Configuration guide for U4IDS on UBW applications (cloud clients)

About this document

Copyright of the attached documentation is the property of Unit4 N.V. and/or its group companies. Reproduction of this documentation for any purposes is prohibited without the prior express written authorization of Unit4 N.V. or its group companies. Any unauthorized use, copying or sale of the above may constitute an infringement of copyright and may result in criminal or other legal proceedings.

Copyright © 2017 Unit4 N.V. and/or its group companies. All rights reserved. Any other brand names and/or trademarks referenced herein are either registered or unregistered trademarks of their respective proprietors.

Introduction

Unit4 Identity Services (U4IDS) is a single identity solution and architecture for the Unit4 ecosystem that gives users one identity across multiple applications and enables a Single Sign-On (SSO) experience.
U4IDS integrates with the organization's identity solution using industry standard protocols and is shared across Unit4 applications, acting as a gateway for external authentication.
The information contained in this document covers the configuration of Unit4 Business World (UBW) for use with U4IDS. It assumes that U4IDS is correctly installed. For information on the installation of U4IDS, please refer to specific documentation on the subject.

UBW applications that can use U4IDS for authentication

UBW can be configured to perform authentication through U4IDS using the OpenID Connect protocol. U4IDS is an external service, and setting up UBW to authenticate with U4IDS involves configuration in both UBW and U4IDS.

The following UBW applications can be configured to use U4IDS for authentication:
- UBW web
- UBW web services
- UBW desktop

External authentication of UBW web and UBW mobile is also possible using claims-based authentication. In this case, the only supported protocol is WS-Federation and the configuration is done directly between the UBW installation and the customer's Identity Provider (IdP).

UBW web

UBW web is a client of U4IDS, so it must have a client registration in U4IDS before it can route authentication requests to U4IDS. The U4IDS administrator must set up a client. The administrator must know the URL of the UBW web site and will always give each web site a unique client identifier (clientId), prefixed with 'u4bw-web'. The client identifier is needed to configure UBW to use U4IDS.

IDS authenticator activation

The activation of the U4IDS authentication for web is done in the 'Authentication setup' window (UBW desktop) by choosing 'Identity Services authentication' for the platform 'Web'.


In 'Choose platform', the 'Web' option must be selected.


'Identity Services authentication' must be chosen in this step.


In the 'Authentication details' tab, the 'Default' checkbox must be selected for the default authentication.

Web application login

Users log in to the web application as shown in the figure below. Once the configuration described in the previous sections of this document is complete, the default login uses U4 authentication, and the user may change it to IDS authentication.


Login to the web application. The user can choose between the authentication modes.

ID configuration

To use IDS authentication, the 'Unit4 ID' and 'Logon company' fields must be filled out in the 'User master file' window, 'Security' tab. The 'Unit4 ID' is the value that matches the one returned by the IdP via claims. Usually this is set up using the user's e-mail address. The 'Logon company' is the application client to which the user is logging in.


The 'Unit4 ID' and 'Logon company' fields must be filled out in the 'User master file' window, 'Security' tab.

UBW web services

The UBW web services (SOAP services) can be configured to require OpenID access tokens for authentication and internal user identification. Callers of web services will send the access tokens in the credentials part of the SOAP message.
The web services host requires a configured scope secret so that it can securely validate access tokens. The same scope secret can be used across web API and web services.
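
The following is an added illustration, not part of the Unit4 documentation or product code, of why the host needs a secret of its own to validate a token. It assumes validation follows RFC 7662 token introspection with the scope name and scope secret sent as HTTP Basic credentials, which this guide does not state; the endpoint URL, scope name, secret and sample responses are constructed.

```python
import base64
import time
from urllib.parse import urlencode

# Hypothetical values for illustration; none of these come from the guide.
INTROSPECTION_URL = "https://ids.example.invalid/connect/introspect"
SCOPE_NAME = "example-ubw-scope"
SCOPE_SECRET = "constructed-secret"


def build_introspection_request(token, url=INTROSPECTION_URL,
                                scope=SCOPE_NAME, secret=SCOPE_SECRET):
    """Return (url, headers, body) for an RFC 7662 introspection call.

    The host authenticates with its scope name and scope secret, so the
    identity service only answers questions about tokens to a known host.
    """
    basic = base64.b64encode(f"{scope}:{secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode({"token": token})


def evaluate_introspection(resp, required_scope=SCOPE_NAME, now=None):
    """Fail closed: return (accepted, subject_or_reason)."""
    now = time.time() if now is None else now
    # 'active' must be the JSON boolean true, not a truthy string.
    if resp.get("active") is not True:
        return False, "token inactive"
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    # RFC 7662 uses a space-separated string; some servers return a list.
    scopes = resp.get("scope", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    if required_scope not in scopes:
        return False, "token not issued for this scope"
    # The subject is what the host maps to an internal user.
    sub = resp.get("sub")
    if not sub:
        return False, "no subject to map to a user"
    return True, sub
```
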

IDS authenticator activation

The activation of the U4IDS authentication for web services is done in the 'Authentication setup' window (UBW desktop) by choosing 'Identity Services authentication' for the platform 'Web services'.


In 'Choose platform', the 'Web services' option must be selected.


'Identity Services authentication' must be chosen in this step.


In the 'Authentication details' tab, the 'Default' checkbox must be selected for the default authentication.

UBW desktop

The UBW desktop client application supports logging in with the customer's IdP as set up in U4IDS.

UBW desktop is a client of U4IDS, so it must have a client registration in U4IDS before it can route authentication requests to U4IDS. The U4IDS administrator must set up a client. Given that the settings are the same throughout all installations, a single client registration can be used for UBW desktop. The default name for this client is 'u4bw-desktop'. This client ID is required to configure UBW to use U4IDS.

IDS authenticator activation

The activation of the U4IDS authentication for desktop is done in the 'Authentication setup' window (UBW desktop) by choosing 'Identity Services authentication' for the platform 'Desktop'.


In 'Choose platform', the 'Desktop' option must be selected.


'Identity Services authentication' must be chosen in this step.


In the 'Authentication details' tab, the 'Default' checkbox must be selected for the default authentication.