The security system in ERP.net v.2020.1 has been completely revamped. It is now based on OAuth2 / OpenID Connect security standards. This has many effects and benefits. One of the benefits is the quick adding (also in v.2020.1) of the first 3rd party identity provider - Microsoft Azure Active Directory (Azure AD).
Companies can now setup their ERP security domains to accept Azure AD logins. Azure AD is the Internet version of the popular Windows Domains. It is hosted (and secured) by Microsoft on behalf of the organizations.
The integration is with the so called "Work or school accounts". This is the Microsoft term for Azure AD accounts, hosted by Microsoft on behalf of the organizations. Currently, Microsoft personal accounts, are not supported.
By utilizing the Azure AD account sign-in, your company can benefit in the many ways, including:
- Single Sign-On for your work accounts.
Users no longer need to have separate passwords for the ERP and other work-related resources.
- Use your existing security infrastructure.
Directly utilize your Azure AD setup.
- No longer store passwords in the ERP.
- Directly apply domain security policies (MFA, complexity, etc.) to the login security of the ERP.
In the future, we will gradually add many more security providers. There are plans for Google, Facebook, Microsoft, Okta, Auth0 and many more.
You can setup multiple identity providers, including multiple Azure ADs, for a single ERP user domain. They can all be used simultaneously for user login. Upon login, the users will be able to choose a security provider to use for their login.
NOTE: v.2020.1 supports multiple ID providers, but only Azure AD is supported. However, multiple different organizational Azure ADs are supported.
Azure AD is multi-tenant security provider. The same is true for Okta, Auth0 and many other single sign-on identity providers. This means, that the same security handler (for example, Microsoft Azure AD) can store the domains for many organizations. In contrast, Microsoft personal accounts, Facebook, Google, etc. are single-tenant providers.
Starting with multi-tenant providers, in the future we will support both multi-tenant and single-tenant providers.
Also, in the future, ERP.net as a central site and each organization (tenant) using ERP.net will be able to act as a Single Sign-On Identity Provider for other apps.
To setup the Azure AD integration, refer to the documentation. Basically, you need to register your ERP.net tenant in your Azure AD as application. Then, in the ERP, you need to create User Domain and then add Domain Provider for Azure AD with the registration codes, used in the Azure AD application registration.