{"id":15055,"date":"2018-04-11T10:54:47","date_gmt":"2018-04-11T10:54:47","guid":{"rendered":"https:\/\/ephesoft.com\/docs\/?page_id=15055"},"modified":"2022-06-23T10:38:28","modified_gmt":"2022-06-23T17:38:28","slug":"saml-sso-multiple-groups-support","status":"publish","type":"docs","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/saml-sso-multiple-groups-support\/","title":{"rendered":"SAML SSO | Multiple Groups Support"},"content":{"rendered":"
<p><strong>Applies to:</strong> Transact version 4.5.0.0 or newer.</p>
<p>Ephesoft Transact supports multiple groups that can be assigned and used in the SSO authentication process. Multiple groups are supported only if the <strong>Authentication Type</strong> is defined as <strong>2</strong> in the <strong>web.xml</strong> file (&lt;Ephesoft Installation Directory&gt;\\Application\\WEB-INF), i.e. when SSO covers both authentication and authorization.</p>
<p>Starting with this application release, the following roles are defined by default and considered when authorizing based on the SAML response:</p>
<p><strong>Super-Admin</strong>: <em>EPHESOFT-SYSTEMADMINISTRATOR</em> and <em>Infor-SystemAdministrator</em>. Users with these roles have administrative privileges and have access to all pages:</p>
<p><strong>Administrator</strong>: <em>Ephesoft-Administrator</em>. Users with this role have access to all pages except the SystemConfiguration.html page (only the batch classes assigned to these groups will be accessible):</p>
<p><strong>Operator</strong>: <em>Ephesoft-User</em>. Users with this role have access only to Operator Pages (only the batch classes assigned to these groups will be accessible):</p>
<p><em>Note: The roles are case-insensitive.</em></p>
<p><strong>Super-Admin groups</strong> are defined in the <strong>application.properties</strong> file, while <strong>Admin and Operator groups</strong> are specified in the <strong>web.xml</strong> file (see the configuration procedure below).</p>
<h4><strong>Changes in the Database</strong></h4>
<p>The new groups as well as their associated privileges can be added to the Ephesoft Transact database (MariaDB, MS SQL, Oracle) as illustrated below.</p>
<p>To support the Multiple Groups functionality, Ephesoft Transact reads all groups from the “GROUP_USER” header as values separated by the user-defined delimiter (comma by default).</p>
<h4><strong>Changes in the web.xml file</strong></h4>
<p>A new section has been added to the <strong>web.xml</strong> file to implement Multiple Groups functionality.</p>
<p>The section includes the following parameters:</p>
<table>
<tbody>
<tr><td><strong>Parameter Name</strong></td><td><strong>Default Parameter Value</strong></td><td><strong>Description</strong></td></tr>
<tr><td>isMultipleGroupsAllowed</td><td>false</td><td>Can be true or false. Determines whether to search for multiple groups. If false, only the first group is considered.</td></tr>
<tr><td>AdminGroups</td><td>Ephesoft-Administrator</td><td>Comma-separated list of all Admin Groups. The users with these groups can access all Ephesoft pages except System Configuration.</td></tr>
<tr><td>OperatorGroups</td><td>Ephesoft-User</td><td>Comma-separated list of all Operator Groups. The users with these groups can access all Ephesoft pages except System Configuration.</td></tr>
<tr><td>groupNameDelimiter</td><td>;</td><td>The separator on which the incoming groups are split.</td></tr>
</tbody>
</table>