Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
From a security best-practice perspective, Deltek recommends that every customer configure their system to integrate with one of the third-party Identity Providers supported by Maconomy (Microsoft Windows Azure Active Directory, OneLogin, or OKTA), including the setup of multi-factor authentication through the same vendor.
The Basics
Before modern authentication and single sign-on, Users authenticated directly from their Client or Clients to the Server or Servers hosting the Applications they wanted to access, using a username and password.
Modern authentication introduces an additional and more secure element to Client/Server communication: integration with a third-party Identity Provider (IdP). IdPs offer consolidated, cloud-based identity and access management that grants or denies access across Applications and their interfaces.
With an IdP, the Username and Password are no longer sent to and validated by the Server directly. Instead, the Client obtains a security token from a trusted IdP and presents it to the Server, which has its own trust relationship with that IdP. The Server uses the IdP's signing key to check the token's cryptographic signature and confirm its validity before granting or denying access to the Application.
Third Party Identity Provider Support
The Maconomy Enterprise Cloud offering supports single sign-on using one of three third-party IdPs. Each provides authentication across all Maconomy interfaces, including the User Interfaces (Workspace Client, iAccess and Touch) and the RESTful API.
The three supported third-party Identity Providers are as follows:
- Microsoft Windows Azure Active Directory
- OneLogin
- OKTA
Deltek has no preference for, or direct relationship with, these third parties when it comes to their IdP solutions. Customers bear complete responsibility for deciding which IdP best meets their needs, and for the setup, support and maintenance of these solutions.
Once a Third Party IdP is selected and configured for a Customer, more detailed technical information pertaining to the integration requirements can be found in the Core Maconomy System Admin Guide or in a specific Azure Setup Guide.
Supported Authentication Protocols
Each of these three IdPs uses the industry-standard OAuth 2.0 / OpenID Connect (OIDC) authentication protocol; however, each has its own prerequisites and specific configuration options, including additional features such as Active Directory (AD) integration or Multi-Factor Authentication (MFA).
Maconomy supports the following protocols for integrating with IdPs:
- OAuth 2.0 OpenID Connect (OIDC)
- OAuth 2.0 JWT Bearer Tokens (supported from 2.4.5 CU13, 2.4.7 and 2.5.1 CU1)
The Maconomy Enterprise Cloud offering does not support other authentication protocols such as Kerberos, LDAP or SAML.
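The token check described under The Basics and the JWT Bearer Token support listed above, as an added illustration that is not Maconomy's or any IdP's code: using only the Go standard library, a generated RSA key pair stands in for the IdP's signing key, a sample RS256 JWT is minted with it, and the server-side function verifies the signature with the public key before enforcing the issuer, audience and expiry claims. The function names, the issuer URL and the audience value are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the payload subset the server enforces once the signature holds.
type Claims struct {
	Iss string `json:"iss"` // issuer: must be the trusted IdP
	Aud string `json:"aud"` // audience: must be this Maconomy installation
	Exp int64  `json:"exp"` // expiry, seconds since the epoch
}

// signRS256 mints header.payload.signature the way the IdP does; used here only to build a sample token.
func signRS256(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c) // JWT segments are unpadded base64url
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSA PKCS#1 v1.5 over SHA-256 of header.payload
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifyRS256 is the server-side check. The algorithm is pinned here, not read from the token
// header, so an "alg":"none" or HMAC-signed token fails the RSA check like any other forgery.
func verifyRS256(pub *rsa.PublicKey, tok, wantIss, wantAud string, now time.Time) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signature covers header.payload as sent
	if sig, err := base64.RawURLEncoding.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify under the IdP signing key")
	}
	var c Claims // only decoded after the signature holds; unsigned data is never trusted
	if pb, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("unreadable payload")
	}
	if c.Iss != wantIss || c.Aud != wantAud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("claims rejected: wrong issuer or audience, or token expired")
	}
	return &c, nil
}
```

In a real deployment the public key is fetched from the IdP's published key set rather than generated locally, and the token's kid header selects which key to use; that lookup is left out here.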
Integration to Other Deltek Products
The Maconomy Enterprise Cloud offering can include other elements integrated into the core Maconomy solution such as Business Performance Management (BPM) and People Planner. Maconomy uses Trusted Authentication to authenticate seamlessly between core Maconomy and these other elements. This means that Users authenticate to Maconomy via one of its User Interfaces, and Maconomy in turn handles authentication to the other product or products.
Direct SSO to these products is not supported.
Requesting SSO for Maconomy Enterprise Cloud
To request the activation of SSO via one of the supported IdPs, use the Activate Other Features service request from the Deltek Support Center.
For further information on individual Service Requests, see the Related Topics section below.
Related Topics:
- Activate Other Features
This request can be used to activate additional features in your environment. To do so, please go to the Deltek Support Center and use the "Activate Other Features" Service Request to fill in the appropriate information.