App Server Configuration - Legacy Authentication Methods - Foundation 23.1 - Foundation 23.1 - Ready - OnBase - Essential - Premier - Standard - external - Standard - Essential - Premier

Legacy Authentication Methods

Legacy Authentication Methods
Foundation 23.1

The Integration for Single Sign-On installation wizard must be run on both the OnBase Web and Application Servers before configuring an Authentication Server model.


Before configuring the Application Server, ensure that you have completed the steps for Web Server Configuration (see Web Server Configuration). If the Application is on a different machine from the Web Server, Integration for Single Sign-On must first be installed on that machine (see Installation).

  1. Launch the Single Sign On Config utility (SingleSignOnConfig.exe).

    If Windows UAC is enabled, the executable must be run as an administrator.

    The Single Sign On Config dialog is displayed.

  2. Select App Server. The Type drop-down list is enabled and the Public Key Token input is displayed.
  3. Change the Virtual Directory to point to the server that is acting as the authentication server. This is typically the OnBase Application Server. In a default installation, the Application Server is installed to C:\inetpub\wwwroot\AppServer.
  4. Select Standard from the drop-down list unless you are using a custom authenticator.

    Select CUSTOM... if you are using a custom authenticator.


    If you are using a CUSTOM authenticator, you must complete the steps under Using Custom Authenticators before continuing.

  5. Click in the white area beneath the Public Key Token column heading. (null) is displayed.
  6. Make sure the Public Key Token you copied during Web Server configuration has been copied to the clipboard. If you copied the public key to a text file on the authentication server, you must first copy the value from the text file to place it in the clipboard.
  7. Right-click on (null) and select Paste. The Public Key Token you copied to the clipboard is added to the list.
  8. Select an option under Synchronize User Groups to allow Integration for Single Sign-On to mimic some of the features of Active Directory or LDAP authentication.

    The option selected is used to synchronize OnBase users and user groups with the authentication method selected. For example, if a user exists in an LDAP user group but not in OnBase, and LDAP is selected, that user is automatically created in OnBase and placed in all matching OnBase user groups, allowing for a seamless log in.


    If you select to synchronize user groups you must configure a default User Group. If no default User Group is configured, users are not created or synchronized in OnBase. See Enabling Automatic User Creation with Single Sign-On.

    • Do not synchronize: Users are not created automatically in OnBase and no synchronization takes place regarding user groups, even if an authentication method is being used. Select this option if you intend to pass credentials for existing OnBase users and you do not want user group synchronization to take place.

    • LDAP: Users are created and/or user groups are synchronized automatically in OnBase according to the user's groups in LDAP. The matching user groups must already exist in OnBase.

    • Active Directory - Basic: This authentication method was removed after OnBase 18. To continue using Active Directory to synchronize users, you must change the configuration of OnBase to Active Directory - Enhanced or LDAP, then select the matching option under Synchronize User Groups. See Configuring Standard Authentication for information on moving OnBase authentication to Active Directory Enhanced or LDAP.

    • Active Directory - Enhanced: Users are created and/or user groups are synchronized automatically in OnBase according to the user's groups in Active Directory. Active Directory Enhanced is a Windows-based integrated security model that provides control over domain group mapping. It is the recommended choice for multiple-domain OnBase environments. Group mapping and user authentication is achieved using the Active Directory Security ID (SID) of the group and user logging in, so name matching is not required with Active Directory Enhanced.


      If you select Active Directory - Enhanced, after completing these configuration steps, the steps in the Synchronizing User Groups Via Active Directory topic must also be completed.

  9. Click Configure.
  10. Click Close to close the Single Sign On Config utility.

    To complete the integration, see Additional Configuration for Single Sign-On.