Last Post 01/05/2019 8:54 PM by  Alex Tsekhansky
Moving from LS/STS to ADFS
 24 Replies
Ed Corbett, System Engineer (New Member, 8 points, 4 posts)
05/30/2018 2:43 PM
Alex, are there any differences between converting from LS/STS and installing on a new system? We are working on upgrading our Windows servers from 2008 to 2012; we are building brand new boxes and then will be migrating the data over.
Alex Tsekhansky (Veteran Member, 237 points, 79 posts)
06/02/2018 9:44 AM
There are some differences.

1. ADFS 2.0 (that's what you will get on Windows 2008) and ADFS 3.0 (that's what you will get on Win2012R2) have somewhat different installation instructions and configuration with Lawson.

2. If you have LSasSTS already, some of the items required by ADFS will already be installed and configured on the LSF servers.

Either way, you will be setting up a bunch of new things on multiple servers to make all of it work.
Joe O'Toole (Veteran Member, 802 points, 312 posts)
06/04/2018 11:06 AM
This seems to be a move to coerce non-cloud customers to use ADFS for the convenience of Infor.
We just got done upgrading to V10 a year ago, and after expending the effort on SharePoint for Ming.le it has already been kicked to the curb.
For my company the ADFS requirement will generate a large and costly project with no tangible return for our end users.
If there are benefits from a security perspective, they were never communicated to us by Infor. SAML is not mentioned anywhere, but I assume that is what is being used.
There is also a good deal of misinformation being handed out by Infor.
On different occasions I was told by Infor support that they do and do not support hosted authentication providers such as Azure and Okta, and also that they do and do not support MFA.
We were also told we could and could not continue to use the Loadusers utility once on ADFS as the primary mechanism for provisioning new accounts.
Aside from having an additional endpoint for EMSS to be accessible via the public internet, we are a fairly simple shop using the S3 GL and HR modules.
Since we are bound to AD, our users log into Ming.le (or Portal for EMSS) with their Windows accounts, so I'm not seeing where all these single sign-on benefits will be occurring.
The announcement from Infor states that they will not be providing "discrepancy corrections", that future environment cyclics are "expected" to support ADFS, and that customers "run the risk of encountering issues" if they do not convert to ADFS, which is vague and open-ended.
Does anyone know what will happen if we simply do not install ADFS?
I am guessing that LS as STS will still work as it does today, and I would not be surprised to see a policy change by Infor if enough customers push back.
Alex, what is your take on this?
JimY (Veteran Member, 1237 points, 443 posts)
06/04/2018 11:56 AM
We already have ADFS set up for other applications, so it should not be a big deal on that end. My understanding is you can still use LS/STS, but you would not be able to upgrade to the Environment version of 10.0.10. I assume this also means any newer version of Landmark. Because they also would not be providing patches, it may be a problem if the issue is causing a lot of headaches. I have found in the past that they will continue to provide help for a short time, but eventually they will tell you to make the switch.

Our security team wants us to switch to ADFS because they said it would be easier to implement two-factor authentication. I didn't get into the details of why.
Alex Tsekhansky (Veteran Member, 237 points, 79 posts)
06/08/2018 9:39 PM

Hi, Joe.

1. ADFS is not quite "all-or-nothing" setup (unlike regular BIND, for example).

There are some applications (most notably MSCM and LM Rich Client) that do not support ADFS. For those, Infor made a special provision so they can continue to use BIND. This is done by essentially setting up yet another set of web servers/endpoints in LSF and LM with special service types that use regular LDAP BIND, like I assume you use now.

In theory some of the items you mentioned can go over these special services and still log in to Lawson via BIND. As an example, we were able to use LSA to connect to that special endpoint, and it indeed logged in with the regular screens.

2. The main idea, however, is that ALL users, including EMSS, will use ADFS. That means the ADFS web server used by Lawson will indeed need to be exposed to all users, including the ones logged in from the "outside" (if you allow login directly from the "outside").

3. The protocol is SAML 2.0. So you can definitely use non-ADFS user repositories, such as Azure, PingFederate and a few others, but there are additional requirements for these repositories. I suspect most people, if they have AD, will simply use ADFS.

4. I do not see any reason NOT to use loadusers. HOWEVER, with ADFS you will get extra identities that you may need to load as well, and loadusers is not capable of handling those. So you will need to supplement it with ssoconfig loads (if you really need to do command-line user loads and not IPA, for instance).

5. Re the announcement - here is my take on it:

In May 2019 Lawson will stop testing or releasing any patches that are specific to LSasSTS. Nevertheless they will still support older ESPs that have this option. Note that Infor supports the 3 last ESPs. So, since we have ESP10 out, Infor supports ESP 10, 9, 8.

Infor plans to release 1 ESP per year. So, in May 2020, when ESP12 comes out, they will drop support for ESP9, and that will be the actual end of LSasSTS.

In the meantime, after May 2019, if they determine that your problem is related specifically to LSasSTS and not something else, they may ask you to switch to ADFS to fix it. In my view it's an unlikely event, but anything can happen.

Re: benefits - the primary benefits of ADFS as I see them are:

1. Final fix for the timeout issues. As you might know, it is actually not technically possible to fix all of the timeout issues in LSasSTS in a complex installation that involves LSF, Mingle, LM, IPA, GHR, LBI and MSCM. There are specific situations when some components will time out and others will not, thus resulting in WEIRD issues on the screen.

2. Lawson will not get/process passwords. You will be authenticating BEFORE you get logged in to Lawson.

3. Two-factor authentication will be MUCH easier to do.

4. Some weird user-name-related issues will be gone, such as case sensitivity etc.

5. If you decide to host some applications with Lawson (e.g. CloudSuite financials) and keep some on-premise (e.g. GHR), you can use the same users and authentication to login to both.
