With the release of Microsoft Dynamics GP 2013 R2, a couple of new features were included for the Web Client. One of these new features is Identity Management.

A user in Dynamics GP has multiple identities. These include the GP User ID, the SQL login that supports the GP User ID and the network credentials used to log onto the machine from which GP is accessed. The goal of Identity Management is to leverage the relationships that a user has to its various entities so that Dynamics GP better understands who you are.

What does this mean for the Web Client? With the ability to tie a GP login to a Windows account, a single sign-on experience is available. The next question you may be asking yourself is whether the single sign-on experience will also be available for the Desktop client. The answer to that question is that the Web Client is the only platform that will have this experience.

The historical challenge with single sign-on in Dynamics GP has always come down to security. Let's step briefly through why this can cause us some headaches. Imagine that the GP login process allowed us to enter our domain credentials (Domain\User) for the User Name. Those credentials would then have to be set up in SQL as a login, have access to each GP database and be a member of the DYNGRP database role. That SQL access exists outside of the security defined inside Dynamics GP, so with an application that can set up a connection to SQL (like Microsoft Excel) and a simple search online, an accounts payable clerk could be viewing payroll information.

So, how is single sign-on achieved without sacrificing security? The Windows Account is tied to a GP User Account, but the Windows Account is NOT in SQL as a login. Next, a common SQL Login is created for the Web Client in Dynamics Utilities. This SQL Login is added to each database and is added to the DYNGRP database role, but is NOT added to Dynamics GP as a user. This means that when you log onto the Web Client with a Windows Account, the common SQL Login is used to access the tables, but your security inside of Dynamics GP is governed by the User ID to which the Windows Account is tied.
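The separation described above can be checked from the SQL Server side. The following T-SQL is an added example, not part of the original post or the product: the login name is a placeholder, and it assumes the system database has the default name DYNAMICS and that GP users are stored in its user master table SY01400.

```sql
-- Added audit example; not from the original post.
-- Run once in the system database and once in each company database.
DECLARE @CommonLogin sysname = N'<web_client_common_login>';  -- placeholder

-- 1. Windows accounts or groups that are direct members of DYNGRP.
--    Expect zero rows: a Windows principal in DYNGRP can reach the GP tables
--    from any SQL client, outside of Dynamics GP security.
SELECT m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'DYNGRP'
  AND m.type IN ('U', 'G');          -- U = Windows user, G = Windows group

-- 2. The common login should be a SQL-authenticated login that is mapped
--    into this database and is a member of DYNGRP. Expect one row.
SELECT sp.name AS login_name,
       m.name  AS database_user
FROM sys.server_principals     AS sp
JOIN sys.database_principals   AS m  ON m.sid = sp.sid
JOIN sys.database_role_members AS rm ON rm.member_principal_id = m.principal_id
JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE sp.name = @CommonLogin
  AND sp.type = 'S'                  -- S = SQL login
  AND r.name  = N'DYNGRP';

-- 3. The common login must NOT exist as a Dynamics GP user. Expect zero rows.
--    Assumption: system database DYNAMICS, user master table SY01400.
SELECT USERID
FROM DYNAMICS.dbo.SY01400
WHERE USERID = @CommonLogin;
```

Query 1 only reports direct DYNGRP membership; Windows principals that reach the data through other roles or server-level permissions need a separate review.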

There are three windows that govern the login process for the Web Client. They are:

  1. Logon.aspx page (where Network credentials are supplied)
  2. GP Login Page (where the GP User ID and Password are supplied)
  3. GP Company Selection Page

Let's break down each of the windows to understand the enhancements that were added with Identity Management.

Logon.aspx

Up until the Dynamics GP 2013 R2 release, we only utilized Session Cookies for the Web Client session. This means that when you entered your network credentials into the Logon.aspx page, it would write those credentials down to the machine and they would only be valid for three minutes. Upon the next login, the previously entered credentials could not be used and had to be entered again.

With the Dynamics GP 2013 R2 release, a Persistent Cookie is now available. This means that you can choose to save your credentials and those credentials will be used on your future logins into the Web Client. This was accomplished by adding the following section to the Logon.aspx:

If "This is a private computer" is selected and the option to "Remember my user name and password" is checked, a persistent cookie is created. As long as the credentials in the persistent cookie are valid, you will not be presented with the Logon.aspx page on future logins. To remove a persistent cookie, you can either flush the cookies from your browser or you can remove it in the Web Client by exiting GP and then selecting the Sign Out option.

GP Login Page

This page was modified in both the Desktop Client and the Web Client to add an Authentication field. In the Desktop Client, this field is grayed out and only SQL Server Account can be utilized. In the Web Client, either SQL Server Account or Windows Account can be used.

Here is a quick look at the page in the Web Client:

If the credentials passed on the Logon.aspx (or included with the Persistent Cookie) are tied to a user in User Setup in Dynamics GP, you will not see this window. You will be logged into the Web Client with the Authentication set to Windows Account.

Company Selection Page

The Company Selection Page functions exactly as it did previously. The only thing to highlight is that if the default company option is selected, you will not see this window in the Login Process.

So, with all this information, how will this affect the end user? With a persistent cookie in place and with that user's network credentials being mapped to a GP User ID and with a default company being marked, an end user will go from entering in the URL for the Web Client to being in the Home Area Page for the default company.

Now that we know what Identity Management is, what changed to make this possible? The following areas were changed:

  • Dynamics Utilities - Changes were made to create the Common SQL login that is used for the Web Client
  • Dynamics GP - The following forms were altered:
    • User Login
    • User Setup
    • User Access Setup
    • User Preferences
  • Web Client - The following changes were made:
    • Installation to include Common SQL Login for single tenant deployments
    • Logon.aspx was modified for the security section
    • Information.aspx was added to facilitate exiting GP
  • Tenant Services - The following changes were made:
    • Application Properties page contains some new properties and columns
    • Add Tenant \ Tenant Properties Pages include fields to enter in the Common SQL login
    • Add User \ User Properties include a checkbox to see protected settings

For detailed documentation on the changes that were made to the forms, you will want to click HERE.

Check out the VIDEO!!