Acumatica as an Identity Provider (IdP) using OpenID Connect for Integrated Systems’ Single Sign-on (SSO)
For businesses running several applications alongside their ERP, Single Sign-On (SSO) reduces credential sprawl and puts authentication in one place. Acumatica ERP can be that place: it exposes OpenID Connect endpoints, so an integrated system (the relying party) can send users to Acumatica to log in and receive an ID token and an access token in return instead of keeping its own password store. In this role Acumatica plays the part that a dedicated identity provider such as Okta or OneLogin would otherwise play. This article walks through configuring Acumatica as an OpenID Connect provider and defining custom scopes and claims so that each integrated system receives only the user attributes it actually needs.
Key Configuration Details for Acumatica as an OpenID Connect Provider
The integrated system (the OpenID Connect client, or relying party) is configured with the following values, where [ACUMATICA_SITE_BASE_URL] is the base URL of your Acumatica site:
● Grant Type: Authorization Code
● Auth URL: [ACUMATICA_SITE_BASE_URL]/identity/connect/authorize
● Token URL: [ACUMATICA_SITE_BASE_URL]/identity/connect/token
● User Info URL: [ACUMATICA_SITE_BASE_URL]/identity/connect/userinfo
● Scope: openid is required for every OpenID Connect request; add profile, email and phone only when the integrated system needs those user attributes, and keep the set to the minimum it consumes.
These endpoints are the backbone of the setup: the integrated system redirects users to the authorize endpoint, exchanges the returned code at the token endpoint, and reads user attributes from the userinfo endpoint, while Acumatica authenticates the user and issues the tokens.
Step 1: Register the Integrated System as a Client in Acumatica
- Create a client record for the integrated system (for example, a community platform or a partner portal) and record the following values on both sides:
○ Client ID and Client Secret: Acumatica, as the OpenID provider, issues these; the integrated system presents them when it exchanges an authorization code at the token endpoint. Treat the secret like a password: keep it in the integrated system's server-side secret store, never in browser-side code, and rotate it if it is exposed.
○ Redirect URI: The integrated system's callback URL, to which Acumatica sends the authorization code. Register it exactly as the integrated system will send it (scheme, host, port and path). Authorization codes are only ever returned to a registered URI, so a loosely matched redirect URI is a security hole rather than a convenience.
- Set the Scope: Configure the integrated system to request the built-in scopes it needs (openid plus, as required, profile email phone). Each scope unlocks a group of user claims, so the request should name only the groups the integrated system will use.
Step 2: Define Custom Scopes and Claims Using IPluginClaimProvider
Custom scopes and claims let you expose Acumatica-specific user attributes, such as a user's roles, to an integrated system in a controlled way. Acumatica's IPluginClaimProvider interface is the extension point for declaring such a scope and the claims it carries; the integrated system can then make its authorization decisions from claims that Acumatica asserts rather than from data it stores and maintains itself.
Code Example: Implementing Custom Scopes and Claims
Here’s an example of how to define a custom scope named "insided" with claims for Id, Username, and CustomRoles.
Explanation of the Code
● Plugin Description: A brief, human-readable description of the claim provider.
● Identity Resources (Scopes): The custom scope "insided" is declared with exactly three claims (Id, Username, CustomRoles). A client that requests this scope receives those claims and nothing else under it, so the scope definition is where you decide what user data leaves Acumatica.
● GetCurrentUserClaims Method: Returns the claim values for the user who has just authenticated; these are the values Acumatica makes available to the integrated system (in the ID token or the userinfo response) when the scope is granted.
Step 3: Configure the Integrated System for the Custom Scope
On the integrated system's side (the relying party), the custom scope and claims defined in Acumatica must be requested and consumed under the same names:
- Request the Custom Scope: Add "insided" to the scope parameter the integrated system sends to the authorize endpoint, alongside openid.
- Map Claims: Map the claim names (Id, Username, CustomRoles) in the integrated system's OpenID Connect settings to its own user fields. The names are case-sensitive and must match the claim provider exactly, and any decision based on CustomRoles must be made from a validated ID token or from a userinfo response fetched with the access token, never from values the browser supplies.
Understanding the OpenID Connect Flow
The flow between an integrated system and Acumatica acting as the IdP is the standard Authorization Code flow:
- User Logs into the Integrated System: The user starts the login, and the integrated system redirects the browser to Acumatica's authorize endpoint with its client ID, redirect URI, requested scopes and freshly generated state and nonce values.
- Authentication and Authorization: Acumatica authenticates the user (or reuses an existing Acumatica session) and, if required, asks the user to consent to the requested scopes.
- Redirect with Authorization Code: Acumatica redirects the browser back to the registered redirect URI with a short-lived, single-use authorization code and the state value it received.
- Token Exchange: After confirming that the returned state matches the one it issued, the integrated system posts the code, its client credentials and the redirect URI to the token endpoint and receives an access token and an ID token.
- Validate Tokens and Retrieve User Info: The integrated system verifies the ID token's signature against Acumatica's signing keys and checks the issuer, audience, expiry and nonce before trusting any claim in it; it then calls the userinfo endpoint with the access token if it needs claims the ID token did not carry.
- Establish the Local Session: With a validated identity and claims in hand, the integrated system creates its own session for the user; only at this point is the user signed in to the integrated system.
Because everything after the first redirect is handled by Acumatica, the integrated system never sees the user's password, and disabling a user in Acumatica stops new logins to every integrated system at once.
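The relying-party half of the flow above, written out as an added example (this is not Acumatica's code, and the site URL, client ID, redirect URI, issuer value and sample ID token are all constructed assumptions). It builds the authorize redirect with state, nonce and a PKCE challenge, checks the state on the callback, prepares the token request, and performs the claim checks an integrated system must make on the ID token before it maps the custom CustomRoles claim to its own roles. No network calls are made, so it runs offline; signature verification against Acumatica's published signing keys is left to a JOSE library in real deployments.

```python
"""Added example (not Acumatica's code): relying-party side of the
Authorization Code flow against Acumatica's OpenID Connect endpoints.
URLs, client id, issuer and the sample token are constructed assumptions."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://erp.example.com"            # assumed [ACUMATICA_SITE_BASE_URL]
ISSUER = BASE_URL + "/identity"                  # assumed; take it from the discovery document
CLIENT_ID = "insided-community"                  # assumed client registered in Acumatica
REDIRECT_URI = "https://community.example.com/oidc/callback"  # assumed callback URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(scopes=("openid", "profile", "email", "insided")):
    """Build the redirect to the authorize endpoint. state ties the callback to
    this browser session (CSRF), nonce ties the ID token to this request
    (replay), and the PKCE challenge ties the code to this client."""
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "verifier": verifier}
    return f"{BASE_URL}/identity/connect/authorize?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> dict:
    """Check state, then build the form body posted to the token endpoint."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["verifier"],
        # the client secret goes in the HTTP Basic Authorization header, not the body
    }


def validate_id_token(id_token: str, session: dict, now=None) -> dict:
    """Claim checks an RP must make before trusting an ID token. Signature
    verification against the issuer's JWKS is delegated to a JOSE library;
    these are the checks such libraries commonly leave to the caller."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned ID token rejected")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    audience = claims.get("aud")
    if CLIENT_ID not in (audience if isinstance(audience, list) else [audience]):
        raise ValueError("ID token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: possible replay")
    return claims


def roles_from_claims(claims: dict) -> set:
    """Map the custom CustomRoles claim (list or comma-separated string) to a set."""
    roles = claims.get("CustomRoles", [])
    if isinstance(roles, str):
        roles = roles.split(",")
    return {role.strip() for role in roles if role.strip()}


def make_sample_id_token(nonce: str, exp: int, issuer: str = ISSUER) -> str:
    """Constructed sample token; the signature segment is a placeholder only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample"}
    claims = {"iss": issuer, "aud": CLIENT_ID, "sub": "admin", "exp": exp, "nonce": nonce,
              "Username": "admin", "CustomRoles": "Administrator, Sales"}
    parts = (json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder-signature")
    return ".".join(b64url(part) for part in parts)


if __name__ == "__main__":
    url, sess = start_login()
    body = handle_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={sess['state']}", sess)
    token = make_sample_id_token(sess["nonce"], int(time.time()) + 300)
    print(url, body["code"], roles_from_claims(validate_id_token(token, sess)))
```

The checks in validate_id_token are deliberately explicit: a token issued by a different issuer, a token minted for another client, an expired token, or a token whose nonce does not match the one stored in the session is rejected before any role mapping happens, which is what prevents a stolen or replayed token from logging a user into the integrated system.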
Conclusion
By using Acumatica as an Identity Provider with OpenID Connect, you’re offering a streamlined login experience across systems while maintaining strict control over data access. With built-in and custom scopes, you can further personalize and secure the user experience, ensuring that each user only has the permissions they need.
Acumatica’s OpenID Connect integration is a powerful tool for multi-application environments, enabling centralized authentication and finely tuned access control through custom scopes and claims. This setup simplifies user access management and enhances security, allowing your organization to leverage SSO with confidence.