true
  },
  "ep.erp.session": {
    "restPath": "api/v1"
  },
  "ep.walkme": {
    "testMode": false,
    "testId": "01e68e4cd4334c0dbbcaadf1df0c7f19",
    "id": "01e68e4cd4334c0dbbcaadf1df0c7f19"
  },
  "ep.shell.help.panel": {
    "elc": "https://erpcustomer.epicor.com/lms/public/signIn.do",
    "embedded": "#",
    "epicare": "https://epicor.com/epiccare/",
    "epicweb": "https://epicweb.epicor.com/",
    "epicIdeas": "https://epicor-manufacturing.ideas.aha.io/"
  },
  "ep.appcommunicator": {
    "debug": false
  },
  "ep.metafx": {
    "debug": false
  },
  "ep-mode": {
    "modeText": ""
  },
  "ep.erp.homepage": {
    "applyKineticOptIn": false
  },
  "ep.log": {
    "maxLogEntries": 1,
    "off": true
  },
  "ep.profiler": {
    "on": false
  }
}
3 Likes
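An added check over the `ep.idpauth` section of the sysconfig.json posted above (not Epicor's code). `lintIdpAuth` applies general OIDC client hygiene from the OAuth 2.0 Security BCP: `response_type` containing `token` is the implicit flow, which puts the access token in the URL fragment; every redirect URI should be https and on the application's own origin; the file is fetched unauthenticated, so it must contain no secrets. The sample object is the posted config reduced to that section. Whether Epicor's client accepts `response_type: "code"` is an assumption made only for the hardened copy produced by `hardenedIdpAuth`.

```javascript
// Constructed from the ep.idpauth section of the posted sysconfig.json.
const SAMPLE_SYSCONFIG = {
  'ep.idpauth': {
    redirect_uri: 'https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/',
    post_logout_redirect_uri: 'https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/login',
    response_type: 'id_token token',
    filterProtocolClaims: true,
    loadUserInfo: true,
    scope: 'openid email roles',
    automaticSilentRenew: 'true',
    silent_redirect_uri: 'https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/silent-renew.html',
    includeIdTokenInSilentRenew: false,
  },
};

function safeUrl(value) {
  try { return new URL(String(value)); } catch (e) { return null; }
}

// Returns a list of human-readable findings; an empty list means no issue found.
function lintIdpAuth(sysconfig) {
  const cfg = (sysconfig && sysconfig['ep.idpauth']) || {};
  const findings = [];

  // Implicit flow: any response_type that includes "token" returns the
  // access token in the fragment, exposed to history, referrers and scripts.
  const types = String(cfg.response_type || '').split(/\s+/).filter(Boolean);
  if (types.includes('token')) {
    findings.push('implicit-flow: response_type returns an access token in the URL fragment; prefer "code" with PKCE');
  }

  const scopes = String(cfg.scope || '').split(/\s+/).filter(Boolean);
  if (!scopes.includes('openid')) findings.push('scope: "openid" is required for an OIDC login');

  // All redirect targets must be https and share the application's origin.
  const base = safeUrl(cfg.redirect_uri);
  for (const key of ['redirect_uri', 'post_logout_redirect_uri', 'silent_redirect_uri']) {
    const u = safeUrl(cfg[key]);
    if (!u) { findings.push(`${key}: missing or not a valid URL`); continue; }
    if (u.protocol !== 'https:') findings.push(`${key}: not https`);
    if (base && u.origin !== base.origin) findings.push(`${key}: origin differs from redirect_uri`);
  }

  // sysconfig.json is served to unauthenticated clients: no secrets allowed.
  for (const key of Object.keys(cfg)) {
    if (/secret/i.test(key)) findings.push(`${key}: secret material in an unauthenticated config file`);
  }

  // The other flags are booleans; a string here means "false" would still be truthy
  // if a consumer checks it without parsing.
  if (typeof cfg.automaticSilentRenew === 'string') {
    findings.push('automaticSilentRenew: string value where the sibling flags are booleans');
  }
  return findings;
}

// Hardened copy: authorization code flow and a real boolean (assumed supported).
function hardenedIdpAuth(sysconfig) {
  const copy = JSON.parse(JSON.stringify(sysconfig));
  copy['ep.idpauth'].response_type = 'code';
  copy['ep.idpauth'].automaticSilentRenew = true;
  return copy;
}

module.exports = { SAMPLE_SYSCONFIG, lintIdpAuth, hardenedIdpAuth };
```

On the posted config the linter reports the implicit flow and the string-typed flag and nothing else; the three URIs are already https on one origin and the scope includes `openid`.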

No, this is not the correct URL.
Options are taken from the /api/.configuration endpoint.

That is what I mean by global settings. They can’t and don’t contain a per-user authentication method.
sysconfig.json is UXP-specific settings, also one per server, obviously.

2 Likes

I see

1 Like

You can force it to a particular home via the classic sysconfig, I believe.

4 Likes

That’s what my instance does today. #ImConfused

2 Likes

That’s where my mind was starting to wander: is there any way to have the browser go to a login screen with one auth method even though the server can accept multiple?

1 Like

That is because you did not check Preserve log on the Network tab :slight_smile:

2 Likes

Ah! I see! Thanks!

1 Like