Is there a Single Sign-On (SSO) for Cloud customers?

Is there a Single Sign-On (SSO) option available for Cloud customers?
We are on Epicor Gov cloud and would like to have a single source for controlling security, and we are wondering if there is an SSO option for cloud?

I have seen the SSO for OnPrem customers and that works well.
I do not know how this would work since Epicor would have to “talk” to our AD?

If we wish to pass CMMC, ITAR, DFARS, NIST, etc., it would be nice to have a single control point for security.

Any advice appreciated.
DaveO - 651-246-3281

@DaveOlender , I would talk to the CAM of your customer. They should be able to let you know if it is available.

We use Kinetic Public Cloud on cadence with Azure AD SSO and it works for both the Kinetic web interface and the smart client. It took quite a bit of work to get everything correct. I don’t know if that helps for the Government Cloud question.

Mr. John: Thank you so much for the reply.
It seems like you are breathing rarified air :slight_smile: Not many have responded.

I will ask about the Gov Cloud this afternoon. We have a Hoot-N-Annie at 2:45pm today with the project manager.

So do we need to establish our own Microsoft Azure instance for the purpose of synchronization? I did get a PDF from Epicor; however, it presumes you have an Azure setup already.

Please advise,
DaveO

John - how did you get it to work with both web and client? I am interested to know. Did the single sign-on work with other Epicor applications such as quickship, ECM, EpicCare, Epicweb, Grow, and so on?

Thank you

I work with a client who is on government cloud and uses Epicor’s IdP (Identity Provider). It’s described as “Epicor Identity (IdP) is a centralized single sign-on (SSO) and multifactor authentication (MFA) service provided by Epicor to help organizations regulate, control, secure, and streamline the way users access Epicor products and customer portals.”

Here’s a link to an FAQ: Epicor IdP Frequently Asked Questions | Epicor U.S.

Mr. @jgreenaway: Thank you for the reply.
I am not using the Epicor IdP - but my simple understanding is that it offers a unified login for everything “Epicor” - however, I was hoping there might be a solution out there that integrates with the Microsoft Active Directory (AD)?

@DaveOlender,

Do you use Office 365? If so, you already have a minimum level of Entra ID (formerly Azure ID).

Mr. Mark: Yes, we are using O365 - interesting - I had not even thought of that.

Thank you,
DaveO

Yes, there is, but it’s not a simple deployment, unless you are 100% browser (don’t have to worry about client install) and you have no shared accounts (i.e. every Epicor user already has their own individual Azure identity). We are struggling with it right now because we have both problems (shared accounts, and still use classic screens so client based).

The issue is that the config file needs to be different for the client if you are using basic or Azure. You can’t have one single config file and then let the user pick which login method to use.

If you are serving your installs from download.epicorsaas.com, there is no way to manage this via the server; you have to do it all with scripting to deploy the right config files on every workstation. Then you have to think, does it make sense to continue to get installs from the Epicor site and then have a separate script that has to run? Or does it make sense to script the entire install process? And store the installation files internally? And update the whole thing twice a year?

Ms. Alisa: Thank you for the input.
Yes we currently have mostly Smart Client.
However, with the new Edge Agent functionality (i.e. running classic screens from Kinetic Web) - using the Web Browser is a real possibility.

DaveO

That isn’t really what is happening - the edge agent is just launching the classic screen in the client that is installed on your desktop from your browser. If you are relying on that functionality you are still client based, period. You can’t actually run classic screens in the browser.

Ms. Alisa: Got it - thank you again.

Our Azure/Entra AD connection doesn’t support EpicCare/Epicweb and the other non-Kinetic applications. It took us close to a year to get the Kinetic Web connection to work; the Smart client side worked without too much pain. I’m thinking about moving to IdP but my scars from Azure haven’t healed enough to motivate me to start over.

I don’t have a single change that was made that solved the Web access issue. We tried so many things for such a long time that I’m not 100% sure what it took to get it all working. I’ll put together documentation of our settings on the Azure side as well as Kinetic.

I’m super interested in your issues John. I’ve been testing Entra(Azure) ID and have had no problems with the Kinetic Web/Data Discover/Enterprise Search/.Net Client.

Yes, EpicCare and EpicWeb are different, but I thought there was something IdP could do and I’m asking an expert offline.

You can map IdP accounts to Azure AD/Entra accounts and the user will be redirected to Azure on login.
This, of course, requires supporting this user mapping list.

Not to hijack this topic, but I have an issue, I believe with Azure Entra ID; please see this ticket. I think this is Azure AD but not sure.

I’ve created a document that shows how we have configured Azure AD SSO for Live and Pilot in the Public Cloud. We can access the Smart Client and Kinetic Web Access using Azure AD SSO. The shortness of the document does not accurately portray the scars, frustration, and indignities we suffered.

Falcon Structures Kinetic Azure Active Directory Information.docx (312.4 KB)

Solidarity

We are Public Gov Cloud hosted with Epicor, and we are using Epicor IdP integrated with Azure AD to provide SSO for everything that Epicor offers that takes advantage of Epicor IdP. It’s a bit odd to set up at first, but I would go to Log In - Epicor Identity (if you already have Epicor IdP) and read the help on Azure AD integration. Once it’s set up, it’s pretty slick.

Let me know if you need specifics, and I should be able to help you out!
