18 Jun
Single Sign On (SSO) for Sage X3
In my previous post we talked about Single Sign On (SSO) and how we can apply it to a Sage 300 installation. In this post I'm going to cover the SSO options for Sage X3, specifically the LDAP option.
Recapping, Single Sign On (SSO) is the process of centralising authentication data. The benefit of using SSO is that a user signs on once and uses those credentials across multiple applications without further login prompts.
The most common options to achieve this in Sage X3 are LDAP and SAML2 authentication.
What is LDAP
LDAP stands for Lightweight Directory Access Protocol. It is a standard that defines how directory resources can be accessed and distributed over a network. An application authenticates via LDAP against a directory server, such as Active Directory, which holds resources such as usernames and passwords.
What is SAML2
SAML2 stands for Security Assertion Markup Language 2.0. The idea behind this is that user credentials are presented to a token-issuing identity provider rather than to the application itself. The identity provider issues a signed security token (an assertion) that is passed to the application and verified against the user account held within the identity provider.
Implementing LDAP in Sage X3
The main steps involved for LDAP setup are below.
- Entering the LDAP server details.
- Specifying the distinguished name (DN) and password of a bind account that has rights to search LDAP groups.
- Specifying the search base, which is the group of resources to use on the LDAP server.
- Setting a schedule for synchronising settings.
- Importing and mapping users.
See the Sage X3 guide for full implementation details.
Your final settings would be similar to the image below. Of note is the Search Base, which pinpoints a specific group of resources on the server rather than pulling in ALL resources.
Generally your LDAP synchronise settings would be similar to what we have below. The synchronisation process is important, as any user changes on the directory server need to be reflected in Sage X3.
The final step involves mapping Sage X3 user IDs to users from the directory server. Sage X3 allows a mixture of authentication methods for specific users, so you can use LDAP for the majority of employees while external contractors use standard authentication.
Some tips for LDAP in Sage X3
Below are some tips we would like to share from numerous implementations of LDAP authentication for Sage X3.
The first one is to create your Sage X3 user IDs to match the LDAP usernames. During the import process Sage X3 will automatically map the LDAP username to the Sage X3 user ID if they are the same. In most cases the automapping works as expected, allowing you to import and set up many resources easily. This is an especially useful feature for larger implementations, where importing and maintaining a large set of users from the central authentication system into Sage X3 can be mostly automated. Please note that X3 has a limit on user ID size, and manual mapping might still be needed if the LDAP username exceeds this limit.
Another tip is the use of the Search Base. This narrows the scope of resources that X3 will search for on the LDAP server. We generally recommend creating a Sage X3 resource group and adding all required users to that group. This will prevent the import process from importing ALL users on the LDAP server.
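To make the two tips above concrete, here is an added Python example (not Sage X3's own import routine, and not code from the original post) that simulates the scoped search and the automapping step. The directory entries are constructed sample data, the group and base DNs are made up, and the user ID length limit is a placeholder because the post does not state the actual Sage X3 limit.

```python
"""Simulate the LDAP import-and-map step described in the post.

Example code added for illustration; it is not Sage X3's own import
routine. The directory entries are constructed sample data and the
user ID length limit is a placeholder assumption.
"""
from dataclasses import dataclass

# Placeholder: Sage X3 enforces a user ID length limit, but the post does
# not state the exact size, so this value is an assumption for the demo.
X3_USER_ID_MAX_LEN = 8


@dataclass(frozen=True)
class LdapUser:
    dn: str                 # distinguished name of the directory entry
    sam_account_name: str   # the LDAP username that X3 matches against
    member_of: tuple        # DNs of the groups the entry belongs to


# Constructed sample directory contents (not a real directory).
SAGE_GROUP_DN = "CN=SageX3Users,OU=Groups,DC=example,DC=local"
DIRECTORY = [
    LdapUser("CN=J Smith,OU=Staff,DC=example,DC=local", "jsmith", (SAGE_GROUP_DN,)),
    LdapUser("CN=A Long Name,OU=Staff,DC=example,DC=local", "alongusername", (SAGE_GROUP_DN,)),
    LdapUser("CN=Contractor,OU=External,DC=example,DC=local", "contract1", ()),
    LdapUser("CN=B Jones,OU=Staff,DC=example,DC=local", "bjones", (SAGE_GROUP_DN,)),
]


def search(directory, base_dn, group_dn):
    """Return only entries under base_dn that belong to group_dn.

    This mimics a search base restricted to one subtree plus a group
    membership filter, so the whole directory is never pulled in."""
    suffix = "," + base_dn
    return [u for u in directory
            if u.dn.endswith(suffix) and group_dn in u.member_of]


def automap(ldap_users, existing_x3_ids, max_len=X3_USER_ID_MAX_LEN):
    """Map LDAP usernames onto Sage X3 user IDs.

    Returns (mapped, needs_manual): mapped is {x3_id: ldap_username} for
    names that matched an existing X3 ID exactly; needs_manual lists
    (username, reason) pairs that an administrator must map by hand."""
    mapped = {}
    needs_manual = []
    for u in ldap_users:
        name = u.sam_account_name
        if len(name) > max_len:
            needs_manual.append((name, "exceeds X3 user ID length limit"))
        elif name in existing_x3_ids:
            mapped[name] = name
        else:
            needs_manual.append((name, "no matching X3 user ID"))
    return mapped, needs_manual


def run_import(existing_x3_ids, base_dn="DC=example,DC=local"):
    """Full simulated import: scoped search followed by automapping."""
    return automap(search(DIRECTORY, base_dn, SAGE_GROUP_DN), existing_x3_ids)


if __name__ == "__main__":
    mapped, manual = run_import({"jsmith", "bjones", "other"})
    print("auto-mapped:", mapped)
    print("needs manual mapping:", manual)
```

Note that the contractor entry sits inside the search base but outside the Sage X3 group, so it is never returned by the search and never imported, which is exactly the scoping the Search Base tip is about; the over-long username is reported rather than silently dropped.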
In the next issue we will look at SAML2 for Sage X3. Stay tuned for that.