The OnBase Entrust Configuration utility is used to generate and store the private key that is used to authenticate using OnBase Entrust. The private key is encrypted using the Windows Data Protection API and stored in a registry key protected using an Access Control List (ACL), such that only the Windows user specified and system administrators have access to the private key.
In order to authenticate a LOB application with Integration for Single Sign-On, the LOB application must be able to generate a valid token, which is passed to Integration for Single Sign-On.
The OnBase Entrust token generated contains the following information:
- User name: The OnBase user name provided by the LOB application.
- Time stamp: The time stamp when the token was generated, based on the application server time. The time stamp is used to prevent token reuse and to ensure that the token was generated within the last hour.
  Note: OnBase Entrust uses the application server time when generating the token, but verification of the token usually occurs on the web server. For this reason, the application server and the web server must have their clocks synchronized to within one hour of each other for OnBase Entrust to validate the token generated.
- Digital signature: The user name and time stamp are digitally signed using the OnBase Entrust private key, generated by the OnBase Entrust Configuration utility.
- Public key: The public key of the OnBase Entrust public/private key pair, which is used to verify that the digitally signed token is valid and has not been modified during transmission.
Integration for Single Sign-On trusts a token only if it is signed by the key that is configured using the Single Sign-On Configuration utility; that utility is provided with a SHA-512 hash of the trusted public key, so a token carrying any other public key is rejected regardless of whether its signature verifies.
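The issue-and-verify flow described above, as an added example that is not Hyland's code and does not reflect the product's actual wire format: the token layout, the use of RSA PKCS#1 v1.5 over SHA-512 for the signature, the hex encoding of the SHA-512 key hash, and the NewKey helper are assumptions. The verifier checks the pinned key hash first, then the signature over user name and time stamp, then the one-hour freshness window with the documented clock tolerance.

```go
package main

import ("crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha512"; "crypto/x509"; "encoding/hex"; "errors"; "time")

// NewKey stands in for the Entrust Configuration utility's key generation (2048-bit RSA assumed).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Token holds the four items the text lists; the wire encoding is an assumption.
type Token struct {
	UserName  string
	TimeStamp time.Time
	Signature []byte // signature over user name + time stamp
	PublicKey []byte // DER (PKIX) encoding of the signer's public key
}

// signedData is the byte string the signature covers (assumed layout).
func signedData(user string, ts time.Time) []byte {
	return []byte(user + "|" + ts.UTC().Format(time.RFC3339))
}

// Issue is the LOB application's side: sign user name and time stamp with the
// Entrust private key (RSA PKCS#1 v1.5 over SHA-512 is an assumption).
func Issue(priv *rsa.PrivateKey, user string, now time.Time) (Token, error) {
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil { return Token{}, err }
	digest := sha512.Sum512(signedData(user, now))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	return Token{user, now, sig, pub}, err
}

// PinnedHash is what the Single Sign-On Configuration utility is given: the SHA-512 hash of the trusted public key (hex assumed).
func PinnedHash(pubDER []byte) string { h := sha512.Sum512(pubDER); return hex.EncodeToString(h[:]) }

// Verify is Integration for Single Sign-On's side: key pin first, then signature, then freshness.
func Verify(t Token, pinnedHash string, now time.Time) error {
	if PinnedHash(t.PublicKey) != pinnedHash {
		return errors.New("public key does not match the configured SHA-512 hash")
	}
	key, err := x509.ParsePKIXPublicKey(t.PublicKey)
	rsaPub, ok := key.(*rsa.PublicKey) // ok is false for a nil key, so a parse error also fails below
	digest := sha512.Sum512(signedData(t.UserName, t.TimeStamp))
	if err != nil || !ok || rsa.VerifyPKCS1v15(rsaPub, crypto.SHA512, digest[:], t.Signature) != nil {
		return errors.New("signature invalid")
	}
	// Generated within the last hour, allowing the documented one-hour clock skew between servers.
	if age := now.Sub(t.TimeStamp); age > time.Hour || age < -time.Hour {
		return errors.New("time stamp outside the one-hour window")
	}
	return nil
}
```

Because the pin check runs before signature verification, a token from a key the utility was never configured with fails even if it is otherwise well formed, and a replayed token fails once its time stamp falls outside the window.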