Part V: Appendices
Chapter 16: Implement Single Sign On
Use this chapter to implement single sign-on access to your Epicor ERP 10.1 application. Note that additional security implementation instructions are included in the Epicor ERP Implementation User Guide. To download the user guide, log onto EPICweb and select Documentation > User Guides. Under Epicor ERP 10.1, select the PDF icon to download the specific user guide.
Prior to implementing single sign on, you must determine your user identity authentication method for accessing the Epicor ERP application. If you need additional information to make your decision, refer to the "Authentication Options" information in the Epicor Architecture Guide.
16.1 Set Up Automatic Sign On (Epicor Account)
Use these steps so that users can set up their Epicor user accounts to automatically sign into the Epicor ERP application. When you launch the Epicor ERP application, you bypass the logon window and directly access the menu. When you activate this functionality, you create an encrypted login account that only works on the user's client installation. Because the saved credential bypasses the logon window, anyone who can open that user's Windows session can open Epicor as that user, so treat this setting as a per-workstation trust decision.
1. Navigate to System Setup > Security Maintenance > Password Policy Maintenance.
2. In the Permissions section, select the Allow save password check box.
3. Click Save.
4. Now when users log into the Epicor ERP application, they can decide whether to set up their client installation to sign on automatically. For example, to do this for your account, launch the Epicor ERP application.
5. On the Home page, click the Settings tile.
6. Verify the General Operations setting group is selected.
7. Click the Preferences... option.
8. On the Preferences dialog, select the Automatically sign on check box.
Note If you did not activate the Allow save password check box on Password Policy Maintenance in the previous step, the Automatically sign on check box is not available to select.
9. Click OK. The client installation saves your user name and encrypts your password.
The next time you launch this client installation, you automatically log into the application.
16.2 Set Up Single Sign On (Windows Account)
Use these steps to set up single sign on access using the same account you use to log into the Windows operating system.
To set up these accounts for Single Sign On, you must use Windows authentication. You configure the client, the server, and the application server to authenticate logons through Windows. Through this method, you can also set up other applications to log in automatically. Users can then access their complete environment.
You can use Single Sign On in environments that use token authentication, Windows Channel authentication, or Secure Sockets Layer (SSL) Channel authentication protocols.
16.2.1 Set Up User Account
Use these steps to set up a user account to use the Windows domain account. You do this in User Account Security Maintenance.
1. Navigate to System Setup > Security Maintenance > User Account Maintenance. Click the User ID field to find and select the user record for which you will activate the automated login feature.
2. Enter the Domain that the user accesses to log into the computer.
3. Enter this user's Domain User ID.
Tip When users log in automatically, the Epicor ERP application uses only this Domain User ID as the login value; the Epicor account password is ignored. Windows validated the password when the user first logged into the client machine, so the application needs only the Windows identity (Domain User ID) to decide whether the account can access the system. In other words, Epicor trusts the Windows logon: anyone who can sign in to Windows as that domain account can open Epicor as this user, so map each Epicor account to exactly one domain account and keep the mapping current when domain accounts are disabled or reassigned.
4. Select the Require Single Sign-On check box to restrict this user account to Single Sign On for logging into the Epicor ERP application. Select this check box when:
• The user will only access the server through Windows Authentication.
• The server only runs Windows Authentication for all application servers.
DO NOT select this check box when:
• The server is configured for multiple application servers that use different authentication methods. For example, if one application server uses Windows authentication while another application server uses UsernameToken via SSL authentication, do not select this check box.
• The user logs in through different authentication methods in different environments. For example, if the user logs in through Windows authentication at the office but logs in through UsernameToken via SSL authentication while working remotely without a VPN connection, do not select this check box.
5. Click Save.
16.2.2 Configure the Server
Verify the web configuration file for the application server uses the Windows TCP binding configuration.
1. Access the Epicor server and launch a file explorer.
2. Navigate to the \inetpub\wwwroot\<name_of_Epicor_appserver>\ directory.
3. Using a text editor like Notepad, open the web.config file.
4. Locate the line that begins with <add scheme=". Either remove the comment markers around this setting or modify it so that it reads <add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedWindows" />. Your web.config may look similar to the following:
Note Be sure that you only remove the comments from one <add scheme> setting. If another <add scheme> setting is active, comment out this additional setting. Also be aware that all client installations that connect to the system through this application server will need to use this same Windows authentication setting.
5. Save your changes. The server is now configured to use Windows authentication.
6. Close the text editor.
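As an added check that is not part of Epicor's documentation or tooling, the following PowerShell script loads an application server's web.config as XML and reports which <add scheme> entries are active and which are commented out, failing unless exactly one is active and it is the TcpCompressedWindows binding. The sample web.config content is constructed for illustration: the <protocolMapping> wrapper, the commented-out binding name TcpCompressedUsernameSslChannel, and the C:\inetpub\wwwroot\ERP10 path are assumptions; only the TcpCompressedWindows entry comes from the page.

```powershell
# Added example (not Epicor's own tooling): audit the <add scheme> entries in an
# application server's web.config so that exactly one is active and that it is
# the Windows binding. Paths and the non-Windows binding name are assumptions.

function Get-EpicorSchemeBindings {
    param([Parameter(Mandatory)][string]$WebConfigPath)

    # Load as XML so commented-out entries become XmlComment nodes, not elements.
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw

    # Active entries are real <add scheme="..."> elements.
    $active = @($cfg.SelectNodes('//add[@scheme]'))

    # A commented-out entry survives only as the text of a comment node.
    $commented = @($cfg.SelectNodes('//comment()') |
        Where-Object { $_.Value -match '<add\s+scheme=' })

    [pscustomobject]@{
        ActiveBindings    = @($active | ForEach-Object { $_.GetAttribute('bindingConfiguration') })
        CommentedBindings = @($commented | ForEach-Object {
            if ($_.Value -match 'bindingConfiguration="([^"]+)"') { $Matches[1] } })
    }
}

function Test-EpicorWindowsBinding {
    param([Parameter(Mandatory)][string]$WebConfigPath)

    $b = Get-EpicorSchemeBindings -WebConfigPath $WebConfigPath

    # The Note in step 4: only one <add scheme> setting may be active.
    if ($b.ActiveBindings.Count -ne 1) {
        throw "Expected exactly one active <add scheme> entry in $WebConfigPath, found $($b.ActiveBindings.Count): $($b.ActiveBindings -join ', ')"
    }
    # And that one must be the Windows binding for Single Sign On.
    if ($b.ActiveBindings[0] -ne 'TcpCompressedWindows') {
        throw "Active binding is '$($b.ActiveBindings[0])', expected 'TcpCompressedWindows'"
    }
    Write-Host "OK: $WebConfigPath maps net.tcp to TcpCompressedWindows (commented out: $($b.CommentedBindings -join ', '))"
    return $b
}

# Constructed sample of the relevant part of a web.config (not copied from a real
# server). The <protocolMapping> wrapper and the SSL binding name are assumptions.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <protocolMapping>
      <!--<add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedUsernameSslChannel" />-->
      <add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedWindows" />
    </protocolMapping>
  </system.serviceModel>
</configuration>
'@

$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-web.config'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Test-EpicorWindowsBinding -WebConfigPath $tmp

# Real use (path is an assumption; substitute your application server folder):
# Test-EpicorWindowsBinding -WebConfigPath 'C:\inetpub\wwwroot\ERP10\web.config'
```

Run the check after editing web.config and again after any server upgrade, since a reinstalled web.config may reactivate a different binding; because every client .sysconfig must use the matching Windows endpoint, a mismatch here shows up as clients that can no longer connect.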
16.2.3 Configure the Application Server
You must configure the application server to use the Windows account. You update these properties in the Epicor Administration Console. When an application server uses the Windows account, its task agent also uses this account to process the tasks users activate on client workstations.
1. On your server, launch the Epicor Administration Console.
2. Use the tree view to navigate to the application server. Expand the Server Management node, and then the <ServerName> node.
3. Select the application server you need to change. Information about the selected application server displays in the middle pane.
4. From the Actions pane, click Properties.
5. In the <Application Server Name> Properties dialog, click the Binding drop-down list and select the Windows option.
6. In the Authentication Credentials section, enter the Epicor User Name and Password for the Windows account. Be sure to enter this value using the <Domain>/User Name format.
Note In some versions of Epicor ERP, you do not need to enter the Epicor User Name and Password. The Windows account you set up on the server is automatically used, so these fields are inactive.
7. Click Apply.
8. Click OK. The application server now uses the same Windows account as the server.
Tip The next time you display the <ApplicationServerName> Properties window, the Epicor User Name and Password will be blank, as the application server incorporates this account as a default property.
16.2.4 Configure the Client
To complete the setup, you now update the configuration settings (.sysconfig) file on each client installation.
1. Access the Epicor client workstation. Launch a file explorer.
2. Navigate to the Epicor ERP client folder; open the Config folder.
3. Using Notepad or a similar text editor, open the [AppServerName].sysconfig file. This configuration file defines the settings that activate when the user launches the Epicor ERP client application.
4. Locate the setting that begins with <EndpointBinding value=". Modify this setting so that it reads <EndpointBinding value="Windows" options="UsernameSslChannel|Windows|UsernameWindowsChannel" />. Your file may look similar to the following:
Note Remember that all client installations connected to this application server will need to use this Windows configuration setting. Be sure you update all client .sysconfig files with this Windows endpoint value.
The Epicor ERP client is now configured to use Windows authentication.
5. If you are making the Single Sign On feature mandatory for all users, locate the setting that begins with <SingleSignOn value=". Change this line to display <SingleSignOn value="true" bool="" /> instead.
6. Save your changes.
7. Close the text editor.
8. Test the setup by double-clicking the Epicor ERP client icon. The logon window no longer displays; the
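The client-side edit in steps 3 through 7, as an added PowerShell example that is not Epicor's own tooling: it sets the EndpointBinding value and options and, optionally, SingleSignOn in a .sysconfig file, keeps a .bak copy of the original, and reads the result back. The sample .sysconfig content is constructed for illustration: only the EndpointBinding and SingleSignOn elements are taken from the page; the <configuration>/<appSettings> wrapper, the AppServer value, and the client folder path are assumptions.

```powershell
# Added example (not Epicor's own tooling): apply the Windows endpoint binding
# (and optionally mandatory Single Sign On) to a client .sysconfig file.

function Set-EpicorClientWindowsSso {
    param(
        [Parameter(Mandatory)][string]$SysconfigPath,
        [switch]$RequireSingleSignOn
    )
    [xml]$cfg = Get-Content -LiteralPath $SysconfigPath -Raw

    # Step 4: the endpoint binding must be Windows on every client of this server.
    $binding = $cfg.SelectSingleNode('//EndpointBinding')
    if ($null -eq $binding) { throw "No <EndpointBinding> element in $SysconfigPath" }
    $binding.SetAttribute('value', 'Windows')
    $binding.SetAttribute('options', 'UsernameSslChannel|Windows|UsernameWindowsChannel')

    # Step 5: only when Single Sign On is mandatory for all users.
    if ($RequireSingleSignOn) {
        $sso = $cfg.SelectSingleNode('//SingleSignOn')
        if ($null -eq $sso) { throw "No <SingleSignOn> element in $SysconfigPath" }
        $sso.SetAttribute('value', 'true')
    }

    # Keep the original so the change can be reverted if clients fail to connect.
    Copy-Item -LiteralPath $SysconfigPath -Destination "$SysconfigPath.bak" -Force
    $cfg.Save($SysconfigPath)
}

function Get-EpicorClientBinding {
    param([Parameter(Mandatory)][string]$SysconfigPath)
    [xml]$cfg = Get-Content -LiteralPath $SysconfigPath -Raw
    [pscustomobject]@{
        EndpointBinding = $cfg.SelectSingleNode('//EndpointBinding').GetAttribute('value')
        SingleSignOn    = $cfg.SelectSingleNode('//SingleSignOn').GetAttribute('value')
    }
}

# Constructed sample .sysconfig. Only EndpointBinding and SingleSignOn come from
# the procedure; the wrapper elements and the AppServer value are assumptions.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <AppServer value="net.tcp://epicor-app/ERP10" />
    <EndpointBinding value="UsernameSslChannel" options="UsernameSslChannel|Windows|UsernameWindowsChannel" />
    <SingleSignOn value="false" bool="" />
  </appSettings>
</configuration>
'@

$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'EpicorClientConfig'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'ERP10.sysconfig'
Set-Content -LiteralPath $file -Value $sample -Encoding UTF8

Set-EpicorClientWindowsSso -SysconfigPath $file -RequireSingleSignOn
Get-EpicorClientBinding -SysconfigPath $file

# Real use (folder path is an assumption): update every client configuration file
# in the Config folder, as the Note in step 4 requires.
# Get-ChildItem 'C:\Epicor\ERP10Client\Config\*.sysconfig' |
#     ForEach-Object { Set-EpicorClientWindowsSso -SysconfigPath $_.FullName }
```

Leave the -RequireSingleSignOn switch off for users who still log in through UsernameToken via SSL from outside the office, for the same reason section 16.2.1 tells you not to select Require Single Sign-On on their accounts.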