I had a long discussion with Epicor support and learned that SSO is not what I thought. Single sign-on, to me, would mean logging into Windows and then not having to log in to Epicor afterwards. The Windows authentication should be enough to allow the user to use Epicor.
We are cloud, not on-prem. The closest we can get is if we use Entra ID with a conditional access policy (whatever that means). Even that will still require the users to log in to Epicor after logging into Windows.
It sounds like SSO would be good for users that log into Epicor, and also log into Ideas, and EpicWeb. None of our users log in to anything but Epicor.
We already use Duo MFA for AD users logging into Windows. Let's just figure out a way to pass this auth to Epicor. Right?
SSO is definitely a misnomer. However, if you configure it to work with your Entra authentication then they at least do not need a separate password to log into Epicor - they just need to complete their normal Entra authentication process. And the MFA is then also covering your Epicor accounts. So there is value in it.
You can pass that, there are instructions on how to set up Entra ID for your Epicor users so they can use that exact method. @bderuvo gave a presentation on it at Insights and it has all those extra capabilities like conditional access that you just spoke about, whereas IDP doesn't, right @aosemwengie1?
Single Sign-On means you use the same credentials across multiple services, which is already what Epicor is doing today (via Entra or IDP).
What you are thinking of is the old Windows Integrated Authentication (WIA) that used Kerberos or, in older setups, NTLM. That required a local Active Directory and was very Windows specific. It basically said “Get the current user from the computer and pass that ID as the logged-in user.”
That worked for on-prem applications, but web-based products do not handle it well unless the browser is built into the operating system, like Internet Explorer. It was also a pain to maintain and had no flexibility. If you wanted to log in as a different user, you had to log off or restart the machine.
Modern SSO uses standards like OAuth 2.0, SAML, and OpenID Connect. These are more flexible and work across browsers, devices, and platforms. When I log into Epicor with Entra ID I only authenticate once against Entra. Epicor stores a token and refresh token, and every time I log in it silently uses that to get a fresh token.
Yes, I see a “Login Here” button in Epicor, but clicking it immediately signs me in without typing my password again because my Entra session is still valid.
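To make the token flow in the post above concrete, here is an added illustration (not code from the thread, from Epicor, or from Microsoft): a toy model in Python of an OpenID Connect style identity provider and a client that caches an access token and a refresh token. The user name, password, token lifetimes, and HMAC-signed token format are all constructed assumptions for the demo; a real IdP such as Entra ID issues RS256 JWTs with many more claims. What it shows is the point being argued: the password is checked exactly once, later "logins" are silent refreshes, and only when the refresh token is revoked or expired does the user get a real prompt again.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo signing key and lifetimes for the toy identity provider (assumptions).
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
ACCESS_TTL = 60          # seconds an access token is valid
REFRESH_TTL = 8 * 3600   # seconds a refresh token is valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint(claims: dict) -> str:
    """Produce a compact signed token: base64(claims).base64(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{mac}"


def read(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature verifies and the token has not expired."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None


class IdentityProvider:
    """Stand-in for Entra ID. The password is only ever checked in interactive_login()."""

    def __init__(self):
        self.users = {"alice@example.com": "correct horse battery staple"}  # constructed
        self.refresh_store = {}   # refresh token -> (subject, expiry)
        self.interactive_logins = 0

    def _issue(self, subject: str, now: int) -> dict:
        refresh = secrets.token_urlsafe(32)   # opaque, tracked server-side
        self.refresh_store[refresh] = (subject, now + REFRESH_TTL)
        return {"access_token": mint({"sub": subject, "exp": now + ACCESS_TTL}),
                "refresh_token": refresh}

    def interactive_login(self, user: str, password: str, now: int) -> Optional[dict]:
        self.interactive_logins += 1
        if self.users.get(user) != password:
            return None
        return self._issue(user, now)

    def refresh(self, refresh_token: str, now: int) -> Optional[dict]:
        """Refresh grant: no password involved; the refresh token is rotated on every use."""
        entry = self.refresh_store.pop(refresh_token, None)
        if entry is None or entry[1] <= now:
            return None
        return self._issue(entry[0], now)

    def revoke(self, refresh_token: str) -> None:
        """What an admin 'sign out everywhere' or a failed policy re-evaluation would do."""
        self.refresh_store.pop(refresh_token, None)


class Client:
    """Stand-in for the Epicor client: caches tokens and only prompts when it must."""

    def __init__(self, idp: IdentityProvider, user: str):
        self.idp, self.user, self.tokens = idp, user, None
        self.prompts = 0   # how many times the user actually typed a password

    def get_access_token(self, now: int, password_prompt) -> str:
        # 1. cached access token still valid: use it silently
        if self.tokens and read(self.tokens["access_token"], now):
            return self.tokens["access_token"]
        # 2. access token expired: silent refresh (the "Login Here" button just opens the door)
        if self.tokens:
            fresh = self.idp.refresh(self.tokens["refresh_token"], now)
            if fresh:
                self.tokens = fresh
                return fresh["access_token"]
        # 3. no usable refresh token: the user has to authenticate interactively again
        self.prompts += 1
        self.tokens = self.idp.interactive_login(self.user, password_prompt(), now)
        if self.tokens is None:
            raise PermissionError("interactive login failed")
        return self.tokens["access_token"]


def simulate() -> dict:
    """Walk one client through a day and report how often a password was really typed."""
    idp = IdentityProvider()
    client = Client(idp, "alice@example.com")

    def prompt():
        return "correct horse battery staple"

    t0 = 1_700_000_000
    client.get_access_token(t0, prompt)                      # morning: real login
    after_first = client.prompts
    client.get_access_token(t0 + 30, prompt)                 # cached access token reused
    client.get_access_token(t0 + ACCESS_TTL + 5, prompt)     # expired -> silent refresh
    after_refresh = client.prompts
    idp.revoke(client.tokens["refresh_token"])               # session killed at the IdP
    client.get_access_token(t0 + 2 * ACCESS_TTL + 10, prompt)  # must re-authenticate
    return {"after_first": after_first, "after_refresh": after_refresh,
            "after_revoke": client.prompts, "idp_logins": idp.interactive_logins}


if __name__ == "__main__":
    print(simulate())
```

Running it shows one password prompt in the morning, none when the access token expires an hour later, and a second prompt only after the refresh token is revoked at the identity provider. That revoke step is also where conditional access earns its keep: the IdP, not the Epicor client, decides whether the silent refresh is still allowed.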
Right, but I still think it's a misnomer - yes, you only have one set of credentials, but you don't get to sign on "just once" as the term SINGLE sign-on implies.
If I understood Jose and what single sign on means, it means I have one single method of signing on (Entra). Making up our own definition or interpretation is why we get frustrated.
Nobody is making anything up - single sign on USED TO mean you signed in one time. Yes technology has moved on but this term continues to cause confusion as the meaning has changed over time.
Personally, "single sign-on" means how many times I have to enter my password. I log in to my computer in the morning (or really the VPN), and then for any of the systems I use that are configured for SSO, all I need to do is click what amounts to a "log me in" button and then I'm in.
I’m just leery of any shortcuts on security stuff…hell, I don’t even like clicking “save my password” on anything. Guess I’m just an old coot that doesn’t trust technology.
I’m thinking of the Morpheus meme where it has text that says “what if I told you…” and then what if everything we thought SSO was, was never really SSO and now we think it is and are frustrated by it.
But you mostly do. As I demonstrated above, I didn't have to "sign in" again, I just had to push the door open. We could be splitting hairs, but I didn't have to type in my email or my password; all I had to do was say "yes, please let me in."