SSO for Microsoft Dynamics AX

by Microsoft

Add Modern SSO to Microsoft Dynamics AX Without AOS Changes

Why Microsoft Dynamics AX Needs Modern SSO

Microsoft Dynamics AX (now succeeded by Dynamics 365 Finance and Operations) is a tier-one ERP system used by thousands of mid-to-large enterprises for financials, supply chain management, manufacturing, retail, and human resources. Despite Microsoft's push toward the cloud-based Dynamics 365, many organizations continue to run Dynamics AX 2009 and Dynamics AX 2012 (R2/R3) on-premises due to deep customizations, regulatory requirements, or migration complexity.

Dynamics AX's authentication model relies on Windows Integrated Authentication (Kerberos/NTLM) via Active Directory, or claims-based authentication using AD FS for the web-facing Enterprise Portal and AIF services. Organizations using non-Microsoft IdPs (Okta, Google Workspace, Ping Identity) face a significant challenge: Dynamics AX does not natively support SAML SP or OIDC relying-party flows without AD FS as an intermediary.

OnePAM solves this by operating as an identity-aware reverse proxy in front of the Dynamics AX Enterprise Portal (SharePoint-based), AIF web services, and the new Dynamics AX 2012 R3 web client. Users authenticate through any corporate IdP, and OnePAM injects the authenticated identity via trusted HTTP headers or Kerberos constrained delegation. All AX web interfaces gain SSO without AOS code changes, X++ modifications, or AD FS dependency.

Authentication Challenges with Microsoft Dynamics AX

These are the security and operational challenges organizations face when Microsoft Dynamics AX relies on its native authentication model.

AD FS Dependency

Dynamics AX claims-based authentication requires AD FS, creating a hard dependency on Windows Server infrastructure and limiting IdP flexibility.

No Direct SAML/OIDC

Dynamics AX 2012 does not support SAML SP or OIDC relying-party flows natively. All federation must pass through AD FS as a claims provider.

Kerberos Constraints

Windows Integrated Authentication works only within the Active Directory forest. Remote workers, contractors, and partners outside the domain cannot use SSO.

Enterprise Portal Complexity

AX Enterprise Portal runs on SharePoint, adding another layer of authentication configuration on top of AOS and AX batch servers.

Customization Risk

Dynamics AX deployments carry heavy X++ customizations. Changing authentication touches the AOS security model and risks breaking custom business logic.

Multi-Company Complexity

Dynamics AX multi-company setups require users to access different legal entities — each potentially needing different access policies.

How OnePAM Adds SSO to Microsoft Dynamics AX

A step-by-step guide to deploying modern SSO for Microsoft Dynamics AX using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Install OnePAM as a reverse proxy in front of Dynamics AX Enterprise Portal, web client, or AIF service endpoints.

OnePAM deploys as a container or VM and handles TLS termination. It intercepts all HTTP/HTTPS requests to AX web interfaces before they reach SharePoint (Enterprise Portal) or IIS (web client).

2. Connect Your Identity Provider

Configure your corporate IdP (Okta, Azure AD, Google Workspace, Ping, or any SAML 2.0 / OIDC provider) as the authentication source.

OnePAM handles the full SAML/OIDC handshake: metadata exchange, assertion validation, MFA enforcement, and token lifecycle. Users authenticate via their IdP and are returned with a signed assertion.

3. Map IdP Users to AX Users

Define how IdP user attributes (email, UPN, employee ID) map to Dynamics AX user accounts and network aliases.

OnePAM maps IdP assertions to AX user records using Active Directory lookups, UPN matching, or custom attribute mapping. Multi-company user assignments are preserved.

4. Enable Identity Injection

OnePAM injects the authenticated identity via Kerberos constrained delegation or trusted HTTP header propagation.

After IdP authentication, OnePAM performs Kerberos constrained delegation to obtain a service ticket for the AX AOS, or injects trusted HTTP headers that AX Enterprise Portal accepts. Users land in AX without a second login.

5. Enforce Policies & Audit

Apply access policies per AX company, enforce MFA, enable session recording, and generate compliance reports.

Every AX access event is logged with full IdP context: user, MFA method, device, location, and company accessed. Session recording captures the full AX web session for compliance playback.
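
Steps 3 and 4 in code, as an added example that is not OnePAM's code or configuration: the header names, the user table and the company codes are hypothetical, constructed for illustration. It shows the two checks a header-injecting proxy has to make before forwarding a request: resolve the verified IdP claims to an AX alias that is allowed in the requested company, and discard any identity headers the client sent itself.

```python
# Added illustration. Header names and the user table below are hypothetical,
# not OnePAM or Dynamics AX configuration.
IDENTITY_HEADERS = {"x-authenticated-user", "x-authenticated-company"}

# Constructed sample: IdP UPN -> (AX network alias, permitted legal entities)
AX_USERS = {
    "alice@corp.example": ("CORP\\alice", {"USMF", "DEMF"}),
    "bob@corp.example": ("CORP\\bob", {"USMF"}),
}


class AccessDenied(Exception):
    """Raised when the IdP identity has no AX mapping or lacks the company."""


def map_identity(claims, company):
    """Resolve already-verified IdP claims to an AX alias for one company."""
    upn = (claims.get("upn") or claims.get("email") or "").strip().lower()
    if upn not in AX_USERS:
        raise AccessDenied("no AX user mapped for this IdP identity")
    alias, companies = AX_USERS[upn]
    if company not in companies:
        raise AccessDenied("company not permitted for this user")
    return alias


def is_identity_header(name):
    # Many web servers fold '_' and '-' together when exposing headers to the
    # application, so X_Authenticated_User must be treated as a spoof as well.
    return name.lower().replace("_", "-") in IDENTITY_HEADERS


def build_upstream_headers(client_headers, claims, company):
    """Strip client-supplied identity headers, then set the proxy's own."""
    alias = map_identity(claims, company)  # fail closed before forwarding
    clean = {k: v for k, v in client_headers.items()
             if not is_identity_header(k)}
    clean["X-Authenticated-User"] = alias
    clean["X-Authenticated-Company"] = company
    return clean
```

The injected header is only trustworthy if the AX web tier accepts connections from the proxy alone; a backend that is reachable directly will honor whatever header a client sends.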

Benefits of SSO for Microsoft Dynamics AX

Measurable business outcomes from deploying OnePAM SSO in front of Microsoft Dynamics AX.

SSO Beyond Active Directory

Users authenticate with any corporate IdP — not just Active Directory. Okta, Google Workspace, and non-Microsoft IdPs work seamlessly.

Any IdP, not just AD

MFA for Dynamics AX

Apply your IdP's MFA policies to AX access — push notifications, FIDO2 keys, or biometrics — without AD FS complexity.

100% MFA-protected AX access

Instant Offboarding

Disable a user in your IdP and their Dynamics AX access is immediately revoked — no waiting for AD replication or AX user cleanup.

Real-time access revocation

Eliminate AD FS Dependency

OnePAM replaces AD FS for Dynamics AX SSO, removing a critical Windows Server infrastructure dependency.

No AD FS servers to manage

Unified Audit Trail

Dynamics AX access events appear alongside all other enterprise applications in a single audit trail with full IdP and device context.

Single pane of glass

No AOS or X++ Changes

No AOS configuration modifications, no X++ code changes, no AX model store updates. OnePAM operates at the HTTP layer.

Zero code changes

Microsoft Dynamics AX SSO Capabilities

Every feature needed to provide enterprise-grade SSO for Microsoft Dynamics AX.

SAML 2.0 & OIDC SSO for Dynamics AX Enterprise Portal
Dynamics AX 2012 R3 web client SSO
AIF web service endpoint protection
Kerberos constrained delegation to AOS
HTTP header-based identity injection
Multi-company (legal entity) access policies
Session recording and keystroke logging
Just-in-time user provisioning from IdP

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end TLS between user, OnePAM, and Dynamics AX
Signed and encrypted SAML assertions
Per-company access policies and restrictions
IP allow-listing and geo-restriction
Device compliance verification before AX access
Automatic session termination on IdP logout

Microsoft Dynamics AX SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for Microsoft Dynamics AX.

1. Finance teams accessing Dynamics AX General Ledger with corporate SSO and MFA
2. Supply chain operators using AX inventory management from warehouse devices with device trust
3. Manufacturing floor managers accessing AX production orders via Enterprise Portal with role-based access
4. Remote workers accessing Dynamics AX web client from outside the Active Directory domain
5. External auditors given time-limited, recorded access to AX financial reports
6. Multi-subsidiary organizations unifying Dynamics AX access across different IdPs during mergers

Microsoft Dynamics AX SSO FAQ

Common questions about deploying OnePAM SSO for Microsoft Dynamics AX.

Does OnePAM require changes to Dynamics AX AOS or X++ code?

No. OnePAM operates as a reverse proxy in front of Dynamics AX web interfaces. It handles authentication at the HTTP layer. No AOS configuration changes, no X++ modifications, and no model store updates are needed.

Which Dynamics AX versions are supported?

OnePAM supports Dynamics AX 2009 SP1, Dynamics AX 2012, 2012 R2, and 2012 R3. Any version that exposes web interfaces (Enterprise Portal, web client, or AIF services) is compatible.

Do we still need AD FS with OnePAM?

No. OnePAM replaces AD FS for Dynamics AX SSO. Users can authenticate through any SAML/OIDC IdP directly, without AD FS as an intermediary. However, if you prefer to keep AD FS, OnePAM can work alongside it.

How does OnePAM handle Dynamics AX multi-company access?

OnePAM supports per-company access policies. IdP groups can be mapped to specific AX legal entities, and different MFA and session policies can be applied per company.

Can external users (vendors, partners) access Dynamics AX through OnePAM?

Yes. OnePAM supports external IdP federation, allowing vendors and partners to authenticate through their own IdPs while accessing your Dynamics AX Enterprise Portal with scoped permissions.

What about the thick client (Dynamics AX Windows client)?

OnePAM directly supports all web-based Dynamics AX interfaces. For the Windows thick client that connects to AOS via RPC, OnePAM can provide SSO through Kerberos constrained delegation when the client accesses AOS through a OnePAM-protected endpoint.
