Configuring Environment Value Management to Use IdP Authentication - Identity and Access Management Services - Foundation 23.1 - Foundation 23.1 - Ready - OnBase - external

Integrating With Hyland IAM Services

Platform: OnBase
Product: Identity and Access Management Services
Release: Foundation 23.1

Environment Value Management (EVM) can be configured to use Hyland IdP authentication.

To configure EVM to use the Hyland IdP server for authentication:

  1. Configure a client connection on the Hyland IdP server for EVM to use.
    Tip: Complete details on configuring a client connection on the Hyland IdP server are documented in the separate Identity and Access Management Services documentation. Version compatibility with OnBase Foundation releases is documented in the Version section of that documentation.

    The client connection must have the following settings, as well as any standard required settings. All other settings can be left with the default values.

    Protocol Type: oidc
    Allowed Grant Types: Authorization Code
    Allowed Scopes: openid
    Redirect URLs: The URL to the authentication-confirmation location for the EVM UI installation. This value is case-sensitive. For example, if your domain is my.domain, the EVM UI application name is EVM-UI, and the environment is configured for secure connections, then the value is: https://my.domain/EVM-UI/view/authentication-confirmation
    Post Logout Redirect URLs: The URL to the unauthenticated location for the EVM UI installation. This value is case-sensitive. For example, if your domain is my.domain, the EVM UI application name is EVM-UI, and the environment is configured for secure connections, then the value is: https://my.domain/EVM-UI/view/unauthenticated

  2. After saving the client connection, copy the Client ID value to the clipboard by clicking the icon at the right of the Client ID field.
    Tip: Recycle the application pool of the Hyland IdP server in IIS for any configuration changes on the Hyland IdP server to take effect.
  3. Open the appsettings.json file of the EVM UI for editing in a plain-text editor. In a default installation, this is located at C:\Program Files\Hyland\EVM-UI\config.
    CAUTION: Be very careful when updating the JSON configuration files. If a copy exists with a similar naming scheme (for example, appsettings.backup.json), and that copy is not deleted, the incorrect JSON configuration file may be used. Configuration files are read in lexicographic order, or the order in which they are loaded. This means that the last file saved is the first file loaded. The order of precedence for the loading of the configuration sources is: 1) appsettings.json file, 2) appsettings.{AltName}.json file, 3) Key-per-file directories, 4) Environment variables, and 5) Command Line arguments. As a result, if a JSON configuration file is configured with an alternate name, and is the most recently saved version of the JSON configuration file, the file with the alternate name will take precedence, which causes major errors during login.
  4. Locate the authConfig element in the hyConfigMappings section.
  5. Update the values of the following attributes:

    issuer: The URL of the Hyland IdP server. This value must match the casing of the application name in IIS. For example, if the public origin of the Hyland IdP server is https://server.domain.com and the default application name was used, then the issuer value is https://server.domain.com/identityprovider
    scope: The scope of the client connection (openid).
    clientId: The unique Client ID value you copied to the clipboard after saving the client connection.
    customQueryParams: Leave this value empty.
    idp-tenant: Leave this value empty.
    redirectUri: The URL to the authentication-confirmation location for the EVM UI installation. This value is case-sensitive. For example, if your domain is my.domain, the EVM UI application name is EVM-UI, and the environment is configured for secure connections, then the value is: https://my.domain/EVM-UI/view/authentication-confirmation
    postLogoutRedirectUri: The URL to the unauthenticated location for the EVM UI installation. This value is case-sensitive. For example, if your domain is my.domain, the EVM UI application name is EVM-UI, and the environment is configured for secure connections, then the value is: https://my.domain/EVM-UI/view/unauthenticated
    silentRefreshRedirectUri: Leave this value empty.
    requireHttps: Set this value to true.
    apiEndpoints: The API endpoint of the EVM-API. For example, if your domain is my.domain and the EVM-API application name is EVM-API, then the value is: https://my.domain/EVM-API/api

  6. Save the appsettings.json file.
  7. Recycle the application pool of the EVM-UI server for the changes to take effect.
  8. Open the appsettings.json file of the EVM-API for editing in a plain-text editor. In a default installation, this is located at C:\Program Files\Hyland\EVM-API\config.
    CAUTION: Be very careful when updating the JSON configuration files. If a copy exists with a similar naming scheme (for example, appsettings.backup.json), and that copy is not deleted, the incorrect JSON configuration file may be used. Configuration files are read in lexicographic order, or the order in which they are loaded. This means that the last file saved is the first file loaded. The order of precedence for the loading of the configuration sources is: 1) appsettings.json file, 2) appsettings.{AltName}.json file, 3) Key-per-file directories, 4) Environment variables, and 5) Command Line arguments. As a result, if a JSON configuration file is configured with an alternate name, and is the most recently saved version of the JSON configuration file, the file with the alternate name will take precedence, which causes major errors during login.
  9. Locate the Scope element under the IDP element.
  10. Set the value of the Name attribute to openid. For example:
    "IDP": {
      "Scope": {
        "Name": "openid"
      }
    }
  11. Locate the IdPConfig element.
  12. Update the values of the following attributes:

    IdP: The endpoint of the Hyland IdP server without the tenant. This value is case-sensitive. For example, if your domain is my.domain, the Hyland IdP application name is identityprovider, and the environment is configured for secure connections, then the value is: https://my.domain/identityprovider
    Audience: The resources endpoint of the Hyland IdP server configured as the IdP value. This value is case-sensitive. For example, if your domain is my.domain, the Hyland IdP application name is identityprovider, and the environment is configured for secure connections, then the value is: https://my.domain/identityprovider/resources
    NameClaimType: The claim in the access token that contains the user name of the user logging in. The default value is username.
    ApiName: Leave this value empty.
    ApiSecret: Leave this value empty.
    RequireHttpsMetadata: Set this value to true.

  13. Save the appsettings.json file.
  14. Recycle the application pool of the EVM-API server for the changes to take effect.
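The following is an added checker, not part of the Hyland documentation or product, that applies the rules from steps 5 and 12 to the two appsettings.json files before the application pools are recycled: openid scope on both sides, requireHttps and RequireHttpsMetadata set to true, the fields that must stay empty, an exact (case-sensitive) match between redirectUri and the Redirect URL registered on the IdP client, Audience equal to the IdP value plus /resources, and a scan for sibling appsettings.*.json files that the caution above warns can be loaded instead of appsettings.json. The JSON nesting (authConfig under hyConfigMappings, IdPConfig at the top level), the cross-check that IdPConfig.IdP equals authConfig.issuer, the sample values and the placeholder Client ID are assumptions constructed for the example.

```python
import re

# Constructed sample values, not from a real deployment. The nesting of
# authConfig under hyConfigMappings and of IdPConfig at the top level is an
# assumption; adjust the lookups if your files differ.
REGISTERED_REDIRECT = "https://my.domain/EVM-UI/view/authentication-confirmation"
UI_CFG = {"hyConfigMappings": {"authConfig": {
    "issuer": "https://my.domain/identityprovider", "scope": "openid",
    "clientId": "PLACEHOLDER-CLIENT-ID", "customQueryParams": "", "idp-tenant": "",
    "redirectUri": "https://my.domain/evm-ui/view/authentication-confirmation",
    "postLogoutRedirectUri": "https://my.domain/EVM-UI/view/unauthenticated",
    "silentRefreshRedirectUri": "", "requireHttps": False,
    "apiEndpoints": "https://my.domain/EVM-API/api"}}}
API_CFG = {"IDP": {"Scope": {"Name": "openid"}},
           "IdPConfig": {"IdP": "https://my.domain/identityprovider",
                         "Audience": "https://my.domain/identityprovider/resources",
                         "NameClaimType": "username", "ApiName": "", "ApiSecret": "",
                         "RequireHttpsMetadata": True}}

def check_config(ui_cfg, api_cfg, registered_redirect):
    """Return the list of rule violations; an empty list means both files pass."""
    a = ui_cfg["hyConfigMappings"]["authConfig"]
    c = api_cfg["IdPConfig"]
    p = []
    if a.get("scope") != "openid" or api_cfg["IDP"]["Scope"].get("Name") != "openid":
        p.append("scope / IDP.Scope.Name must be openid")
    if a.get("requireHttps") is not True or c.get("RequireHttpsMetadata") is not True:
        p.append("requireHttps and RequireHttpsMetadata must be true")
    for key in ("customQueryParams", "idp-tenant", "silentRefreshRedirectUri"):
        if a.get(key, "") != "":
            p.append(f"authConfig.{key} must be empty")
    for key in ("ApiName", "ApiSecret"):
        if c.get(key, "") != "":
            p.append(f"IdPConfig.{key} must be empty")
    if not a.get("clientId"):
        p.append("clientId is empty: paste the Client ID from the IdP client connection")
    # Redirect values are case-sensitive on the IdP: compare exactly, never lower-cased.
    if a.get("redirectUri") != registered_redirect:
        p.append("redirectUri does not exactly match the registered Redirect URL")
    if c.get("IdP") != a.get("issuer"):
        p.append("IdPConfig.IdP must equal authConfig.issuer (case-sensitive)")
    if c.get("Audience") != str(c.get("IdP")) + "/resources":
        p.append("Audience must be the IdP value followed by /resources")
    return p

def stray_config_files(names):
    """Sibling files such as appsettings.backup.json that may be loaded instead."""
    return sorted(n for n in names if re.fullmatch(r"appsettings\..+\.json", n))
```

On the constructed sample the checker reports two violations: requireHttps is false and redirectUri differs from the registered value only in letter case, which the IdP treats as a different URL.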