What’s New In Transact 4.5?


SAML SSO | Multiple Groups Support

In earlier versions of Transact, only one group was handled as part of the SAML response. If multiple groups were received in the SAML response, only the first group was taken into consideration.

In Ephesoft Transact v.4.5.0.0, multiple groups can be assigned and used in the SSO authentication process. Multiple groups are supported only if the Authentication Type is defined as 2 in the web.xml file (<Ephesoft Installation Directory>\Application\WEB-INF), i.e. when SSO covers both authentication and authorization.

Starting with this application release, the following roles are defined by default and considered while doing authorization based on SAML response:

Super-Admin: EPHESOFT-SYSTEMADMINISTRATOR and Infor-SystemAdministrator. The users with these roles have administrative privileges and have access to all pages:

  • ReviewValidate
  • BatchList
  • WebScanner
  • UploadBatch
  • BatchClassManagement
  • BatchInstanceManagement
  • FolderManagement
  • Reporting
  • SystemConfiguration

Administrator: Ephesoft-Administrator. The users with this role have access to all pages except SystemConfiguration.html page (only the batch classes assigned to these groups will be accessible):

  • ReviewValidate
  • BatchList
  • WebScanner
  • UploadBatch
  • BatchClassManagement
  • BatchInstanceManagement
  • FolderManagement
  • Reporting

Operator: Ephesoft-User. The users with this role have access only to Operator Pages (only the batch classes assigned to these groups will be accessible):

  • ReviewValidate
  • BatchList
  • WebScanner
  • UploadBatch

Note: Group (role) names are matched case-insensitively. A group received in the SAML response matches a configured role regardless of letter case.

Super-Admin groups are defined in the application.properties file, while Admin and Operator groups are specified in the web.xml file (see the configuration procedure below).

 

Changes in the Database

The new groups as well as their associated privileges can be added to the Ephesoft Transact database (MariaDB, MS SQL, Oracle). The original page illustrates this with database screenshots, which are not reproduced here.

Ephesoft Transact reads all groups from the "GROUP_USER" header as values separated by the user-defined delimiter (comma by default) to support the Multiple Groups functionality. Because authorization is derived entirely from this value, make sure it can only be set by the SSO component that processes the SAML response and never directly by the end user's browser.

 

Changes in the web.xml file

A new section has been added to the web.xml file to implement Multiple Groups functionality.

The section includes the following parameters:

  • isMultipleGroupsAllowed (default: false). Can be true or false. Decides whether the incoming group value is split into multiple groups. If false, only the first group is considered.
  • AdminGroups (default: Ephesoft-Administrator). Comma-separated list of all Admin groups. Users in these groups can access all Ephesoft pages except System Configuration.
  • OperatorGroups (default: Ephesoft-User). Comma-separated list of all Operator groups. Users in these groups can access the Operator pages only (ReviewValidate, BatchList, WebScanner, UploadBatch).
  • groupNameDelimiter (default shown in the original table: ;). The separator on which incoming groups are split. Note that the Database section above and Scenario 1 below treat comma as the default, so check the value actually present in your web.xml.

 

To configure the Multi-Group functionality:

1. Make sure that Authentication Type is defined as 2 in the web.xml file.

2. Define your groups and corresponding privileges in the Ephesoft Transact database (or use the groups provided by default).

3. Uncomment the "isMultipleGroupsAllowed" parameter in the web.xml file (<Ephesoft Installation Directory>\Application\WEB-INF) and set it to true. Ephesoft Transact checks this parameter first to decide how the incoming group value is handled.

4. In the same file, uncomment and define the "AdminGroups" and "OperatorGroups" parameters (specify the required groups as configured in the database). These parameters are used to determine which Admin/Operator groups are present in the incoming request. The privileges of all matched groups are combined and applied to the user.

5. Uncomment and define the "groupNameDelimiter" parameter in the same file. It must match the delimiter used in the incoming group value; otherwise the whole value is treated as a single, unknown group name.

6. Define Super-Admin groups in the application.properties file (<Ephesoft Installation Directory>\Application\WEB-INF\classes\META-INF) using the "user.super_admin" parameter.

If there are several Super-Admin groups, they need to be separated by a double semi-colon (;;). For example: user.super_admin=EPHESOFT-SYSTEMADMINISTRATOR;;Infor-SystemAdministrator

If access to the Ephesoft Transact Pages needs to be changed for any group, it can be done by the Super-Admin group user via the System Configuration screen (see Access Manager).

 

Now, let us consider several possible scenarios. Suppose the database contains the following details (the original page shows these as screenshots of the Security Groups, Security User and Authorized Resources tables, which are not reproduced here).

Here, we will consider two scenarios, where

  • “isMultipleGroupsAllowed” property in the web.xml is set as TRUE
  • “isMultipleGroupsAllowed” property in the web.xml is set as FALSE

Scenario 1:

The "isMultipleGroupsAllowed" parameter in web.xml is set to TRUE.
Super-Admin groups (application.properties) are defined as: EPHESOFT-SYSTEMADMINISTRATOR;;Infor-SystemAdministrator
Admin group (web.xml) is defined as: Ephesoft-Administrator
Operator group (web.xml) is defined as: Ephesoft-User
The group delimiter is a comma unless a case states otherwise.

Case 1:

Only the Operator group is present in the SAML response

Input:

User name: Sukriti
Group: Ephesoft-User

Output:

The user has access to the privileges as per the input group (all Operator pages)

 

Case 2:

Only Admin group is present in the SAML response

Input:

User name: Sukriti
Group: Ephesoft-Administrator

Output:

The user has access to the privileges as per the input group (all Admin and Operator pages)

 

Case 3:

Only the Super-Admin group is present in the SAML response

Input:

User name: Sukriti
Group: EPHESOFT-SYSTEMADMINISTRATOR

Output:

The user has access to the privileges as per the input group (all pages including the System Configuration screen)

 

Case 4:

All groups are present in the SAML response

Input:

User name: Sukriti
Group: Ephesoft-User,EPHESOFT-SYSTEMADMINISTRATOR,Ephesoft-Administrator

Output:

The user has access to all Super-Admin privileges (all pages including the System Configuration screen)

 

Case 5:

Admin and Operator groups are present in the SAML response

Input:

User name: Sukriti
Group: Ephesoft-User,Ephesoft-Administrator

Output:

The user has access to the privileges of both groups (Admin and Operator pages)

 

Case 6:

The group delimiter in web.xml ("groupNameDelimiter") is changed to a semi-colon (;), and the incoming value uses the same separator

Input:

User name: Sukriti
Group: Ephesoft-User;Ephesoft-Administrator

Output:

The user has access to privileges of both the groups (Admin and Operator pages)

 

Case 7:

The user can see only those batch classes that have been assigned to the input group

Input:

User name: Sukriti
Group: Ephesoft-User

Output:

The user has no access to batch class BC7, because an administrator has not granted the Ephesoft-User group access to it on the Batch Class Management screen. Page access and batch class access are therefore two separate checks.

 

Scenario 2:

The “isMultipleGroupsAllowed” parameter in web.xml is set to FALSE.

Case 1:

One group is present in the SAML response

Input:

User name: Sukriti
Group: Ephesoft-User

Output:

The user has access to the privileges as per the input group (all Operator pages)

 

Case 2:

More than one group is present in the SAML Response

Input:

User name: Sukriti
Group: Ephesoft-User,Ephesoft-Administrator

Output:

The user is not authorized, because the whole value "Ephesoft-User,Ephesoft-Administrator" is looked up as a single group name in the security_group database table, and no such group exists. Note that the parameter description above says that only the first group is considered when "isMultipleGroupsAllowed" is false; verify the actual behaviour on your own installation before relying on either outcome.
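The following is an added example, not Ephesoft's own code, that models how the configuration from the procedure above (web.xml parameters plus user.super_admin in application.properties) turns an incoming GROUP_USER value into a set of accessible pages, and reproduces the scenarios above. It assumes the web.xml parameters are plain <context-param> entries (an assumption; the real file's layout may differ), that role matching is case-insensitive as stated above, and that with isMultipleGroupsAllowed=false the whole value is treated as one group name, as Scenario 2, Case 2 describes. The web.xml fragment and properties line are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Page sets taken from the role definitions on this page.
SUPER_ADMIN_PAGES = frozenset({
    "ReviewValidate", "BatchList", "WebScanner", "UploadBatch",
    "BatchClassManagement", "BatchInstanceManagement", "FolderManagement",
    "Reporting", "SystemConfiguration",
})
ADMIN_PAGES = SUPER_ADMIN_PAGES - {"SystemConfiguration"}
OPERATOR_PAGES = frozenset({"ReviewValidate", "BatchList", "WebScanner", "UploadBatch"})

# Constructed sample web.xml fragment. Representing the Multiple Groups
# parameters as <context-param> entries is an assumption of this example.
WEB_XML = """<web-app>
  <context-param>
    <param-name>isMultipleGroupsAllowed</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>AdminGroups</param-name>
    <param-value>Ephesoft-Administrator</param-value>
  </context-param>
  <context-param>
    <param-name>OperatorGroups</param-name>
    <param-value>Ephesoft-User</param-value>
  </context-param>
  <context-param>
    <param-name>groupNameDelimiter</param-name>
    <param-value>,</param-value>
  </context-param>
</web-app>"""

# Constructed sample application.properties content (step 6 above).
APP_PROPERTIES = "user.super_admin=EPHESOFT-SYSTEMADMINISTRATOR;;Infor-SystemAdministrator\n"


def read_web_xml_params(xml_text):
    """Return {param-name: param-value} for every <context-param> in web.xml."""
    root = ET.fromstring(xml_text)
    params = {}
    for cp in root.iter("context-param"):
        params[cp.findtext("param-name").strip()] = cp.findtext("param-value", "").strip()
    return params


def read_super_admin_groups(props_text):
    """Parse user.super_admin; several Super-Admin groups are separated by ';;'."""
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "user.super_admin":
            return [g.strip() for g in value.split(";;") if g.strip()]
    return []


def split_groups(raw, delimiter, multiple_allowed):
    """Split the incoming GROUP_USER value into group names.

    With isMultipleGroupsAllowed=false the whole value is one group name,
    which is the behaviour Scenario 2, Case 2 describes.
    """
    if not multiple_allowed:
        return [raw.strip()]
    return [g.strip() for g in raw.split(delimiter) if g.strip()]


def resolve_pages(raw_groups, web_params, super_admin_groups):
    """Union of pages the user may open for the incoming group value."""
    multiple = web_params.get("isMultipleGroupsAllowed", "false").lower() == "true"
    delimiter = web_params.get("groupNameDelimiter", ",")
    # AdminGroups and OperatorGroups are comma-separated lists in web.xml.
    admins = {g.strip().lower() for g in web_params.get("AdminGroups", "").split(",") if g.strip()}
    operators = {g.strip().lower() for g in web_params.get("OperatorGroups", "").split(",") if g.strip()}
    supers = {g.lower() for g in super_admin_groups}

    pages = set()
    for group in split_groups(raw_groups, delimiter, multiple):
        name = group.lower()  # role names are matched case-insensitively
        if name in supers:
            pages |= SUPER_ADMIN_PAGES
        elif name in admins:
            pages |= ADMIN_PAGES
        elif name in operators:
            pages |= OPERATOR_PAGES
        # unknown group names contribute nothing
    return frozenset(pages)


WEB_PARAMS = read_web_xml_params(WEB_XML)
SUPER_ADMINS = read_super_admin_groups(APP_PROPERTIES)

if __name__ == "__main__":
    for value in ("Ephesoft-User", "Ephesoft-User,Ephesoft-Administrator",
                  "Ephesoft-User,EPHESOFT-SYSTEMADMINISTRATOR,Ephesoft-Administrator"):
        print(value, "->", sorted(resolve_pages(value, WEB_PARAMS, SUPER_ADMINS)))
```

An empty result means the user is not authorized for any page. Passing a copy of the parameters with groupNameDelimiter changed to ";" reproduces Case 6, and setting isMultipleGroupsAllowed to "false" reproduces Scenario 2, where a comma-separated value no longer matches any configured group.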