There are a number of products
that are facilitating the SSO process with JDE, but you want something good,
easy and secure... Right? This is where myAccess comes in. The
fusion5 product myAccess ensures that the complexity stays with Azure AD and
the ease and benefits flow through to JD Edwards.
Once you use SSO, you are never going back - especially when you
are able to use conditional access to enforce MFA. This ensures that
things are secure without going over the top. I've enabled SSO on one of
our demo environments and I have all of the consultants wanting more.
When you can finally log in to JDE with a click of a button (or no
interaction), then this is a good day. This does save time and
energy. It's especially good for commissioning user accounts (and even
better decommissioning), as it's done in a single process. You delete the
AD account and they cannot log into JDE - done. They forget their
password? Forget level 0 or 1 support; they use self service and reset the
password.
How does it work? It's simple and uses open standards OpenID
for authentication. We have this working on premise with ADFS, but we
don't like it. We have it working with OKTA, but you don't need it.
Finally - it works out of the box and great with Azure AD. If you have
office365 - then this is all you need.
We register an app under your
Azure AD and configure some settings. Note that this is all standard
stuff in Azure.
You need to ensure that your web servers can talk to the internet
too, as this is part of the Azure AD auth process.
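To make the "open standards OpenID" point concrete, here is the relying-party side of that flow as an added example (my own illustration, not myAccess code): the checks a web tier must make on the ID token Azure AD returns before it maps the user onto a JDE account. The tenant id, client id, claim values and the `make_id_token` helper are constructed placeholders, and signature verification against the tenant's published keys is assumed to have been done by a JOSE library before these checks run.

```python
"""Relying-party checks on an OpenID Connect ID token issued by Azure AD.

Added example, not myAccess or JD Edwards code. Assumes the RS256 signature
has already been verified against the tenant JWKS (not shown here)."""
import base64
import json
import time
from typing import Optional

# Constructed placeholder values; a real deployment uses its own tenant id and
# the client (application) id assigned when the app is registered in Azure AD.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
CLOCK_SKEW = 60  # seconds of tolerance on exp/nbf


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(claims: dict, alg: str = "RS256") -> str:
    """Build a compact JWT with a dummy signature (constructed test input only)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Return the JDE-relevant identity from an ID token, or raise ValueError.

    Order matters: the caller must verify the RS256 signature against the
    tenant's published keys before trusting any claim checked below.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("malformed token") from exc

    # Never accept an unsigned token or an algorithm other than the one expected.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Tenant pinning: a token issued by another tenant is not ours.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    # Audience pinning: a token minted for another app must not log in here.
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    # Lifetime: ID tokens are short-lived; the browser's signed-in session is separate.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + CLOCK_SKEW < now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        raise ValueError("token not yet valid")
    # Nonce binds the token to the login request that started this browser session.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # Map to JDE: 'oid' is the immutable directory object id. A deleted AD
    # account can never obtain a fresh token, which is the decommissioning story.
    if "oid" not in claims or "preferred_username" not in claims:
        raise ValueError("missing identity claims")
    return {"oid": claims["oid"], "upn": claims["preferred_username"]}
```

The issuer and audience pins are what keep the "complexity with Azure AD" claim honest: a token from a different tenant, or one minted for a different registered app, is rejected before any JDE user lookup happens, and the lookup keys off the immutable `oid` rather than a display name that can be reused.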
Once the basic config is done, you can use any of the really cool and easy conditional access settings to ensure that you are only getting the correct users authenticating to JD Edwards.
You can see here that I've required MFA for our demo environment. We are keeping things tight!
We install a new application
on your WebLogic instance that does all of the work, and we modify the login pages to
enable the SSO functionality. [my son typed that sentence - he wanted to
assist]. You can make the button look as sexy as you like.
That answers a common
question: you can have SSO working and you can also log in as a JDE user.
This is good for many, many reasons.
This also means that the implementation does not need to be
"big brush".
So, when you click this button (for the first time, or the Azure
SSO token has expired (60 days)), then you are presented with your corporate
Azure login dialog:
Whack your password in (this
is your network password). Note that this has nothing really to do with your site or our software... It's all Azure.
Of course, we are secure, and
now I need to MFA the sign in request. Note that I'm using an incognito
browser so that it does not have access to any of the standard cookies on my
machine.
My phone pings and I can
approve this.
Note that when you are done, you can ask to stay signed in - standard Azure AD.