Sure you do, you are just used to it.
Here’s a screenshot of the login window for zoom
And here’s the Login window for EpiUsers
Right that’s what I was saying… you’d almost have to have a separate app server to only allow SSO.
So the SSO only option in the user account settings becomes a setting to not allow them to log into any other app servers except ones set up for SSO.
I see Jose, thank you!
I guess the issue I am having in an enterprise setting is that my users don’t know what Epicor Basic and SSO are… and quite frankly, why should they?
why should they?
Make it part of your training. Generally you’d have 1 that most people use.
Right on, I think that’s what I am taking away:
Generally you’d have 1 that most people use.
So set up an app server to use the auth method you want to use and eliminate the choice and the extra training.
Thanks for the feedback and examples of logins Jose, I appreciate it.
After seeing your examples, I would like to rephrase my statement…
My next question is, when I choose basic auth and type in the wrong password does a windows login screen pop up still or is that fixed?
Actually, even Azure AD requires authentication first before getting something user-specific.
So here we have a list of auth methods, similar to the authentication methods defined for a tenant in AAD.
Perfectly put Olga, so we should put in username/email first then present the authentication methods available based on tenant and in Epicor user account settings (i.e. SSO only)
That’s how I would picture it, but I’m splitting hairs here. I love Epicor and all the work being put in.
That’s what I need to get across in these posts.
I love epicor and love the work being put in. Thank you.
Actually, even Azure AD requires authentication first before getting something user-specific.
Is this for when you are using IDP? My 2022.2.10 instance just gives me this prompt right away
Then if I choose basic it gives me username / password, if I click Azure it does the Azure OAuth dance.
Well, you suggest allowing the client to get user information from the server in an unauthenticated call.
SSO only will be checked after login.
I thought about that after I posted it, but I don’t know best practices which is why I am speaking to you
I don’t know how AD does it securely in your case that you posted about:
- You enter email,
- It gets authentication methods based on tenant your email belongs to, not on email itself.
If it wasn’t already apparent, I am wayyyy out of my comfort zone and expertise here…
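The design Olga is describing, as an added example (not Epicor’s code): the unauthenticated discovery step only reveals what the e-mail domain’s tenant allows, and the per-user “SSO only” flag is enforced after the password check. Tenants, users and method names are constructed sample data.

```python
# Added example (not Epicor's code): tenant-level method discovery keyed by
# e-mail domain, with the per-user SSO-only flag checked only after login.
# All tenants, users and methods below are constructed sample data.
from __future__ import annotations
import hmac
from dataclasses import dataclass

# Tenant-level settings: what the *domain* allows. Safe to reveal pre-auth.
TENANT_METHODS = {
    "example.com": ["azure"],            # SSO-only tenant
    "contoso.test": ["basic", "azure"],  # mixed tenant
}
DEFAULT_METHODS = ["basic", "azure"]     # unknown domains get the generic list

@dataclass
class User:
    email: str
    password: str    # plaintext only because this is a toy example
    sso_only: bool   # the per-user account flag ("SSO only")

USERS = {
    "alice@contoso.test": User("alice@contoso.test", "hunter2", sso_only=True),
    "bob@contoso.test": User("bob@contoso.test", "s3cret", sso_only=False),
}

def discover_methods(email: str) -> list[str]:
    """Unauthenticated call: depends only on the domain, never on whether the
    user exists or on any per-user setting, so the response is identical for a
    real user, a non-existent user and an SSO-only user of the same tenant."""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return list(TENANT_METHODS.get(domain, DEFAULT_METHODS))

def basic_login(email: str, password: str) -> tuple[bool, str]:
    """Credentials are verified first; the SSO-only flag is evaluated only
    afterwards, matching 'SSO only will be checked after login'."""
    user = USERS.get(email)
    # One failure message for unknown user and wrong password alike.
    if user is None or not hmac.compare_digest(user.password, password):
        return False, "invalid credentials"
    if user.sso_only:
        return False, "account restricted to SSO"
    return True, "ok"
```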
Click Azure in an incognito window. As I understand it, you will be redirected to the AAD login form, not authenticated in AAD automatically.
Here’s the flow right now (even in incognito): it looks like it makes a REST query to pull the information from Azure, including the AAD URL to forward to ours.
It makes a call to
https://server.tld.com/EpicorInstance/Apps/ERP/Home/sysconfig.json
Which returns all the different login options that are available.
{
"ep.application": {
"name": "homepage",
"platform": "erp",
"enableLoginFlow": false,
"libPath": "."
},
"ep.login": {
"defaultServerUrl": "",
"eddUrl": ""
},
"ep.idpauth": {
"redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/",
"post_logout_redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/login",
"response_type": "id_token token",
"filterProtocolClaims": true,
"loadUserInfo": true,
"scope": "openid email roles",
"automaticSilentRenew": "true",
"silent_redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/silent-renew.html",
"includeIdTokenInSilentRenew": false
},
"ep.telemetry": {
"providerService": "Ice.BO.CompanySvc",
"trackRouteChanges": false
},
"ep.erp.token": {
"timeout": 0,
"warnExpire": false,
"warnExpireDuration": 10,
"autoRenew": true,
"secureCookie": true
},
"ep.erp.session": {
"restPath": "api/v1"
},
"ep.walkme": {
"testMode": false,
"testId": "01e68e4cd4334c0dbbcaadf1df0c7f19",
"id": "01e68e4cd4334c0dbbcaadf1df0c7f19"
},
"ep.shell.help.panel": {
"elc": "https://erpcustomer.epicor.com/lms/public/signIn.do",
"embedded": "#",
"epicare": "https://epicor.com/epiccare/",
"epicweb": "https://epicweb.epicor.com/",
"epicIdeas": "https://epicor-manufacturing.ideas.aha.io/"
},
"ep.appcommunicator": {
"debug": false
},
"ep.metafx": {
"debug": false
},
"ep-mode": {
"modeText": ""
},
"ep.erp.homepage": {
"applyKineticOptIn": false
},
"ep.log": {
"maxLogEntries": 1,
"off": true
},
"ep.profiler": {
"on": false
}
}
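A quick audit of the ep.idpauth and ep.erp.token sections of a sysconfig.json like the one above, as an added example (not Epicor’s code). The embedded sample is a constructed, shortened copy of that file, and the checks are general OAuth/OIDC hygiene (the “id_token token” response type is the implicit flow, redirect targets should be https on one origin, “true” stored as a string is worth a second look), not documented Epicor requirements.

```python
# Added example (not Epicor's code): audit the IdP-related settings of a
# sysconfig.json. SAMPLE_SYSCONFIG is a constructed, shortened copy of the
# file posted in the thread; the checks encode general OAuth/OIDC hygiene.
from __future__ import annotations
import json
from urllib.parse import urlparse

SAMPLE_SYSCONFIG = json.loads("""{
  "ep.idpauth": {
    "redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/",
    "post_logout_redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/login",
    "response_type": "id_token token",
    "scope": "openid email roles",
    "automaticSilentRenew": "true",
    "silent_redirect_uri": "https://epicor.tld.com/EpicorInstanceName/Apps/Erp/Home/silent-renew.html"
  },
  "ep.erp.token": {"autoRenew": true, "secureCookie": true}
}""")

def audit_sysconfig(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    idp = cfg.get("ep.idpauth", {})
    # 1. 'token' in response_type means the implicit flow: the access token is
    #    delivered in the URL fragment. Authorization code + PKCE is preferred.
    if "token" in idp.get("response_type", "").split():
        findings.append("implicit flow: access token returned in URL fragment")
    # 2. Every redirect target must be https and share one origin; otherwise
    #    tokens could be delivered to a different host.
    origins = set()
    for key in ("redirect_uri", "post_logout_redirect_uri", "silent_redirect_uri"):
        uri = idp.get(key, "")
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings.append(f"{key}: not https ({uri!r})")
        origins.add((parsed.scheme, parsed.netloc))
    if len(origins) > 1:
        findings.append("redirect URIs span more than one origin")
    # 3. Boolean settings stored as strings ("true") are easy to misread;
    #    flag them so the operator confirms how the client interprets them.
    for key, val in idp.items():
        if isinstance(val, str) and val.lower() in ("true", "false"):
            findings.append(f"{key}: boolean stored as string {val!r}")
    # 4. The session token cookie should carry the Secure attribute.
    if cfg.get("ep.erp.token", {}).get("secureCookie") is not True:
        findings.append("ep.erp.token.secureCookie is not true")
    return findings
```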
No, this is not the correct URL.
Options are taken from the /api/.configuration endpoint.
That is what I mean by global settings. They can’t and don’t contain a per-user authentication method.
sysconfig.json is UXP-specific settings, also 1 per server obviously
They can’t and don’t contain a per-user authentication method.
I see
Hmmmm, I wonder if you can just disable the dropdown via the config file?
You can force it to a particular home via the classic sysconfig, I believe.
No, this is not the correct URL.
That’s what my instance does today. #ImConfused
You can force it to a particular home via the classic sysconfig, I believe.
That’s where I was starting to wander in my mind, is there any way to have the browser go to a login screen with one auth method even though the server can accept multiple?
That is because you did not check Preserve log on the Network tab.
Preserve log on the Network tab
ah! I see! Danke!