Recently, Infor Lawson communicated that they plan to stop providing discrepancy corrections and updates for Lawson Security as Security Token Services (LS/STS) by March 2019—in other words, sunsetting support for LS/STS. Therefore, customers that were using LS/STS for their authentication needs will need to move to another authentication service—such as Active Directory Federation Services (ADFS)—by that time. So if you’re planning on converting to Lawson ADFS for your authentication needs, here’s what you need to know to prepare.
What is authentication?
First, a brief primer on what authentication is and why you should care about it. Put simply, authentication is the process of confirming that someone or something actually is who they purport to be. An authentication service checks to see that a user’s credentials match those found in a database of authorized users, for example, or in a data authentication server. The most common example of this would be a user ID and password—so long as what the user provides matches what’s found in the database, that user gets access to the system.
This all comes into play because Infor Lawson is changing up which authentication solution they’re supporting, switching from LS/STS to ADFS.
Switch Now or Wait?
That’s a good question. While Infor Lawson recommends customers using LS/STS to switch to ADFS by March 2019, the absolute latest companies could get away with holding off on the conversion is early 2021. The Why relies on a bit of speculation—that’s when ESP 9 will probably no longer be supported, and ESP 9 is the last version that will support LS/STS—but the question remains: why should companies make the switch now?
There are a few reasons, including…
Product support and compatibility requirements
Some Lawson products—such as Ming.le™ 12— will require ADFS. If you don’t have it running, you’re out of luck if you want to continue to use those products.
By using ADFS, your Infor application never gets your username or password (since it’s only being handled by Microsoft’s ADFS), keeping them more secure.
Easier account management and maintenance
ADFS will allow you to enable/disable accounts directly in Windows instead of doing it in Lawson. Who doesn’t like saving time and effort?
Once you switch to ADFS, you’ll be able to implement new functionalities, some of which were difficult to pull off with LS/STS, such as two-factor authentication, for example.
How Will Converting to Lawson ADFS Affect My Setup?
Converting to Lawson ADFS from LS/STS will (obviously) change your current setup somewhat. The conversion could impact multiple servers (LSF, Landmark, Ming.le, SQL, etc.), and in addition to moving over to ADFS, you will need to assess if you are on the proper versions of LSF, Landmark, and other programs.
Be sure to keep a lookout for a trickle-down effect that this change will cause. For example, to account for ADFS, you may need to upgrade multiple servers, which might mean you need to move to 10.0.10 or newer Landmark versions. In addition to those possible server upgrades, there are quite a few steps you should take to prepare your business for making the switch to ADFS.
What Should I Do Before Making the Switch?
Check what ADFS version will be supported by your Active Directory
The box where you’ll be installing ADFS will be able to help you determine what version of ADFS you’ll need to use. For example, if that box is running Win2012, you’ll need to use ADFS version 3.0, whereas if your domain is still Win2008, you will have to update it to 20012R2 version or above or implement schema extensions that will allow that configuration.
Understand that you might need a new instance of ADFS
IFS must be installed on the same box where ADFS will sit, so even if you already have ADFS somewhere in your organization, that doesn’t mean you’ll be using that instance for your Lawson needs.
Check to see what will stay the same between LS/STS and ADFS
If you’re using LSF servers already, some of the items required by ADFS should be already installed and configured, which could save you some time.
Consider Infor and 3rd-party product requirements
There are minimum requirements that you’ll have to meet before implementing ADFS, such as a minimum LSF ESP and Landmark CU, as well as other products, like LBI and Mobile Supply Chain Management (MSCM), if you have those implemented.
Think about the infrastructure considerations
Ask yourself where you’re going to install ADFS. Are you planning on using existing corporate ADFS servers? Would you better served by using an ADFS server dedicated to Lawson applications? You may be considering installing ADFS in an existing Lawson server, but if you do, what will that installation do to the resource utilization on that server?
What are your colocation requirements?
Some ADFS components have colocation requirements. For example, one of your Infor products must be installed on the same Windows box where ADFS is installed.
How will the change affect your Infor users and services?
The switch to ADFS will mean you’ll need to change some of the identities defined in LSF and Landmark, as well as create new services and associated identities.
Consider ongoing maintenance
The switch to ADFS will also affect your user maintenance procedures. Post-ADFS changeover, you will need to configure and use new tools specific to the ADFS authentication.
Plan for User and Admin training
Any time you configure new tools and create new processes, you’ll need to make users and admins aware of them, so make sure everyone understands that training with the new system will be on the schedule.
Time your upgrades carefully
Ensure that you time your upgrade so that it causes minimum disruptions to your business processes, and remember—there’s a lot to this conversion process, so it could take longer to complete than you may expect. In addition to the time you’ll need to do the upgrade itself, you’ll also need time beforehand to confirm that you do it correctly as well as time afterward to fix any errors you made or found during the process.
Clearly, there are plenty of reasons for converting to Lawson ADFS from LS/STS, including meeting new app requirements, access to improved features, and an ever-approaching deadline. But switching authentication solutions isn’t a task to be undertaken lightly. If you need help to ensure everything goes smoothly the first time, get in touch. We have an expansive network of senior-level Infor Lawson security consultants who would be more than happy to ensure your system is in tip-top shape and ready to make the switch to ADFS.