Version 2026.1

XpreSSO®

Enterprise Sign-On for JD Edwards.
Without the Enterprise Overhead.

Your users sign in once — through the identity provider you already own, with whatever MFA policy you already enforce — and land directly in JDE. No new infrastructure. No months-long project. No surprises on the invoice.

  • Minutes: typical install time
  • 9+: identity providers supported
  • Zero: network changes required
  • 100%: standards-based — no lock-in

The business case is straightforward

Reduce risk, reduce cost

Eliminate shared JDE passwords. Enforce MFA on JDE access through the same 2FA policy your users already follow for email and other apps — at no extra cost and with no changes to JDE itself. Close a common audit finding and cut help-desk calls on forgotten credentials.

Fast path to value

Connects to the identity provider you already run. Typical deployments go live the same day. Subscription licensing means no capital approval cycles.

No proxy, no single point of failure

No reverse proxy means no extra network hop, no additional TLS termination, and no new component that can take JDE authentication down with it. Authentication traffic stays on the shortest path; JDE keeps working even if the XpreSSO® host is momentarily unavailable.

What it is: a modern, right-sized SSO gateway for Oracle JD Edwards.

What it isn't: a bulky platform that rewires your network or becomes a single point of failure.

Works with the IdP you already own

XpreSSO® speaks both SAML2 and OIDC/PKCE natively, so it connects to virtually any enterprise identity provider — with no custom connectors, no additional licences, and no professional services engagement from the IdP vendor.

  • Microsoft Entra ID / Azure AD
  • Okta
  • Google Workspace
  • Oracle IDCS
  • Auth0
  • ADFS
  • AWS SSO / Identity Center
  • Duo
  • G-Suite
  • + SAML2 / OIDC compatible IdPs

Multiple IdPs per deployment supported. Per-environment overrides available for complex enterprise topologies.

Solid standards. No shortcuts.

XpreSSO® is built on the current best-practice federation flows — not older patterns with known weaknesses. The points below matter when your security team or auditor asks the right questions.

SP-initiated SAML2 with HTTP-Redirect AuthnRequest and HTTP-POST assertion delivery. AuthnRequests include Destination, ProtocolBinding, and NameIDPolicy attributes — required by strict IdPs such as Oracle IDCS and some Entra configurations. Assertion signatures are verified against the IdP's published X.509 signing certificate, with automatic cert-rotation detection and refresh. Full XML C14N, digest, and RSA-SHA256/512 signature validation. Multi-tenant deployments are supported: foreign tenants are held in an admin-controlled approval list, visible immediately after approval with no service restart.

Authorization Code flow with PKCE (Proof Key for Code Exchange, RFC 7636). The code verifier is generated with a CSPRNG and stored server-side per session — it never touches the browser. This eliminates the implicit flow's token-in-URL exposure and removes the need for a rotating client_secret (use the Mobile and Desktop Application registration type in Entra). The id_token is validated against the IdP's JWKS, with keys cached in the local configuration file and refreshed automatically on rotation. Supports all standard user identifier claims: upn, preferred_username, email, and sub.
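The server-side handling of the PKCE verifier described above can be sketched as follows. This is an added example, not XpreSSO® code: the function names, the in-memory `PENDING` store, the five-minute lifetime and the example hosts are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

TTL_SECONDS = 300   # assumed lifetime of a pending login attempt
PENDING = {}        # state -> (code_verifier, expiry); stand-in for a session store


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(authorize_endpoint, client_id, redirect_uri, now=None):
    """Create the verifier server-side; only its hash goes to the browser."""
    now = time.time() if now is None else now
    verifier = b64url(secrets.token_bytes(32))   # CSPRNG, 43 characters
    state = b64url(secrets.token_bytes(16))      # binds the callback to this session
    PENDING[state] = (verifier, now + TTL_SECONDS)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return state, f"{authorize_endpoint}?{query}"


def finish_login(state, code, client_id, redirect_uri, now=None):
    """Build the token request body for a callback; each state is single-use."""
    now = time.time() if now is None else now
    entry = PENDING.pop(state, None)             # pop: a replayed callback finds nothing
    if entry is None:
        raise ValueError("unknown or already used state")
    verifier, expires = entry
    if now > expires:
        raise ValueError("login attempt expired")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,               # sent server-to-server only
    }
```

An authorization code intercepted in the browser cannot be redeemed without the verifier, which exists only in the server's store until the callback consumes it.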

Large deployments often have multiple JDE environments (PD, DV, UAT) that authenticate against different IdPs or use different JDE signing keys. XpreSSO® supports named IdP sections in its configuration file that override the cloud-type defaults per environment — no duplication of common settings. The [TENANTS] approval list supports foreign-tenant SSO in multi-company Shared Service Centre deployments, with tenant enable/disable effective on the next authentication attempt (no service restart needed).

After successful IdP authentication, XpreSSO® mints a signed JWT (RS256) for the JDE JAS or AIS endpoint, using a per-deployment RSA private key stored encrypted in the configuration file. The JDE environment, target server, and optional deep-link redirect are all resolved at runtime. Username translation maps IdP UPNs to legacy JDE user IDs where they differ. Full Unicode support for user identifiers — including names containing apostrophes, accented characters, and non-Latin scripts.

XpreSSO® runs as a lightweight Windows service directly on your JDE server or on a dedicated host (Linux available on request). There is no reverse proxy, no additional network tier, and no changes to your firewall or JDE configuration. The service exposes two HTTPS endpoints: the SSO initiator (/sso) and the assertion consumer / OIDC callback (/saml and /oauth). Configuration is a single INI file; sensitive values (PEM passphrases, secrets) are stored encrypted. Thread-safe, mutex-protected INI writes prevent configuration corruption under concurrent load.

Everything you need. Nothing you don't.

On day one
  • Seamless SSO into JDE via your chosen IdP
  • Orchestrator Studio SSO included
  • SAML2 and OIDC/PKCE — both protocols ready
  • 2FA / MFA on JDE access — enforced automatically by your IdP, nothing to configure in JDE
  • Installation by our team (Windows; Linux available on request)
  • Simple subscription — no capital outlay
As you scale
  • Username translation — map IdP UPNs to legacy JDE user IDs
  • Multiple JDE IDs per user for complex role structures
  • Fat Client & Developer Client SSO
  • Multi-environment with per-environment IdP overrides
  • Multi-tenant for Shared Service Centre deployments
  • Parameterized URL & Workflow message support — deep-link users directly into JDE tasks and Orchestrator workflows post-login; not possible when the IdP integrates with JDE directly
Included & ongoing
  • Updates & support — included in subscription, no extras
  • Zero-downtime IdP certificate rotation — new certs detected and cached automatically; no admin action needed
  • JWKS key cache with live refresh fallback
  • Tenant approval managed via config file — effective immediately, no restarts
  • ESI team available for CISO briefings & security reviews

Built for the question your auditor will ask

XpreSSO® was designed from the ground up around current standards and best practices — not retrofitted onto an older architecture. Every authentication event is logged. Every sensitive configuration value is encrypted at rest.

No browser-exposed tokens

PKCE code flow and SAML HTTP-POST bindings keep tokens and assertions off the URL bar and out of browser history — a material difference from older implicit OAuth flows.

CSPRNG session isolation

PKCE code verifiers are generated using RtlGenRandom (Windows CNG) and stored server-side per session. Replay and CSRF attacks are structurally prevented.

Zero-downtime certificate rotation

SAML assertions are verified against the IdP's X.509 signing certificate on every login. When the IdP rotates its signing certificate — a routine event that silently breaks other SSO implementations — XpreSSO® detects the change, fetches the new certificate, and retries the assertion in the same request. Users see no interruption; admins need take no action.

No proxy — no single point of failure, no extra latency

A reverse proxy that handles all authentication becomes a critical dependency: if it slows, JDE slows; if it fails, nobody logs in. XpreSSO® avoids this by design. Authentication traffic takes the shortest path and there is no additional component to patch, monitor, or keep highly available.

Ready to eliminate JDE password friction?

Tell us your environment size and current IdP. We'll come back with a tailored quote — usually same day.


The most cost-efficient JDE SSO on the market.

XpreSSO® was deliberately designed to undercut the pricing of every competing JDE SSO solution — including well-known reverse-proxy-based alternatives — while delivering a more capable and more resilient result. Priced per deployment on an annual subscription sized to your user count, with updates and support included. No capital outlay. No separate maintenance contract. No surprise line items. Most customers recover the cost in reduced help-desk load within the first quarter.
