In today’s enterprise environment, seamless and secure access across applications is critical. Organizations increasingly rely on Single Sign-On (SSO) to simplify user authentication and improve security posture. If you’re already leveraging Infor’s suite of products, you might be surprised to learn that Infor LTR (Lawson Technology Runtime)—commonly seen as middleware—can act as a powerful SSO tool, much like Infor OS.

At Nogalis, we’ve helped numerous organizations harness Infor LTR as a Security Token Service (STS), enabling robust, federated SSO integrations across Azure AD, AD FS, Okta, and other SAML 2.0-compliant identity providers. This article outlines how Infor LTR can simplify your authentication landscape while ensuring scalability and security.

What Is Infor LTR?

Infor LTR is the core runtime wrapper for Infor web applications and will be supported until at least 2029. While often viewed as an infrastructure component, it also functions as a flexible STS, enabling secure federated identity across your enterprise apps.

Why Use Infor LTR as Your STS?

  • Federated SSO across multiple Identity Providers (IdPs)
    Infor STS supports Azure AD, MS Entra, AD FS, Okta, and any SAML 2.0-compliant provider.
  • Centralized SAML Authentication
    You can configure all your applications to use Infor STS as the single point of SSO integration.
  • Long-Term Viability
    With support guaranteed into 2029, LTR is a stable investment in your identity infrastructure.

How It Works – The Big Picture

  1. Establish Trust between your application and identity provider using STS.
  2. Exchange Federation Metadata between STS and your IdP.
  3. Configure your applications to delegate authentication to Infor STS.
  4. SAML-based handshake manages identity, assertions, and access.

Installation & Setup

Step 1: Migrate LTR to STS Mode

Using the LTR ISO, mount and run (in a command utility):

setup.exe -v"MIGRATETOSTS=true"

Step 2: Access STS Admin

This is your hub for managing Identity Providers (IdPs) and Service Providers (SPs). You’ll:

  • Add/Edit IdP connections
  • Add/Edit SP connections
  • Download metadata files and certificates

Identity Provider Configuration

🔹 Azure AD

  • Create a Non-Gallery App in Azure
  • Upload the Infor STS SP Metadata file
  • Export the Azure AD IdP Metadata and import it into STSAdmin

🔹 AD FS

  • Add a new Claims-Aware Relying Party Trust
  • Import the Infor STS SP Metadata XML
  • Download FederationMetadata.xml from AD FS and import it into STS

🔹 Okta

  • Create a SAML App Integration in Okta
  • Manually configure Entity ID and endpoints (Okta doesn’t accept SP metadata files)
  • Download and import Okta’s IdP Metadata XML into STS

Application Configuration

In your Infor or third-party app:

  1. Set SSO Service URL to:

https://your-ltr-server.com:9553/inforsts/infor/{GUID}/idp/samlSSO

  2. Configure SAML properties:
    • UsernameField
    • PasswordField
    • SLOUrl
  3. Upload STS signing certificate as the IdP certificate in your app
  4. Export app’s signing cert, then import it into STS Admin

Final Checklist – What You’ve Done

✅ Downloaded IdP federation metadata
✅ Downloaded STS SAML SP metadata
✅ Uploaded metadata files to STS and your IdP
✅ Configured your app to use Infor STS as the SSO provider
✅ Completed mutual trust between your application, STS, and identity provider

Ready to Get Started?

At Nogalis, we specialize in Lawson and CloudSuite implementations, migrations, and custom development. Whether you’re looking to modernize your identity strategy or get more from your Infor investment, we’re here to help.


 

A. To export a service, for example, the SSOP without identities:

From the command prompt, type ssoconfig -c  and press Enter.
Enter your password for ssoconfig.
Type 5 for option (5) Manage Lawson Services.
Type 6 for option (6) Export service and identity info.
At the prompt “Do you want to export all services?” type 2 for (2) No.
At the prompt “Enter the services name separated by comma to be exported” type SSOP and press Enter.
At the prompt “Do you want to export the identities (“ALL” or “NONE”).” type NONE and press Enter.
Enter a filename for the export file, such as ssop.xml.
Type 12 or 13 to exit the menu
Locate the file in your current working directory.

 

B. To export ALL services without identities:

Type ssoconfig -c and press Enter.
Enter your password for ssoconfig.
Type 5 for option (5) Manage Lawson Services.
Type 6 for option (6) Export service and identity info.
At the prompt “Do you want to export all services?” type 1 for (1) Yes.
At the prompt “Do you want to export the identities (“ALL” or “NONE”).” type NONE and press Enter.
Enter a filename for the export file, such as AllServices.xml
Type 12 for option 12 (Exit).
Locate the file in your current working directory.

 

C. To export ALL services and ALL identities:

From the command prompt, type ssoconfig -c  and press Enter.
Enter your password for ssoconfig.
Type 5 for option (5) Manage Lawson Services.
Type 6 for option (6) Export service and identity info.
At the prompt “Do you want to export all services?” type 1 for (1) Yes.
At the prompt “Do you want to export the identities (“ALL” or “NONE”).” type ALL and press Enter.
Enter a filename for the export file, such as servicesIdent.xml.
The next message will be “Choose format that Lawson Software should export credential information as.”
(1) Encrypted
(2) Opaque
(3) Back
(4) Exit
Type 2 for (Opaque).
Type 12 or 13 to exit the menu
Locate the file in your current working directory.

 

D. To export the SSOP service with identities:

From the command prompt, type ssoconfig -c  and press Enter.
Enter your password for ssoconfig.
Type 5 for option (5) Manage Lawson Services.
Type 6 for option (6) Export service and identity info.
At the prompt “Do you want to export all services?” type 2 for (2) No.
At the prompt “Enter the services name separated by comma to be exported” type SSOP and press Enter.
At the prompt “Do you want to export the identities (“ALL” or “NONE”).” type ALL and press Enter.
Enter a filename for the export file, such as ssopIdent.xml.
The next message will be “Choose format that Lawson Software should export credential information as.”
(1) Encrypted
(2) Opaque
(3) Back
(4) Exit
Type 2 for (Opaque).
Type 12 or 13 to exit the menu

 

E. To list service properties for SSOP:

From the command prompt, type ssoconfig -c   and press Enter.
Enter your password for ssoconfig.
Type 5 for option (5) Manage Lawson Services.
Type 10 for option (10) Manage Service Properties.
Type 3 for option (3) View/List Service Property.
At the prompt for “Enter the SERVICE NAME:” type SSOP and press Enter.
Attach a screenshot of the output.
Type 5 for option 5 (Exit).

 

Sometimes the notice “PR140 is Currently Running (Invalid Parameters)” appears even when no PR140 job is waiting for recovery.

To fix this issue, look in the LSF database and check the run flag as described below.

In PRSYSTEM, check whether the field PR140_RUN_FLG is R (blank it out or find out why the record is bad).

Also check PRMONITOR (LP00.1) to see if a run flag is flipped there as well. Fix if needed.

Then re-run PR132 and PR140.

An R in this field is the run flag: clear the field and re-run PR132 and PR140. This should resolve everything.

If a user gets a security violation when adding the disposal journal entry on AM40.4, follow the information below to resolve it.

Verify the user has security access to the company. If not, the asset goes into a “disposal in progress” status. The entries could not be added due to the security error.

If a user received the security violation during the journal entry addition, they must go back into AM40.1 (Disposals) and delete the “disposal in progress” status asset. This way it will not release an incomplete disposal. If the user releases the disposal, the asset would change to a “disposed” status, but it would not contain any disposal journal entries.
You must then find a user who has security access to the company and have that user perform the complete disposal.

If you accidentally released the disposal, you can reinstate the asset using AM41.1.

Description:

I am attempting to secure drill access for Lawson Security users. How can I view the required files?

 

Resolution:

In Lawson Security, open an existing security class. Then click either Add Rule or View/Modify Rule.

Locate and right-click the specific field whose drill access you want to secure. Then select the Drill Explorer option.

 

Below is an example showing the Drill Explorer option on the AM20.1 (Quick Addition) > Company field.

The Drill Explorer will display all of the files that a specific drill goes after.  In this example below, to secure the drill on AM20.1 Company field the following files need to be secured:

 

Only fields with a drillable icon will have this list. Below is an example of the drillable icon.

Follow these steps to hardcode fields in Lawson Design Studio.

 

Changing a changeable, drillable field to a hardcoded field

In your organization’s Design Studio: https://lawson.yourDomain.net/lawson/studio/

Go to Source, find the line for the field you want to change, and make the following change:

Change tp="Text" to tp="Out"

 

Remember that whenever you customize a Lawson form like HR11, you’re taking a snapshot of that form and potentially making it incompatible with future official Infor patches. In addition to this, you also risk Infor not supporting issues with that form assuming you don’t have a dedicated Lawson team such as Nogalis to support you.

 

Description:

Error when accessing a form in Lawson Portal
“An Error occurred outside of IOS while accessing Lawson Security” then “No Programs or bookmarks were found for ‘<token>’.”

You may find this stack trace in the lase_server_x_x.log and ios.log files:

Stack Trace : com.lawson.lawsec.author.runtime.LawsonSecurityException:Exception while checking security on token <FIELD-NAME> for user <username>. Message: org.mozilla.javascript.EcmaError: ReferenceError: "MISSING" is not defined. (<RuleAttribute>#1)
Stack Trace : org.mozilla.javascript.EcmaError: ReferenceError: "MISSING" is not defined. (<RuleAttribute>#1)
 

Resolution:

This message in the ios.log file indicates that the security server (the running LASE process) lost its connection to the LDAP instance where the rules for Lawson Security are stored.

Run a User Security Report for the application profile in question. Within that report, look for the word MISSING on the right-hand side of the report, where the ruleText is listed.
Most of the time, when this error is presented, you can use the Lawson Security Administrator (LSA) tool to fix the issue without doing a full restart of the Lawson-related services.

If you do see the word MISSING, do the following from within the LSA tool:

  1. Click on “Server Management”
  2. Click on “Clear Cache”
  3. Open a brand new browser session.
  4. Log into Infor Lawson for Portal as a “Portal Administrator” and run the “Clear IOS Cache” option.
  5. Ask one of the users to open a new browser session (not a new tab within an existing browser), then try to duplicate the issue.
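
To see which tokens and users are affected before clearing the cache, and to confirm the error has stopped afterwards, the log can be scanned for the exception shown above. This is an added example, not Infor or Nogalis code: the log lines, token names and usernames are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the LawsonSecurityException line quoted in the post. Straight or
# typographic quotes around MISSING are accepted, since pasted logs vary.
RULE_ERROR = re.compile(
    r'LawsonSecurityException:\s*Exception while checking security on token '
    r'(?P<token>\S+) for user (?P<user>\S+?)\. Message: .*?'
    r'ReferenceError: ["\u201c]MISSING["\u201d] is not defined'
)

_PREFIX = "Stack Trace : com.lawson.lawsec.author.runtime.LawsonSecurityException:"
_CAUSE = "Message: org.mozilla.javascript.EcmaError: ReferenceError: "

# Constructed log lines in the shape of the trace above; the token names and
# usernames are made up for this example.
SAMPLE_LOG = "\n".join([
    _PREFIX + 'Exception while checking security on token COMPANY for user jdoe. '
    + _CAUSE + '"MISSING" is not defined. (<RuleAttribute>#1)',
    'Stack Trace : org.mozilla.javascript.EcmaError: ReferenceError: '
    '"MISSING" is not defined. (<RuleAttribute>#1)',
    _PREFIX + 'Exception while checking security on token COMPANY for user jdoe. '
    + _CAUSE + '\u201cMISSING\u201d is not defined. (<RuleAttribute>#1)',
    _PREFIX + 'Exception while checking security on token EMPLOYEE for user a.smith. '
    + _CAUSE + '"MISSING" is not defined. (<RuleAttribute>#1)',
    'INFO : unrelated constructed line',
])


def missing_rule_hits(log_text):
    """Count MISSING-rule security failures per (token, user) pair."""
    hits = Counter()
    for line in log_text.splitlines():
        match = RULE_ERROR.search(line)
        if match:
            hits[(match.group("token"), match.group("user"))] += 1
    return hits


def affected_users(log_text):
    """Users to ask for a fresh browser session when retesting."""
    return sorted({user for _, user in missing_rule_hits(log_text)})
```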