AdamShaneHyland
Employee

Authentication can seem overwhelming.  That is because there is a lot to know when having a conversation about how authentication works with OnBase.  The resources on this page will provide all of the information you need to learn how authentication works with OnBase.

 

The Journey of Authentication through the Ages...

To start the conversation about authentication, we need to take a trip down memory lane and look at authentication options from a historical perspective.  When authentication of users to applications first started, users would log in to the application with a username and password specific to that application.  This in turn meant a (potentially) different user account and password for every application.

 

To simplify authentication for the user, applications were tied to the logged-in user's credentials.  This meant the user would log in to their workstation and then seamlessly use those credentials to log in to applications.  This is known as direct authentication or SSO (single sign-on).  Protocols like LDAP and Kerberos supported this form of authentication, allowing the user to log in without having to re-enter their credentials.

 

With the advent of hosted applications, we needed a different way to authenticate users.  This is because an application cannot natively trust who the user claims to be when the application is not hosted by the user's organization.  For example, think of a customer trying to access the Web Server hosted by Global Cloud Services (GCS).  The customer's organization doesn't trust the Hyland Cloud, or vice versa.  For this, we need new technologies to support federated authentication.  Applications like Active Directory Federation Services and Shibboleth help to bridge these gaps.

 

The following table lists some of the protocols which will come up as you further discover the authentication options for OnBase.

| Protocol | Full Name | Description | Introduced | Link |
|---|---|---|---|---|
| LDAP | Lightweight Directory Access Protocol v3 | An open, vendor-neutral protocol that standardizes how directory information is stored and queried.  The LDAP query language is used to look up information about a user, and these queries can be used to authenticate the user against the directory service. | 1997 | link |
| KRB5 | Kerberos v5 | A protocol used for user authentication.  It works by granting tickets. | 2005 | link |
| SAML2 | Security Assertion Markup Language v2 | An open standard for the exchange of authentication information.  It works by sharing information via XML. | 2005 | link |
| WSFED | Web Services Federation | A protocol which enables a reusable security token service model and protocol to address the identity requirements of both web applications and web services in a variety of trust relationships. | 2007 | link, link, link |
| CAS | Central Authentication Service | A single sign-on protocol used for web applications. | 2006 | link |
| OAuth2 | | An open standard protocol used to grant web sites access to information. | 2012 | link |
| OIDC | OpenID Connect | An authentication layer built on top of OAuth2. | 2014 | link, link |

 

The following table lists authentication services which are often used with OnBase.

| Service | Description | Link |
|---|---|---|
| Active Directory | Microsoft's implementation of a directory service.  Widely used for user and resource management.  It supports native APIs or can be queried with LDAP-style queries. | link |
| Active Directory Federation Services (AD FS) | Microsoft's implementation of a federation service which runs on Active Directory to support authentication of users to non-trusted applications.  Supports WSFED and SAML. | |
| Shibboleth | An open source identity and access management solution that connects users and applications. | link |
 

Hyland Community - Authentication and Security

The first place to start your journey of authentication knowledge is the Hyland Community Authentication and Security Group (https://community.hyland.com/technical/authentication-and-security).  Here you will find all of the available public resources for authentication related to OnBase.  All of the Module Reference Guides (MRGs) will be under the Resources section of this group.

 

Resources

| Name | Content | Location | Description | Level | Link |
|---|---|---|---|---|---|
| Security Best Practices | White Paper | Community | Document describing the security best practices for OnBase. | Intermediate | link |
| Securing Your OnBase System | Recording | Community | This session will cover the multitude of options that you have to design a truly secure OnBase system including authentication and privileges, database best practices, diskgroup security, server configuration, encryption and more! We will discuss software features and best practices for implementation and regulatory compliance. | Intermediate | link |
| Securing Your OnBase System | PowerPoint | Community | This session will cover the multitude of options that you have to design a truly secure OnBase system including authentication and privileges, database best practices, diskgroup security, server configuration, encryption and more! We will discuss software features and best practices for implementation and regulatory compliance. | Intermediate | link |

 

Integrated Authentication

When we refer to integrated authentication, this means authentication built into the software.  Typically this refers to Active Directory or LDAP authentication, where the software (OnBase Thick Client, OnBase Application Server, etc.) makes a direct call out to the directory service server (i.e. an LDAP server or an Active Directory Domain Controller).  For Active Directory, there are two implementations: Active Directory - Basic and Active Directory - Enhanced.  Active Directory - Basic was the original implementation of a native Active Directory authentication method (it was called Network Security until OnBase 14 - SCR: #168048).  Authentication was based on name mapping of users and user groups.  It has been sunset with OnBase Foundation EP1 (link).  With the release of OnBase 12, a newer authentication method called Active Directory (renamed Active Directory - Enhanced in OnBase 14 - SCR: #168048) was created to provide a tighter integration with Active Directory.  This tighter coupling is based on storing the security identifiers (SIDs) of users and user groups within the OnBase database.
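The following is an added illustration, not Hyland code, of why storing the directory SID is a tighter coupling than mapping by account name.  It uses a constructed directory snapshot with placeholder SIDs and a deliberately simplified model of the two mappings (the real Basic and Enhanced implementations are documented in the resources below): when an account is deleted and re-created with the same name it receives a new SID, and when it is renamed the SID stays the same.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryAccount:
    sid: str       # constructed placeholder, not a real SID
    sam_name: str  # logon name (sAMAccountName)


class NameKeyedMapping:
    """Simplified Basic-style link: OnBase user is found by directory name."""
    def __init__(self):
        self._by_name = {}  # lower-cased directory name -> OnBase user name

    def link(self, onbase_user, account):
        self._by_name[account.sam_name.lower()] = onbase_user

    def resolve(self, account):
        return self._by_name.get(account.sam_name.lower())


class SidKeyedMapping:
    """Simplified Enhanced-style link: OnBase user record stores the SID."""
    def __init__(self):
        self._by_sid = {}  # SID -> OnBase user name

    def link(self, onbase_user, account):
        self._by_sid[account.sid] = onbase_user

    def resolve(self, account):
        return self._by_sid.get(account.sid)


def _linked_pair():
    """Link the OnBase user JDOE to the constructed account jdoe in both models."""
    original = DirectoryAccount(sid="S-1-5-21-EXAMPLE-1001", sam_name="jdoe")
    by_name, by_sid = NameKeyedMapping(), SidKeyedMapping()
    by_name.link("JDOE", original)
    by_sid.link("JDOE", original)
    return original, by_name, by_sid


def resolve_after_recreate():
    """Account deleted and re-created with the same name gets a new SID."""
    _, by_name, by_sid = _linked_pair()
    recreated = DirectoryAccount(sid="S-1-5-21-EXAMPLE-1042", sam_name="jdoe")
    # name-keyed: the new account silently inherits JDOE's OnBase privileges
    # SID-keyed: no match, so the account must be deliberately re-linked
    return {"name_keyed": by_name.resolve(recreated), "sid_keyed": by_sid.resolve(recreated)}


def resolve_after_rename():
    """Account renamed in the directory keeps its SID."""
    original, by_name, by_sid = _linked_pair()
    renamed = DirectoryAccount(sid=original.sid, sam_name="jsmith")
    # name-keyed: the user can no longer be resolved; SID-keyed: still JDOE
    return {"name_keyed": by_name.resolve(renamed), "sid_keyed": by_sid.resolve(renamed)}
```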

 

Resources

| Name | Content | Location | Description | Level | Link |
|---|---|---|---|---|---|
| Integrated Authentication | eLearning | Premium | This course will walk you through, step by step, the process of enabling OnBase, the database and all of your clients to use your organization's already existing network security scheme to protect your system. | Beginner | link |
| Authentication Options for an OnBase Solution (CommunityLIVE) | PowerPoint | Community | This class provides an overview of user authentication options, including OnBase setup for Active Directory, LDAP authentication and our Single Sign-On integration. In the lab portion, we'll help you get started implementing Active Directory authentication with the OnBase Client, Web Client and Unity Client and also explore common troubleshooting techniques related to authentication. | Beginner | link |
| Network Security and OnBase | eLearning | Premium | This class is designed to give attendees a better understanding of the network security aspects of OnBase. A presentation and lab will provide an end-to-end walkthrough of how Windows NT and LDAP authentication work with the OnBase Client, Web Client and Application Server. The class will also explore common troubleshooting utilities. | Intermediate | link |
| Directory Service Authentication | White Paper | Community | This document is intended for OnBase and Network Administrators wanting to learn more about the Directory Service Authentication options in OnBase and best practices. | Advanced | link |
| Changes to Non-Interactive Domain Authentication | Blog | Community | Changes made with the release of OnBase 18.0.1.67 (any build of OnBase 18.0.1.67 and higher, including any build of OnBase Foundation) related to Kerberos authentication and the "Double Hop". | Intermediate | link |
| Sunsetting the Active Directory - Basic authentication method in OnBase Foundation | Blog | Community | A blog post which discusses the sunsetting of the Active Directory - Basic feature with the release of OnBase Foundation EP1. | Beginner | link |

 

Integration for Single Sign On (Legacy)

The term Single Sign On (SSO) is confusing because it means different things to different people.  Originally, the term meant not having to enter credentials in order to authenticate into an application.  With respect to OnBase, this meant using one of the integrations available under the Integration for Single Sign On license (CAS, PeopleSoft, Active Directory Federation Services - AD FS, Entrust, etc.).  Typically these integrations are used to allow a user to seamlessly authenticate into OnBase from a line of business application without having to enter credentials, meaning the line of business application and OnBase are configured to trust one another.

 

Resources

| Name | Content | Location | Description | Level | Link |
|---|---|---|---|---|---|
| Active Directory Federation Services (AD FS) - OnBase 12 and 13 | White Paper | Community | A detailed document on how to configure Active Directory Federation Services (AD FS) with OnBase 12 and OnBase 13. | Intermediate | link |
| Active Directory Federation Services (AD FS) - OnBase 14 and Higher | White Paper | Community | A detailed document on how to configure Active Directory Federation Services (AD FS) with OnBase 14 and OnBase 13. | Intermediate | link |
| Entrust Single Sign On | eLearning | Premium | Entrust Single Sign-On provides authentication for custom line of business applications through the web server.  Learn what Entrust SSO is and how it works. Then learn which troubleshooting tools will be helpful when something goes wrong with configuration, communication, or token validation. | Intermediate | link |
| SSO and AD FS (TST) | eLearning | Premium | This Tech Support Training presentation discusses the Integrations for Single Sign-On and Active Directory Federation Services (AD FS). | Beginner | link |
| Deprecation and End of Life Announcement: OnBase Identity Provider Service (IdP) for OnBase versions 17 and 18 and Integration for Single Sign-On related modules | Blog | Community | A blog post documenting the end of life for the Integration for Single Sign-On and the OnBase Identity Provider for OnBase 17 and 18. | Beginner | link |

 

 

OnBase Identity Provider (OnBase 17/18)

With the release of OnBase 17 SP2, Hyland created the OnBase Identity Provider to provide a unified authentication middleware.  Clients (Web Client, Unity Client, Mobile, etc.) would be configured to redirect the user to the OnBase Identity Provider for authentication.  The OnBase Identity Provider then manages the authentication of the user by redirecting the user to the respective provider (SAML, WSFED, CAS, etc.).

 

This feature was enhanced through OnBase 18.  It is the recommended tool to support authentication via SAML (link) and CAS (link) for those respective versions of OnBase.

 

Resources

| Name | Content | Location | Description | Level | Link |
|---|---|---|---|---|---|
| OnBase Identity Provider Service IdP Troubleshooting | eLearning | Premium | Learn the benefits of using the OnBase Identity Provider Service with your OnBase system, how to configure a simple solution, and where to start with troubleshooting if issues arise. | Intermediate | link |
| Identity Provider Service (IdP) - The future of Authentication (CommunityLIVE 2017) | PowerPoint | Community | This session will help administrators understand the new approach, how it provides for a clearer and faster incorporation of authentication solutions, and allows organizations to easily support multiple sign-on options through a single service instance. | Beginner | link |
| Identity Provider (IdP) - Authentication Services in OnBase (CommunityLIVE 2018) | PowerPoint | Community | Identity Provider (IdP) Services provides a new approach to single sign-on within OnBase. Regardless of whether you use Active Directory, LDAP, SAML or certificates for user authentication, the OnBase IdP can meet your needs. This session will help administrators understand the new approach, provide for a clearer and faster incorporation of authentication solutions, and allow organizations to easily support multiple sign-on options through a single service instance. | Beginner | link |
| Deprecation and End of Life Announcement: OnBase Identity Provider Service (IdP) for OnBase versions 17 and 18 and Integration for Single Sign-On related modules | Blog | Community | A blog post documenting the end of life for the Integration for Single Sign-On and the OnBase Identity Provider for OnBase 17 and 18. | Beginner | link |

 

 

Hyland Identity Provider (OnBase Foundation EP1 and Higher)

With the release of OnBase Foundation EP1, Hyland released an updated version of the Identity Provider called the Hyland Identity Provider.  This was created in order to provide a single Identity Provider middleware service that unifies authentication for ALL Hyland products, not just OnBase.  The Hyland Identity Provider is a new product built on an industry standard (IdentityServer4) and supersedes the OnBase Identity Provider.

This also changes the versioning in relation to OnBase.  The Hyland Identity Provider version is no longer explicitly tied to the version of OnBase; the two are now versioned independently.

 

Resources

| Name | Content | Location | Description | Level | Link |
|---|---|---|---|---|---|
| Identity Providers (IdP) Explained | Blog | Community | An explanation of what an Identity Provider is and how it is used. | Beginner | link |
| Hyland Identity Provider for OnBase Foundation EP3 | eLearning | Premium | By the end of this course, you'll be equipped to install and configure Hyland IdP in an OnBase Foundation EP1 environment. | Intermediate | link |
| IAM Services Idp and Api Server Installation for OnBase - Hands On Lab | eLearning | Premium | This Hands-On lab will walk through the steps of installing and configuring all of the components that make up IAM Services, including the Hyland IdP Server and the OnBase API Server. | Intermediate | link |
| OnBase Unity Client Hands on Lab | eLearning | Premium | This Hands-On lab will walk through the steps of configuring the Unity Client to use IAM Services for authentication. | Intermediate | link |
| OnBase Web Client Hands on Lab | eLearning | Premium | This Hands-On lab will walk through the steps of configuring the OnBase Web Client to use IAM Services for authentication. | Intermediate | link |
| OnBase Client Hands On Lab | eLearning | Premium | This Hands-On lab will walk through the steps of configuring the OnBase Client and OnBase Configuration modules to use IAM Services for authentication. | Intermediate | link |
| IAM Services: Configuring a Third-Party (SAML) Provider: Hands-On-Lab | eLearning | Premium | Lab on setting up a third party SAML2 Provider using SimpleSAML. | Intermediate | link |
| REST API and the Hyland Identity Provider | Articles | SDK | The REST API authentication information for the Hyland Identity Provider. | Advanced | link |