Security & User Management
Overview
Infor Cloud Identity & Access Management is where Infor User Management and access will be handled by IFS (Infor Federation Service) along with the Infor Federated Hub for the Authentication and Authorization of User Account Management. This component of the Infor Platform is utilized by those accessing the Infor Cloud from a browser based app, mobile app, or API.
An Overview of how Infor Federated Services (IFS) facilitates the management of users and permissions.
Key Concepts & Definitions
| Identity and Access Management (IAM) | Access management is the process of managing a user’s login and access across a wide range of applications, systems, and resources belonging to an organization. IAM services authorize user access to protected resources, but delegate the authorization decisions to the applications’ owners. |
| Identity Provider (IdP) | A system that validates the identity of a user in a federated system. The service provider (or SP; see below) uses the IdP to get the identity of the current user. |
| Service Provider (SP) | A system that provides a generic service to the user in a federated system. To users, a service provider is the same thing as the application they are trying to use. |
| Federation | An agreement ( trust ) between identity providers and service providers that allows for the sharing of information. It lets users of a service sign on to said service through one single identity provider. Also known as federated identity management, this is a technical implementation that enables identity information to be developed and shared among several entities and across trust domains. |
| Security Assertion Markup Language (SAML) | SAML is an industry standard XML-based framework for communicating user authentication and attribute information. The SAML 2.0 protocol standard is leveraged by Infor applications |
| Single Sign On (SSO) | A service model in which users log into one single platform that gives them automatic log-in access to multiple applications for a certain period of time. Users using this system only have to remember one set of credentials, as opposed to learning a new password for each application. |
| Single Log Out (SLO) | Enables a user to log out of all participating sites in a created session. The party that authenticated the user handles all logout requests and responses for participating sites. |
| Identity Stores | User information stored across a variety of technologies, including databases, LDAP, Active Directory, etc. |
| User Provisioning | A set of technologies that create, modify, and de-activate user accounts and their profiles across IT infrastructure and business applications. |
| System for Cross-domain Identity Management (SCIM) | SCIM is a standard for automating the exchange of user identity information between identity domains, or IT systems. SCIM communicates user identity data between identity providers and service providers requiring user identity information. |
| Just In Time (JIT) | Process where a user account can be created on demand after successful authentication occurs. |
| Authentication | Authentication is the process of validating an identity, whether it be the identity of a user or, as in the Identity of Things, a device. The classic method of validation is the username/password combination. Authentication ensures that the individual is who he/she claims to be. |
| Authorization | The process of determining if a user has the right to access a service or perform an action or the process of giving individuals access to system objects based on their identity. |
Component Parts
Single Sign On (SSO) Overview
User authentication process that authenticates the user for all the applications they have been given rights to and eliminates further password prompts.
Authentication and SSO details
- Infor OS in the cloud leverages Infor Security Token Service (InforSTS) as the identity provider used for authentication.
- Infor Federation Services (IFS) is the identity store, users requiring access to Infor OS Cloud must have a cloud identity account.
- InforSTS is a SAML 2.0 complaint identity provider.
- Infor applications existing in the Infor Multi Tenant cloud will be integrated with the Portal Federation Hub in order to achieve SSO. The Portal Federation Hub is the interface designed to allow authentication flows between applications and InforSTS. Once a user authenticates to the Infor Cloud portal they will have access to all other applications without being challenged for credentials due to the token supplied by the Portal Federation Hub to the user browser session.
- Infor Cloud is SP initiated SSO, user accesses the Infor Cloud portal and is redirected to the identity provider if authentication is required.
SSO Options
- Infor OS Cloud can be federated with other identity providers to allow for authentication and SSO from other sources, typically this would be done to grant customer accounts access to the Infor OS Cloud portal and eliminate the need to create and maintain cloud identity accounts for users.
- Federations can be created with any SAML 2.0 capable identity provider.
- Infor OS Cloud now supports Open ID Connect which relies on the OAuth 2.0 protocol for federations.
- Federating with identity providers provides flexibility for customers on the identity providers used and the identity stores used by those identity providers.
Authorization and IFS Overview
- After authentication occurs access to the Infor OS portal requires authorization. This is handled by Infor Federation Services (IFS), this is Infor’s user management application.
- In order to be authorized a user must have an account within IFS.
- In order to access applications a user must have security roles assigned to their account. These security roles are defined by application and functions within the applications that exist within the Infor OS portal.
- Some applications rely solely on IFS for security purposes and some Cloudsuites have their own security in addition to IFS security roles. In order for a user to access these applications they would require the correct IFS security roles for the application and would need to have an account within the specific application in order to gain access and run features and functions.
- Access to the Infor OS portal requires authentication and authorization, both have equal importance when it comes to application security.
User provisioning – Cloud
- Infor OS Cloud does not have the ability to bind to an Active Directory like the on-premise version.
- Users can be manually created within the IFS user management application. When a user is created, they will be sent an email asking them to verify their account and to create a password for that account.
- Other user provisioning options are manual import of user information from a CSV or XML file.
- SCIM can be used to publish or get user information between a SCIM capable application and Infor OS Cloud. Infor OS is SCIM 1.1 and 2.0 compliant. Infor OS Cloud has SCIM service only capability.
- If Infor OS Cloud is federated with another identity provider, then the requirement to have a user verify their account and create a password is not needed. The option to generate the verification email when users are added to IFS can be turned off.
- If Infor OS Cloud is federated with another identity provider, then there is an option to use Just In Time (JIT) to have user accounts created on demand.
- Users can also be provisioned to IFS via a Security User Master ( SUM ) BOD (Business Object document) generated from another application that has a user repository and supports BODs. Infor GHR is an example of a cloud application that generates a SUM BOD that IFS can consume for user provisioning purposes.
Authentication and Provisioning Flow
The Authentication and Provisioning flow diagram illustrates the configuration and flow of the Federation (Authentication) and User Provisioning (Authorization) to a Identity Provider using SCIM for user provisioning automation and maintenance.
SCIM User and Security Role Flow
The SCIM User and Security Role flow diagram illustrates how SCIM groups are used to assign security roles to IFS users using the Azure AD identity provider SCIM interface.
GHR CSV Integration Diagram
The GHR CSV Integration Diagram illustrates how user provisioning can be automated from the GHR application source of record to a customers corporate HR application system using a CSV file format.
GHR API Integration Diagram
The GHR API Integration Diagram illustrates how user provisioning can be automated from the GHR application source of record to a customers corporate HR application system using a API call.
Want to learn more?
Topical videos
Need information on a specific feature, function, or a quick overview? Then short videos may be just what you are looking for. Check out our playlist on YouTube.
Written Guides
Product documentation is the go-to reference for how specific parts of the product work. For online, searchable, easy to understand docs see this component’s documentation:
- IFS User Management documentation.
- Security Roles specific to IFS User Management
- IFS Federated Security
- IFS User Management General Setting
Community
Collaborating with others in your industry is a great way to learn and help others. Start participating in this component’s online community today!
Courses
Infor Campus offers learning tracks that combine video based and instructor led teaching. If you are an Infor customer then check out courses on Campus. We recommend the following courses specifically for this component:
- Infor OS: Identity and Access management Fundamentals Workshop