The Grid uses a pluggable architecture to authenticate users. All authentication is handled by a special Grid application called a session provider. SAML Session Provider is the only session provider that enables single sign-on with Security Roles from Infor Federation Services, which is a prerequisite for running M3 in Infor Ming.le™ with SSO.
For new installations, install SAML Session Provider.
Existing installations running either Windows Session Provider or LDAP Session Provider must replace the existing session provider with SAML Session Provider to enable SSO with Infor Ming.le.
The SAML Session Provider authenticates users using SAML to communicate with AD FS. User credentials are stored in AD but extended attributes (for example Security Roles) are also stored in Infor Federation Services (IFS) and emitted as claims during logon.
The session provider supports the following authentication methods:
basic authentication (restricted to single AD FS scenarios)
The SAML Session Provider implements the SAML protocol to authenticate users to AD FS (for browser clients that can be automatically redirected). The basic authentication method uses WS-Trust (for active, non-browser based clients).
For more detailed information about session providers, refer to the Infor ION Grid Security Administration Guide.
Your system must meet the following requirements:
AD FS is used as the Identity Provider (IdP). Federated setups with multiple AD FS servers are only supported for browser-based clients.
Infor Xi Platform is installed.
You have a domain account with the Infor Ming.le Security Roles IFSApplicationAdmin and AttributeServiceCaller. The password for this account should not expire, since it will be used for web service calls to IFS during runtime.
In AD FS the Endpoint "/adfs/services/trust/13/usernamemixed" for WS-Trust 1.3 is both Enabled and Proxy Enabled.
The IFS security mode is set to "SAMLToken" or "SAMLToken Allowing Windows for Web Services".
If AD FS and IFS do not use the same ports, the SAML session provider must be set up using the Custom ADFS profile.
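The two requirements above that are easiest to get wrong and hardest to notice later are the WS-Trust 1.3 usernamemixed endpoint state and the password policy on the IFS service account. The following pre-flight check is an added example, not part of the Infor documentation or the Grid product; it only reads AD FS and Active Directory state and reports, using the standard Get-AdfsEndpoint and Get-ADUser cmdlets. It assumes it is run on an AD FS server with the ActiveDirectory RSAT module available, and the account name ifs-svc-account is a placeholder.

```powershell
# Added pre-flight check for the SAML Session Provider prerequisites listed above.
# Example code, not from the Infor documentation. Read-only: it reports, it does not change anything.
# Assumptions: run on the AD FS server (ADFS module loaded) with the ActiveDirectory
# module available; $ServiceAccount is a placeholder for the domain account that
# holds the IFSApplicationAdmin and AttributeServiceCaller roles.
param(
    [string]$ServiceAccount = 'ifs-svc-account'   # placeholder, replace with the real account
)

$failures = @()

# 1. The WS-Trust 1.3 username/password endpoint must be both Enabled and Proxy Enabled,
#    because the basic authentication method (non-browser clients) is served through it.
$path = '/adfs/services/trust/13/usernamemixed'
$endpoint = Get-AdfsEndpoint -AddressPath $path -ErrorAction SilentlyContinue
if (-not $endpoint) {
    $failures += "Endpoint $path not found on this AD FS server."
} else {
    if (-not $endpoint.Enabled) { $failures += "Endpoint $path is not Enabled." }
    if (-not $endpoint.Proxy)   { $failures += "Endpoint $path is not Proxy Enabled." }
}

# 2. The account used for runtime web service calls to IFS must be enabled and must not
#    have an expiring password; once the password expires, IFS lookups from the
#    session provider start failing.
try {
    $user = Get-ADUser -Identity $ServiceAccount -Properties PasswordNeverExpires, Enabled -ErrorAction Stop
    if (-not $user.Enabled) {
        $failures += "Account $ServiceAccount is disabled."
    }
    if (-not $user.PasswordNeverExpires) {
        $failures += "Account $ServiceAccount has an expiring password; set PasswordNeverExpires."
    }
} catch {
    $failures += "Account $ServiceAccount could not be read from Active Directory: $($_.Exception.Message)"
}

# Report. A non-zero exit code lets this run as a step in a deployment checklist.
if ($failures.Count -eq 0) {
    Write-Output 'All checked SAML Session Provider prerequisites are satisfied.'
    exit 0
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The Security Roles themselves (IFSApplicationAdmin, AttributeServiceCaller) and the IFS security mode live in IFS rather than in AD FS or AD, so they are not covered by this script and still need to be verified in the IFS configuration.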