Solved

Aurena logging for Customers with SSO

  • 19 May 2021
  • 1 reply
  • 633 views


Hi Team,

Is there an option to bypass SSO, such as an admin mode in Aurena, the same as in IEE, for customers with SSO? I would appreciate it if you could share any tips on conducting investigations on Aurena customer environments with SSO.


Best answer by Charith Epitawatta 19 May 2021, 01:06



Hi @Xavier Fernando,

The answer is no, and the following is the answer given by R&D regarding allowing IFSAPP and IFSADMIN users with database authentication into Aurena:

“We fully understand that this is needed and today's method (or non-existing method) is cumbersome. But, we won't implement the suggested solution in Aurena.

It would decrease our Security-posture by providing a backdoor to Customer environments (that they themselves are probably not aware of), that only allows the 2 most powerful users in Applications to access, and also through a weaker authentication mechanism. From our group's standpoint, that is a big Security-risk that we will not introduce.


In conjunction with that, we must start moving away from utilizing IFSAPP and IFSADMIN in these kinds of scenarios. We know that is not easy today, but that is the vision that we must have. So that adds on to our statement.


So, this remains a feature request for Apps10 that we will consider together with all other development that we do. It can be said - since Authentication has changed for IFS 2020 R1, this problem will not be there.

There are two workarounds that can work for critical investigations - It's not pretty, but it works:

1. Inviting guest users into Azure AD.


This works when Azure AD is used and allows the customer to invite users that they don’t really have to manage. You just use Azure AD B2B collaboration to invite the support user’s IFS account and set up a Foundation1 user for that. This is seen as preferable because the account simply needs to be invited and does not have to be granted any rights at all, just being able to log into IFS.

2. Reconfiguring temporarily to use database authentication.


This works due to the fact that reconfiguring to use database authentication can be done with minimal downtime in Apps 10 due to the fact that it does not require any server restarts. Still, it may be more viable on a test environment or a clone than a live production one.

This is how to do it:

  • Go into the IFS Middleware Server Admin Console and look up the authentication configuration for the application type you need to access. Take the config here and copy it to some form of backup.
  • Change the Identity Provider to IFS Database and click save.
  • Log in to the application. You now have an authenticated session.
  • Restore the configuration you backed up in the Middleware Server admin console. Click save. The interruptions experienced by others are now over.
  • You will notice your authenticated session is still active. You now have a session that will let you use the application, but it cannot be renewed. If you let the session expire, you need to repeat the steps above to get a new one.”

Source - global solution ID 281788/case - G2155506

Hope this answers your question. 
