Integration with AD FS
You integrate MYOB Acumatica with Microsoft Active Directory Federation Services (AD FS) when you want to manage users and access rights using Active Directory (AD) and your MYOB Acumatica instance is deployed on the Internet but not in your organization's intranet.
Integration of MYOB Acumatica with AD FS also provides single sign-on for domain users between your MYOB Acumatica instance and other services that use AD FS.
Requirements
To seamlessly integrate your AD FS server and your MYOB Acumatica instance, make sure that the following requirements are met.
- AD FS version 3.0 (included in Windows Server 2012 R2) or later is installed.
- AD FS is configured to provide access to external web services.
- The domain users have preconfigured email addresses.
Configuration Steps
You can configure integration with AD FS when you implement MYOB Acumatica or at any later time. To integrate an instance of MYOB Acumatica with AD FS, you perform the following steps:
- Configure the AD FS server. Do the following:
- Configure AD FS Relying Party Trust to register your MYOB Acumatica instance with AD FS. For details, see To Configure the AD FS Relying Party Trust.
- Configure claims for MYOB Acumatica, as described in To Configure AD FS Claims.
- Enable integration with AD FS by modifying the web.config file of the application instance, as described in To Enable AD FS Integration with MYOB Acumatica.
Important: When you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
- Map the AD FS claims to MYOB Acumatica roles. This process is described in To Map AD FS Claims to Roles in MYOB Acumatica.
- Optional: If required, override the roles assigned to any user automatically by selecting the required roles manually. For details, see To Set Up Role Assignment for Domain Users.
- Optional: If you want to use the AD FS service as the default identity provider, enable silent logon with AD FS, as described in To Enable Silent Logon.
User Accounts of Domain Users in MYOB Acumatica
After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your MYOB Acumatica instance for the first time.
The accounts of domain users in MYOB Acumatica are based on their accounts in the domain. The password of a domain user in MYOB Acumatica is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in MYOB Acumatica.
To speed up authentication of users, MYOB Acumatica automatically caches the information about AD groups if the number of user groups is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. To update the list of user groups in Acumatica ERP with current information from AD, click Reload AD Groups on the toolbar of the User Roles (201005) form.
The Reload AD Groups button appears only when you have integrated your MYOB Acumatica instance with AD, AD FS, or Azure AD and the number of user groups in AD, AD FS, or Azure AD is greater than or equal to the value of the ADGroupCacheLimit parameter specified in the web.config file. If the number of users and groups in AD is less than the value of the ADGroupCacheLimit parameter, MYOB Acumatica retrieves the lists of users and groups directly from AD.
Domain User Authentication
After you integrate MYOB Acumatica with AD FS, users sign in to MYOB Acumatica through single sign-on (SSO) with the domain. By default, users authenticate themselves as follows:
- On the Sign-In page of your MYOB Acumatica instance, the user selects the Azure AD icon to open the AD FS sign-in page.
- On the sign-in page, the user enters the domain credentials in the following format: <User_Name>@<Domain_Name>, where <User_Name> is the user account name in the integrated domain and <Domain_Name> is the UPN suffix, also known as the domain name.
To simplify the procedure, you can configure silent logon with the AD FS server. For more information, see To Enable Silent Logon.
Domain User Authorization
When a domain user tries to access MYOB Acumatica, user authorization occurs as follows:
- The application instance sends an authentication request to the AD server to validate the user's credentials.
- When validation has completed successfully, the AD server sends MYOB Acumatica the list of AD groups to which the user is assigned.
- MYOB Acumatica compares the list of AD groups with the internal MYOB Acumatica roles, based on the mapping rules defined on the User Roles (SM201005) form.
- The system finds any MYOB Acumatica roles that are associated with AD groups to which the domain user account is assigned. If MYOB Acumatica finds at least one role, the user is permitted to sign in to the MYOB Acumatica instance.
The user access rights within the MYOB Acumatica application instance are based on the internal list of roles.
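The following Python script is an added illustration of the authorization rules described above (group-to-role mapping, the "at least one role" sign-in rule, the manual role override, and the ADGroupCacheLimit threshold from the caching section); it is not code from MYOB Acumatica or from its documentation. The mapping table, the limit value, the user logins, and the group names are constructed sample data, and the assumption that a manual role assignment fully replaces the automatically mapped roles is the author's own reading of this page.

```python
# Added example: models how a domain user's AD groups are turned into
# MYOB Acumatica roles and whether sign-in is permitted. Not product code.

# Constructed sample value; the real value is the ADGroupCacheLimit
# parameter in the instance's web.config.
AD_GROUP_CACHE_LIMIT = 3

# Constructed mapping of AD group -> MYOB Acumatica role, standing in for
# the mapping rules defined on the User Roles (SM201005) form.
GROUP_TO_ROLE = {
    "Finance Users": "Financial Supervisor",
    "Sales Team": "Sales Representative",
    "IT Admins": "Administrator",
}


def is_valid_upn(login):
    """True if login has the form <User_Name>@<Domain_Name> with both parts present."""
    if login.count("@") != 1:
        return False
    user, domain = login.split("@")
    return bool(user) and bool(domain)


def split_upn(login):
    """Split '<User_Name>@<Domain_Name>' into (user, upn_suffix); reject malformed input."""
    if not is_valid_upn(login):
        raise ValueError("login must be in the form <User_Name>@<Domain_Name>")
    user, domain = login.split("@")
    return user, domain.lower()


def roles_for_groups(groups, mapping=GROUP_TO_ROLE):
    """Return the sorted list of roles mapped from the given AD groups.

    Groups with no mapping rule contribute nothing (e.g. a "Printer Users"
    group that was never mapped on the User Roles form).
    """
    return sorted({mapping[g] for g in groups if g in mapping})


def authorize(login, ad_groups, manual_roles=None, mapping=GROUP_TO_ROLE):
    """Decide whether an already-validated domain user may sign in, and with which roles.

    ad_groups is the group list the AD server returned after credential
    validation. manual_roles, when given, is the set of roles an administrator
    selected for this user; it is assumed here to replace the mapped roles.
    """
    user, domain = split_upn(login)
    roles = set(roles_for_groups(ad_groups, mapping))
    if manual_roles is not None:
        roles = set(manual_roles)
    # The sign-in rule from the page: at least one role must be found.
    allowed = len(roles) > 0
    return {"user": user, "domain": domain, "allowed": allowed, "roles": sorted(roles)}


def should_cache_groups(group_count, limit=AD_GROUP_CACHE_LIMIT):
    """Groups are cached only when the count reaches the ADGroupCacheLimit value."""
    return group_count >= limit


if __name__ == "__main__":
    # Constructed sample logins and group memberships.
    print(authorize("jdoe@example.com", ["Finance Users", "Printer Users"]))
    print(authorize("guest@example.com", ["Printer Users"]))
    print(authorize("guest@example.com", ["Printer Users"],
                    manual_roles=["Sales Representative"]))
    print("cache 3 groups:", should_cache_groups(3), "cache 2 groups:", should_cache_groups(2))
```

A user whose only groups are unmapped ends up with no roles and is refused, which is the behaviour to verify when a login unexpectedly fails after a group rename in AD: check the mapping on the User Roles form before assuming a credential problem.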
For more information about authentication in MYOB Acumatica, see Managing User Access. For details about roles and access rights in MYOB Acumatica, see Configuring User Roles.
Access Rights of Domain Users
Domain users inherit access rights from the AD groups that you mapped to MYOB Acumatica user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights.
New domain users automatically get the rights to sign in to MYOB Acumatica when they join a domain. The membership of these users in MYOB Acumatica roles is then automatically updated to comply with the membership of the users in the domain groups.