The OnBase Client and Configuration modules can be configured to use the Hyland IdP server for auto-logon authentication. Auto-logon authentication requires the -AL command-line switch and can be either interactive, which requires the user to enter login credentials, or non-interactive.
If auto-logons are not configured, the Client and Configuration modules revert to using standard OnBase authentication, even if OnBase is configured for IdP authentication.
To configure the Client and Configuration modules to use the Hyland IdP server for auto-logon authentication:
- Configure a client connection on the Hyland IdP server for the OnBase Client and Configuration modules to use.
Tip:
Complete details on configuring a client connection on the Hyland IdP server are documented in the separate Identity and Access Management Services documentation. Version compatibility with OnBase Foundation releases is documented in the Version section of that documentation.
The client connection must have the following settings, as well as any standard required settings. All other settings can be left with the default values.
| Setting | Value |
| --- | --- |
| Protocol Type | oidc |
| Redirect URLs | Enter http://localhost as the Redirect URL value. This value must match the value configured for the Redirect URI setting in the OnBase Configuration module. Note: This value is required by the grant type used, but a URL is not actually used by the OnBase Client and Configuration modules. |
| Allowed Grant Types | Authorization Code; Password |
| Allowed Scopes | openid |
| Authentication Restriction Settings | Select Allow users to log in locally unless only an external authentication provider is used to authenticate users |
| Secret | Select Client Secret must be present |
- Configure a client secret with a Value that is the plain-text value of the word or phrase configured as the client secret in the OnBase Configuration module, and set the Type to Shared Secret.
Note:
The value entered is converted to a hash of the value when the client connection is saved, but the value passed from the OnBase Configuration module must still be plain text.
- Save the client connection. The Client ID value is automatically populated.
- Copy the Client ID value to the clipboard by clicking the icon at the right of the Client ID field.
Tip:
Recycle the application pool of the Hyland IdP server in IIS for any configuration changes on the Hyland IdP server to take effect.
- Launch the OnBase Configuration module with the -ROMANZO switch applied. The user accessing IdP configuration must have the System Configuration right.
CAUTION:
Before using features enabled by the -ROMANZO switch, ensure that you understand the feature and implications of any changes to your system. Contact your service provider with any questions regarding these features. Features enabled by the -ROMANZO switch should not be made available to the casual user. Remove the -ROMANZO switch after completing necessary actions.
- Select IdP Authentication from the Utils menu. The Hyland IdP Client Authentication Settings dialog box is displayed.
- Paste the client ID you copied from the client connection into the Client ID field.
- Make sure Enable is selected. If this option is not selected, IdP authentication is not used and standard OnBase authentication is used instead.
- Update the values of the following settings:

| Setting | Value |
| --- | --- |
| IdP | The URL of the Hyland IdP server. Do not include a tenant in the URL. This value is case sensitive. For example, if your domain is my.domain, the Hyland IdP application name is identityprovider, and the environment is configured for secure connections, then the value is: https://my.domain/identityprovider |
| Tenant | The name of the tenant on the Hyland IdP server. This value is case sensitive. |
| Scope | Enter openid as the scope. |
| Client ID | Paste the client ID you copied from the client connection into the Client ID field. This is the unique ID of the client on the Hyland IdP server. This value is case sensitive and must match exactly the value on the Hyland IdP server. |
| Redirect URI | Enter http://localhost as the redirect URI value. This value must match the value configured for the Redirect URLs setting of the client connection on the Hyland IdP server. Note: This value is required by the grant type used, but a URL is not actually used by the OnBase Client and Configuration modules. |
| Client Secret | Enter a plain-text word or phrase to use as the client secret. This value is required. You must also configure the corresponding client secret for the client connection on the Hyland IdP server. Tip: Complete details on configuring a client secret for a client connection on the Hyland IdP server are documented in the separate Identity and Access Management Services documentation. Version compatibility with OnBase Foundation releases is documented in the Version section of that documentation. |
| Code Challenge Method | The recommended value is S256. If plain is used as the challenge mode, then Allow PKCE with a plaintext code challenge must be selected for the client connection on the Hyland IdP server. |
- Click OK.
- Locate the onbase32.ini file and open it for editing.
Tip:
For details on changing INI settings, see the INI Settings module reference guide.
- Change the value of the IdP_Enable setting to 1.
- Save and close the INI file.
In order to use Hyland IdP authentication, the Client and Configuration modules must be launched with the -AL and -ODBC switches applied, where the value of the -ODBC switch is the name of the database configured for use with IdP authentication.
When the OnBase Client or Configuration modules are next accessed using IdP authentication, the configured Hyland IdP connection is used to authenticate users. If interactive authentication is configured, the user must enter their credentials in the Hyland IdP Login dialog box.
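
The Code Challenge Method setting above selects how the PKCE code challenge is derived from the code verifier (RFC 7636). The following is an added example, not Hyland code, that contrasts S256 with plain and shows why S256 is the recommended value. All function names are illustrative, and the allow_plain parameter stands in for the Allow PKCE with a plaintext code challenge option on the client connection.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Value the client places in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # the verifier itself travels in the first request
    raise ValueError(f"unsupported code challenge method: {method}")


def server_accepts(stored_challenge: str, method: str,
                   presented_verifier: str, allow_plain: bool = False) -> bool:
    """Token-endpoint check: recompute the challenge from the verifier."""
    if method == "plain" and not allow_plain:
        return False  # plain is refused unless explicitly allowed (assumption)
    expected = code_challenge(presented_verifier, method)
    return hmac.compare_digest(expected, stored_challenge)


def challenge_reveals_verifier(verifier: str, method: str) -> bool:
    """True if the challenge seen in the authorization request is enough
    on its own to pass the token-endpoint check."""
    observed = code_challenge(verifier, method)
    return server_accepts(observed, method, observed, allow_plain=True)


if __name__ == "__main__":
    v = new_code_verifier()
    for m in ("S256", "plain"):
        print(m, code_challenge(v, m), challenge_reveals_verifier(v, m))
```

With S256 the authorization request carries only a hash, so observing that request does not yield the verifier needed at the token endpoint; with plain it does.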