Adding a Relying Party Trust - Legacy Authentication Methods - Foundation 23.1 - Foundation 23.1 - Ready - OnBase - Essential - Premier - Standard - external - Standard - Essential - Premier

Legacy Authentication Methods

Legacy Authentication Methods
Foundation 23.1

The following instructions refer to third-party software and are included for illustration purposes only. Detailed instructions on how to configure AD FS and use the Add Relying Party Trust Wizard are available from Microsoft.

  1. Access the Add Relying Party Trust Wizard on the AD FS server.
  2. Under data source configuration, select the option to enter data about the relying party manually.
  3. Name the trust with a specific name that clearly identifies what resource this trust is for.
  4. When prompted to choose an AD FS profile, select AD FS 2.0 or AD FS 3.0, depending on your server.
  5. Under certificate configuration, click Browse to add a certificate and select the Token Encryption Certificate of the OnBase server you are establishing trust with.
  6. Under URL configuration, select the option to enable support for the WS-Federation Passive protocol.
  7. Enter the URL of the OnBase Web Server as the relying party WS-Federation Passive protocol URL. This is the fully qualified domain of the OnBase Web Server, for example

    The URL value is case sensitive. Make sure to include the trailing slash on the URL.

  8. Under identifiers configuration, add the same URL you configured as the relying party WS-Federation Passive protocol URL.

    The URL value is case sensitive. Make sure to include the trailing slash on the URL.

  9. Permit all users to access this relying party for the issuance authorization rules.

    AD FS 3.0 includes multi-factor authentication. Multi-factor authentication is supported by OnBase and there are currently no additional configuration steps needed to integrate multi-factor authentication with OnBase.

  10. At the verification screen, verify that the Encryption tab contains the encryption certificate and that the Endpoints tab is configured with the URL of the OnBase Web Server.

    If an encryption certificate was not provided for you to use, any trusted third-party encryption certificate can be used as long as the OnBase Web and Application Servers have the private key of that certificate installed in the LocalMachine\Personal store.

  11. After configuring the relying party you must add a claim rule.

    All listed claims must be configured with a claim rule in order to enable proper authentication.

  12. Select Send LDAP Attributes as Claims rule template for the rule type.
  13. Give the claim rule a descriptive name.
  14. Select Active Directory as the attribute store.
  15. Use the following table to map the LDAP attributes to outgoing claim types:

    LDAP Attribute

    Outgoing Claim Type


    Name ID


    The domain is stripped from the User-Principal-Name (UPN) value. The UPN can only be used if domain information is already configured in OnBase by using AD FS authentication along with AD Enhanced or LDAP authentication.



    Token-Groups – Unqualified Names



    E-Mail Address