Upgrade Considerations

Integrating With Hyland IAM Services

Platform: OnBase
Product: Identity and Access Management Services
Release: Foundation 23.1

The following information is specific to Hyland Identity Provider (IdP) Authentication.

Note: The Hyland IdP Server cannot be used for authentication when OnBase is configured to use Institutional Databases.

Foundation EP4

The password validation protocol used by the Hyland SCIM server for OnBase Foundation EP4 was updated for compatibility with Hyland IdP 2.2.0. If you are unable to upgrade to the Hyland SCIM server for OnBase Foundation EP4, but are upgrading to Hyland IdP 2.2.0, you must configure an additional setting to allow the legacy protocol to still be used with Hyland IdP 2.2.0. This setting is in the appsettings.json file of the Hyland IdP server, in the Features block: change the value of the UseDeprecatedPasswordApi setting to true.

"UseDeprecatedPasswordApi": true,

Foundation EP3

The value of the IdpUrl setting for the following modules no longer requires the tenant on the URL of the Hyland IdP server:

  • Unity Client

  • Agenda

  • Hyland Office Integrations

  • Medical Records Management (MRM) Client

  • Unity Client for Use with SAP ArchiveLink

For example, if your domain is my.domain and the Hyland IdP application name is identityprovider, then the IdpUrl value is now:

https://my.domain/identityprovider

Before this change, that value would have included the tenant name. For example:

https://my.domain/identityprovider/tenant
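
An added example, not Hyland's own code: a small Python audit for the two settings discussed above, the UseDeprecatedPasswordApi flag in the Features block of the IdP server's appsettings.json (Foundation EP4) and IdpUrl values that still carry a tenant segment (Foundation EP3). The sample JSON layout, the sample URLs, the function names, and the case-insensitive path comparison are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample input. Only the "Features" block and the
# "UseDeprecatedPasswordApi" key come from the page; the JSON layout is assumed.
SAMPLE_APPSETTINGS = '{"Features": {"UseDeprecatedPasswordApi": true}}'

# Constructed IdpUrl values, as they might be collected from client module configs.
SAMPLE_IDP_URLS = {
    "Unity Client": "https://my.domain/identityprovider",
    "Agenda": "https://my.domain/IdentityProvider/tenant/",
}

def legacy_password_api_enabled(appsettings_text):
    """Report whether Features.UseDeprecatedPasswordApi is switched on."""
    features = json.loads(appsettings_text).get("Features")
    if not isinstance(features, dict):
        return False
    value = features.get("UseDeprecatedPasswordApi", False)
    # Flag a quoted "true" as well, in case the server parses it as a boolean.
    return value is True or str(value).strip().lower() == "true"

def extra_idp_url_segments(idp_url, app_name):
    """Return the path segments that follow the IdP application name.

    An empty list matches the Foundation EP3 form; anything else is likely a
    leftover tenant name. Returns None if app_name is not in the path at all.
    """
    segments = [s for s in urlsplit(idp_url).path.split("/") if s]
    lowered = [s.lower() for s in segments]  # assumption: path is case-insensitive
    if app_name.lower() not in lowered:
        return None
    return segments[lowered.index(app_name.lower()) + 1:]

def audit(appsettings_text, idp_urls, app_name):
    """Collect findings for both upgrade considerations in one pass."""
    findings = []
    if legacy_password_api_enabled(appsettings_text):
        findings.append("IdP: UseDeprecatedPasswordApi is enabled (legacy protocol)")
    for module, url in idp_urls.items():
        extra = extra_idp_url_segments(url, app_name)
        if extra is None:
            findings.append(f"{module}: IdpUrl does not contain '{app_name}'")
        elif extra:
            findings.append(f"{module}: IdpUrl has trailing segment(s) {extra}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_APPSETTINGS, SAMPLE_IDP_URLS, "identityprovider")))
```

Running the audit again after the Hyland SCIM server has been upgraded shows whether the legacy password protocol setting is still enabled.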

Foundation EP1

Starting in OnBase Foundation EP1, the Hyland Identity Provider (IdP) server was redesigned and is now part of the new Hyland Identity and Access Management (IAM) Services.

Due to the nature of the redesign, versions of the Hyland IdP server before OnBase Foundation EP1 are not compatible with OnBase Foundation EP1. To continue to use identity provider services in OnBase Foundation EP1, you must install and configure the redesigned Hyland IdP server included with Hyland IAM Services.

The following table outlines the major differences between Hyland IdP authentication in Foundation EP1 and previous versions of the software.

| Feature | Versions before Foundation EP1 | Foundation EP1 |
| --- | --- | --- |
| Token protocol | A proprietary token-exchange protocol | OAuth2; OpenID Connect (oidc) |
| Configuration | Manually edited XML | Graphical user interface with JSON |
| Windows autologin | Supported natively | Supported by federating to a third-party provider |
| Interactive AD/LDAP | Supported natively | Supported by federating to a third-party provider |
| User name attribute syncing | Supported for federated and directory service authentication | Supported for federated authentication only |
| Email attribute syncing | Supported for federated and directory service authentication | Supported for federated authentication only |
| Real name attribute syncing | Supported for federated and directory service authentication | Not supported |
| Role and User Group attribute syncing | Supported for federated and directory service authentication | Not supported |
| Strip domain from user name | Supported | Supported for federated authentication only |
| Usage terms page | Supported | Not supported |
| Standard OnBase authentication | Supported | Supported |
| SAML2 | Supports SP-initiated SAML2 | Supports SP-initiated SAML2 |
| WS-Fed | Supported | Supported |
| CAS | Supported | Supported |
| Certificate-based authentication (CAC and PIV) | Supported | Not supported |