Purpose
To show, step by step, how to configure the Microsiga Protheus product line to use Fluig Identity.
Functionalities
The main functionalities of Fluig Identity covered in Experience #1 are: single login through Single Sign-On, and provisioning integrated between the ERP Protheus system and Fluig Identity.
Concept
Experience #1 consists of single access to the Protheus system through the Fluig Identity portal. The integration between Fluig Identity and ERP Protheus uses the SAML 2.0 protocol, in which the user accesses a service or application, the Service Provider (SP), through an Identity Provider (IdP). In other words, the user accesses the ERP Protheus system (SP) through Fluig Identity (IdP). The Identity Provider (IdP), or Asserting Party, is responsible for authenticating the user and generating the assertion (SSO). The Service Provider (SP), or Relying Party, is responsible for consuming the assertion (ACS) and supplying the resource. Single access is performed using a multi-access control property named Single Sign-On. To use this resource, perform the configurations in the Fluig Identity portal and in ERP Protheus.
Provisioning consists of transferring ERP Protheus information to the Fluig Identity portal through data synchronization. This transfer is performed separately per company group and covers the following information: Menu Items, Quick Queries, Group Register and User Register. For synchronization, the user registered in Protheus must have an e-mail configured.
Advantages
The advantages of using the single login tool through Fluig Identity are improved security and productivity, by reducing the tasks and costs associated with this activity.
Requirements
To use the integration with Fluig Identity, check the following:
* The environment must be updated. To update it, query our Download Central at the following address: http://www.totvs.com.br/suporte
How to enable Fluig Identity
Step 1: Configure the HTTP server in TOTVS | AppServer.
To enable Fluig Identity in Microsiga Protheus, check that the HTTP configuration is enabled in AppServer.ini.
This configuration is necessary because the exchange of information between Fluig Identity (IdP) and ERP Protheus (SP) happens through the HTTP protocol.
AppServer.ini is the configuration file of the Protheus application server.
An example of the HTTP section of AppServer.ini is shown below. The configuration in your environment can be different.
The following keys of the example are highlighted:
enable=1 - Specifies that the HTTP service is active
port=8085 - Specifies the port on which the HTTP server answers
Environment=p12_fluig - Specifies the Protheus environment served by the HTTP server
It is important to stress that the Protheus HTTP address:port must be published (reachable by the clients).
A good way to check whether the Protheus HTTP server is answering is to use a computer other than the server and enter the following address in the Internet browser:
In our example, the Protheus server IP is 172.18.0.175 and the HTTP port is 8085, so the call is:
http://172.18.0.175:8085/time.apl
When called, a page with the Protheus server time is returned. In case of error, either the HTTP server did not answer or the request did not reach it, which can happen due to a network restriction such as blocked ports.
For further information on how to configure the Protheus HTTP resource, access: http://tdn.totvs.com.br/pages/viewpage.action?pageId=6064821
Step 2: Check the read-only attribute of the 'sso' folder in the AppServer directory.
This folder must not have the 'read-only' attribute set. Otherwise, ERP Protheus will not be able to save data in it.
To check or edit it:
Go to the bin/AppServer folder, right-click the 'sso' folder and select 'Properties'. In 'Properties', clear the attribute 'Read-only (only applies to files in folder)' and click 'Apply'. Then select the option 'Apply changes to this folder, subfolders and files' and click 'OK'.
Step 3: Fluig Identity Configuration
Access the Fluig Identity portal through the URL (address) provided by TOTVS for your company.
By default, Fluig Identity has some applications already configured on the Applications page. Search for the 'Protheus' application.
After searching, click 'Protheus'. In Overview, click 'Clone'. This action creates a customized application for the company with the same configuration as the original one.
Rename the application to enable its management, and click 'Save'. To configure the application, click the 'Enter' tab, then 'Edit'.
In our example, the Protheus server IP is 172.18.0.175 and the port defined for HTTP (see above) is 8085. Therefore, the SERVER:PORT address is 172.18.0.175:8085.
In the items below, replace the expression IP:Port or IP with the data of the real environment.
Edit the configurations of the Protheus application as follows:
Login Mode: SAML Executable
SSO St Type: IDP_INITIATED
Domain Specific Identity ID
Domain: http://IP:Port/cloudpass
Example: http://172.18.0.175:8085/cloudpass
Name ID Format:
Transient
Assertion Consumer URL:
Use the following address:
http://IP:Port/cloudpass/SAML2/POST
Example:
http://172.18.0.175:8085/cloudpass/SAML2/POST
Recipient:
Use the following address:
http://IP:Port/cloudpass/SAML2/POST
Example: http://172.18.0.175:8085/cloudpass/SAML2/POST
Audience:
Example: http://172.18.0.175:8085/cloudpass
Name of SP Issuer:
Example: http://172.18.0.175:8085/cloudpass
User Id Mapping: User Email
Executable or Shortcut Name: \\IP\Protheus12Fluig\bin\smartclient\SmartClient.exe -p=sigamdi -c=dev -e=environment
Example: \\172.18.0.175\Protheus12Fluig\bin\smartclient\SmartClient.exe -p=sigamdi -c=dev -e=environment
Login Customized URL: dev.thecloudpass.com/cloudpass/launchpad/launchApp/6psevrtoj5d7ytwi1424457934570/00ogp3uofsjlwhc11410389672381
Logout Customized URL:
After editing configurations, click 'Save'.
In Application page, search the customized application, then click 'Add'.
This adds the application to the 'Protheus Dev Launchpad' screen, where all customized applications are listed.
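On the SP side, the Assertion Consumer URL, Recipient, Audience and Name ID Format values configured above mean that Protheus only accepts an assertion that the IdP addressed to exactly those values. The following Python script is an added example, not code from this page or from TOTVS: it builds a constructed, unsigned SAML Response, checks it against the Step 3 values (172.18.0.175, port 8085) and extracts the e-mail that 'User Id Mapping: User Email' relies on. The IdP issuer URL is a placeholder; verifying the signature with the IdP certificate delivered in the configuration token is a separate, mandatory step that the example does not reproduce.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# SP-side values exactly as configured in Step 3 (IP 172.18.0.175, port 8085).
SP_CONFIG = {
    "acs_url": "http://172.18.0.175:8085/cloudpass/SAML2/POST",
    "recipient": "http://172.18.0.175:8085/cloudpass/SAML2/POST",
    "audience": "http://172.18.0.175:8085/cloudpass",
    "nameid_format": TRANSIENT,
}

# Placeholder IdP entity ID; the real one comes from the configuration token.
IDP_ISSUER = "http://idp.example/cloudpass"


def make_response(recipient, audience, name_format, not_on_or_after, email):
    """Constructed, unsigned IdP-initiated SAML Response used only to exercise
    the checks below (a real Fluig Identity response is signed)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{recipient}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_format}">_opaque-transient-id</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"
            NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>{email}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, cfg=SP_CONFIG, now=None):
    """Return the list of addressing checks that fail; an empty list means the
    assertion is bound to this SP. Signature verification is not included."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be our Assertion Consumer URL (the SAML2/POST endpoint).
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination is not our Assertion Consumer URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != cfg["nameid_format"]:
        problems.append("NameID format is not transient")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["recipient"]:
        problems.append("Recipient does not match our SAML2/POST endpoint")
    elif now >= _parse_time(scd.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["audience"] not in audiences:
        problems.append("Audience does not name this SP")
    return problems


def mapped_user(xml_text):
    """User Id Mapping = User Email: the attribute Protheus looks the user up by."""
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == "email":
            return attr.findtext("saml:AttributeValue", namespaces=NS)
    return None


def run_demo():
    good = make_response(SP_CONFIG["recipient"], SP_CONFIG["audience"],
                         TRANSIENT, "2099-01-01T00:00:00Z", "admin@example.com")
    # Same Recipient, but addressed to another SP's Audience and already expired.
    bad = make_response(SP_CONFIG["recipient"], "http://other-sp.example/cloudpass",
                        TRANSIENT, "2000-01-01T00:00:00Z", "admin@example.com")
    return check_assertion(good), check_assertion(bad), mapped_user(good)


if __name__ == "__main__":
    print(run_demo())
```

The checks mirror the four Step 3 values one by one: if any of them is mistyped on the IdP side (a different port, a missing /SAML2/POST suffix), the response is rejected before the e-mail is ever looked up, which is the behaviour you want from the SP.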
Step 4: ERP Microsiga Protheus configuration.
To enable Fluig Identity in Microsiga Protheus, access the Configurator module, menu 'Users\Passwords\Policy'.
In the 'Policy' routine, go to the 'Security Policy' folder and, within it, select the 'Rules of Password' folder.
In the 'Rules of Password' folder, enable Single Sign-On by setting the value of the form field to Optional or Mandatory.
When the 'Single Sign-On' field is set to Mandatory, only access to the system through the IdP is accepted, except for the administration modules (for example, Configurator), which keep the default access method enabled. If the 'Single Sign-On' field is set to Optional, the system can be accessed either through the IdP or in the traditional way.
On the Applications page, click 'Configuration Token'. Copy its content so it can be added to the 'Configuration Token' field of the Fluig Identity configuration wizard in Microsiga Protheus.
To configure Fluig Identity in Microsiga Protheus, access the Configurator module, menu 'Users\Passwords\Identity Config'.
In the routine 'Password rule - Fluig Identity - Configuration wizard', open the 'Fluig Identity - Configuration wizard' tab, then enter the Fluig Identity link in the 'Fluig Identity Address' field.
Example: http://protheus-dev.thecloudpass.com/cloudpass
In the 'Configuration Token' field, enter the content copied from the Overview screen of the Fluig Identity application.
For the field 'List of URLs accepted for connection', click the 'Configure' button. This method is known as 'One Click Configuration': the configuration between the IdP and the SP is performed automatically. Confirm the action by clicking 'Yes'.
Click 'Close'.
In the 'SAML Configuration' notification, click 'No'.
After executing 'One Click Configuration' in Protheus, follow the next step in Fluig Identity.
Step 5: Define the credentials of the Protheus application in Fluig Identity.
In the 'Protheus Dev Launchpad' section of Fluig Identity, click the '3 bars' icon displayed on the right side of the ERP Protheus icon. Then click 'Define Credentials'. In this option, define the network path from which the SmartClient executable is called.
In this example, the SmartClient executable ('SmartClient.exe') is mapped to network drive 'S:'. Follow the next steps to map the drive.
Step 6: Map the network drive.
In the local disk of your computer, click the 'Map network drive' option. It creates a shortcut to a shared network folder.
Choose the desired drive letter; in this case, 'S:' is chosen. In the 'Folder' field, the network address '\\172.18.0.175' was entered, as configured in the executable shortcut address in the Protheus application configuration in Fluig Identity (step 3).
Step 7: Running the Protheus application through Fluig Identity.
In the 'Protheus Dev Launchpad' section, click the application to run it through Fluig Identity. A message is then displayed notifying that the information provided is sent over a normal (not secure) connection. Click 'Continue'.
Then a 'Start Parameters' window from TOTVS | SmartClient is displayed. Click 'OK'.
Note that the login is performed through Single Sign-On. This concludes Experience #1, single login through Single Sign-On in Fluig Identity.
Provisioning
As mentioned before, provisioning in Experience #1 consists of transferring ERP Protheus information to the Fluig Identity portal through data synchronization.
Provisioning is very useful when there is already an active ERP Protheus and you want to transfer user information, menus and accesses automatically to Fluig.
To use this resource, activate the Protheus HTTP server and the REST protocol, which is part of the HTTP server.
REST, like SOAP, is a model for transferring information through Web Services.
Requirements
To use Fluig Provisioning, you must configure the HTTP Server in TOTVS | AppServer, as described below.
'OnStart' section: standard Protheus section responsible for starting the job.
'HTTPJOB' section:
Main= Name configured for the job
Environment= Name of the Protheus environment (configured in AppServer).
'HTTPV11' section: responsible for configuring HTTP protocol version 1.1
Enable= Enables the section
AddressFamily=1 - Obtains the address family of the socket.
Sockets= Name of the key(s) where the sockets are configured
Example: Sockets=HTTPREST, HTTPREST2
TimeOut= Defines the time, in seconds, after which a thread created and kept in the system (ERP) server to serve a request for an AdvPL dynamic page (through a URL/link with the APL extension) times out
'HTTPREST' section - socket configuration.
Port= Specifies the port on which the HTTP server answers
IPsBind= Valid IP values for establishing the connection. The valid values for the key are:
<0.0.0.0> - The server binds to all available interfaces (default)
<127.0.0.1> - The server binds to the interface whose IP is 127.0.0.1
<IP of the server> - The server binds to the interface whose IP is <IP of the server>
MaxQueue= Maximum number of requests that can wait in the socket queue
The following 3 keys refer to the HTTPS protocol. For further information, see: SSL Configuration in TOTVS | Application Server.
SSLPublicKey
SSLPrivateKey
SSLPassWord
'HTTPURI' section:
URL=/scim/v2/extensions - REST URL
PrepareIn=ALL - When set to 'ALL', the environment is prepared for all company groups.
OnStart=REST_START
OnConnect=REST_CONNECT
OnExit=REST_EXIT
Instances=1,3,0,1
The four values are, in order:
1 - minimum: the initial number of threads made available.
2 - maximum: the maximum number of threads that can be available.
3 - free minimum: the minimum number of free threads.
4 - input: the number of new threads made available when the number of free threads falls below the previously defined value.
The input respects the maximum number of configured threads. Therefore, the number of new threads released is equal to the smaller of the input and the difference between the maximum and the threads in use.
Step 1: Provisioning Configuration in Fluig Identity
In Fluig Identity portal, access Application page and select the desired Application. Click 'Provision' and then 'Edit'.
Edit configurations of Protheus Application, as described as follows:
Enable Provisioning: To enable the provisioning, the option must be selected.
Provisioning Mode: SCIM (System for Cross-domain Identity Management)
SCIM is an application-level protocol, based on REST, for provisioning and managing identity data on the web.
Authentication Type: HTTP Basic
URL Rest: http://172.19.0.175:8084/scim/v2/extensions/ (http://(server):(port)/scim/v2/extensions/)
Domain Administrator User Name: Admin (login of the ERP Protheus administrator user)
Domain Administrator Password: ****** (administrator password)
User Temporary Password: Totvs@123
Resource Access Control
Resource Access Control, also known as RAC, is a security system that provides access control and audit functionality.
Enable Resource Access Control: to enable RAC, this option must be selected.
RAC Mode: Role
RAC Model: Protheus Model
Limit of Characters in the Role Name: 28 Use this field: Yes
Limit of Characters in the Role Description: 30 Use this field: Yes
Click 'Save'.
To test provisioning, access ERP Microsiga Protheus and register a user with an e-mail configured, associated with the Administrator group.
Access the Identity Configuration routine through the menu path Users \ Passwords \ Config. Identity.
At this stage, execute the synchronization. In the 'State' section, click 'Synchronization'. In the next step, click 'Next' for Menu Validation.
The progress of the synchronization process is displayed in the Fluig Identity Configuration Wizard, and it can also be followed through an icon in the notification area.
In Applications in Fluig Identity, click 'Resources'. When a new user is added in Protheus, the addition is synchronized with the Fluig Identity page, as in the following picture:
Click 'Manage'. Then, in Roles Management, the companies to which the Administrators group has access are displayed.
Then click 'Menu Items'. The menu items to which the Administrator user has access are displayed.