Connect an identity provider (IdP) to Ongoing WMS
Table of contents
- Introduction
- Supported IdPs
- Features
- Configuration
- Best practices
- Troubleshooting SSO login problems
Introduction
An identity provider (abbreviated IdP) is a system entity that creates, maintains, and manages identity information for users and also provides authentication services. Integrating Ongoing WMS with an identity provider has several advantages:
- Decreased administration. Because the IdP serves as the source of truth for users, you will no longer have to create or delete users in Ongoing WMS. Instead, users are administered in the IdP and the changes flow to Ongoing WMS via the integration.
- Improved security. If an employee quits, you no longer have to deactivate their account in both the IdP and Ongoing WMS. All you have to do is deactivate their account in the IdP, and Ongoing WMS will automatically be informed. This decreases the risk that the account remains active even if the employee has quit.
- Increased authentication level. When a user tries to log in, Ongoing WMS hands over the authentication to the IdP. In most IdPs, you have great control over exactly how you want your users to be authenticated (e.g. password strength, multi-factor authentication, geographical checks).
Supported IdPs
Ongoing WMS has an integration with Microsoft Entra ID (formerly Microsoft Azure AD).
Technically, Ongoing WMS can integrate with any system which implements SCIM for user provisioning and SAML for single sign-on. Before we officially add support for any IdP, we would like to test that the integration works. Please get in touch with us if you want to integrate with another IdP.
Features
Our IdP integration has two features. They can be turned on individually.
User provisioning
User provisioning means that user information flows from the IdP to Ongoing WMS:
- When a user is created in the IdP, it will be created in Ongoing WMS.
- If a username is changed in the IdP, it will be changed in Ongoing WMS.
- If a user is deactivated or deleted in the IdP, it will be deactivated or deleted in Ongoing WMS.
These attributes are supported:
- Username.
- Active status.
- The groups which the user belongs to.
The following restrictions apply:
- The username must not start with "Ongoing", "WSI" or contain "ongoingwarehouse.com". These users are reserved for internal use by Ongoing.
- The user must be of type Administrator, Warehouse worker, Customer, Reseller or Supplier.
Currently, no information about the user type or which goods owners the user has access to is transferred to Ongoing WMS. When the IdP creates a new user in Ongoing WMS, it is created as a Customer user with access to no goods owners. You have to go into Ongoing WMS and manually correct these settings on the user. If you are interested in automating this step, please get in touch with us.
Single sign-on
Single sign-on (SSO) means that when a user tries to log in to Ongoing WMS, we hand off the authentication to the IdP so that the user has to authenticate inside the IdP. If the user has already been authenticated by the IdP, then they don't have to authenticate again, and are immediately logged in to Ongoing WMS. The user starts the process by clicking on the "Log in via SSO" button in Ongoing WMS.
Note on Ongoing WMS security features
In Ongoing WMS, you can restrict user logins to certain IP ranges, and also require multi-factor authentication (MFA). If a user logs in via single sign-on, then Ongoing WMS' own solutions for IP restriction and MFA do NOT apply. If you want to combine SSO with IP restrictions and MFA, then you have to configure that in the IdP.
Configuration
To add an integration with Microsoft Entra ID, go to Administration ⇒ Identity providers. Click Create new identity provider.
Then go to Entra ID and add a new custom enterprise application. At this point, some information must be transferred from Ongoing WMS to the application in Entra ID, and vice versa.
For user provisioning, the following information has to be transferred from Ongoing WMS to Entra ID:
- Bearer token.
- SCIM endpoint URL.
For single sign-on, the following information has to be transferred from Ongoing WMS to Entra ID:
- Reply URL.
- Identifier.
For single sign-on, the following information has to be transferred from Entra ID to Ongoing WMS:
- Entra identifier.
- Login URL.
- Certificate (Base 64).
All information that has to be transferred from Ongoing WMS to Entra ID is visible when you click Create new identity provider.
The above is the bare minimum that needs to be configured. There are other things to be configured in Entra ID, for instance which users should be provisioned and allowed to use single sign-on. We recommend that you speak to someone with knowledge about Entra ID to help you configure those things.
Best practices
Monitor the certificate's expiry date
If you are using SSO, then you will need to copy a certificate from the identity provider to Ongoing WMS. This certificate is usually valid for 3 years. It is very important that you generate a new certificate and copy it into Ongoing WMS before it expires, or you won't be able to log in.
In Microsoft Entra ID, you can set up an automatic email reminder to remind you to replace the certificate before the expiry date.
You can view the expiry date in Ongoing WMS by going to Administration ⇒ Identity providers.
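As an added example (not from the Ongoing WMS documentation or product), a stdlib-only Python check that reads the notAfter date out of the Base64 certificate you copied from Entra ID and reports how many days remain, so it can run from a scheduled job instead of relying on someone remembering the reminder email. The certificate bytes used as sample input are a constructed skeleton, not a real certificate.

```python
import base64
import datetime as dt


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_not_after(b64_cert):
    """Return the notAfter date (UTC) of an X.509 certificate given as Base64; PEM armour is optional."""
    body = "".join(line for line in b64_cert.splitlines() if not line.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)  # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                      # TBSCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                     # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                 # serialNumber
    _, _, pos = _tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                     # issuer Name
    _, validity, _ = _tlv(tbs, pos)                # Validity SEQUENCE
    _, _, pos = _tlv(validity, 0)                  # notBefore (not needed here)
    tag, raw, _ = _tlv(validity, pos)              # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def days_until_expiry(b64_cert, now=None):
    """Days left before SSO logins start failing; negative once the certificate has expired."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (cert_not_after(b64_cert) - now).days


def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload  # DER element; short-form lengths suffice here


# Constructed sample (not a real certificate): a TBSCertificate skeleton whose
# Validity runs 2024-03-01 .. 2027-03-01, the usual 3-year lifetime of an Entra ID certificate.
SAMPLE_CERT_B64 = base64.b64encode(_der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"240301000000Z") + _der(0x17, b"270301000000Z"))))).decode()

if __name__ == "__main__":
    print(f"IdP certificate expires {cert_not_after(SAMPLE_CERT_B64):%Y-%m-%d};"
          f" {days_until_expiry(SAMPLE_CERT_B64)} days left (renew well before it reaches 30)")
```

Paste the contents of the certificate you copied into Administration ⇒ Identity providers in place of SAMPLE_CERT_B64 to check your own deployment.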
Restrict access to some pages
By default, all administrators have access to Administration ⇒ Users and Administration ⇒ Identity providers. Consider restricting access to these pages to just a few, highly trusted administrators. This can be arranged by your contact person at Ongoing.
Restrict ability to log in using passwords
By default, a user can log in to Ongoing WMS using either single sign-on or by using their password. Consider requiring login via SSO for particular user types. For instance, you can configure it so that administrators and warehouse workers have to use SSO to log in. This can be arranged by your contact person at Ongoing.
Troubleshooting SSO login problems
When you set up SSO, you may encounter some issues the first time you try to log in via SSO. Here are some common issues and solutions to them.
Blank page after clicking on Log in
If you get a blank page, verify that you have:
- Correctly copied the Destination URL from Entra to Ongoing WMS.
- Correctly copied the Assertion consumer service URL from Ongoing WMS to Entra.
Error message about "identifier"
If you get an error message along the lines of "Application with identifier 'xx' was not found in the directory 'yy'", then check that you correctly copied the Issuer from Ongoing WMS to Entra.
Error message about contacting the administrator
If you get the error message "An error was encountered while logging in. Please contact the administrator. Login key: 'xx'", go to Administration ⇒ Identity providers and click on Show SSO log.
Find the row which has the same login key that appeared in the error message.
If the Response key column is empty, then verify that you have correctly copied Allowed issuer from Entra to Ongoing WMS.
Otherwise, look at the column Login error type and see what it says:
| Login error type | Explanation |
|---|---|
| NoGoodsOwnersSpecifiedForUser | The user does not have access to any goods owners. Go to Administration ⇒ Users and give the user access to at least one goods owner. |
| SingleSignOnAssertionConsumerServiceUnknownException | Contact Ongoing WMS and we will investigate further. |
| SingleSignOnAttemptKeyIsTooOld | The user took too long to log in. There is a time limit of 5 minutes for each login attempt. |
| SingleSignOnInvalidCertificate | Your certificate is invalid. It may be expired (it is only valid for 3 years by default). Go to Entra and generate a new certificate, then copy the certificate to the identity provider in Ongoing WMS. |
| SingleSignOnInvalidIssuer | The Issuer is invalid. Verify that you have correctly copied the Issuer from Ongoing WMS to Entra. |
| SingleSignOnInvalidUserNameForLogin | The username starts with "Ongoing", "WSI" or it contains "ongoingwarehouse.com". These are reserved usernames and may not be used for SSO. Change the username in both Entra and Ongoing WMS (Administration ⇒ Users). |
| SingleSignOnUserNotFound | There is no user with a matching username in Ongoing WMS. Check what the username is in Entra and adjust the username in Ongoing WMS accordingly (Administration ⇒ Users). |
| SingleSignOnWrongStatus | Entra responded with a message indicating that the user was not allowed to log in. Investigate further in Entra. |
| SingleSignOnWrongUserType | The user has the wrong user type. Check the user type in Administration ⇒ Users. Only users of type Administrator, Warehouse worker, Customer, Reseller or Supplier may log in using SSO. |
| SingleSignOnWrongUserTypeForScanning | The user is trying to log in to the scanning module, but their user type does not allow them access to the scanning module. Only Administrators and Warehouse workers may use the scanning module. Verify the user type in Administration ⇒ Users. |
| UserIsInactived | The user is not active. Activate the user in both Entra and Ongoing WMS (Administration ⇒ Users). |
If it still doesn't work, please contact Ongoing WMS and we will investigate.