Prev
Next
Forums Integration / Customization IPA/ProcessFlow

UserAction from iPhone?

 9 Replies
 0 Subscribed to this topic
 52 Subscribed to this forum
Sort:
Author
Messages
Thibaud Lopez Schneider
Advanced Member
Posts: 30
Advanced Member
6/17/2014 11:28 PM
    Hi there,

    How do we control the URL that's generated by the UserAction activity node to take actions by HTML email?

    My customer has an approval flow in Infor Process Automation (IPA) to approve/reject requests. The approvers take action by email with Approve/Reject buttons in the email. Technically speaking, I have a flow with a UserAction activity node, with two actions Approve/Reject, with a notification message that has the checkboxes "HTML content" and "Allow actions via email". The result is an email sent to the approver with Approve/Reject buttons. The buttons are generated with a URL like http://host:81/bpm/submit...data=wZ5nVkjAJWuU... The encrypted data is self-sufficient to take action with a single-click. (We can talk about impersonation problems and the lack of reason/message in a separate discussion.) The approvers can click Approve/Reject from their Microsoft Outlook or Lotus Notes in the office network and it works fine. They can also take action from the Inbasket in Smart Office or from the Web Inbasket. The customer wants their approvers to take action from their iPhone while on the road because not all their users use Smart Office at the office and many of them are on the road, and they exclude VPN on the iPhone as an option. For that I have to solve the problem with the network administrators of how to securely put the server on the DMZ with DNS, reverse proxy, firewall, port forwarding, defense in depth, and all that. I'm OK with that. But I have another problem where I need your help.

    The URL is generated with a non-routable internal host of the form host.internal.domain.com. And it's unsecure over un-encrypted HTTP. And we might want to change the port number. The question is, how do we control those parts of the URL? I.e. I need to change the scheme (I need HTTPS, not HTTP), the host, and port number of the URL. Where is that configured? That's where I need help with.

    Thank you,

    Thibaud Lopez Schneider
    http://thibaudlopez.net/

    PS: We could have used the Mobile Inbasket, but my understading of the Mobile Inbasket is that it was a product for ProcessFlow Integrator and was discontinued for IPA. So my question still stands.






    John Henley
    Posts: 3353
    6/18/2014 5:03 PM
      You have indeed uncovered some shortcomings of using email-enabled user actions in IPA. It should have been the one of the "killer features" in IPA, but I can't recommend it until they address the issues you highlight (in particular, URL translation, user validation/authentication are my two pet peeves). I discussed, argued, debated, etc. during the beta that these were significant issues that needed to be addressed in order to use it in anything but a very simple/generic setting.
      We can discuss in more detail if you have specific questions..

      Have you tried the IPA Notifications app for the iPhone? Since it uses up-front authentication (i.e. you have to point it to a specific URL and authenticate), it might work for what you want.
      Thanks for using the LawsonGuru.com forums!
      John
      Thibaud Lopez Schneider
      Advanced Member
      Posts: 30
      Advanced Member
      6/18/2014 9:56 PM

        Hi John,

        Thank you for your answer. I'm glad you're corroborating the problems I found.

        Yes, I'd like to discuss more about this. Can you email me or call me at work? You can find my contact info on my website thibaudlopez.net (captcha'd to not leave it here to spammers).

        Thibaud

        SP
        Veteran Member
        Posts: 122
        Veteran Member
        6/18/2014 10:39 PM
          John,

          We have this exact thing setup and working at Kennedy. We had to setup an "EXTBPMINBASKET" (Allows external access so inbasket actions for mail flows work) for the PRODLINE.LPA.LAWSON-STRUTS Service. We set this up with HTTPS enabled endpoint to a server residing in the DMZ. The emails from the flows are modified so that the action buttons in the emails direct the calls the external facing inbasket. It doesn't matter where you are in the world, or what device the email notifications come to, all you have to do is click the action and it gets processed all the way back in a secure manner.

          For what it's worth, Conover helped developed and implement the solution.
          Thibaud Lopez Schneider
          Advanced Member
          Posts: 30
          Advanced Member
          6/18/2014 11:45 PM
            Hi Shane,

            Thanks for your valuable feedback. I know Cary. I'll contact him.

            Thibaud Lopez Schneider
            http://thibaudatwork.wordpress.com/
            Thibaud Lopez Schneider
            Advanced Member
            Posts: 30
            Advanced Member
            7/3/2014 10:34 PM
              I think I found a workaround that involves simple URL-rewriting:

              1) I'll have the mail server (Lotus Domino) intercept any email coming from ipa@domain.com, get to the email body, find the action URL, and re-write it from internal.domain.com to public.domain.com.

              2) I'll configure the public-facing firewall to allow that URL to pass thru and do port forwarding to reach internal.domain.com.

              3) For defense in depth I might even implement a simple reverse proxy in JSP and put it in the DMZ with dual firewall configuration.

              I'm confident it will work.
              John Henley
              Posts: 3353
              7/7/2014 1:34 PM
                I have done similar with IIS (using application URI rewriting/routing) with some success; it does function like a reverse proxy. Unfortunately, it does become a bit of a "whack-a-mole", in that you end up covering 90% of the URLs, and more just keep popping up. I have tried to convince Infor/Lawson to just adopt IIS and ARR as a standard solution for adding remote/external-facing sites, however they want to remain platform-agnostic.
                Thanks for using the LawsonGuru.com forums!
                John
                Thibaud Lopez Schneider
                Advanced Member
                Posts: 30
                Advanced Member
                7/16/2014 12:34 AM
                  I learned a new term, "whack-a-mole", and I watched the funny images of the game on the Internet. In our case we'll only have one set of URLs so it should be OK, hopefully...
                  Thibaud Lopez Schneider
                  Advanced Member
                  Posts: 30
                  Advanced Member
                  7/18/2014 11:40 PM
                    James J at Infor said we can override the base URL sent as part of the email action buttons; it's in Rich Client Admin > Configuration > Email > Base Uri. That solves the problem of the hostname and routable IP address; no need for rules in Domino to rewrite the email bodies.

                    Also, he asked me if I was setting "multiple end points in IPA". I don't understand his question, and I'm waiting for his clarification. Any ideas?
                    Thibaud Lopez Schneider
                    Advanced Member
                    Posts: 30
                    Advanced Member
                    8/19/2014 12:27 AM
                      UPDATE - The Email Base URL must be set in IPA Admin > Configuration > system (not main).