RKL eSolutions Blog Trends and Insights

Sage ERP X3 LDAP Compatibility

I have had several inquiries into whether Sage ERP X3 supports LDAP (Lightweight Directory Access Protocol) for user authentication. The answer is yes: support for LDAP has been added in V6. In fact, here is an excerpt from one of their whitepapers. You can read the entire whitepaper on our website at Security and Auditability with Sage X3.

User authentication can be controlled through access to a centralized LDAP directory, and the identity can be inherited via NTLM over the HTTP protocol (in Web mode) or through the Windows login information (in client-server mode). LDAP means Lightweight Directory Access Protocol. It refers to open structures used to manage identities, and all the authentication information linked to them, in a centralized way. Several implementations exist (such as OpenLDAP). Active Directory is the corresponding implementation used by Microsoft to store identities and is LDAP compatible. In Sage ERP X3 version V6, a setup allows you to declare that an LDAP directory exists somewhere on the network, and to map information usually stored in the user or parameter tables to LDAP fields. Once this is done, the parameters stored in the Sage ERP X3 database can automatically be refreshed according to the values stored in the LDAP directory (setup option): a central repository of users can thus be managed.

General Overview

This section describes the LDAP user directory and SSO (Single Sign-On) connection process in more detail. It corresponds to what happens in client-server mode once the setups described in the following paragraphs have been defined.
The various phases unfold as follows:

1 - The user logs in to Windows (for example as 'john_doe'). In Web mode, the NTLM layer recovers this account automatically.

2 - The user opens a SAFE X3 software session by double-clicking the launch icon (or by clicking a hyperlink). In client-server mode the connection window opens, at least the first time: if the box "use these setups for the next connection" is ticked, the connection box is no longer displayed afterwards, except when the [Shift] key is held down during launch.

3 - In client-server mode, the user enters his/her user code as it is known in the software. The code can be JOHN, DOE, ADMIN or any other code, but to use SSO the code entered has to match the Windows login, i.e. JOHN_DOE.

4 - The software checks that JOHN_DOE exists in the user table (the field tested is the Login field of the user table). In this example, that login corresponds to the user code JOHND. It is the code JOHND (5 characters maximum) that is stored in all the tables in which the AUS data type is used.

5 - Once SSO has been activated and the code entered is JOHN_DOE (i.e. it matches the original Windows login), the password check is not carried out. If the code entered does not correspond to the system login, the password check is carried out and is blocking.

6 - The system then uses the Reference Active Directory field of the user to query the centralized directory (LDAP, Active Directory, ... according to the global setup of the declared connections) and receives a group of values in return (field values of the user table, parameter values at the level of the user). It updates these values in the software if they have changed in the directory, since the directory is the reference.
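To make the six steps concrete, here is an added example written for this article (it is not Sage's code and does not use X3's real tables) that simulates the sequence in Python against a constructed directory and a constructed user table. The record layout, the field names (`login`, `reference_ad`, `FIELD_MAP`), the sAMAccountName-based lookup and the case-insensitive login comparison are assumptions for the simulation. The part worth keeping in mind for any real integration is `escape_filter_value`: a value taken from a login prompt or a user record and placed inside an LDAP search filter must be escaped per RFC 4515, otherwise characters such as `*`, `(` and `)` change the meaning of the query.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# --- constructed sample data (hypothetical, not from any real X3 install) ---

# Central directory, keyed by sAMAccountName (AD treats it case-insensitively).
DIRECTORY = {
    "john_doe": {
        "sAMAccountName": "john_doe",
        "mail": "john.doe@example.com",   # already changed in AD, stale in X3
        "telephoneNumber": "+1 555 0100",
        "department": "Finance",
    },
}

# The mapping declared in the X3 setup: LDAP attribute -> user-table field.
FIELD_MAP = {"mail": "email", "telephoneNumber": "phone", "department": "dept"}


def _pw_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# X3 user table; the key is the 5-character user code (AUS data type).
USERS = {
    "JOHND": {
        "login": "JOHN_DOE",         # Login field, tested in step 4
        "reference_ad": "john_doe",  # Reference Active Directory field (step 6)
        "salt": "s1", "pw": _pw_hash("Secret#1", "s1"),
        "email": "jdoe@old.example.com", "phone": "+1 555 0100", "dept": "Sales",
    },
    "ADMIN": {
        "login": "ADMIN",
        "reference_ad": None,        # local account, not linked to the directory
        "salt": "s2", "pw": _pw_hash("Adm1n!", "s2"),
        "email": "admin@example.com", "phone": "", "dept": "IT",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_filter(account: str) -> str:
    """Filter that would be sent to the directory for one account."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(account)}))"


def directory_lookup(account: str) -> Optional[dict]:
    """Stand-in for the LDAP search; a real client would send build_user_filter()."""
    build_user_filter(account)
    return DIRECTORY.get(account.lower())


@dataclass
class Session:
    ok: bool
    user_code: str = ""
    refreshed: list = field(default_factory=list)
    reason: str = ""


def find_user_by_login(login: str):
    """Step 4: look the entered code up in the Login field (case-insensitive here)."""
    for code, rec in USERS.items():
        if rec["login"].upper() == login.upper():
            return code, rec
    return None, None


def connect(entered_code: str, windows_login: str,
            password: Optional[str], sso: bool) -> Session:
    code, rec = find_user_by_login(entered_code)
    if rec is None:
        return Session(False, reason="unknown login")
    # Step 5: the password check is skipped only when SSO is on AND the code
    # entered equals the Windows login; otherwise it is enforced (blocking).
    if not (sso and entered_code.upper() == windows_login.upper()):
        if password is None or not hmac.compare_digest(
                _pw_hash(password, rec["salt"]), rec["pw"]):
            return Session(False, user_code=code, reason="password check failed")
    # Step 6: the directory is the reference; refresh mapped fields that differ.
    refreshed = []
    if rec["reference_ad"]:
        entry = directory_lookup(rec["reference_ad"])
        if entry:
            for ldap_attr, x3_field in FIELD_MAP.items():
                if ldap_attr in entry and entry[ldap_attr] != rec[x3_field]:
                    rec[x3_field] = entry[ldap_attr]
                    refreshed.append(x3_field)
    return Session(True, user_code=code, refreshed=refreshed)


if __name__ == "__main__":
    print(connect("JOHN_DOE", "john_doe", None, sso=True))   # SSO path
    print(connect("ADMIN", "john_doe", "wrong", sso=True))   # blocking password check
```

Run as-is: the first call succeeds without a password because the code entered matches the Windows login, and reports which X3 fields were refreshed from the directory; the second call is rejected because ADMIN is not the Windows login and the password is wrong.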

The management of authentication and access for the solutions based on the SAFE X3 technology rests on two complementary principles:

1) Centralizing the authentication data

In order to manage user authentication in the SAFE X3 software in a centralized way, some of the information can be stored in an LDAP (Lightweight Directory Access Protocol) directory. This centralization can be carried out whatever the connection type.

2) The single sign on (SSO)

A user who has logged in to a Windows workstation can be considered to have already signed in (the user has entered his/her password). Consequently, the user does not want to enter a user code and password again every time he/she connects to SAFE X3.

Signing in once is called SSO (Single Sign-On).

There are some limitations. Currently, in Sage X3 V6, SSO works in two cases:

  • for client-server connections, as soon as the setups have been correctly implemented
  • for Web mode connections, provided that the user is connected to a secure network (private or internal network) and that NTLM over HTTP has been implemented (defined in the console)

NOTE: Several documents mention additional connectivity to NetVibes. It is my understanding that the way this works is still applicable, but the relationship and connectivity between Sage ERP X3 and NetVibes is no longer active at this time.

These functionalities are implemented in Sage ERP X3 by means of a group of setups.

This diagram is from the X3 Help.

Sage X3 Help Diagram


Tags: Sage X3
Written by Joe Noll

Joe is the President of the RKL eSolutions brand. Certifications: MCITP, MCTS, Sage 500 ERP Certified Consultant, Sage 500 ERP Certified Developer, Sage ERP X3 Certified Developer, Sage ERP X3 Technical Consultant. Specialties: SQL Server optimization assistance, virtualization, business continuity planning.