SSO for Sage X3

by Sage

Add Modern SSO to Sage X3 Without Application Server Changes

Why Sage X3 Needs Modern SSO

Sage X3 (formerly Sage ERP X3 / Adonix X3) is an enterprise resource planning system used by mid-market and large enterprises in manufacturing, distribution, chemicals, food and beverage, and services industries worldwide. Built on a proprietary 4GL runtime (Sage's own SAFE X3 engine) with a web-based Syracuse interface, Sage X3 manages financials, purchasing, sales, inventory, manufacturing, and CRM.

Despite its modern web UI, Sage X3's authentication model remains isolated from corporate identity infrastructure. Users authenticate with Sage X3-specific credentials stored in the application's own user management system. The Syracuse web server (Node.js-based) does not support SAML SP or OIDC relying-party flows natively. Organizations must either accept the credential silo or invest in custom development to bridge Sage X3 with their IdP.

OnePAM solves this by operating as an identity-aware reverse proxy in front of the Sage X3 Syracuse web server. Users authenticate through your corporate IdP, and OnePAM injects the authenticated identity into the Syracuse session via HTTP header propagation or session cookie injection. All Sage X3 web functions — financials, inventory, manufacturing, CRM — gain SSO without application server modifications or custom 4GL development.

Authentication Challenges with Sage X3

These are the security and operational challenges organizations face when Sage X3 relies on its native authentication model.

Isolated User Management

Sage X3 maintains its own user database with credentials separate from your corporate directory and IdP, creating yet another credential silo.

No Native Federation

The Syracuse web server (Node.js-based) does not support SAML or OIDC natively. There is no built-in mechanism to delegate authentication to an external IdP.

Proprietary 4GL Runtime

Sage X3's SAFE X3 engine uses a proprietary 4GL language. Customizing authentication requires specialized Sage development expertise.

Syracuse Architecture

Syracuse is a multi-tier Node.js application with its own session management. Integrating external authentication requires deep knowledge of the Syracuse architecture.

Limited Sage Partner Options

Few Sage partners offer SSO solutions, and those available often require invasive changes to the Syracuse server or custom connector development.

Compliance Requirements

Manufacturing and distribution industries face increasing audit requirements (SOX, FDA 21 CFR Part 11) that demand centralized access control and audit trails.

How OnePAM Adds SSO to Sage X3

A step-by-step guide to deploying modern SSO for Sage X3 using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Install OnePAM as a reverse proxy in front of the Sage X3 Syracuse web server.

OnePAM deploys as a container or VM and handles TLS termination. It intercepts all HTTP/HTTPS requests to the Syracuse web interface before they reach the Node.js application layer.

2. Connect Your Identity Provider

Configure your corporate IdP (Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC provider) as the authentication source.

OnePAM handles the full SAML/OIDC handshake: metadata exchange, assertion validation, MFA enforcement, and token lifecycle. SP-initiated and IdP-initiated flows are both supported.

3. Map IdP Users to Sage X3 Users

Define how IdP user attributes (email, employee ID, UPN) map to Sage X3 user codes and folders.

OnePAM maps IdP assertions to Sage X3 user codes using direct matching, lookup tables, or regex transformations. Multi-folder (multi-company) user assignments are handled automatically.

4. Enable Session Injection

OnePAM injects the authenticated identity into Sage X3 via HTTP header propagation or Syracuse session cookie injection.

After IdP authentication, OnePAM sets trusted HTTP headers or injects a Syracuse-compatible session cookie. The Sage X3 web client accepts the identity, and users land on their X3 home page without a second login.

5. Enforce Policies & Audit

Apply access policies per Sage X3 folder and function group, enforce MFA, enable session recording, and generate compliance reports.

Every Sage X3 access event is logged with full IdP context: user, MFA method, device, location, and folder accessed. Session recording captures the full web session for compliance playback.
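
The attribute mapping in step 3 and the header propagation in step 4 can be sketched as follows. This is an added example, not OnePAM or Sage X3 code: the header names, the rule format, the claim names and the user-code pattern are all assumptions, and the sample values are constructed.

```javascript
'use strict';
// Added example. Header names, rule format and code pattern are assumptions,
// not OnePAM or Sage X3 interfaces. All sample values are constructed.
const IDENTITY_HEADERS = ['x-auth-user', 'x-auth-folder'];
const VALID_CODE = /^[A-Z0-9]{1,10}$/; // assumed shape of an X3 user code

// Rules are tried in order: lookup table, regex transformation, direct match.
const RULES = [
  { type: 'lookup', claim: 'employeeId', table: { E1001: 'JSMITH' } },
  // Anchored on both ends so "user@corp.example.attacker.test" cannot match.
  { type: 'regex', claim: 'upn', pattern: /^([a-z]{1,10})@corp\.example$/i, replace: '$1' },
  { type: 'direct', claim: 'x3code' },
];

// Returns the mapped user code, or null when no rule yields a valid code.
function mapToX3User(claims, rules = RULES) {
  for (const rule of rules) {
    const value = claims[rule.claim];
    if (typeof value !== 'string') continue;
    let code = null;
    if (rule.type === 'lookup') {
      // Own-property check keeps keys such as "__proto__" from resolving.
      const hit = Object.prototype.hasOwnProperty.call(rule.table, value);
      code = hit ? rule.table[value] : null;
    } else if (rule.type === 'regex') {
      code = rule.pattern.test(value) ? value.replace(rule.pattern, rule.replace) : null;
    } else if (rule.type === 'direct') {
      code = value;
    }
    if (code !== null && VALID_CODE.test(code.toUpperCase())) return code.toUpperCase();
  }
  return null;
}

// Builds the header set forwarded upstream; returns null to deny the request.
function buildUpstreamHeaders(clientHeaders, claims, folder) {
  const user = mapToX3User(claims);
  if (user === null) return null; // fail closed: unmapped users never reach the backend
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    // Drop any client-supplied copy of an identity header, whatever its case.
    if (!IDENTITY_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  out['x-auth-user'] = user;
  out['x-auth-folder'] = folder;
  return out;
}
```

Header-based identity is only as trustworthy as the network path: the backend has to be reachable solely through the proxy, otherwise a direct request can set the same headers itself.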

Benefits of SSO for Sage X3

Measurable business outcomes from deploying OnePAM SSO in front of Sage X3.

Eliminate X3 Passwords

Users access Sage X3 with their corporate IdP credentials — no separate X3 password to maintain, expire, or reset.

85% fewer X3 password tickets

Enforce MFA for Sage X3

Apply your IdP's MFA policies to all Sage X3 access — push notifications, FIDO2 keys, or biometrics — without Syracuse modifications.

100% MFA-protected X3 access

Instant Deprovisioning

Disable a user in your IdP and their Sage X3 access stops immediately. No orphan X3 user accounts, no lingering sessions.

Real-time access revocation

No Custom Development

OnePAM provides SSO for Sage X3 without requiring custom 4GL development, Syracuse server modifications, or Sage partner engagement.

Zero development cost

Unified Compliance

Sage X3 access events appear alongside all other enterprise applications in a single audit trail with full IdP context and device information.

Audit-ready in minutes

No Syracuse Changes

No Node.js code modifications, no Syracuse configuration changes, no Sage X3 4GL patches. OnePAM works entirely at the HTTP layer.

Zero server changes

Sage X3 SSO Capabilities

Every feature needed to provide enterprise-grade SSO for Sage X3.

SAML 2.0 & OIDC SSO for Sage X3 web client
Syracuse web server session integration
HTTP header-based identity injection
Multi-folder (multi-company) support
Sage X3 function group access policies
Mobile Sage X3 web access SSO
Session recording and keystroke logging
Just-in-time user provisioning from IdP

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end TLS between user, OnePAM, and Syracuse server
Signed and encrypted SAML assertions
Per-folder access policies and restrictions
IP allow-listing and geo-restriction per Sage X3 instance
Device compliance verification before X3 access
Automatic session termination on IdP logout

Sage X3 SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for Sage X3.

1. Manufacturing teams accessing Sage X3 production planning with corporate SSO
2. Finance departments using Sage X3 General Ledger and AP/AR with MFA enforcement
3. Distribution warehouse staff accessing Sage X3 inventory from handheld devices with device trust
4. Chemical industry compliance teams meeting FDA 21 CFR Part 11 access control requirements
5. External auditors given time-limited, recorded access to Sage X3 financial reports
6. Multi-site organizations unifying Sage X3 access across different folders and IdPs during mergers

Sage X3 SSO FAQ

Common questions about deploying OnePAM SSO for Sage X3.

Does OnePAM require changes to the Sage X3 Syracuse server or 4GL code?

No. OnePAM operates as a reverse proxy in front of the Syracuse web server. It handles authentication at the HTTP layer. No Syracuse configuration changes, no 4GL code modifications, and no Sage X3 patches are needed.

Which Sage X3 versions are supported?

OnePAM supports Sage X3 Version 6, Version 7, Version 9, Version 11, and Version 12 (2021/2022/2023 releases). Any version using the Syracuse web server for browser access is compatible.

Does OnePAM work with Sage X3 multi-folder (multi-company) setups?

Yes. OnePAM supports per-folder access policies. IdP groups can be mapped to specific Sage X3 folders, and different MFA and session policies can be applied per folder.

How does OnePAM handle the Sage X3 Syracuse session lifecycle?

OnePAM manages the session lifecycle at the HTTP layer. When a user authenticates via the IdP, OnePAM creates a Syracuse-compatible session. Session timeout and idle policies are enforced by OnePAM, and IdP logout triggers immediate session termination.

Can we use OnePAM alongside Sage X3's built-in LDAP integration?

Yes. If Sage X3 is already configured for LDAP authentication, OnePAM can work alongside it. OnePAM handles the external IdP authentication, and the mapped user identity is injected into Sage X3 regardless of whether X3's user management uses LDAP or local credentials.

Does OnePAM support Sage X3 REST web services?

Yes. OnePAM can protect Sage X3 REST web services exposed by the Syracuse server. API clients authenticate via OIDC client credentials or bearer tokens, and OnePAM injects the identity into the Syracuse session for downstream authorization.

Ready to Add SSO to Sage X3?

Deploy OnePAM in hours — not months. No Sage X3 code changes required. Start your free 14-day trial today.