ADFS requirements

We are in the process of finalizing a contract with a company to make the change for us. They are less expensive than Infor. We had Infor for another project and we were not happy with their performance. We have known about this since the middle of the year so it has been out there for a while.

Greg,
The requirement has been out there for about 9 months now. There are plenty of providers (me included) who can do it for less than Infor.

Let me know if you would like to discuss more, or like some guidance.

Kwane
505-433-7744

Please excuse my earlier vent/rant.

Rants always welcome here...
As Kwane points out, there are alternatives other than Infor — most of the partners in the Lawson ecosystem as well as independents.

I certainly understand Greg's struggle. As much as you can say that there was advanced warning, the announcement did not fit well into the budget cycle for some organizations. Some needed to budget this months before the announcement was made in order to fit into their fiscal year. I was curious how others deal with this.

I say AMEN to Greg's 'rant/vent'!!! Yes, we knew about it earlier in the year but didn't know how big it was until well after we started switching our DEV environment. Then the alleged 'training' session (Glenn R is most awesome trainer but I think he got sucked into doing the session to make the change seem more legitimate!) a couple weeks ago was kind of a joke and very late, given all it's taking to do and the cost. Training should mean we can then do it. But at least a dozen times in the training we were told "Don't do this on your own!" And it's not cheap. We're using an Infor partner (who we love! Seriously!) which is much less than ICS I'm sure. We *hope* to finish by the deadline but likely won't.

Shame on Infor for doing this the way they did. Kinda shows a lack of appreciation/understanding for the real world of their on-premise customers. And I hear the date isn't shifting. So you're not alone. Maybe we'll move to the cloud before then (ha ha)!
Lenny (lc@choa.org)

Lenny, thanks for that feedback--very helpful! And for everyone involved, would you share the name of the Infor Partner you are using?

We're using AVAAP. They're helping us wade through the mire. We're *always* happy with them. (I hope I'm allowed to say that in this forum)

Posted By Leonard Courchaine on 12/21/2018 3:20 PM
We're using AVAAP. They're helping us wade through the mire. We're *always* happy with them. (I hope I'm allowed to say that in this forum)

Of course, that's why I asked

Lenny,
I’ll say it with you. Diraj and his team worked very hard to build a solid firm, and has done a good job. The fact your organization is always happy with them, says they were successful.

They have are a solid team over there.

Greg, I am not a fan of how Infor handled the ADFS debacle either. Yes it was announced a while ago but nobody (including Infor IMHO) had a thorough understanding of the process or impact on IT infrastructure. We have no ADFS presently so jumped on the research bandwagon early on and initially got ridiculous quotes to do the implementation (months vs days). I was just at our local MRLUG user group meeting and was shocked by how many customers were either still unaware of the deadline or indifferent to being in an unsupported position (however unlikely an authentication related bug fix request would be). In any case, we are scheduled to be live before the end of January so I'll keep everyone posted on how things go.

We were told by Infor we didn't need to be concerned with this move until we were on LSF 10.0.10 - LS STS Authentication is being sunset after v10.0.9.  Is this not correct??

Deanna,
No that isn’t completely correct. While it is TECHNICALLY correct, it isn’t supported.

TECHNICALLY, if you don’t anticipate needing patches for LSF and potentially the S3 business apps, AND if Landmark doesn’t need a CU (especially one that affects the IPA bridge), then yes, you can wait until you need 10.0.10, or some Landmark CU that requires 10.0.10

BUT

According to the support notice, you will be out of compliance, and support has no obligation to provide support on an issue after March 1st.

I was told by a trusted Infor tech resource that LSF patches sometimes contain unadvertised security fixes. Therefore, it is wise to apply LSF patches as they become available, if for no other reason than to patch unknown security holes. From my understanding, any 10.0.9 LSF patches issued after the March 1 date will require ADFS.

Infor said exactly that on the latest ADFS-related webinar - after March 2019 ANY LSF patches may include fixes that would break LS-as-STS.

 

So, the only way to remain on 10.0.9 after March 1, would be not patching LSF, LM and related products.

Even after you migrated to ADFS authentication, there are modules within LSF/LMRK that do not support ADFS, so you will need to configure there modules to use... good old LDAPBIND authentication.

Could you please give more details on the modules which do not support ADFS? Thank you!

Lenny,

Thanks for the good words. I know how difficult it can be to sort through some of the changes that are required over the life cycle of your Lawson system and I'm glad we've been able to partner together and help you to be successful.

Brian

Brian B,
I’ve known you as you’ve progressed a number of places, you always do a great job of providing a solid experience to clients.

Kwane

ADFS will require special consideration with the following applications (LSF 10/LM 10.1.1 or 11.x):

 

1. MSCM. By default your handheld users will need to type UPN names when login in. We have tested and approved with Infor alternate solution for that one that will still allow them to use short names.

2. Rich Client. Users will need to use UPN names.

3. Old versions of Add-ins

4. IPA configuration

5. LBI configuration

6. Old versions of LSA (if needed)

7. Two-factor authentication configurations