04-04-2021 10:41 AM
Hello,
We are looking to expose our OnBase system externally so that our clients can use the new Hyland IdP and access the system, as well as add on 2FA. However, with any system that faces externally from your intranet, you don't want to allow direct access to the servers, for many reasons. So we are looking to set up the external-facing URL to reverse proxy to our IdP servers, but either I am blind or I can't seem to find documentation on how to set up the reverse proxy.
Is there any documentation or specifics on how to configure an externally facing URL so that clients can login with the Hyland IdP? Things (recommendations, requirements, suggestions, etc.) I am looking for are:
Now, the biggest question I have is: does Hyland have a network diagram of how the communications happen between the different clients when they are configured for IdP authentication? I know there are videos out there on the training site, but I don't believe they are 100% accurate, as they don't include how the client secrets work and some other things that differ based on personal experience. So I am hoping there is a good diagram (or diagrams) or something that Hyland can provide so that when I present this to our Cyber Security team, it could help reduce questions and hopefully make the process easier and quicker.
Thanks.
04-05-2021 10:16 AM
Hi Ryan.
In general, you will need to allow users access to the Hyland IDP external to your organization in order to allow them to authenticate. There are many different ways to do this securely, and a lot of the details would rely on more information about your existing architecture and the goals of your organization. This will not be answered in full detail in a Community post.
However, the reverse proxy could be implemented through hardware or software, but would be set up outside of Hyland. This means there is likely limited or no documentation from Hyland on how to set it up. While not directly related, there is a section in the Application Server MRG called "Reverse Proxy Configuration" which discusses how to implement this for the Application Server. While I haven't tried it and don't have any recommendations, these same steps might be applicable for the Hyland IDP.
To answer your questions ...
For clarification, the Hyland IDP connects to the OnBase Database via the ApiServer, not the Application Server. Depending on the client in question, requests/processing might be performed via the OnBase Application Server. For instance, the Unity Client using the Hyland IDP would authenticate through the Hyland IDP and ApiServer, but all requests are performed through the OnBase Application Server. The OnBase Web Client/Server works the same as the Unity Client. Clients like the Quick Access Viewer, Combined Viewer, Hyland Clinician Window, WorkView Client, etc. (i.e. the modernized single-page clients) will authenticate through the Hyland IDP and ApiServer, and all further requests will be performed through the ApiServer based on the modernized REST APIs.
Hope this helps.
09-06-2021 11:46 PM
09-07-2021 02:44 PM
We are working on it. The problem is that when I tried to authenticate through the Hyland IdP externally it would fail, but I can't figure out where exactly it is failing. My gut says that it is because currently we only have our IdP exposed externally, and we are going to have to do some content switching through our external-facing URL/load balancer. I am still working on it, but I haven't been able to play much with it, as we are struggling to get our NT Authentication to work with a load-balanced production environment.
Do you have any suggestions on different things to try and work with? Or were you hoping to talk to someone who has done so?
Thanks.
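As an added illustration of the two points raised in this thread (the per-client traffic flow described in the 04-05-2021 reply, where the IdP and the modernized clients talk to the ApiServer while the Unity and Web clients also need the Application Server, and the "content switching" suspicion in the reply above), here is a minimal reverse-proxy configuration in nginx. It is example configuration written for this page, not from Hyland documentation, the Application Server MRG, or any poster in the thread. The external hostname, the internal hostnames, the certificate paths and the three virtual-directory paths are all placeholders and must be replaced with the names from your own MRGs and environment.

```nginx
# Added example configuration; not Hyland's and not from this thread.
# Every hostname and path below is an assumption (placeholder):
#   onbase.example.com          external URL clients and browsers use
#   idp.internal                Hyland IdP host(s)
#   api.internal                ApiServer host(s)
#   appserver.internal          OnBase Application Server host(s)
#   /identityprovider /api /AppServer   virtual directory names; check your MRGs

server {
    listen 443 ssl;
    server_name onbase.example.com;

    ssl_certificate     /etc/nginx/certs/onbase.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/certs/onbase.example.com.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Tell each backend the scheme and host the client actually used.
    # An identity provider builds its issuer, discovery and redirect URLs
    # from the host it believes it was reached on; if it only sees the
    # internal name, the browser round trip leaves the external URL and fails.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;

    # Content switching: one external URL, routed by path to the three
    # internal tiers named in the thread. Exposing only the IdP is not
    # enough, because after authentication the clients still have to
    # reach the ApiServer (modernized clients) or the Application Server
    # (Unity Client, Web Client) through the same external URL.
    location /identityprovider/ {
        proxy_pass https://idp.internal/identityprovider/;
    }
    location /api/ {
        proxy_pass https://api.internal/api/;
    }
    location /AppServer/ {
        proxy_pass https://appserver.internal/AppServer/;
    }

    # Nothing else on the internal servers is reachable from outside.
    location / {
        return 404;
    }
}
```

Two checks are worth doing before involving the security team: request a path outside the three published ones from the internet and confirm it returns 404 rather than anything from the internal servers, and fetch the IdP's login page through the external URL and confirm every URL it emits (redirects, form actions, discovery metadata) uses the external hostname and https, not an internal name. If the IdP login succeeds but the client fails immediately afterwards, the path the client takes next (ApiServer or Application Server, per the reply above) is the first place to look.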
09-10-2021 08:28 PM