EWA and IIS in DMZ Topology / Structure / Architecture

(Jim Downey) #1

Does Epicor 10 support ADFS? I too am trying to set up IIS and EWA in our DMZ. Can we point the application server for an EWA installation, within the DMZ, to our existing, internal live / production, application and database servers? Can we allow Windows authentication from EWA / IIS, within the DMZ, to our existing, internal Active Directory / Domain Controllers?

(Bart Elia) #2

ADFS is just Windows Authentication from the POV of Erp 10 so yes. We assume you do all the magic in the background between your ADs to make the trust relationships.
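
The trust "magic" referred to above has a concrete prerequisite before any ADFS work starts: the DMZ IIS/EWA host must be able to reach the internal domain controllers on the ports Kerberos, LDAP and Netlogon use, it must resolve the internal domain's DC locator records, and its own secure channel must be healthy. The PowerShell below is an added example (not code from this thread, from Epicor or from Microsoft) meant to be run on the DMZ host; the DC names dc1.corp.example / dc2.corp.example and the domain corp.example are placeholders.

```powershell
# Added example: prerequisite check for Windows authentication from a DMZ web host
# to internal domain controllers. Hostnames and the domain are hypothetical; replace them.
param(
    [string[]]$DomainControllers = @('dc1.corp.example', 'dc2.corp.example'),  # assumption
    [string]$InternalDomain = 'corp.example'                                   # assumption
)

# Static TCP ports a domain member / Kerberos client needs on a DC
# (Microsoft: "Service overview and network port requirements for Windows").
# Netlogon/secure-channel RPC also uses the dynamic range 49152-65535, which
# cannot be probed one port at a time; confirm it on the firewall rule itself.
$RequiredPorts = @(
    [pscustomobject]@{ Port = 53;   Service = 'DNS' },
    [pscustomobject]@{ Port = 88;   Service = 'Kerberos' },
    [pscustomobject]@{ Port = 135;  Service = 'RPC endpoint mapper' },
    [pscustomobject]@{ Port = 389;  Service = 'LDAP' },
    [pscustomobject]@{ Port = 445;  Service = 'SMB (SYSVOL/Netlogon)' },
    [pscustomobject]@{ Port = 464;  Service = 'Kerberos password change' },
    [pscustomobject]@{ Port = 636;  Service = 'LDAPS' },
    [pscustomobject]@{ Port = 3268; Service = 'Global catalog' }
)

function Test-DcPortReachability {
    # One row per DC/port pair; Reachable = $false means the firewall (or the DC) blocks it.
    param([string[]]$Dcs, [object[]]$Ports)
    foreach ($dc in $Dcs) {
        foreach ($p in $Ports) {
            $ok = Test-NetConnection -ComputerName $dc -Port $p.Port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $p.Port; Service = $p.Service; Reachable = [bool]$ok }
        }
    }
}

function Test-DomainTrustPath {
    # Can this host resolve the internal domain's Kerberos SRV records (DNS conditional
    # forwarder from the DMZ), and can the DC locator find a DC through the trust?
    param([string]$Domain)
    $srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $dcLocator = & nltest.exe /dsgetdc:$Domain 2>&1
    [pscustomobject]@{
        KerberosSrvRecords = @($srv | Where-Object { $_.QueryType -eq 'SRV' }).Count
        DcLocatorSucceeded = ($LASTEXITCODE -eq 0)
        DcLocatorOutput    = ($dcLocator -join "`n")
    }
}

function Test-HostSecureChannel {
    # Meaningful only once the host is domain-joined; a broken secure channel makes every
    # Windows-auth attempt fail even when all ports are open.
    try   { Test-ComputerSecureChannel -ErrorAction Stop }
    catch { Write-Warning "Secure channel check failed: $($_.Exception.Message)"; $false }
}

$portResults = Test-DcPortReachability -Dcs $DomainControllers -Ports $RequiredPorts
$portResults | Format-Table -AutoSize
$blocked = @($portResults | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} DC/port pairs are unreachable from this host" -f $blocked.Count)
}

Test-DomainTrustPath -Domain $InternalDomain | Format-List
"Secure channel OK: $(Test-HostSecureChannel)"
```

Run it after the firewall rules are in place but before installing EWA: an unreachable port 88 or 445, or a failed `nltest /dsgetdc`, explains a "Windows authentication from the DMZ does not work" symptom far faster than debugging IIS. Opening this many ports from the DMZ to internal DCs is exactly the exposure a claims-based front end (ADFS) is meant to avoid, which is the trade-off the rest of the thread is about.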

(Jim Downey) #3

Well, I am looking for some help with doing / understanding all the “magic”…

I found this post on the web of someone also looking to understand the “magic”: https://social.technet.microsoft.com/Forums/windowsserver/en-US/92a34798-65ee-4e5e-a185-036c6da9da3b/allowing-iis-web-application-in-dmz-to-authenticate-ad-users?forum=winserverDS

A user at the bottom responded:
The app needs to be configured for SAML, not the IIS itself. Check this: https://blogs.msdn.microsoft.com/alextch/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts/

ADFS can be configured in a way that if the users are accessing the app from the inside they would have an SSO experience and wouldn't be asked for creds twice. Check this: https://blogs.technet.microsoft.com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/
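
The two pieces of advice quoted above (configure the application for claims rather than IIS; let ADFS give inside users SSO) translate, on the ADFS side, into a relying-party trust for the EWA site plus an authentication policy that uses Windows Integrated Authentication on the intranet and forms logon for the extranet. The PowerShell below is an added example, not from this thread, Epicor or Microsoft; it runs on the ADFS server with the ADFS module (2012 R2 or later for Set-AdfsGlobalAuthenticationPolicy). The URL https://ewa.example.com/, the display name, and the group SID are placeholders.

```powershell
# Added example: ADFS side of a claims-aware EWA site. Names, URLs and the SID are hypothetical.
Import-Module ADFS

$RpName       = 'Epicor Web Access (DMZ)'   # display name, assumption
$RpIdentifier = 'https://ewa.example.com/'  # must equal the app's WS-Federation realm, assumption
$EwaGroupSid  = 'S-1-5-21-0-0-0-1234'       # SID of the AD group allowed to use EWA, placeholder

# Claims the application receives: UPN and sAMAccountName looked up in AD,
# plus the user's group SIDs passed through for authorization inside the app.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";userPrincipalName,sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(claim = c);
'@

# Authorization: only members of one AD group get a token for this relying party.
# Deny-by-default is the point; do not use the "permit all" template for a DMZ-facing app.
$AuthzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit EWA users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$EwaGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $RpName `
    -Identifier $RpIdentifier `
    -WSFedEndpoint $RpIdentifier `
    -ProtocolProfile 'WsFederation' `
    -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -Notes 'EWA site in DMZ; added by script'

# Inside users: Windows Integrated Authentication, so a domain-joined browser gets a token
# without a prompt. Extranet (the DMZ-facing path): forms logon, so no Kerberos/NTLM
# exchange is exposed outside the internal network.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication') `
                                   -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')

# Sanity check of what was written.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```

The application half of the quoted advice is separate from this script: the web application (WIF in web.config, or the OWIN WS-Federation middleware) has to use $RpIdentifier as its realm and the ADFS passive endpoint (https://adfs.<your-domain>/adfs/ls/) as its issuer, and must validate the ADFS token-signing certificate. ADFS itself stays on the internal network and is published to the DMZ through Web Application Proxy; with that layout the DMZ web host needs no line of sight to the domain controllers at all, which is the security argument for this design over direct Windows authentication from the DMZ.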

(Jim Downey) #4

Does Epicor support SAML 2.0?

(Bart Elia) #5

As of this time, no announcement on any other User Authentication mechanisms. Epicor User/password and MS Windows Auth.

There are tools out in the wild to convert SAML to Windows Auth but none I have seen tried with Epicor ERP.

What’s the high level need? An integration or?

(Jim Downey) #6

I’m starting to understand this a little more… We are hoping we can use Azure to authenticate from the DMZ.

Now that I see how to deploy EWA as an extension I am hoping we can use an install path of the external DMZ’s dns name or IP address and file location for the install path field. Does the Install Path for EWA support that or would it have to be local to the application server?

(Bart Elia) #7

OK, now that we are in 'Pilot' in Cloud - any SaaS customers can review the change log for 10.2.200 so I am sort of out from under our embargo on many things… we haven't shipped YET so last-minute stuff does happen, so take commentary with a grain of salt, etc, etc.

We are adding Azure AD support to the core app, the rich client, REST, EWA and a few more apps. Anyone who has ever played in Azure AD - it's your SSO approach for cloud just as Windows Active Directory is the SSO approach for on-premises.

More details to follow but for what you describe you can count on 10.2.200 support.

More apps will be made available during the 200 timeline - not everything has the same release cycle as 200, so some 'Extension' products will be released a little later. I honestly do not know which and when, as the Azure AD effort was the last ERP 10 effort I was on before I moved into a new role.

When all the details come out I’ll do a post here on my take of the feature that will probably be relevant to the folks up here and my historical interactions. @josecgomez.sixs don’t get too excited it’s not OAuth - but it is Azure AD and cloud SSO.