Configuring the Web Server and Web Client to Use IdP Authentication

Integrating With Hyland IAM Services

Platform: OnBase
Product: Identity and Access Management Services
Release: Foundation 23.1

The OnBase Web Server includes the OnBase Web Client. Configuring the Web Server for IdP authentication also configures the Web Client.

Note:

The Web Server requires the OnBase Application Server to communicate with OnBase. You must also configure the Application Server to use IdP authentication. See Configuring the Application Server to Use IdP Authentication.

To configure the Web Server to use the Hyland IdP server for authentication:

  1. Configure a client connection on the Hyland IdP server for the Web Server to use.
    Tip:

    Complete details on configuring a client connection on the Hyland IdP server are documented in the separate Identity and Access Management Services documentation. Version compatibility with OnBase Foundation releases is documented in the Version section of that documentation.

    The client connection must have the following settings, as well as any standard required settings. All other settings can be left at their default values.

    Protocol Type
      oidc

    Redirect URLs
      The login.aspx page of the OnBase Web Server. This value is case sensitive: the Hyland IdP server compares it with the redirect URL sent by the Web Server as a literal string, so the scheme, host, application name and page name must all match exactly.

      For example, if your domain is my.domain, the OnBase Web Server application name is AppNet, and the environment is configured for secure connections, then the value is: https://my.domain/AppNet/login.aspx

      Note:

      Additional redirect URL values may need to be configured for other OnBase modules that use the Web Server. The URLs to add for those modules are documented in the sections specific to those modules. See Configuring DocPop, FolderPop, FormPop, WorkflowPop, and PDFPop to Use IdP Authentication and Configuring Other Modules to Use IdP Authentication.

    Allowed Grant Types
      Authorization Code

    Allowed Scopes
      openid

    Post Logout Redirect URLs
      The logout.aspx page of the OnBase Web Server. This value is case sensitive and, like the Redirect URLs value, must match the URL sent by the Web Server exactly.

      For example, if your domain is my.domain, the OnBase Web Server application name is AppNet, and the environment is configured for secure connections, then the value is: https://my.domain/AppNet/logout.aspx

      Note:

      As with Redirect URLs, additional post logout redirect URL values may need to be configured for other OnBase modules that use the Web Server. The URLs to add for those modules are documented in the sections specific to those modules. See Configuring DocPop, FolderPop, FormPop, WorkflowPop, and PDFPop to Use IdP Authentication and Configuring Other Modules to Use IdP Authentication.

    Pkce
      Leave Require PKCE unselected. The Web Server relies on the client secret configured below rather than on PKCE, so a client connection that requires PKCE cannot be used with it.

    Secret
      Select Client Secret must be present.

  2. Configure a client secret for the client connection: set Type to Shared Secret and set Value to the plain-text word or phrase that you will configure as the IdPSecret on the OnBase Web Server (step 8). The two values must match exactly, including case and any leading or trailing spaces.
    Note:

    The value entered is converted to a hash when the client connection is saved, and the plain-text value cannot be recovered from the stored hash afterwards, so keep a record of it. The value passed from the OnBase Web Server must still be the plain-text value; the Hyland IdP server hashes it and compares the result with the stored hash.

  3. Save the client connection. The Client ID value is automatically populated.
  4. Copy the Client ID value to the clipboard by clicking the icon at the right of the Client ID field.
    Tip:

    Recycle the application pool of the Hyland IdP server in IIS for any configuration changes on the Hyland IdP server to take effect.

  5. Launch the Web Application Management Console and select your OnBase Web Server to configure.
    Tip:

    The Web Application Management Console is included with the OnBase Web Server. For details on using it, see the Web Application Management Console module reference guide.

  6. Select the Login tab. The Identity Provider settings are in the lower right of the page.
  7. Paste the client ID value you copied from the Hyland IdP server into the IdpClient field. This is the unique ID of the client on the Hyland IdP server. This value is case sensitive and must match exactly the value on the Hyland IdP server.
  8. Update the values of the remaining options:

    IdPServerLocation
      The URL of the Hyland IdP server.

      For example, if your domain is my.domain, the Hyland IdP application name is identityprovider, and the environment is configured for secure connections, then the value is: https://my.domain/identityprovider

    IdPTenant
      The name of the Hyland IdP server tenant to use. This value is case sensitive and must match exactly the tenant name on the Hyland IdP server.

    IdPClient
      The unique ID of the client connection to use on the Hyland IdP server (the value pasted in step 7). This value is case sensitive and must match exactly the value on the Hyland IdP server.

    IdPSecret
      A plain-text word or phrase to use as the client secret. This value is required. Treat it as a credential: use a long, randomly generated value rather than a dictionary word, and enter exactly the same plain-text value as the client secret for the client connection on the Hyland IdP server (step 2).

      Tip:

      Complete details on configuring a client secret for a client connection on the Hyland IdP server are documented in the separate Identity and Access Management Services documentation. Version compatibility with OnBase Foundation releases is documented in the Version section of that documentation.

  9. Click Save or select File | Save. You are prompted to confirm this action.
  10. Recycle the application pool of the OnBase Web Server for the changes to take effect.
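To check that the two sides of this procedure agree before recycling the application pools, here is an added Python example; it is not Hyland code and not part of the original page. It models the client connection settings from step 1 and the Web Server options from step 8 as plain dictionaries with illustrative key names, assumes the Hyland IdP server stores the secret as a SHA-256 hex digest of the plain-text value (the page only says it is hashed), and uses made-up client ID, tenant name and secret values alongside the page's my.domain and AppNet example names. It reports the mismatches the IdP would reject: a redirect URL differing only in case, Require PKCE selected, or an IdPSecret that does not hash to the stored value.

```python
"""Consistency check between a Hyland IdP client connection and the OnBase
Web Server's Identity Provider settings (added example, not Hyland code).

Assumptions, labelled where they appear: the IdP stores the client secret as a
SHA-256 hex digest of the plain-text value (the page says only that it is
hashed), and the dictionary keys are illustrative names for the settings.
"""
import hashlib


def web_server_urls(domain, app_name, secure=True):
    """Exact login/logout URLs the Web Server uses as its redirect and
    post-logout redirect URLs. The IdP compares them as literal strings, so
    scheme, host, application name and page name must all match exactly."""
    base = f"{'https' if secure else 'http'}://{domain}/{app_name}"
    return {"login": f"{base}/login.aspx", "logout": f"{base}/logout.aspx"}


def hash_secret(plaintext):
    """Assumed storage form of the client secret on the IdP (SHA-256 hex).
    The Web Server never sends this hash; it sends the plain-text value."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def check_registration(idp_client, web_server):
    """Return the mismatches between the IdP client connection and the Web
    Server settings; an empty list means the two sides agree."""
    problems = []
    urls = web_server_urls(web_server["domain"], web_server["app_name"],
                           web_server["secure"])
    # Redirect URLs: literal, case-sensitive membership test, as the IdP does.
    if urls["login"] not in idp_client["redirect_urls"]:
        problems.append("Redirect URLs: missing " + urls["login"])
    if urls["logout"] not in idp_client["post_logout_redirect_urls"]:
        problems.append("Post Logout Redirect URLs: missing " + urls["logout"])
    # Protocol, grant, scope, PKCE and secret requirements from the table.
    if idp_client["protocol_type"] != "oidc":
        problems.append("Protocol Type: must be oidc")
    if "authorization_code" not in idp_client["allowed_grant_types"]:
        problems.append("Allowed Grant Types: Authorization Code not allowed")
    if "openid" not in idp_client["allowed_scopes"]:
        problems.append("Allowed Scopes: openid not allowed")
    if idp_client["require_pkce"]:
        problems.append("Pkce: Require PKCE must not be selected")
    if not idp_client["client_secret_required"]:
        problems.append("Secret: Client Secret must be present not selected")
    # Tenant and client ID are literal, case-sensitive comparisons.
    if web_server["IdPTenant"] != idp_client["tenant"]:
        problems.append("IdPTenant: does not match the tenant on the IdP")
    if web_server["IdPClient"] != idp_client["client_id"]:
        problems.append("IdPClient: does not match the Client ID on the IdP")
    # IdPSecret travels in plain text; the IdP hashes it and compares with the
    # stored hash, so any difference (case, trailing space) fails.
    if hash_secret(web_server["IdPSecret"]) != idp_client["secret_hash"]:
        problems.append("IdPSecret: does not match the stored client secret")
    return problems


def authorization_request_params(web_server, state):
    """Query parameters of the OIDC Authorization Code request the Web Server
    sends to the IdP's authorization endpoint. No code_challenge, because PKCE
    is not used; the secret goes to the token endpoint later, never here."""
    urls = web_server_urls(web_server["domain"], web_server["app_name"],
                           web_server["secure"])
    return {"response_type": "code", "client_id": web_server["IdPClient"],
            "redirect_uri": urls["login"], "scope": "openid", "state": state}


# Constructed sample data using the page's example names (my.domain, AppNet).
# The client ID, tenant name and secret are made up for this example.
SECRET = "example-shared-secret-change-me"
CLIENT_ID = "b7f3c2e1-0000-4000-8000-000000000001"
IDP_CLIENT = {
    "protocol_type": "oidc",
    "redirect_urls": ["https://my.domain/AppNet/login.aspx"],
    "post_logout_redirect_urls": ["https://my.domain/AppNet/logout.aspx"],
    "allowed_grant_types": ["authorization_code"],
    "allowed_scopes": ["openid"],
    "require_pkce": False,
    "client_secret_required": True,
    "client_id": CLIENT_ID,
    "tenant": "onbase",
    "secret_hash": hash_secret(SECRET),
}
WEB_SERVER = {"domain": "my.domain", "app_name": "AppNet", "secure": True,
              "IdPTenant": "onbase", "IdPClient": CLIENT_ID, "IdPSecret": SECRET}

if __name__ == "__main__":
    print("mismatches:", check_registration(IDP_CLIENT, WEB_SERVER))
    # Registering Login.aspx instead of login.aspx, with Require PKCE selected,
    # is reported on both points.
    broken = dict(IDP_CLIENT, require_pkce=True,
                  redirect_urls=["https://my.domain/AppNet/Login.aspx"])
    for problem in check_registration(broken, WEB_SERVER):
        print("mismatch:", problem)
    print(authorization_request_params(WEB_SERVER, state="opaque-state"))
```

Run as a script, the matching configuration reports no mismatches and the deliberately broken one reports two. The authorization request parameters also show why the redirect URL is the value to get exactly right: it appears in every login request, while the secret is only presented at the token endpoint.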