Setting Up the Hyland IdP Server

Product: Identity and Access Management Services
Release: 4.4
Platform: Other

After preparing the environment for initialization, you must set up the Hyland IdP server by completing the base configuration for it.

Note:

It is assumed that the environment has already been prepared for setting up the Hyland IdP server. If you have not yet prepared the environment, first complete the instructions under Preparing the Environment for Initialization.

Configuration can be completed using the graphical initialization client. This section provides the instructions for using the initialization client.

Note: These instructions include some settings that must be configured to successfully create a load-balanced environment on the Hyland IdP server. See Configuring Load Balancing for the Hyland IdP Server for a list of general considerations to account for when creating a load-balanced environment.

Tip:

The same actions can also be completed using a command-line utility. See Setting Up the Hyland IdP Server From the Command Line.

To set up the base configuration for the Hyland IdP server:

  1. Open the Hyland IdP server by browsing to a localhost URL for the Hyland IdP server application in IIS.

    For example, in a default installation, the Hyland IdP server is installed to IIS as the identityprovider application, so the URL is localhost/identityprovider

    The Hyland IdP initialization page is displayed.

  2. Under IdP Base Data, enter the following values in the fields provided.

    Field

    Value

    Public Origin

    The root URL of the server in IIS hosting the Hyland IdP server. Do not include the virtual directory of the Hyland IdP server in the Public Origin value.

    For example, if the URL of the Hyland IdP server is https://server.domain.com/identityprovider, then the Public Origin value is https://server.domain.com

    Note:

    The Hyland IdP server must be configured for secure connections (HTTPS).

    Issuer

    The URL of the Hyland IdP server. This value must match the casing of the application name in IIS.

    For example, if the public origin of the Hyland IdP server is https://server.domain.com and the default application name was used, then the Issuer value is https://server.domain.com/identityprovider

    If you want to use URIs that are not in lowercase, then you must set the issuer URI manually.

    Note:

    The Hyland IdP server must be configured for secure connections (HTTPS).

    IdPConfig File Path

    The full file path of the idpconfig.json configuration file. In load-balanced environments, each server should use the same idpconfig.json file. If a single, shared file cannot be used, the idpconfig.json files must be exactly the same between servers. By default, this is set to idpconfig.json which corresponds to the default installation location of C:\Program Files\Hyland\identityprovider\idpconfig.json.

    Note: This setting is required for each server in a load-balanced environment.

    Enter a valid UNC path to the location of the idpconfig.json configuration file if the file is located on a remote server.

    Note:

    The identity running the Hyland IdP server application pool must have Modify access to the idpconfig.json file.

    IdP Managed Signing Certificate

    Allows Hyland IdP to automatically generate and manage the signing certificate. Hyland IdP uses the auto-generated signing certificate to sign the newly-issued tokens.

    To complete the initialization process, you must perform either of the following actions:

    • Enable the IdP Managed Signing Certificate checkbox
      Note: Enabling IdP Managed Signing Certificate makes selecting a signing certificate from the drop-down menu optional.
    • Select a signing certificate from the Select Signing Certificate drop-down menu

    When you enable the IdP Managed Signing Certificate checkbox and select a signing certificate from the Select Signing Certificate drop-down menu, Hyland IdP signs the newly-issued tokens with a self-generated signing certificate.

    Signing Certificate

    The RSA certificate being used for encryption, which can be found in the IIS bindings or in the Windows Certificate Store. The certificate must include digital signatures key usage and be placed in the personal store of the local machine.

    When you only select a signing certificate from the drop-down menu, Hyland IdP uses the configured certificate to sign the tokens.

    The certificate selected from the Select Signing Certificate drop-down menu is set as a validation key and is used only to validate existing tokens that were previously signed using this specific certificate while the IdP Managed Signing Certificate option was enabled. For existing deployments, we therefore recommend keeping this value as is.

    Note:

    The IIS_IUSRS account must have Read access to the private key of the signing certificate. For details on configuring certificate permissions, see the documentation provided by Microsoft for the Certificate Manager tool.

    Key File Persistence Location

    The fully qualified UNC path of the common directory where the keyfile used for encrypting and decrypting cookies, tokens, and other values is stored. In load-balanced environments, each server must use the same keyfile location.

    Note: This setting is required for each server in a load-balanced environment.

    By default, the ASP.NET\DataProtection-Keys directory within the local application data directory is used, but that location is not accessible by other servers.

    Note:

    The identity running the Hyland IdP server application pool must have Modify access to the keyfile location in order to create and store keyfiles.

    Key Encryption Certificate Thumbprint

    The thumbprint of the RSA certificate being used for encryption, which can be found in the IIS bindings or in the Windows Certificate Store.

    The encryption certificate must include digital signatures key usage and be placed in the personal store of the local machine. The same certificate must be used for each Hyland IdP server in a load-balanced environment.

    Note: This setting is required for each server in a load-balanced environment.

    Select the certificate thumbprint from the drop-down list.

    Note:

    The identity running the Hyland IdP server application pool must have Read access to the private key of the encryption certificate. For details on configuring certificate permissions, see the documentation provided by Microsoft for the Certificate Manager tool.

    Note: The IdPConfig File Path, Key File Persistence Location, and Key Encryption Certificate Thumbprint settings must be configured to successfully create a load-balanced environment on the Hyland IdP server. The values of these three settings must be identical on every Hyland IdP server in the load-balanced environment. See Configuring Load Balancing for the Hyland IdP Server for a list of general considerations to account for when creating a load-balanced environment.

  3. Under Default tenant Information, enter the following values in the fields provided.

    Field

    Value

    Tenant Name

    The name of the tenant used by the Hyland IdP server. The tenant name must not contain any special characters such as spaces, comma, dot, or slashes.

    Note:

    If your solution uses the Hyland SCIM server, the Tenant Name must exactly match the Name of the datasource configured for the connection string on the Hyland SCIM server. For example, if the SCIM datasource name is MyDBTenant, then the tenant Name must also be MyDBTenant.

    SCIM Url

    If your solution uses the Hyland SCIM server, enter the URL of the SCIM server endpoint on the Hyland API Server.

    Note:

    The SCIM Url only needs to be configured for OnBase environments. It can be left empty for other environments.

    The SCIM endpoint is the API Server URL with /onbase/SCIM appended to it. For example, if the root URL of the Hyland API Server is https://server.domain.com and the default application name was used, then the SCIM Url value is https://server.domain.com/ApiServer/onbase/SCIM

    Note:

    Make sure the use of HTTP or HTTPS matches the configuration of your domain in IIS. The Hyland IdP server must be configured for secure connections (HTTPS).

    SCIM Proxy Settings

    The proxy behavior the Hyland IdP server uses to communicate with the Hyland SCIM server.

    By default, the Hyland IdP server uses the proxy behavior defined by .NET Core. This behavior can be changed to always bypass the proxy, or to use the Microsoft Internet Explorer settings to define the URLs that bypass the proxy. Select one of the values from the drop-down list:

    • Default: The Hyland IdP server uses the proxy behavior defined by .NET Core.
    • NoProxy: The Hyland IdP server always bypasses the proxy.
    • System: The Hyland IdP server uses Microsoft Internet Explorer settings to define the URLs that bypass the proxy.

    Administrative Users

    The user names of those authorized to make configuration changes in the IdP Administration Client.

    Note:

    You must configure at least one user in the Administrative Users field or at least one user group in the Administrative Groups field for each tenant. See the description of the Administrative Groups field in this table for more information on configuring an administrative group.

    User names must be entered as a comma-separated list. For example, if you are entering the user names of manager, user1, and user2, this must be entered as manager, user1, user2

    Administrative Groups

    The user group names of those authorized to make configuration changes in the IdP Administration Client.

    Note:

    You must configure at least one user in the Administrative Users field or at least one user group in the Administrative Groups field for each tenant. See the description of the Administrative Users field in this table for more information on configuring an administrative user.

    User group names must be entered as a comma-separated list. For example, if you are entering the user group names of idpmanagers, ISmanagers, and DeptManagers, this must be entered as idpmanagers, ISmanagers, DeptManagers

  4. Click Initialize Configuration at the bottom of the page. The values entered are saved to the configuration files for the Hyland IdP server.
  5. Next, complete the instructions under Creating and Configuring the Operational Database.
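The rules stated in steps 2 and 3 (an HTTPS-only Public Origin without the virtual directory, an Issuer that matches the IIS application name including its casing, a tenant name without special characters, a SCIM Url of the expected form, at least one administrative user or group, and identical load-balancing settings on every server) collected into a pre-flight check that can be run before clicking Initialize Configuration. This is an added example, not code from the Hyland documentation or product; the dictionary keys, server names, UNC paths and the thumbprint placeholder are assumptions, and it generalizes the page's single-server example to comparing several servers.

```python
from urllib.parse import urlparse

# Characters the tenant name must not contain (spaces, commas, dots, slashes).
TENANT_FORBIDDEN = set(" ,./\\")
# Settings that must be identical on every server in a load-balanced environment.
LB_SETTINGS = ("IdPConfigFilePath", "KeyFilePersistenceLocation",
               "KeyEncryptionCertificateThumbprint")


def split_csv(value):
    """Parse a comma-separated user or group list, dropping blank entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_base_data(cfg, iis_app_name="identityprovider"):
    """Return the problems found in one server's values; an empty list means OK."""
    problems = []
    origin = urlparse(cfg.get("PublicOrigin", ""))
    if origin.scheme != "https":
        problems.append("Public Origin must use HTTPS")
    if origin.path not in ("", "/"):
        problems.append("Public Origin must not include the virtual directory")
    # The Issuer is the origin plus the IIS application name, casing included.
    expected_issuer = f"https://{origin.netloc}/{iis_app_name}"
    if cfg.get("Issuer", "") != expected_issuer:
        problems.append(f"Issuer must be exactly {expected_issuer}")
    tenant = cfg.get("TenantName", "")
    if not tenant or TENANT_FORBIDDEN & set(tenant):
        problems.append("Tenant Name is empty or contains a forbidden character")
    scim = urlparse(cfg.get("ScimUrl", ""))
    if cfg.get("ScimUrl") and (scim.scheme != "https" or not scim.path.endswith("/onbase/SCIM")):
        problems.append("SCIM Url must be the HTTPS API Server URL ending in /onbase/SCIM")
    if not split_csv(cfg.get("AdministrativeUsers", "")) and not split_csv(cfg.get("AdministrativeGroups", "")):
        problems.append("At least one administrative user or group is required")
    return problems


def load_balance_mismatches(servers):
    """Return the load-balancing settings whose values differ between servers."""
    return [s for s in LB_SETTINGS if len({c.get(s) for c in servers.values()}) != 1]


# Constructed sample values for two servers behind a load balancer (assumed, not from the page).
IDP01 = {"PublicOrigin": "https://server.domain.com",
         "Issuer": "https://server.domain.com/identityprovider",
         "IdPConfigFilePath": r"\\fileshare\idp\idpconfig.json",
         "KeyFilePersistenceLocation": r"\\fileshare\idp\keys",
         "KeyEncryptionCertificateThumbprint": "THUMBPRINT-PLACEHOLDER",
         "TenantName": "MyDBTenant", "ScimUrl": "https://server.domain.com/ApiServer/onbase/SCIM",
         "AdministrativeUsers": "manager, user1, user2", "AdministrativeGroups": ""}
# Second server still on the local default key location, which other servers cannot reach.
IDP02 = dict(IDP01, KeyFilePersistenceLocation=r"C:\Users\svc\AppData\Local\ASP.NET\DataProtection-Keys")
```

Running `validate_base_data(IDP01)` returns an empty list, and `load_balance_mismatches({"idp01": IDP01, "idp02": IDP02})` reports the Key File Persistence Location that differs between the two servers.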