The following instructions refer to third-party software and are included for illustration purposes only. Detailed instructions on how to configure AD FS and use the Add Relying Party Trust Wizard are available from Microsoft.
- Access the Add Relying Party Trust Wizard on the AD FS server.
- Under data source configuration, select the option to enter data about the relying party manually.
- Name the trust with a specific name that clearly identifies what resource this trust is for.
- When prompted to choose an AD FS profile, select the AD FS profile that matches your server version (AD FS 2.0 or AD FS 3.0).
- Under certificate configuration, click Browse to add a certificate and select the Token Encryption Certificate of the OnBase server you are establishing trust with.
- Under URL configuration, select the option to enable support for the WS-Federation Passive protocol.
- Enter the URL of the OnBase Web Server as the relying party WS-Federation Passive protocol URL. This is the fully qualified URL of the OnBase Web Server, including the host's fully qualified domain name, for example https://my.domain.com/AppNet/
Note: AD FS matches this URL exactly, so the value is case sensitive. Make sure to include the trailing slash on the URL.
- Under identifiers configuration, add the same URL you configured as the relying party WS-Federation Passive protocol URL.
Note: The URL value is case sensitive. Make sure to include the trailing slash on the URL.
- For the issuance authorization rules, select the option to permit all users to access this relying party.
Note: AD FS 3.0 includes multi-factor authentication. OnBase supports multi-factor authentication, and no additional configuration steps are currently needed to use it with OnBase.
- At the verification screen, verify that the Encryption tab contains the encryption certificate and that the Endpoints tab is configured with the URL of the OnBase Web Server.
Note: If an encryption certificate was not provided for you to use, any trusted third-party encryption certificate can be used, as long as the OnBase Web and Application Servers have the private key of that certificate installed in the LocalMachine\Personal store (Cert:\LocalMachine\My in PowerShell). AD FS only needs the public certificate to encrypt tokens; the private key is used by the OnBase servers to decrypt them.
- After configuring the relying party, you must add a claim rule.
Note: Every claim listed in the table below must be issued by a claim rule in order for authentication to work correctly.
- Select Send LDAP Attributes as Claims rule template for the rule type.
- Give the claim rule a descriptive name.
- Select Active Directory as the attribute store.
- Use the following table to map the LDAP attributes to outgoing claim types:

  LDAP Attribute                    Outgoing Claim Type
  User-Principal-Name               Name ID
  Display-Name                      Name
  Token-Groups – Unqualified Names  Role
  E-Mail-Addresses                  E-Mail Address

Note: The domain is stripped from the User-Principal-Name (UPN) value. The UPN can only be used if domain information is already configured in OnBase by using AD FS authentication along with AD Enhanced or LDAP authentication.
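As an added example (not part of the OnBase or Microsoft documentation), the same relying party trust and claim rules can be created with the AD FS PowerShell cmdlets on the AD FS server instead of the wizard. Scripting it makes the two checks the notes above call out (case-sensitive URL match and trailing slash) explicit, and the final function can be run on each OnBase Web and Application Server to confirm the decrypting private key is present. The trust name, URL, certificate path and thumbprint are assumed placeholder values.

```powershell
# Added example, not OnBase or Microsoft code. Run on the AD FS server.
# AD FS 3.0 (Windows Server 2012 R2) ships the ADFS module; on AD FS 2.0 use
# Add-PSSnapin Microsoft.Adfs.PowerShell instead, the cmdlet names are the same.
Import-Module ADFS

# Assumed values; replace with your own.
$TrustName = 'OnBase Web Server (my.domain.com)'
$OnBaseUrl = 'https://my.domain.com/AppNet/'
$CertPath  = 'C:\certs\onbase-token-encryption.cer'   # public part of the OnBase Token Encryption Certificate

function Test-OnBaseRpUrl {
    # AD FS matches the WS-Federation Passive URL and the identifier exactly,
    # so enforce https, the trailing slash and the absence of stray whitespace
    # before the value is written into the trust.
    param([Parameter(Mandatory)][string]$Url)
    $u = $null
    if ($Url -ne $Url.Trim())                                   { throw "URL has leading or trailing whitespace: '$Url'" }
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$u)) { throw "Not an absolute URL: $Url" }
    if ($u.Scheme -ne 'https')                                  { throw "Relying party URL must use https: $Url" }
    if (-not $Url.EndsWith('/'))                                { throw "Relying party URL must end with a trailing slash: $Url" }
    return $Url
}

$rpUrl = Test-OnBaseRpUrl $OnBaseUrl

# Load the OnBase server's public encryption certificate (no private key needed here).
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Issuance authorization rule: the wizard's "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rule: "Send LDAP Attributes as Claims" against Active Directory,
# with the four mappings from the table above. The unqualified tokenGroups attribute
# is what the wizard emits for "Token-Groups - Unqualified Names".
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "OnBase LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,displayName,tokenGroups,mail;{0}",
          param = c.Value);
'@

# Create the trust: identifier and passive endpoint are the same validated URL.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $rpUrl `
    -WSFedEndpoint $rpUrl `
    -EncryptionCertificate $encCert `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verification, mirroring the wizard's Encryption and Endpoints tabs.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if ($rp.Identifier -notcontains $rpUrl)      { throw 'Identifier does not match the passive endpoint URL' }
if ("$($rp.WSFedEndpoint)" -cne $rpUrl)      { throw 'WS-Federation Passive endpoint differs (check case and trailing slash)' }
if ($null -eq $rp.EncryptionCertificate)     { throw 'No encryption certificate attached to the trust' }
'{0}: endpoint {1}, encrypting to "{2}" (expires {3:d})' -f $rp.Name, $rp.WSFedEndpoint,
    $rp.EncryptionCertificate.Subject, $rp.EncryptionCertificate.NotAfter

# Run this part on each OnBase Web and Application Server: the certificate whose
# public half was given to AD FS must be present in LocalMachine\Personal
# (Cert:\LocalMachine\My) together with its private key, or tokens cannot be decrypted.
function Test-OnBaseDecryptionKey {
    param([Parameter(Mandatory)][string]$Thumbprint)   # assumed: thumbprint of the encryption certificate
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $c)               { throw "Certificate $Thumbprint is not in LocalMachine\My" }
    if (-not $c.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server" }
    return $c
}
```

Only the public certificate leaves the OnBase servers; if the wizard is used instead of this script, the same Test-OnBaseDecryptionKey check is still worth running on every OnBase Web and Application Server before the first sign-in, because a trust that encrypts to a certificate whose private key is missing fails only at token decryption time.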