Authentication
The definitions of authentication types for eachtenant It is a fundamental procedure for user administration and requires consideration when changing.
For example, when adding an authentication type to a tenant, existing users and roles remain in the database, they are not deleted, as this is a high-impact operation. Therefore, it is recommended that this change process be evaluated carefully and, preferably, with specialized support from Senior.Regardless of the authentication method chosen, do not use spaces in the user name to access the platform.
To define the types of authentication for a tenant, simply access Technology > Administration > Tenant Management >Configure, select the desired tenant and click settings. On the Authentication tab, in the fieldAuthentication Type, the following types are available:
Important
Currently, it is not possible to integrate roles through SAML/ADFS integration for the senior X Platform. The linking of these roles must be done manually.

It does not have authentication with any third party system. Therefore, all users of this type need to be created manually, or through APIs, within the platform itself, so that they can have access to the environment. This is the standard authentication model and must be adopted by users who request digital access to the senior X Platform.
By ticking the boxAllow the "Change password after authentication" option in user management, Technology > Administration > Tenant Management > Configure, on the Authentication tab, optionG7 authentication, it is possible to indicate a user to change their password when accessing the platform.
In some cases, the G7 Authentication type is not enabled on the tenant. To validate this information, check the documentation onTenant Management. Once the authentication type is enabled, simplycreate user that will have this specific type of authentication.

When determining thistenant authentication type, it is also determined that the Senior system database used is responsible. Therefore, all configurations for this type of user must be carried out in the system itself, for example, deleting a user and changing a password. If you have more than one Senior solution, it is essential that the bases are unified to use this authentication.
Furthermore, when using this integration model with the Senior system, it is necessary to configure the Integrator to replicate data from the system to the platform. As a result, all authentications carried out by users of this type of authentication will be carried out on the senior X Platform. Therefore, with user synchronization and for performance and security reasons, the authentication process does not validate data in the system.
Observation
When accessing the senior
If access is made using our standard URL (https://platform.senior.com.br/login/?redirectTo=https%3A%2F%2Fplatform.senior.com.br%2Fplataforma%2F) you must enter your login @dominiodotenant.com.br
Characteristics
- Two integration models are available, starting from theIntegrator, which have a screen to start, stop and monitor integrations. In the case of the Management Panel, People Management | HCM, there is aspecific integrator, responsible for all monitoring in the system;
- With this type of authentication defined, the option is availableAllows you to change password, responsible for indicating in the Senior solution database, who is responsible for the users. This makes it possible to change your password via the senior X Platform.
However, this model can cause some situations, such as different passwords between platform and system or even password replication from the system to the platform without the user being aware of this action. Therefore, this option is only recommended for users with access only to the platform.
Retry
The integration process is a fundamental factor in the relationship between solution and platform. And the part regarding user replication is susceptible to external failures, such as in the database and loss of connection.
Therefore, the mechanismretry Senior X Platform (retry) is performed after an integration fails. In other words, a new integration attempt is made after a period of time, seconds or minutes.
In the case of the Management Panel, People Management | HCM, it is recommended to monitor the status of integrators from both locations, on the integration dashboard (hcm-monitor) and on the Synchronization screen, in Technology > Administration > Integration >Failed replications, which allows you to monitor failures. To manage replications, go to Technology > Administration > Integration > Replication.
Important
When selecting the optionUser must change password at next logon, in the user properties in the Senior User Manager, when accessing the platform it is mandatory to change the user's password via integration. If access and password change are made first on the platform, this field in the SGU will not be deselected and will remain active until access is made there.
For user integration between the Senior systems and the senior X Platform to occur correctly, it is necessary to configure theURL for JDBC connection, in the Senior Configuration Center, in Database > Enterprise Management (ERP) or People Management, in the Java Applications section, is appropriate.

Integrated authentication with network (or operating system) access permission.
With theauthentication made on the LDAP server, some requirements need to be met:
- NAT configuration (Network Address Translation) in the Senior cloud for the server;
- have a valid digital certificate to guarantee authentication security;
- firewall configuration to accept requests from the Senior cloud to the installed LDAP server.
In addition to meeting these requirements, it is necessary to synchronize LDAP/AD users with the platform, as the configuration of roles and permissions is carried out on the platform itself. Only authentication is carried out in LDAP (the user's password is not read).
After the connection to the server is confirmed, you must enter a username and password for the AD connection and search the LDAPs in order to identify the user ID (name, telephone number, email address and other information).
Synchronization
Synchronization is performed for LDAP groups and roles within the senior X Platform as follows: with users, roles are created and assigned to these users. So, simply inform which LDAP attributes identify a group in your database. Additionally, it is necessary to manually configure the permissions of these roles within the platform.
To automate this process, it is recommended to configure a period (night) in the platform scheduler, in Technology > Customization >Schedules, so that LDAP users/groups are synchronized.
User import
Import all existing users on the LDAP server into the senior X Platform user base. This base is kept synchronized. In other words, all additions, changes and deletions made on the server will be applied to this base.
This import can be done in the following way:
- immediate: from the buttonSync now of the screenTenant Settings, from Tenant Management. This synchronization between the bases is done immediately, the process is asynchronous and the synchronization time may vary according to the volume of users and roles. After completing the process, a notification is sent by the platform;
- scheduled: from the scheduling screen, schedule a recurring synchronization, which will run every time interval defined at the time of scheduling.
Observation
As user registration is carried out on the LDAP server, it is not possible to change users for this type of authentication through the platform interface. When opting for LDAP/AD authentication, it is necessary to confirm that database users do not have attributes with line breaks. Because, if they do, it will not be possible to use the system properly.
The senior X Platform uses IPs 52.67.236.215, 52.67.76.60 and 52.67.144.189 for LDAP connection. Make sure the addresses are cleared in the firewall.

Similar to LDAP authentication, in which the user remains in the database and requires the configuration of a NAT between cloud and Senior, theSAML authentication In addition to having these features, it has its own login screen, with the need to enter its URL and the information that allows user mapping.
Currently, SAML 2.0 integration is only done with ADFS 3.0. If you have another provider, such as IBM One or CA Identity Manager, some tests are required for official approval, for configuration adjustments. Furthermore, in some cases, the platform is integrated via SAML to ADFS and then ADFS via NTLM to Windows. In this way, the user, when accessing Windows, automatically accesses the platform and, consequently, all the solutions configured on it.
Observation
If you choose to change the authentication mode to SAML, before logging out with the administrator user, associate the administrator role with an ADFS user so that authentication can be done properly at the next login, without any hindrance in managing the environment.
When opting for SAML authentication, it is mandatory to inform the tenant using the parameter &tenant=<tenant_domain> in the URL of the page for two-step login, or &tenant=<tenant_domain>&saml=true to be redirected directly to the SAML login screen.
Example of access URL:
https://platform.senior.com.br/login/?redirectTO=https%3A%2F%2Fplatform.senior.com.br%2Fplataforma%2F&&tenant=tenant_domain&saml=true
Integration
The configuration of integration between a SAML/ADFS server and Senior X Platform can be done using a NAT, in which Senior provides limited fixed IPs as the source for this server.
The company must configure SAML/ADFS in a way that is compatible with the platform-defined attributes. And for theCallback For integration between SAML/ADFS and the platform, the URL https://platform.senior.com.br/auth/LoginWithCodeServlet must be used. In addition to being shared by Senior, the public key of the certificate, so that it can be added to the SAML/ADFS server.
Login
This process for SAML type users is done directly on the SAML server. In other words, with this type of authentication, when typing the login URL, a redirection will be made to the two-step login screen, the user types the username, and if no user is found in the G7, G5 or LDAP database, the user is redirected to the company's ADFS login screen. If you have already logged in externally, you will be redirected by the SAML server itself back to the platform. If you have not logged in, you will be sent to the SAML authentication screen, and after entering your username and password, this server authenticates the user and integrates the senior X Platform, which allows you to log in.
Requirements:
- If you want to authenticate from a public location, the SAML/ADFS server must be available on the internet.
- configure integration between SAML/ADFS server and platform.
Users
In this type of authentication, user synchronization is not necessary, as users are created automatically upon access. When a user is removed from the SAML server, they are not removed from the platform. In other words, this administration must be done manually, without any security risks. This is necessary, as a user that does not exist in the database will not be able to authenticate.
The SAML-synchronized logout process can be performed on the platform. This way, when the user logs off on the senior X Platform, it is also done on the SAML server (processSSO Logout). For this model to work properly, it is necessary to configure the server to support this model (Identity Provider).
Administrator user authentication
If the tenant exclusively uses the ADFS authentication type (with no other access via senior allows you to log in to the platform with the administrator user. Step by step:
- With the administrator user, access Technology > Configuration > By Tenant;
- On the Per Tenant Configuration screen, select the name of the desired tenant;
- In Domains and Services, search for the domainplatform, then search for the serviceauthentication and click the buttonTo edit;
- On the properties screen, click the System tab, then clickAllows admin authentication via G7 select the optionTRUE. Click on the buttonTo save to confirm the process.
Note
For LDAP and SAML authentication, it is necessary to contract the service offered by the IT Services area. Please contact your account executive for more information.
When using G7, G5 or SAML authentication, the language is configured on the platform itself. If you use LDAP authentication, the user's language is configured and updated in AD.