Seeking a Secure, Efficient Single-Sign On Solution
Background
Taubman, a Michigan-based real estate development company, specializes in a varied portfolio of shopping malls, including regional, super-regional and outlet, found in major markets across the nation and in Asia. Taubman’s biggest retail tenants include Forever 21, The Gap, and Williams Sonoma, among others. ERP Suites has handled their technical managed services since 2013.
Business challenge
As part of our managed services protocol with Taubman, we have performed several tools release upgrades within JD Edwards. The conversation between client and account manager preceding upgrades entails understanding the client’s most up-to-date requirements, including secure sign-on options. Taubman wanted a single sign-on solution to streamline the process for their user community that was secure, efficient, and would preferably coincide with their next upgrade.
Taubman considered implementing the EnterpriseOne LDAP (Lightweight Directory Access Protocol) sign-on method, but ERP Suites advised against it for several reasons. Once LDAP authentication is enabled, every E1 user must authenticate against that directory; no one can opt out. Taubman's user provisioning process would have had to change to work through LDAP. Finally, LDAP was not feasible in some parts of the company, because of multiple domain controllers and users in Asia.
Reducing risk and invigorating sales
Our team instead recommended JSON Web Token Single Sign-On (JWT SSO), a feature new in Release 23 that Taubman's planned upgrade would already include, for the following reasons:
- JWT SSO authenticates users through Microsoft's Azure Active Directory, so a user signs in once.
- The login session is cached, so the user is taken directly into any application under the umbrella of Azure AD (now known as Microsoft Entra ID).
- JWT SSO has a user-directed pace of adoption: users can switch over on their own timelines rather than in a "big bang" cutover of all users, and the traditional E1 login remains available for use cases such as system users and fat client development.
One consequence of using Azure AD/Entra ID is signing key rollover. Microsoft publishes the public keys (certificates) it uses to sign tokens and rotates them on a rolling basis, and it expects the relying application to pick up new keys automatically, typically by re-reading the published key set when a token arrives with a key identifier it has not seen. E1 does not yet support rolling keys or automated keystore updates, so a Microsoft key rotation would break SSO until the E1 keystore was updated by hand. ERP Suites therefore developed a solution that uses a custom signing key which only the E1 web instances use, so the tokens E1 validates are signed with a key whose rotation is not at Microsoft's discretion. The trade-off is that the custom key's lifecycle becomes the customer's responsibility: its expiry date has to be tracked, and renewing it is a coordinated change to both the Entra ID application and the E1 keystore.
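To make concrete what "supporting rolling keys" asks of an application, here is an added example in Go. It is not ERP Suites' or Oracle's code and does not show how E1's keystore actually works; it is a minimal RS256 JWT verifier that caches a published key set, looks the signing key up by the token's kid, and re-reads the key set once when it meets an unknown kid. The same verifier with refreshing disabled stands in for a keystore that only changes by manual update. The key IDs, the in-memory key set standing in for the identity provider's published JWKS, and the token claims are all constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the subset of an RSA public key entry (RFC 7517) a verifier needs.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document an identity provider publishes at its jwks_uri.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicJWK renders an RSA public key the way an IdP would publish it.
func PublicJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kid: kid, Kty: "RSA", N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}
}

// SignRS256 mints a compact JWT; the header's kid names the key that signed it.
func SignRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64(sig)
}

// Verifier caches the IdP's key set. With Rolling set it re-fetches the set
// on an unknown kid; without it, it behaves like a manually maintained keystore.
type Verifier struct {
	fetch     func() JWKS
	Rolling   bool
	keys      map[string]*rsa.PublicKey
	Refreshes int
}

func NewVerifier(fetch func() JWKS, rolling bool) *Verifier {
	v := &Verifier{fetch: fetch, Rolling: rolling}
	v.refresh()
	return v
}

func (v *Verifier) refresh() {
	v.Refreshes++
	v.keys = map[string]*rsa.PublicKey{}
	for _, k := range v.fetch().Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			continue // skip entries we cannot use instead of failing the whole set
		}
		v.keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
}

// Verify checks the RS256 signature and returns the claims.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url in token")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header alg=%q", hdr.Alg) // alg is allow-listed, never trusted from the token
	}
	pub, ok := v.keys[hdr.Kid]
	if !ok && v.Rolling {
		v.refresh() // the IdP may have rolled its keys: re-read the published set once
		pub, ok = v.keys[hdr.Kid]
	}
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// RolloverScenario rotates the published key and reports whether the rolling
// verifier, the pinned verifier, and a token signed with the retired key pass.
func RolloverScenario() (rollingOK, pinnedOK, retiredOK bool) {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	published := JWKS{Keys: []JWK{PublicJWK("kid-2024a", &oldKey.PublicKey)}} // constructed key set
	fetch := func() JWKS { return published }
	rolling, pinned := NewVerifier(fetch, true), NewVerifier(fetch, false)

	claims := map[string]any{"sub": "user@example.com", "aud": "e1-web"} // constructed claims
	oldToken := SignRS256("kid-2024a", oldKey, claims)

	// The IdP rolls its keys: the published set now holds only the new key.
	published = JWKS{Keys: []JWK{PublicJWK("kid-2024b", &newKey.PublicKey)}}
	newToken := SignRS256("kid-2024b", newKey, claims)

	_, errRolling := rolling.Verify(newToken)
	_, errPinned := pinned.Verify(newToken)
	_, errRetired := rolling.Verify(oldToken)
	return errRolling == nil, errPinned == nil, errRetired == nil
}

func main() {
	r, p, o := RolloverScenario()
	fmt.Printf("rolling verifier accepts new key: %v\npinned verifier accepts new key: %v\nretired key still accepted: %v\n", r, p, o)
}
```

The pinned verifier is the situation the text describes: after the IdP rotates, every token fails with an unknown kid until someone updates the keystore. Note the retry is bounded to one refresh per verification; an unbounded refresh loop on every bad token would let an attacker drive traffic to the jwks endpoint.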
This solution gives E1 web users an easier sign-in while applying the security features and policies available in Microsoft Entra ID/Azure AD. Taubman has been using it for over a year with positive user feedback.