The following information is specific to Hyland Identity Provider (IdP) Authentication.
The Hyland IdP Server cannot be used for authentication when OnBase is configured to use Institutional Databases.
- Foundation EP4
The password validation protocol used by the Hyland SCIM server for OnBase Foundation EP4 was updated for compatibility with Hyland IdP 2.2.0. If you are upgrading to Hyland IdP 2.2.0 but cannot upgrade to the Hyland SCIM server for OnBase Foundation EP4, you must configure an additional setting so that the legacy protocol can still be used with Hyland IdP 2.2.0. This setting is in the appsettings.json file of the Hyland IdP server, in the Features block: change the value of the UseDeprecatedPasswordApi setting to true:
"UseDeprecatedPasswordApi": true,
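Because this setting re-enables a deprecated password protocol, it is worth tracking as an upgrade checklist item and turning back off once the SCIM server for Foundation EP4 is in place. The following audit helper is an added example, not Hyland's code: it reads an appsettings.json text, looks for UseDeprecatedPasswordApi inside the Features block as the note describes, and reports whether the legacy protocol is enabled. The surrounding structure of the real appsettings.json is assumed; only the Features block and the setting name come from the note, and the sample document is constructed.

```python
import json
from pathlib import Path

# Constructed sample of the Features block described in the release note.
# Only "Features" and "UseDeprecatedPasswordApi" are taken from the note;
# the rest of a real Hyland IdP appsettings.json is not modelled here.
SAMPLE_APPSETTINGS = """{
  "Features": {
    "UseDeprecatedPasswordApi": true
  }
}"""


def legacy_password_api_enabled(appsettings_text: str) -> bool:
    """Return True when Features.UseDeprecatedPasswordApi is true.

    A missing Features block or a missing key is treated as False, matching
    the note: the legacy protocol is used only when explicitly enabled.
    Raises ValueError if the text is not strict JSON.
    """
    try:
        config = json.loads(appsettings_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"appsettings.json is not strict JSON: {exc}") from exc
    features = config.get("Features") or {}
    if not isinstance(features, dict):
        return False
    return features.get("UseDeprecatedPasswordApi") is True


def audit_finding(appsettings_text: str) -> str:
    """Return a one-line finding suitable for an upgrade checklist."""
    if legacy_password_api_enabled(appsettings_text):
        return (
            "UseDeprecatedPasswordApi is true: legacy SCIM password protocol is "
            "enabled; set it to false once the SCIM server for Foundation EP4 is deployed."
        )
    return "UseDeprecatedPasswordApi is not enabled: current password protocol in use."


def audit_file(path: Path) -> str:
    """Read an appsettings.json file from disk and return the finding for it."""
    return audit_finding(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Runs against the constructed sample; pass a real path to audit_file() instead.
    print(audit_finding(SAMPLE_APPSETTINGS))
```

Note that ASP.NET Core tolerates comments and trailing commas in appsettings.json while Python's json module does not; if your file uses them, the helper reports a ValueError rather than silently returning False, so the audit never passes on a file it could not actually read.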
- Foundation EP3
The value of the IdpUrl setting for the following modules no longer requires the tenant on the URL of the Hyland IdP server:
- Unity Client
- Agenda
- Hyland Office Integrations
- Medical Records Management (MRM) Client
- Unity Client for Use with SAP ArchiveLink
For example, if your domain is my.domain and the Hyland IdP application name is identityprovider, then the IdpUrl value is now:
https://my.domain/identityprovider
Before this change, that value would have included the tenant name. For example:
https://my.domain/identityprovider/tenant
- Foundation EP1
Starting in OnBase Foundation EP1, the Hyland Identity Provider (IdP) server was redesigned and is now part of the new Hyland Identity and Access Management (IAM) Services.
Due to the nature of the redesign, versions of the Hyland IdP server before OnBase Foundation EP1 are not compatible with OnBase Foundation EP1. To continue to use identity provider services in OnBase Foundation EP1, you must install and configure the redesigned Hyland IdP server included with Hyland IAM Services.
The following table outlines the major differences between Hyland IdP authentication in Foundation EP1 and previous versions of the software.
Feature | Versions before Foundation EP1 | Foundation EP1
---|---|---
Token protocol | A proprietary token-exchange protocol | OAuth2 OpenID Connect (OIDC)
Configuration | Manually edited XML | Graphical user interface with JSON
Windows autologin | Supported natively | Supported by federating to a third-party provider
Interactive AD/LDAP | Supported natively | Supported by federating to a third-party provider
User name attribute syncing | Supported for federated and directory service authentication | Supported for federated authentication only
Email attribute syncing | Supported for federated and directory service authentication | Supported for federated authentication only
Real name attribute syncing | Supported for federated and directory service authentication | Not supported
Role and User Group attribute syncing | Supported for federated and directory service authentication | Not supported
Strip domain from user name | Supported | Supported for federated authentication only
Usage terms page | Supported | Not supported
Standard OnBase authentication | Supported | Supported
SAML2 | Supports SP-initiated SAML2 | Supports SP-initiated SAML2
WS-Fed | Supported | Supported
CAS | Supported | Supported
Certificate-based authentication (CAC and PIV) | Supported | Not supported