Posts

Updating Landmark Main Configuration Set After AD FS Implementation

After AD FS is implemented for your Landmark and LSF environments, Landmark will need to connect to the LSF server using the thick client URL and the user principal name (UPN) of your admin account. This means that all of your LSF connections will need to be updated in Rich Client, including the Infor Lawson Connection, File Activity Connection, System Command Connection, and Web Run Connection. In each of these connections, update the Web Root to the thick client URL, which is most likely your LSF server URL with port 1447 (e.g. https://lsf.company.com:1447). Check with your installer to verify the port. The User will need to be updated to the UPN value, for instance lawson@company.com.

Customize AD FS Login Screen – Illustration

To update the left-hand illustration on your AD FS login screen, open PowerShell as administrator on the AD FS server, and type the command:

Set-AdfsWebTheme -TargetName <your theme name> -Illustration @{path="<path to the image>"}

The theme name that is delivered with the AD FS configuration is “default”, but you have the option of creating and customizing your own themes.

 

Customize AD FS Login Screen – Company Logo

To update the company logo on your AD FS login screen, open PowerShell as administrator on the AD FS server, and type the command:

Set-AdfsWebTheme -TargetName <your theme name> -Logo @{path="<path to the image>"}

The theme name that is delivered with the AD FS configuration is “default”, but you have the option of creating and customizing your own themes.

 

AD FS Configuration Errors – gMSA/Insufficient Privileges

If you are configuring AD FS, it is important to remember that you must have at least one domain controller hosted on Windows Server 2012 (at a minimum).  If your infrastructure does not meet these requirements, you will receive the below errors during the AD FS configuration.  Update those domain controllers!

 

Update ADFS Certificate

When it is time to renew the certificate on your AD FS server, you will need to import the new certificate.  To do this, you will first need to get the thumbprint of your newly installed certificate.  Then, run the Set-AdfsSslCertificate command and provide the thumbprint value you retrieved.
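The renewal steps above as an added PowerShell example (not code from the original post). It assumes the renewed certificate is already installed in the server's LocalMachine\My store, and `adfs.company.com` is a constructed placeholder for your federation service name.

```powershell
# Added example: check the renewed certificate before binding it to AD FS.
# Run in an elevated PowerShell session on the AD FS server.
$Subject = 'adfs.company.com'   # placeholder: your federation service name

# Find candidate certificates in the computer's Personal store by subject or SAN.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*$Subject*" -or $_.DnsNameList.Unicode -contains $Subject
}

# Keep only certificates that can actually serve TLS right now:
# the private key must be present and the validity window must include today.
$now = Get-Date
$usable = $candidates | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}

# The renewed certificate is the one that expires last.
$new = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) {
    throw "No currently valid certificate with a private key found for $Subject."
}
"New certificate: $($new.Thumbprint) (expires $($new.NotAfter))"

# Record the current bindings before changing anything.
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash

if ((Get-AdfsSslCertificate).CertificateHash -contains $new.Thumbprint) {
    "AD FS is already bound to this certificate."
} else {
    # Bind the new certificate by its thumbprint.
    Set-AdfsSslCertificate -Thumbprint $new.Thumbprint
}

# Verify: every binding should now show the new thumbprint.
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $new.Thumbprint }
if ($stale) {
    Write-Warning "Some bindings still use an old certificate:"
    $stale | Format-Table HostName, PortNumber, CertificateHash
}
```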

Setting session timeout for ADFS and Lawson

It is recommended that the session timeout for AD FS and Lawson be synchronized. You can modify the session timeout for Lawson in ssoconfig option 1. To modify the session timeout for AD FS, set the TokenLifetime for your relying party trust using the command below.

Nogalis Webinar: Everything you need to know about implementing ADFS (July 11th, 9 AM PST)

We have implemented ADFS for over a dozen Infor customers and have gained some great real-world experience with a few surprises along the way. Our ADFS implementation lead will share with you her experience and some of the surprises you might encounter as you implement ADFS. If you have already implemented ADFS, there are still a few nuggets of information we think you will find useful.

We use AnyMeeting for our webinars. The application sometimes asks you to install a plugin. In order to be ready on time, please give yourself an additional 10 minutes before the webinar begins.

When: Thursday July 11, 2019

9:00 AM to 10:00 AM PST

This webinar is free to attend. Register Now

Configure LBI for ADFS

When you configure LSF for ADFS, you will need to make some changes to your LBI configuration so that users will be able to access LBI with the userPrincipalName (username@company.com).

The first thing you need to do is ensure that you have a user in Lawson security where RMID = SSOP = UPN (userPrincipalName).  The RM User that is used to search LSF for LBI users must have an account where RMID and SSOP match.  It is recommended that you have a new AD user created for this purpose (such as lbirmadmin).

Add the new user to Lawson, ensuring that their ID and SSOP values both use the UPN (lbirmadmin@company.com). Also make sure the new user is in the appropriate LBI groups for LBI access.

The next change will take place in the sysconfig.xml file located in <LBI install directory>/FrameworkServices/conf.  The ssoRMUserid should be the UPN of your LBI user mentioned above.  After you make these changes, restart the application server, clear the IOS cache in Lawson, and try logging into LBI.