Introduction One Exact Identity: what is it, why, how to use with Invantive?


Exact Online is in the process of registering all users of Exact products into a large “user directory” called “One Exact Identity.” In this article you will find more about what One Exact Identity is, why it is deemed necessary and how the implementation is noticeable within Invantive products. All information in this article has been gathered from public sources and/or experiences in making Invantive products suitable for One Exact Identity, and then interpreted from the context of Invantive. The information is not necessarily consistent with other interpretations about the meaning of One Exact Identity.

What is One Exact Identity?

One Exact Identity is a central registration of identities (individuals and possibly others such as “service accounts”). In this central registration, often also called “user directory,” all users of Exact products should eventually be present based on the email address used for identification.

“One Exact Identity” is also known by the acronym “OEI”.

The email address used for identification should be traceable to the user’s person and the user should be able to receive emails on it.

In addition to the e-mail address and data to verify a password, such a user directory may include additional fields, such as name information or specific permissions, and/or be used to centralize a last name change, for example. It is currently unknown (May 2023, June 2023) whether this is the case for One Exact Identity, or whether this additional data can only be found in the Exact products themselves.

A central user directory such as OEI may also contain data for strong authentication based on TOTP. It became known in June 2023 that OEI provides for strong authentication, and/or that strong authentication as known from Exact Online is retained, and/or that authentication apps other than Microsoft Authenticator, such as Google Authenticator, can be used. This includes compatibility with Exact Online, where passwords and QR codes for TOTP are retained.

Whether strong authentication based on TOTP is required during login varies with the circumstances. The behavior seems to be that if the “remember 30 days” checkbox is not turned on, then, all other things being equal (including IP address), an authentication code is not requested or is requested less frequently. Changing to an IP address in a supported country usually requires a new authentication code.

In this sense, One Exact Identity is very similar to the Invantive Cloud user directory and the Atlassian user directory. Visma will reportedly also register all user identities centrally across all Visma products. One Exact Identity (as far as we know) does not offer capabilities like SecureLogin and others for authentication on non-Exact products.

Technologically, One Exact Identity appears to be based on Azure B2C. Invantive has not established which technology the strong authentication is based on, nor the production status of that technology.

It is not known if or when One Exact Identity will work as a Single Sign-on method in addition to “Single Identity”. Here, “Single Sign-on” (“SSO”) is understood to mean that a user who has logged in once can also use other Exact products without further authentication and/or authorization.

One Exact Identity and Exact Online

Since mid-May, a limited target group of Exact Online users has been offered the option to switch to OEI. The password will be retained in the migration process.

This exclusively concerns users in the Netherlands (as of May 26, 2023 and June 6, 2023). No users in Belgium have been offered the choice to migrate to OEI.

Update June 9: those users who have been offered the option to switch to OEI will be forcibly transferred to OEI on June 16, 2023.

Compatibility of One Exact Identity and Invantive products

On the day of implementation of One Exact Identity for Exact Online, there were major failures in at least the AvailableFeatures API. This blocked logins completely. Also, the performance of the APIs seems to have degraded. The outage on the AvailableFeatures API and the performance issues now seem to have resolved spontaneously.

Telnet Console Login with Implicit Grant Flow

It is currently known that logging in to Exact Online from a Telnet console via the Implicit Grant Flow is impossible with all Invantive products. This means that activation of OEI will cause a failure in combination with virtually all installations of Invantive Data Hub and Invantive Data Replicator on Windows, Linux and macOS. Improved compatibility is being worked on.

A possible workaround is to replace the Windows variant of Invantive Data Hub with the multi-platform variant (release 22.0.664 or newer). The multi-platform variant is almost entirely compatible in terms of scripts and operation with the Windows variant. To switch to the multi-platform variant, follow the steps described in:

Windows Products Login with Implicit Grant Flow

Logging in via the embedded Edge browser in the Invantive products for Windows GUI and Microsoft Office is not possible with versions older than 22.0.646. This means that activation of OEI will cause a failure when combined with older versions of Invantive Query Tool and Invantive Control for Excel.

An enhancement is available in all Windows products starting with version 22.0.646. These can also be found at https://download.invantive.com. All frequent users have received an e-mail requesting them to install, test and then put the new version into production.

Sign-in on Cloud products

At this time (May 2023, June 2023) there are no known issues when using Get My Report and Invantive Cloud in combination with Exact Online accounts with OEI activated.

Advice Introduction of One Exact Identity

Based on experience with the implementation of Atlassian’s central user directory, it is expected that the implementation of One Exact Identity could lead to disruptions for several months.

The advice is NOT to activate One Exact Identity for as long as you can, until all Invantive products have been upgraded to a recent version.
The general advice is to delay activation of One Exact Identity until larger groups of other users have successfully transitioned and have not experienced any resulting issues for at least 1 month.

Pointers for further reading

Related video:

https://files.exact.com/training/MM/NL-NL_OEI_MigrationU/