The following certificates are used by OnBase or AD FS to complete authentication. Make sure you have the required certificates before attempting configuration.
- AD FS SSL: The SSL certificate used by IIS on the AD FS server to encrypt traffic. It is required. The private key resides on the AD FS server, and both the OnBase Web Server and the client machine must trust the issuer (root CA) of the certificate.
- Token Encryption: The certificate used by AD FS to encrypt the token sent to the client. It is not required, but it is recommended.
- Token Signing: The certificate used by AD FS to sign SAML tokens. It is required. The public key (the certificate without its private key) resides on the OnBase Web Server.
- Request Signing: The certificate used by OnBase to sign the request sent to the AD FS server. It is not required, but it is recommended.
- Web Server SSL: The SSL certificate used by IIS on the OnBase Web Server to encrypt traffic. It is required. The private key resides on the OnBase Web Server, and both the AD FS server and the client machine must trust the issuer (root CA) of the certificate.
OnBase using AD FS authentication does not support CNG (Cryptography Next Generation) certificates: the private key of each certificate must be held by a legacy CryptoAPI cryptographic service provider (CSP), not by a CNG key storage provider (KSP). A certificate whose key was generated under a KSP cannot be used as-is; request it again from a template that uses a legacy CSP, or, if the key is exportable, re-import the PFX with certutil -csp "<legacy provider name>" -importPFX so the key is stored under a CSP.
All certificates should be in the Local Computer (not Current User) certificate stores. If the OnBase Application Server is on a different machine from the OnBase Web Server, the same certificates must be installed, in the same stores, on both servers.
All private keys should be stored in the Local Computer\Personal certificate store. Each certificate with a private key in that store should also have its public certificate in either the Local Computer\Trusted Root Certification Authorities or the Local Computer\Trusted People store (Trusted Root should only hold certificates that are themselves to be treated as trust anchors, such as self-signed certificates; CA-issued certificates belong in Trusted People). All other public certificates (those for which only the public key is present) should be stored in the Local Computer\Trusted People certificate store.
The Application Pool Identity account or impersonation account configured for the servers requires Read access to the private keys of the certificates. This is set on the private key's ACL (in the certificate manager, right-click the certificate and choose All Tasks > Manage Private Keys), not on the certificate store itself.
Certificate thumbprints are used to correctly identify the certificate to use for communication. The thumbprint value can be found in the certificate manager on the Details tab of the certificate. When copying it, remove the spaces and be aware that the copied value may contain an invisible leading character that makes the thumbprint fail to match; re-type the first character or strip everything that is not a hexadecimal digit before pasting it into the configuration.
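The following PowerShell script is an added example and is not OnBase or Microsoft code. It checks one certificate on the OnBase Web Server against the requirements above: it cleans the pasted thumbprint, confirms the certificate sits in Local Computer\Personal with a private key, rejects CNG-backed keys, verifies (and if necessary grants) Read access on the private key for the application pool identity, and confirms the certificate chains to a trusted root. It assumes Windows PowerShell 5.1 run from an elevated prompt on a machine where the private key is a machine-store CSP key; the thumbprint and the identity name `IIS AppPool\DefaultAppPool` are placeholders to replace with your own values.

```powershell
# Added example (not OnBase or Microsoft code): preflight check of one certificate
# on the OnBase Web Server. Assumes Windows PowerShell 5.1, run as administrator.
# Usage: .\Test-OnBaseAdfsCert.ps1 -Thumbprint '<thumbprint>' -Identity 'IIS AppPool\<pool>'
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $Identity = 'IIS AppPool\DefaultAppPool'   # assumed app pool identity; placeholder
)

# 1. Thumbprints pasted from the certificate manager often carry spaces or an
#    invisible leading mark; keep only hexadecimal digits (SHA-1 = 40 of them).
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Thumbprint '$Thumbprint' is not 40 hex characters after cleanup (got $($clean.Length))"
}

# 2. The certificate with its private key must be in Local Computer\Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My" }
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key" }

# 3. OnBase AD FS authentication needs a legacy CSP key, not a CNG (KSP) key.
#    GetRSAPrivateKey returns RSACng for KSP-backed keys and
#    RSACryptoServiceProvider for CSP-backed keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    throw "Private key is a CNG key (provider: $($rsa.Key.Provider.Provider)); re-issue it under a legacy CSP"
}
$csp = $rsa.CspKeyContainerInfo
"Provider: $($csp.ProviderName) (machine key store: $($csp.MachineKeyStore))"

# 4. The app pool / impersonation account needs Read on the private key. For a
#    machine-store CSP key the ACL lives on the key container file below.
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.UniqueKeyContainerName)"
$acl = Get-Acl -Path $keyFile
$readBit = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and          # -eq is case-insensitive
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readBit) -eq $readBit)
}
if ($hasRead) {
    "ACL     : $Identity already has Read on the private key"
} else {
    Write-Warning "$Identity has no Read access to the private key; granting it"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# 5. The certificate must chain to a root this machine trusts (the issuer-trust
#    requirement for the SSL certificates). Revocation is skipped so the check
#    works offline; drop that line to include CRL/OCSP checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Certificate $clean does not chain to a trusted root on this machine"
}
"Chain   : " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
```

Run the script once per certificate on each server that holds a private key (the OnBase Web Server and, if separate, the Application Server), using the account name that actually runs the application pool or impersonates for it. Step 4 only covers machine-store CSP keys; if step 3 reports a CNG key the script stops there on purpose, because such a key must be replaced rather than re-permissioned.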