Authentication and single sign on principles

Sage X3 version 7 supports several authentication methods. The system-wide authentication method is configured in the global settings page. The administrator can also configure an alternate method for specific users, by editing the users' profiles.

The following authentication methods are supported in Sage ERP V12:

  • LDAP: this method is recommended if you already have an LDAP directory (Active Directory on MS/Windows). With this method user passwords will be verified against the passwords managed by the LDAP directory. In an MS/Windows environment, the user will authenticate to Sage X3 with his/her Windows session password. This setting guarantees that the company's password policies (password strength and renewal policy) are also enforced in Sage X3.

  • OAuth2: this method is recommended if you are already using external web identity providers to authenticate users, for example Google Accounts to access Google Office suite. This method provides a true Single Sign-On (SSO) experience as the user does not need to supply his/her password if he/she is already signed on with the external identity provider. If not already signed on, the user will be redirected to the identity provider's sign-on page. See ../how-to/how-to-set-up-gmail-account-SSO for a walk-through of the set-up of OAuth2 with Google Accounts.

  • Basic: this method is a fallback solution if you don't use one of the solutions above. With this method the user's password is stored (as a hash) in MongoDB. If you use this method you should configure the X3 web server in HTTPS mode because the credentials are exchanged in unencrypted form over the network. This method does not let you control your password policy (password strength and renewal rate). It is designed to be a fallback solution, primarily for demo purposes, and you are encouraged to use LDAP or OAuth2 whenever possible.

Note: the LDAP method provides a single password experience but not a true single sign-on experience, as the user is prompted for authentication every time a new session is opened in Sage X3. The user can avoid entering the password every time by selecting the "Remember my credentials" check box in the login dialog.

Once the user is authenticated on the X3 web server, his/her identity is sent as a security token to the different X3 endpoints, over trusted connections. The user's version 6 password, which was configured at the X3 folder level, is no longer used.