Authentication

It does not have authentication with any third party system. Therefore, all users of this type need to be created manually, or through APIs, within the platform itself, so that they can have access to the environment. This is the standard authentication model and must be adopted by users who request digital access to the senior X Platform.

By ticking the boxAllow the "Change password after authentication" option in user management, Technology > Administration > Tenant Management > Configure, on the Authentication tab, optionG7 authentication, it is possible to indicate a user to change their password when accessing the platform.

In some cases, the G7 Authentication type is not enabled on the tenant. To validate this information, check the documentation onTenant Management. Once the authentication type is enabled, simplycreate user that will have this specific type of authentication.

When determining thistenant authentication type, it is also determined that the Senior system database used is responsible. Therefore, all configurations for this type of user must be carried out in the system itself, for example, deleting a user and changing a password. If you have more than one Senior solution, it is essential that the bases are unified to use this authentication.

Furthermore, when using this integration model with the Senior system, it is necessary to configure the Integrator to replicate data from the system to the platform. As a result, all authentications carried out by users of this type of authentication will be carried out on the senior X Platform. Therefore, with user synchronization and for performance and security reasons, the authentication process does not validate data in the system.

Characteristics

• Two integration models are available, starting from theIntegrator, which have a screen to start, stop and monitor integrations. In the case of the Management Panel, People Management | HCM, there is aspecific integrator, responsible for all monitoring in the system;
• With this type of authentication defined, the option is availableAllows you to change password, responsible for indicating in the Senior solution database, who is responsible for the users. This makes it possible to change your password via the senior X Platform.
  
  However, this model can cause some situations, such as different passwords between platform and system or even password replication from the system to the platform without the user being aware of this action. Therefore, this option is only recommended for users with access only to the platform.

Retry

The integration process is a fundamental factor in the relationship between solution and platform. And the part regarding user replication is susceptible to external failures, such as in the database and loss of connection.

Therefore, the mechanismretry Senior X Platform (retry) is performed after an integration fails. In other words, a new integration attempt is made after a period of time, seconds or minutes.

In the case of the Management Panel, People Management | HCM, it is recommended to monitor the status of integrators from both locations, on the integration dashboard (hcm-monitor) and on the Synchronization screen, in Technology > Administration > Integration >Failed replications, which allows you to monitor failures. To manage replications, go to Technology > Administration > Integration > Replication.

For user integration between the Senior systems and the senior X Platform to occur correctly, it is necessary to configure theURL for JDBC connection, in the Senior Configuration Center, in Database > Enterprise Management (ERP) or People Management, in the Java Applications section, is appropriate.

Integrated authentication with network (or operating system) access permission.

With theauthentication made on the LDAP server, some requirements need to be met:

• NAT configuration (Network Address Translation) in the Senior cloud for the server;
• have a valid digital certificate to guarantee authentication security;
• firewall configuration to accept requests from the Senior cloud to the installed LDAP server.

In addition to meeting these requirements, it is necessary to synchronize LDAP/AD users with the platform, as the configuration of roles and permissions is carried out on the platform itself. Only authentication is carried out in LDAP (the user's password is not read).

After the connection to the server is confirmed, you must enter a username and password for the AD connection and search the LDAPs in order to identify the user ID (name, telephone number, email address and other information).

Synchronization

Synchronization is performed for LDAP groups and roles within the senior X Platform as follows: with users, roles are created and assigned to these users. So, simply inform which LDAP attributes identify a group in your database. Additionally, it is necessary to manually configure the permissions of these roles within the platform.

To automate this process, it is recommended to configure a period (night) in the platform scheduler, in Technology > Customization >Schedules, so that LDAP users/groups are synchronized.

User import

Import all existing users on the LDAP server into the senior X Platform user base. This base is kept synchronized. In other words, all additions, changes and deletions made on the server will be applied to this base.

This import can be done in the following way:

• immediate: from the buttonSync now of the screenTenant Settings, from Tenant Management. This synchronization between the bases is done immediately, the process is asynchronous and the synchronization time may vary according to the volume of users and roles. After completing the process, a notification is sent by the platform;
• scheduled: from the scheduling screen, schedule a recurring synchronization, which will run every time interval defined at the time of scheduling.

Similar to LDAP authentication, in which the user remains in the database and requires the configuration of a NAT between cloud and Senior, theSAML authentication In addition to having these features, it has its own login screen, with the need to enter its URL and the information that allows user mapping.

Currently, SAML 2.0 integration is only done with ADFS 3.0. If you have another provider, such as IBM One or CA Identity Manager, some tests are required for official approval, for configuration adjustments. Furthermore, in some cases, the platform is integrated via SAML to ADFS and then ADFS via NTLM to Windows. In this way, the user, when accessing Windows, automatically accesses the platform and, consequently, all the solutions configured on it.

When opting for SAML authentication, it is mandatory to inform the tenant using the parameter &tenant=<tenant_domain> in the URL of the page for two-step login, or &tenant=<tenant_domain>&saml=true to be redirected directly to the SAML login screen.

Example of access URL:

https://platform.senior.com.br/login/?redirectTO=https%3A%2F%2Fplatform.senior.com.br%2Fplataforma%2F&&tenant=tenant_domain&saml=true

Integration

The configuration of integration between a SAML/ADFS server and Senior X Platform can be done using a NAT, in which Senior provides limited fixed IPs as the source for this server.

The company must configure SAML/ADFS in a way that is compatible with the platform-defined attributes. And for theCallback For integration between SAML/ADFS and the platform, the URL https://platform.senior.com.br/auth/LoginWithCodeServlet must be used. In addition to being shared by Senior, the public key of the certificate, so that it can be added to the SAML/ADFS server.

Login

This process for SAML type users is done directly on the SAML server. In other words, with this type of authentication, when typing the login URL, a redirection will be made to the two-step login screen, the user types the username, and if no user is found in the G7, G5 or LDAP database, the user is redirected to the company's ADFS login screen. If you have already logged in externally, you will be redirected by the SAML server itself back to the platform. If you have not logged in, you will be sent to the SAML authentication screen, and after entering your username and password, this server authenticates the user and integrates the senior X Platform, which allows you to log in.

Requirements:

• If you want to authenticate from a public location, the SAML/ADFS server must be available on the internet.
• configure integration between SAML/ADFS server and platform.

Users

In this type of authentication, user synchronization is not necessary, as users are created automatically upon access. When a user is removed from the SAML server, they are not removed from the platform. In other words, this administration must be done manually, without any security risks. This is necessary, as a user that does not exist in the database will not be able to authenticate.

The SAML-synchronized logout process can be performed on the platform. This way, when the user logs off on the senior X Platform, it is also done on the SAML server (processSSO Logout). For this model to work properly, it is necessary to configure the server to support this model (Identity Provider).

Administrator user authentication

If the tenant exclusively uses the ADFS authentication type (with no other access via senior allows you to log in to the platform with the administrator user. Step by step:

1. With the administrator user, access Technology > Configuration > By Tenant;
2. On the Per Tenant Configuration screen, select the name of the desired tenant;
3. In Domains and Services, search for the domainplatform, then search for the serviceauthentication and click the buttonTo edit;
4. On the properties screen, click the System tab, then clickAllows admin authentication via G7 select the optionTRUE. Click on the buttonTo save to confirm the process.