SSOLogonDef section - HxGN EAM - 11.07.01 - Feature Briefs - Hexagon

HxGN EAM Single Sign-On


The ssoLogonDef block is used only when connecting to an Infor SSO server. It must not be used for custom SSO implementations.

  • name - Each logon definition must have a unique name. The name must be unique across all ssoLogonDef and customLogonDef blocks.

  • logonURL - The URL of the HxGN EAM module that communicates with the SAML server.

    • Since the browser will be redirected to this URL, the URL must be accessible from the browser.

    • The default value will normally not need to be changed.

  • logoutURL - The URL to which the browser will be redirected when the user logs out of HxGN EAM.

    • Note: Do not set the logoutURL to the HxGN EAM login page. If the logoutURL points to the login page, users will be unable to log out at all.

  • ssoLogoutURL - The URL to which the browser will be redirected if the HxGN EAM session times out.

  • STSEndpoint

    • Use a browser to access the ADFS mex address endpoint (see ‘STSMexAddress’ below).

    • In the resulting XML document, search for an address ending in "2005/usernamemixed".

    • Use the entire URL for the STSEndpoint.

  • STSKeyType

    • The default value should not be altered.

  • STSMexAddress

    • To find the Message Exchange Address using the ADFS console:

      • Navigate to Service > Endpoints.

      • Locate the Metadata section.

      • The Metadata section should contain an entry whose type is WS-MEX.

      • Copy the URL Path for this entry.

      • The complete mex address is a URL using this path. The mex address will look something like https://<adfsserver>:<optional port>/adfs/services/trust/mex.
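Added example (not code from the page or from Hexagon): a small Python parser that carries out the STSEndpoint and STSMexAddress steps above against a downloaded MEX document, listing every endpoint address and picking the one ending in 2005/usernamemixed. The XML below is a constructed fragment in the shape of an ADFS WS-MEX response, and the host adfs.example.test is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of an ADFS MEX (WS-MetadataExchange) response;
# not a capture from a real server. Host name is a placeholder.
SAMPLE_MEX = """<?xml version="1.0"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:wsa10="http://www.w3.org/2005/08/addressing">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="UserNameWSTrustBinding_IWSTrust13Async">
      <wsa10:EndpointReference>
        <wsa10:Address>https://adfs.example.test/adfs/services/trust/13/usernamemixed</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
    <wsdl:port name="UserNameWSTrustBinding_IWSTrustFeb2005Async">
      <wsa10:EndpointReference>
        <wsa10:Address>https://adfs.example.test/adfs/services/trust/2005/usernamemixed</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def endpoint_addresses(mex_xml: str) -> list:
    """Return every endpoint Address in a MEX/WSDL document, ignoring namespaces."""
    root = ET.fromstring(mex_xml)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Address" and el.text]


def sts_endpoint(mex_xml: str, suffix: str = "2005/usernamemixed") -> str:
    """The value to put in STSEndpoint: the single address ending in the given suffix."""
    matches = [a for a in endpoint_addresses(mex_xml) if a.endswith(suffix)]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one address ending in {suffix!r}, found {matches}")
    return matches[0]


if __name__ == "__main__":
    # Replace SAMPLE_MEX with the body fetched from https://<adfsserver>/adfs/services/trust/mex
    for address in endpoint_addresses(SAMPLE_MEX):
        print("endpoint:", address)
    print("STSEndpoint:", sts_endpoint(SAMPLE_MEX))
```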

  • STSPolicyID - Should be left blank when connecting to ADFS.

  • userAttribute - The name of the SAML attribute containing the userid (the unique identifier for the user).

    • This value must exactly match, including case, a Claim Type in ADFS

      • See the Claim Descriptions screen (under the Service tab)

    • Filter

      • In the event that the userid is a substring of the value returned in the SAML claim, a filter may be specified to extract the userid from the SAML value.

      • Requirements for the filter string:

        • It must be a valid Java regular expression.

        • Group number 1 will be used to extract the userid substring. If other groups exist they must be non-capturing.

      • If the filter is omitted the entire SAML value will be used.

  • primaryRoleAttribute - The name of the SAML attribute containing an EAM role name.

    • The value must match a role defined on the EAM roles screen.

    • This value must exactly match, including case, a Claim Type in ADFS.

      • See the Claim Descriptions screen (under the Service tab).

    • If this value is omitted, user records must already exist in the EAM database.

    • Filter (see details under the userAttribute above).
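Added example (not part of the page or of the product): a dry-run of the filter rules given for userAttribute and primaryRoleAttribute above, applied to constructed claim values. Python's re module stands in for the Java regex engine EAM uses; the two patterns shown are valid in both.

```python
import re


def extract_userid(saml_value: str, filter_regex: str = "") -> str:
    """Apply a userAttribute/primaryRoleAttribute filter as the page describes it.

    Rules: group 1 of the regular expression is the userid; any other group must be
    non-capturing; when no filter is configured the whole SAML value is used.
    """
    if not filter_regex:
        return saml_value                       # filter omitted: entire value
    pattern = re.compile(filter_regex)          # raises re.error if not a valid regex
    if pattern.groups != 1:
        raise ValueError(
            f"filter has {pattern.groups} capturing groups; keep one and write the rest as (?:...)")
    match = pattern.search(saml_value)
    if match is None:
        raise ValueError(f"filter {filter_regex!r} does not match {saml_value!r}")
    return match.group(1)


# Constructed sample claim values (not from the page), one per common shape.
SAMPLE_CASES = [
    ("jsmith@example.test", r"^([^@]+)@",          "UPN: keep the part before @"),
    ("CORP\\jsmith",        r"^(?:[^\\]+)\\(.+)$", "DOMAIN\\user: domain group is non-capturing"),
    ("jsmith",              "",                    "no filter: value used unchanged"),
]


def check_all(cases=SAMPLE_CASES) -> dict:
    """Run every case; returns {saml_value: userid} so a filter can be tested before deployment."""
    return {value: extract_userid(value, flt) for value, flt, _ in cases}


if __name__ == "__main__":
    for value, userid in check_all().items():
        print(f"{value!r:24} -> {userid!r}")
```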

  • identityProviderID - A unique identifier for the Identity Provider (e.g. ADFS).

    • By default this value will be automatically populated using the idpEntityID from the yaml configuration.

    • The value only needs to be entered manually if more than one Identity Provider is configured. The ID should be copied from the entityID attribute in the appropriate idp*.xml file.

  • identityProviderType - Defaults to ADFS. This setting should be left unchanged when connecting to ADFS.

  • logonRedirectTimeout

    • When control returns to EAM from an SSO server, parameters are passed to EAM in an encrypted string by means of an HTTP POST from the browser.

    • To minimize the possibility of a replay attack, the encrypted string contains a timestamp indicating how long the string remains valid.

    • The timestamp value is given in seconds.

    • The server defaults this value to 300 seconds. The minimum value is 5 seconds; any smaller value will be ignored.

  • faaConfig - This section is only used when EAM is running in the SaaS environment.

    • tenantCookieDomain
      The domain name to use when setting the FAACustomerID cookie

      • The name will normally begin with a dot (‘.’)

      • If this property is present the tenantID must be of the form "CustomerID_somestring".

    • qualifyUserNames
      A Boolean value. If true, the userid sent in a WS-Trust request will be of the form CustomerID_userid.

      • The customerID will be extracted from the tenantID passed in the SOAP request.

      • If this attribute is set to true, the tenantID must be of the form "CustomerID_somestring"

    • transmitTenant
      Transmit the entire tenant ID, not just the customer ID portion, with a WS-Trust request.

      • The transmitTenant and qualifyUserNames elements should not be used together. If both elements are present, the qualifyUserNames element will be ignored.

  • internalUserAttribute - The name of a SAML claim whose value is a displayable user name.

    • If the logon process results in the automatic creation of a record in r5users, the value of this attribute will be used to populate the usr_code column (provided the value is <= 30 characters). This column will be displayed to end users on various screens.

  • emailAttribute - The name of a SAML claim whose value contains the user’s email address.

    • If the logon process results in the automatic creation of a record in r5users, the value of this claim will be used to populate the email address in r5users.

  • userDescriptionAttribute

    • The name of a SAML claim whose value contains a description of the user. The value will be used to populate the description in r5users.