Skip to content

Etendo RX

Javapackage: com.etendoerp.etendorx

Etendo SSO Login

Etendo allows you to authenticate using these external provider accounts: Google, Microsoft, LinkedIn, GitHub and Facebook. Using the Single Sign-On (SSO) protocol is possible due to the integration through:

To enable login to Etendo using external providers (Google, Microsoft, LinkedIn, GitHub or Facebook), you need to perform two main steps:

  • Enable the SSO (Single Sign-On) feature through a system preference
  • Configure the connection settings in gradle.properties

  1. Enable the SSO Login Preference

    1. Log in as System Administrator
    2. Go to the Preferences window
    3. Create a new preference with the following settings:

      • Property: Allow SSO Login
      • Selected: Yes
      • Value: Y

      SSO Preference

  2. Configure EtendoAuth Middleware Integration

    To authenticate via the EtendoAuth Middleware, follow these steps:

    1. Open the gradle.properties file
    2. Add the following properties:

      gradle.properties
      sso.auth.type=Middleware
      sso.middleware.url=https://sso.etendo.cloud
      sso.middleware.redirectUri=http://localhost:8080/etendo/secureApp/LoginHandler.html
      authentication.class=com.etendoerp.etendorx.auth.SWSAuthenticationManager
      

      Warning

      This module cannot be configured together with Etendo Advanced Security because both use the authentication.class property.

      Note

      During development, you can use localhost. However, for production, set your actual domain.

      With these settings, Etendo will be able to authenticate users through external login providers using the middleware.

      Potential SSO Configuration Mismatch

      Misconfigured SSO

      If any of the steps above are omitted, attempting to log in using an external provider will display the following error message:

      To resolve this issue, ensure that both the SSO preference and the corresponding entry in gradle.properties are correctly configured and consistent with each other.

Info

For more information about the use of the SSO Login functionality, visit the SSO Login User Guide.

How to Integrate your own Auth0 Login Provider with Etendo (Optional)

This option is recommended only if you need to implement your own authentication service and cannot use the EtendoAuth Middleware service. Follow this guide to configure an Auth0 application and enable social login in Etendo.

  1. Create a New Auth0 Application

    1. Go to the Auth0 Dashboard: https://manage.auth0.com/dashboard
    2. Sign up or log in to your Auth0 account.
    3. Create a new application for the Etendo integration:

      • In the left-hand menu, go to ApplicationsApplications.
      • Click Create Application in the top-right corner. Applications
      • Choose a name and select Regular Web Application.
  2. Choose the Technology Stack

    1. After creating the application, choose the technology used in the project. For Etendo, select Java.

      Choose Technology

    2. You will be redirected to the Quick Start tab of the newly created application.

      App Quick Start

  3. Configure Social Login Providers

    1. In the left-hand menu, go to AuthenticationSocial.

      Social

    2. Click Create Social Connection.

    3. Choose the selected social login providers (Google, Facebook, etc.).

      New Social Connection

    4. Follow the configuration steps provided by Auth0 for each provider.

      Config New Social Connection

    5. After setup, go to the Applications tab within the connection and link it to your application.

      Link Social With App

    6. Repeat this process for every provider you want to enable.

  4. Retrieve and Set Credentials

    1. Return to the application and go to the Settings tab.

      App Settings

    2. Locate the following credentials:

      • Domain
      • Client ID
      • Client Secret
    3. Add them to the gradle.properties file in the following format:

      gradle.properties
      sso.domain.url=your-domain.auth0.com
      sso.client.id=your-client-id
      sso.client.secret=your-client-secret
      sso.auth.type=Auth0
      authentication.class=com.etendoerp.etendorx.auth.SWSAuthenticationManager
      

      Warning

      This module cannot be configured together with Etendo Advanced Security because both use the authentication.class property.

  5. Configure Callback and Logout URLs

    In the Settings tab, configure the following allowed URLs:

    • Allowed Callback URLs:

      The URLs Auth0 redirects to after a successful login.

      http://localhost:8080/etendo/secureApp/LoginHandler.html,
      http://localhost:8080/etendo,
      http://localhost:8080/etendo/web/com.etendoerp.etendorx/LinkAuth0Account.html
      
    • Allowed Logout URLs:

      The URLs Auth0 redirects to after the user logs out.

      http://localhost:8080/etendo,
      http://localhost:8080/etendo/web/com.etendoerp.etendorx/resources/logout-auth0.html
      

      Application URIs

    Note

    During development, you can use localhost. However, for production, set your actual domain in Application Login URI. If you're still in development, you may leave it blank.

  6. Set the Callback URL

    Add the callback URL to the gradle.properties:

    gradle.properties
    sso.callback.url=http://localhost:8080/etendo/secureApp/LoginHandler.html
    
  7. Compile the Project

    Once all properties are configured, compile the project:

    Terminal
    ./gradlew setup smartbuild
    
  8. Log In via External Providers

    1. Start the Tomcat server.
    2. Open the Etendo login page and click Use a Social Account to Sign In
    3. Here you will see the Auth0 login page with the configured providers.

    Auth0 Login

    Tip

    Customize the login screen in Branding > Universal Login in the Auth0 dashboard.

Info

For more information about the use of the SSO Login functionality, visit the SSO Login User Guide.

OAuth Provider

Overview

This section describes the OAuth Authentication service included in Etendo RX module.

The OAuth authentication process facilitates the provider type configuration, allowing users to securely authenticate and authorize access to their information using their preferred provider.

OAuth enables an authentication method through a security protocol for obtaining a token needed to make API calls to access specific resources on behalf of their owner. This authentication allows Etendo to retrieve the necessary information to access third-party applications.

OAuth Provider Window

Application> Etendo RX> OAuth Provider.

This document explains how to configure an OAuth provider to request access tokens. In addition, the implementation to connect Google Drive with Etendo via Etendo Middleware is explained.

You can choose between two methods:

  • Etendo Middleware

    Use the preconfigured provider offered by Etendo Middleware, which simplifies the process (Recommended method).

  • Custom Provider

    Manually configure an external provider if you prefer not to use our middleware, giving you full control over the configuration.

Warning

When using manual configurations, EtendoRX must be installed and properly configured, as it handles the communication with OAuth providers directly. For more information, visit Etendo RX

Configuration Variables

Add the following properties to the gradle.properties file:

gradle.properties
## Middleware Configs
sso.middleware.url=https://sso.etendo.cloud
sso.middleware.redirectUri=http://localhost:8080/etendo/secureApp/LoginHandler.html
sso.google.api.key=AIzaSyAiJGP3Tnlg7-PgZyHrwtAID4i7NuBUbRo
sso.google.api.id=743458387087

Note

During development, you can use localhost. However, for production, set your actual domain.

Compile Environment

Run the following command to compile and set up the environment:

./gradlew setup smartbuild

Create the Connection with Etendo Middleware

  • Log in as admin.
  • Open the oAuth Provider window.
  • Use the toolbar button: Create Etendo Middleware Provider.

    Configure Middleware Provider

  • After clicking the button, refresh the grid. A new record will appear, containing the default configuration to connect with Etendo Middleware.

    Etendo Middleware Provider

Get Access Token

  • Select the newly created middleware.
  • Click on Get Middleware Token.

Get Middleware Token

  • Choose Drive File as the scope.

Drive File Scope

  • Accept Google’s consent screen.

Provider Consent

Token Created in the Token Info Tab

Once the flow is completed, an access token will be generated and can be viewed in the Token Info tab.

Info

Tokens obtained via Etendo Middleware have a default validity period of 1 hour. Once expired, a new token must be requested in order to maintain access to the associated third-party services.

New Middleware Token

Allowing Etendo to access a Document

When the token was created on the Token Info tab, if you select it, the button will show up: Approve Google Doc.

Approve Google Doc

Clicking this button opens a pop-up window listing all documents from the Google Drive linked to the account selected during the token authorization process.

Google Picker

When you select a document, the process will authorize Etendo to access that document.

Approved Doc

Info

Both the token and the granted permission can be used by other functionalities within the Etendo platform.

Info

To revoke access, simply delete the token record. Once removed, the connection to the third-party service will no longer be valid.

Manually Configure a Provider (Optional)

This method is intended for users who prefer to register a custom OAuth provider without using EtendoMiddleware. It provides full control over registration, authorization, and token handling parameters.

Warning

Manual provider configuration requires EtendoRX to be installed and enabled. RX is responsible for managing the direct connection with external OAuth providers. For more information, visit Etendo RX

OAuth Provider Window

Fields to note:

  • Organization: Defines the organization scope for this provider.
  • oAuth API URL: Base URL of the external OAuth API provider. It is used as the primary endpoint for communication with the provider’s authentication and token services. (optional)
  • Active: Checkbox to enable or disable this provider configuration.

Section: Registration

This section defines how your application is registered with the OAuth provider. It includes credentials, the authorization flow, requested scopes, and essential URLs for completing the authentication.

Fields to note:

  • Value: Internal technical identifier for the provider.
  • ID for Client: client_id provided by the OAuth provider.
  • Client Secret: client_secret provided by the OAuth provider.
  • Scope: List of requested permissions (These scopes can be found in the provider documentation. e.g., openid, profile, email, https://www.googleapis.com/auth/drive).
  • Client Name: Display name for the client.
  • Authorization Grant Type: Flow type (e.g., authorization_code, client_credentials, password).
  • Redirect URI: Redirect URL to receive the authorization code or token. This should point to the RX Auth Service URL.
  • Code Challenge Method: PKCE method (S256 or plain).
  • Client Authentication Method: Method to send client credentials (e.g., client_secret_post, client_secret_basic).
  • Token URI: Endpoint to exchange authorization code for tokens (access_token and optional refresh_token).

Section: Provider

This section defines the OAuth provider's endpoints required for your app to connect and validate tokens properly.

  • Authorization URI: Endpoint to initiate the authorization flow.
  • User Info URI: Endpoint to fetch user details using the access_token.
  • User Name Attribute: Attribute used to identify the user (e.g., email, sub).
  • Authorization Endpoint: Endpoint used to request the provider token through the RX Auth Service.
  • JWK Set URI: URL where the provider publishes public keys to verify signed JWTs.

Token Info tab

This tab stores the tokens generated through the ERP. While full tokens are not displayed for security reasons, the following information is available:

  • User: ERP user who generated the token.
  • Provider: The OAuth provider from which the token was issued.
  • Valid Until: Token expiration date and time.

Buttons

  • Refresh Config

    Restarts the services defined in RX Config, useful if configuration changes were made.

  • Get Token: Starts the authorization flow with the external OAuth provider.

    If everything is properly configured, clicking Get Token and accepting the consent will generate the desired access token.

    After refreshing the grid in the Token Info tab, a new record will appear.

Info

To revoke access, simply delete the token record. Once removed, the connection to the third-party service will no longer be valid.


This work is licensed under CC BY-SA 2.5 ES by Futit Services S.L..