Desktop Host can be configured to use Hyland IdP authentication.
To configure Desktop Host to use the Hyland IdP server for authentication:
- Configure a client connection on the Hyland IdP server for Desktop Host to use.
  Tip: Complete details on configuring a client connection on the Hyland IdP server are documented in the separate Identity and Access Management Services documentation. Version compatibility with OnBase Foundation releases is documented in the Version section of that documentation.
  The client connection must have the following settings, as well as any standard required settings. All other settings can be left with the default values.

  | Setting | Value |
  |---|---|
  | Redirect URLs | http://127.0.0.1 |
  | Allowed Grant Types | Select Authorization Code |
  | Require PKCE | Select Require PKCE |
  | Allowed Scopes | openid, offline_access |
  | Allow users to login locally | Select Allow users to login locally |
  | Allow clients to request a refresh token | Select Allow clients to request a refresh token |
  | Allow issuing access tokens to browsers | Select Allow issuing access token to browsers |
  | Post Logout Redirect URLs | http://127.0.0.1 |
  | Front Channel Logout requires session ID | Select Front Channel Logout requires session ID |
  | Back Channel Logout requires session ID | Select Back Channel Logout requires session ID |
  | Refresh Token Usage | Select OneTime |
  | Include user claims in ID token | Select Include user claims in ID token |

- Save the client connection. The Client ID value is automatically populated.
- Copy the Client ID value to the clipboard by clicking the icon at the right of the Client ID field.
  Tip: Recycle the application pool of the Hyland IdP server in IIS for any configuration changes on the Hyland IdP server to take effect.
- Open the config.json file of Desktop Host for editing in a plain-text editor. In a default installation, this file is located at one of the following locations:
  - Before installation, the file is in the same directory as the installer.
  - After Windows installation, the file is in C:\ProgramData\Hyland\DesktopHost\bin
  - After macOS installation, the file is in /Library/Hyland/DesktopHost/bin
- Locate the end of the WhitelistedAddress section and insert the following text after it to create a new IdP section:

      "IdP": {
        "IdPConfigurations": [
          {
            "ServiceName": "IdP Service Name",
            "Issuer": "https://my.domain/identityprovider",
            "ClientID": "Client ID",
            "Scope": "openid offline_access"
          }
        ],
        "IdPServerTimeout": 300
      }

  Note: Each key and value must be in double quotation marks, and pairs of key and value elements must be separated with commas.
- For the key "ServiceName", edit the value to specify the name of the IdP service.
  For example, IdP Service Name.
- For the key "Issuer", edit the value to specify the URL of the IdP server issuer endpoint.
  For example, if the domain is my.domain, the IdP application name is identityprovider, and the environment is configured for secure connections, then the value is: https://my.domain/identityprovider.
- For the key "ClientID", edit the value to specify the unique identifier of the IdP service that works with Desktop Host. This is the Client ID value copied from the client connection.
- For the key "Scope", edit the value to specify a list of access privileges requested by the client. Each scope name must be separated with a space.
  For example, openid offline_access.
- For the key "IdPServerTimeout", edit the value to specify a time in seconds after which the server becomes unavailable.
  Note: By default, the value is 300 seconds. If you do not specify a value, this value is used.
- Save the config.json file.
- Do one of the following:
  - If you have not yet installed Desktop Host, place the config.json file in either the same folder as the Desktop Host installer (for Windows) or in the Home folder (for macOS).
  - If you have already installed Desktop Host, restart the computer.
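A pre-deployment check for the IdP section built in the steps above, as an added example that is not part of the Hyland documentation or product. Treating a non-HTTPS issuer as a finding and requiring both `openid` and `offline_access` are this example's policy assumptions; `check_idp_section`, `SAMPLE` and the sample values are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "offline_access"}  # scopes allowed on the client connection
PLACEHOLDERS = {"IdP Service Name", "Client ID", "https://my.domain/identityprovider"}  # template values

def check_idp_section(config):
    """Return a list of problems found in the "IdP" section of a parsed config.json."""
    idp = config.get("IdP")
    if not isinstance(idp, dict):
        return ['missing "IdP" section']
    entries = idp.get("IdPConfigurations")
    if not isinstance(entries, list) or not entries:
        return ['"IdPConfigurations" must be a non-empty array']
    problems = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"[{i}] entry is not a JSON object")
            continue
        for key in ("ServiceName", "Issuer", "ClientID", "Scope"):
            value = entry.get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"[{i}] {key}: missing or not a string")
            elif value in PLACEHOLDERS:
                problems.append(f"[{i}] {key}: template placeholder left in place")
        issuer = urlsplit(str(entry.get("Issuer", "")))
        if issuer.scheme != "https" or not issuer.netloc:  # assumption: HTTPS-only policy
            problems.append(f"[{i}] Issuer: not an https URL")
        scope = str(entry.get("Scope", ""))
        if "," in scope:  # the IdP settings table lists scopes with a comma; config.json wants spaces
            problems.append(f"[{i}] Scope: separate scope names with spaces, not commas")
        missing = REQUIRED_SCOPES - set(scope.replace(",", " ").split())
        if missing:
            problems.append(f"[{i}] Scope: missing {sorted(missing)}")
    timeout = idp.get("IdPServerTimeout", 300)  # 300 seconds is used when the key is omitted
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        problems.append("IdPServerTimeout: must be a positive whole number of seconds")
    return problems

# Constructed sample: http issuer, ClientID placeholder, comma-separated scopes, quoted timeout.
SAMPLE = json.loads("""{ "IdP": { "IdPConfigurations": [ { "ServiceName": "Corp IdP",
  "Issuer": "http://idp.example.test/identityprovider", "ClientID": "Client ID",
  "Scope": "openid,offline_access" } ], "IdPServerTimeout": "300" } }""")

if __name__ == "__main__":
    for problem in check_idp_section(SAMPLE):
        print(problem)
```

To check a real file, load it with `json.load` and pass the resulting object to `check_idp_section`; a JSON parse error at that point usually means a missing comma or quotation mark around the inserted section.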