
For Any New User Logging In via IdP for the First Time, Why Is This User Configured with Standard Login Authentication, but NOT Integrated Security Login Only?

Nghia_Phan1
Star Contributor

Hi:

 

We are on EP3. During the upgrade from V6 to EP3, Hyland consultants ran or did some import at that time, and all users were set to Integrated Security Login Only authentication by auto-mapping between AD and IdP.

But recently, any new user who logs in via IdP is set as Standard Login by auto-mapping. Some new users cannot even log in, but we can see they are OnBase members in User Settings with Standard Login authentication.

It is confusing. I thought these new users, once logged in via IdP, must have 'Integrated Security Login Only' authentication.

Does anyone have any idea what we did wrong? Or is that the way IdP behaves?

Thank you.

2 REPLIES

AdamShaneHyland
Employee

Hi @Nghia Phan ,

 

Software Change CI-2985 has been created in order to flag new users created via the provisioning process from the Hyland IDP to be configured with the "Integrated Security Logon Only" option enabled.  Currently this feature is not available and has not been scheduled as of OnBase 22.1.

 

That being said, users created via the Hyland IDP can still log in even if their user account is configured with the Standard Logon option enabled. If they can't log in, then this is likely a configuration issue where the users do not belong to User Groups with the necessary permissions to access the software.

 

Assuming you are using a SAML provider to federate authentication via the Hyland IDP, you can confirm that the SAML Response from the third party SAML provider includes User Groups which are correctly mapped with the User Attribute Mapping configuration of the Provider.  If they are, then you should see the User Claims listed in the Hyland Diagnostics logs under the Hyland.Identity.Provider profile. 

 


 

If you don't see the claims, then it could be:

  • The third party is not configured to send over the User Groups
  • The User Group attribute is not properly configured to the Group within the User Attribute Mapping


 

If you need further assistance, please reach out to your first line of support.
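
The SAML Response check described in the reply above, as an added example that is not part of the original thread and is not Hyland tooling: it decodes a base64 `SAMLResponse` value (the form field posted by the browser under the HTTP-POST binding) and reports whether the group attribute is present, empty, missing, or hidden inside an encrypted assertion. The attribute name `groups`, the group name and the sample responses are constructed assumptions; use the attribute name configured in your User Attribute Mapping.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def group_claims(saml_response_b64, group_attr):
    """Inspect a base64 SAMLResponse; status is "encrypted", "missing",
    "empty" or "present". Inspection only: no signature checks are done."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # An encrypted assertion hides its attributes from anything captured in
    # the browser; the claims can then only be checked where it is decrypted.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return "encrypted", []
    values = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if group_attr in (attr.get("Name"), attr.get("FriendlyName")):
            values = values or []
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", NS)]
    if values is None:
        return "missing", []      # the third party did not send the attribute
    values = [v for v in values if v]
    return ("present" if values else "empty"), values

def constructed_response(body):
    # Builds a constructed (not captured) SAMLResponse for the samples below.
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s</samlp:Response>'
           % (NS["samlp"], NS["saml"], body))
    return base64.b64encode(xml.encode()).decode()

def attr_xml(name, value):
    return ('<saml:Assertion><saml:AttributeStatement><saml:Attribute Name="%s">'
            '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion>' % (name, value))

# Constructed samples; "groups" and the group name are assumptions.
SAMPLES = {
    "with groups": constructed_response(attr_xml("groups", "ONBASE-USERS")),
    "no group attribute": constructed_response(attr_xml("mail", "a@example.org")),
    "empty group value": constructed_response(attr_xml("groups", "")),
    "encrypted": constructed_response("<saml:EncryptedAssertion/>"),
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(label, group_claims(resp, "groups"))
```

A "missing" or "empty" result corresponds to the first bullet above (the third party is not sending the groups); a "present" result with no matching claims in the diagnostics log points at the attribute mapping instead.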

Nghia_Phan1
Star Contributor

Hi Adam:

Thank you for your response.

We are using the Shibboleth provider.

Regardless of the User Settings of standard login or integrated security login authentication, according to the CI you mentioned above, new users have no problem logging in for the first time in our test environment, even though they are configured with standard login authentication by auto-mapping between AD and IdP. But these new users CANNOT log in to our PRODUCTION environment, even though, after login, I see the user accounts are created in production OnBase with standard login authentication.

The User Group attributes of these new users are configured identical for both environments.

I did check and see the same settings of both test and production in the identity-provider admin sites.

The only difference between the two environments is that test has NO load balancer (web/app servers are on the same physical server), while production has two load balancers: one between clients and web servers, and a second one between web servers and app servers.

Next, as you mentioned, I will troubleshoot in production using Diagnostic Console.

 

If you have any suggestions, please let me know.

Again, thank you very much.

Nghia