Posts

Configure LBI for ADFS

When you configure LSF for ADFS, you will need to make some changes to your LBI configuration so that users will be able to access LBI with the userPrincipalName (username@company.com).

The first thing you need to do is ensure that you have a user in Lawson security where RMID = SSOP = UPN (userPrincipalName).  The RM User that is used to search LSF for LBI users must have an account where RMID and SSOP match.  It is recommended that you have a new AD user created for this purpose (such as lbirmadmin).

Add the new user to Lawson, ensuring that their ID and SSOP values both use UPN.  (lbirmadin@company.com)  Also make sure the new user is in the appropriate LBI groups for LBI access.

The next change will take place in the sysconfig.xml file located in <LBI install directory>/FrameworkServices/conf.  The ssoRMUserid should be the UPN of your LBI user mentioned above.  After you make these changes, restart the application server, clear the IOS cache in Lawson, and try logging into LBI.

Other Authentication Options for Infor Lawson Applications

On March 1, 2019, Infor will no longer support LS/STS authentication configuration for Lawson applications.  The Infor recommended configuration will be to use Active Directory Federation Services (ADFS) for Single Sign-On (SSO) authentication. To learn more about ADFS, check out our other articles on the topic:

 

What are our other options?

If your organization chooses not to move to ADFS at this time, you have two other temporary options.

  1. Use Kerberos for authentication

Kerberos is another authentication type provided by Windows, and also works with your Active   Directory.  This authentication type is supported in Infor Lawson 10.

 

  1. Stay in an unsupported authentication configuration

As of March 1, 2019, Infor will no longer be releasing Lawson patches that take LS/STS authentication method into account.  This doesn’t mean your current versions of Lawson applications will stop working if you fail to move to ADFS at this time.  It just means that you won’t be able to upgrade past a specific ESP for each product (10.0.9 for Lawson).  When Infor sunsets the product versions that allow LS/STS, you will then be on an unsupported product version.  It is looking like this will happen sometime early 2021.

 

Have more questions? Contact us and setup a free, no obligation call with our installer to answer all your questions.

Five Things You Need to Know About Implementing ADFS For Your Infor Lawson Applications

On March 1, 2019, Infor will no longer support LS/STS authentication configuration for Lawson applications.  The Infor recommended configuration will be to use Active Directory Federation Services (ADFS) for Single Sign-On (SSO) authentication. To learn more about ADFS, check out our other articles on the topic:

Five Things to Know About Implementing ADFS

Here are some pro tips to help you prepare for your ADFS implementation.

  1. Version compatibility is important

Before you begin your ADFS implementation, it is important that you verify component compatibility.  Check the Lawson compatibility matrix for which version of ADFS is compatible with your versions of Lawson and Ming.le.  You must also verify that the version of ADFS you are installing is compatible with your version of Active Directory.  Additionally, you will need a minimum Windows Server version of 2012R2 on the server that is hosting ADFS and your domain controllers.

 

  1. You might need a new server(s)

The ADFS installation for Infor Lawson applications also requires Infor Federation Services (IFS) to be installed on the same server.  If you are not prepared to host IFS on a shared ADFS server, you will need to stand up a new Windows server dedicated to ADFS/IFS for Infor applications.

 

  1. There will be small changes in user maintenance

ADFS is an authentication method, and user maintenance will change slightly.  For instance, you will be able to disable users right in ADFS rather than having to do it in Lawson Security.  Also, there will be a new identity to maintain in Lawson Security.  When you implement ADFS, you will need to import all your users into IFS.  However, implementing ADFS will not change the user authorization tools.  You will still use Lawson Security Administrator (LSA) or Infor Security Services (ISS) to maintain users and roles, and those roles will work the same.

 

  1. SSL is required for Infor Lawson applications

All of your Lawson web applications must use HTTPS to be able to implement ADFS.  If your web applications are not currently using HTTPS, it is recommended that you make this change prior to implementing ADFS.  You will need to choose a certificate authority (CA) and install certificates at each endpoint.

 

  1. You need a SQL Server to host IFS databases

IFS will create new SQL Server databases, so you will need to have a SQL Server to host those.  You can use a shared database server for this, such as your server that hosts Ming.le data or the server that hosts your Lawson data.

 

Have more questions? Contact us and setup a free, no obligation call with our installer to answer all your questions.

 

Seven Myths About Implementing ADFS For Infor Lawson

On March 1, 2019, Infor will no longer support LS/STS authentication configuration for Lawson applications.  The Infor recommended configuration will be to use Active Directory Federation Services (ADFS) for Single Sign-On (SSO) authentication. To learn more about ADFS, check out our other articles on the topic:

What is ADFS?

Active Directory Federation Services is a Single Sign-On service provided by Microsoft.  It runs on Windows Server, and provides users with the ability to sign on with one set of credentials across applications.

How does ADFS work with Lawson?

 

Why change our authentication method?

Although there will be some work up front to modify your configuration from LS/STS to ADFS, using ADFS for SSO authentication is actually beneficial to your organization.  It is more secure because Infor applications will never have access to a user’s password.  It is also a bit easier to maintain your Infor users in ADFS, in that you can enable/disable the users right within Windows instead of having to do it in Lawson Security.  Additionally, implementing ADFS will open up other Microsoft security components, such as two-factor authentication.

 

Busting Myths

There are some common misconceptions revolving around the implementation of ADFS for your Infor Lawson application.  Hopefully these explanations will help dispel the confusion.

MYTH: We can use our organization’s current ADFS installation

Infor Federation Services (IFS) must be installed on the same server as ADFS.  So, you may need to have a dedicated server for ADFS for Lawson.  Also, your Infor Lawson applications cannot be hosted on the same server as ADFS.  If you are installing a new instance of ADFS, make sure that it is compatible with your current version of Active Directory

 

MYTH: We don’t need SSL to implement ADFS

ADFS requires all of your Infor Lawson applications to use SSL (Secure Socket Layer).  You will need to select a Certificate Authority (CA), and install certificates at each web endpoint.  If your current Lawson web applications are not using SSL, you will need to convert them before you begin the ADFS installation/configuration.

MYTH: Our organization has to begin using ADFS for everything

The ADFS implementation is limited to Lawson and does not need to be part of any other application in your organization. A Windows server will host ADFS solely for Lawson and can be segregated to just this specific use without affecting anything else within the organization.

 

MYTH: The change is transparent to users

The look & feel of your Lawson web applications will remain the same, but the way users log in will change.  LS/STS username format is currently “username”.  When you switch to ADFS, users will log in with format “username@domain.com”.  Also, keep in mind that if you have to update to a compatible ESP in any of your applications, there may be some slight changes in what the users see on the forms they use.  Make sure this is done well in advance so the ESP can be tested thoroughly.

 

MYTH: Infor won’t support us after March 1, 2019

As of March 1, 2019, Infor will no longer be releasing Lawson patches that take LS/STS authentication method into account.  This doesn’t mean your current versions of Lawson applications will stop working if you fail to move to ADFS at this time.  It just means that you won’t be able to upgrade past a specific ESP for each product (10.0.9 for Lawson).  When Infor sunsets the product versions that allow LS/STS, you will then be on an unsupported product version.  It is look like this will happen sometime early 2021.

 

MYTH: User maintenance in Lawson Security is going to change

ADFS is an Authentication Method, while Lawson Security is an Authorization Method.  So, you will continue to use Lawson Security Administrator (LSA) or Infor Security Services (ISS) to maintain users and roles.  The ADFS authentication will not impact these roles at all.

 

MYTH: We use IPA, so we will have to update Landmark too

Infor Lawson products are actually the only products that allow LS/STS authentication method.  So, you will not need to make any updates to your Landmark products, including IPA.

Contact us when you are ready for your move to ADFS.  Our expert installers at Nogalis can make the process simple and pain-free.

What is ADFS?

There has been a lot of confusion in the Infor client community lately over what ADFS is and what the impact of implementing it will be on the organization as a whole.
Active Directory Federation Services (ADFS) is a Microsoft solution created to facilitate Single Sign-On. It provides user with authenticated access to applications like Lawson without the need to provide the password information to the application.
ADFS manages user authentication through a service hosted between the active directory and the target application. It grants access to application users by using Federated trust. The users can then authenticate their identity through Single Sign-On without having to do so on the application itself. The authentication process is usually as follows:
1) The user navigates to the Lawson URL
2) The unauthenticated user is re-directed to the ADFS service
3) The user signs into ADFS
4) ADFS service authenticates the user via the Active Directory
5) The user is then given an authentication claim (in the form of a cookie) by the ADFS
6) The user is forwarded to the Lawson application with the claim which either grants or denies access based on the federated trust service
Note: The Lawson Server never sees the password information which in the case of external applications (like a cloud implementation) is a lot more secure.
 
What are some drawbacks of implementing ADFS?
 
Although ADFS is a new requirement, it comes with a few small drawbacks that you should consider:
– The additional server license and maintenance – You will need an additional server (likely one per environment) to host ADFS
– ADFS is actually somewhat complex and this new skill set can create a new challenge for smaller clients who aren’t already using ADFS for other applications
– A standard ADFS installation is not all that secure and several steps should be taken to ensure good security. Microsoft provides these best practices recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
There is also a great free e-book published by Microsoft about claims-based identity and access control: https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff423674(v=pandp.10)
To find out more about ADFS and how it can impact your organization, join our webinars or contact us.