
How do you setup an external facing URL for all clients to access with IdP authentication?

Ryan_Wakefield
World-Class Innovator

Hello,


We are looking to expose our OnBase system externally so that our clients can use the new Hyland IdP and access the system as well as add on 2FA. However, with any sort of system facing externally to your intranet you don't want to allow direct access to the servers for many reasons and more. So we are looking to set up the external facing URL to reverse proxy to our IdP servers, but either I am blind or can't seem to find documentation on how to set up the reverse proxy.


Is there any documentation or specifics on how to configure an externally facing URL so that clients can login with the Hyland IdP? Things (recommendations, requirements, suggestions, etc.) I am looking for are:


  1. Where do you place the IdP servers?
  2. What security configurations are to be setup on the F5 load balancer URL?
  3. Any special configurations on the application servers beyond the basic IdP stuff?
  4. Do you use the same application servers you use for other non-IdP clients or do you separate them out?
  5. Is reverse proxy the right way to approach this or are there better methods?


Now, the biggest question I have is: does Hyland have a network diagram of how the communications happen between the different clients when they are configured for IdP authentication? I know there are the videos out there on the training site, but I don't believe they are 100% accurate, as they don't include how the client secrets work and some other things that differ based on personal experience. So I am hoping there is a good diagram (or diagrams) or something that Hyland can provide, so that when I go to present this to our Cyber Security team it could help in reducing any questions and hopefully make the process easier and quicker.


Thanks.

8 REPLIES

AdamShaneHyland
Employee

Hi Ryan.


In general, you will need to allow users access to the Hyland IDP external to your organization in order to allow them to authenticate.  There are many different ways to do this securely, and a lot of the details would rely on more information about your existing architecture and the goals of your organization.   This will not be answered in full detail in a Community post.


However, the reverse proxy could be implemented through hardware or software, but would be set up outside of Hyland.  This means there is likely limited or no documentation from Hyland on how to set it up.  While not directly related, there is a section in the Application Server MRG called "Reverse Proxy Configuration" which discusses how to implement this for the Application Server.  While I haven't tried it and don't have any recommendations, these same steps might be applicable for the Hyland IDP.


To answer your questions ...

  1. Where do you place the IdP servers?  This is a deeper question.  You could put it in the DMZ or you could put it behind other network devices.  This depends on the current network implementation, segmentation, networking devices, security requirements, etc.  There is no recommendation here, but suffice it to say that users need to be able to communicate with the Hyland IDP from a browser for it to work.
  2. What security configurations are to be setup on the F5 load balancer URL?  The Hyland IDP is stateless, so there is no need for sticky sessions.  However, the Hyland IDP does use cookies.
  3. Any special configurations on the application servers beyond the basic IdP stuff?  The Hyland IDP does not require the OnBase Application Server.  If you are referring to the generic term of an application server meaning a machine running applications, then it will need IIS.  The Hyland IDP (not the ApiServer) doesn't require much in the form of resources, but if you are going to be authenticating a lot of users, then it might need more resources.  
  4. Do you use the same application servers you use for other non-IdP clients or do you separate them out?  The Hyland IDP does not use the OnBase Application Server.
  5. Is reverse proxy the right way to approach this or are there better methods?  I refer back to #1.

For clarification, the Hyland IDP connects to the OnBase Database via the ApiServer, not the Application Server.  Depending on the client in question, requests/processing might be performed via the OnBase Application Server.  For instance, the Unity Client using the Hyland IDP would authenticate through the Hyland IDP and ApiServer, but all requests are performed through the OnBase Application Server.  The OnBase Web Client/Server works the same as the Unity Client.  Clients like the Quick Access Viewer, Combined Viewer, Hyland Clinician Window, WorkView Client, etc. (i.e. the modernized single page clients) will authenticate through the Hyland IDP and ApiServer, but further all requests will be performed through the ApiServer based on the modernized REST APIs.


Hope this helps.

Hey @Ryan Wakefield, did you end up exposing your OnBase system externally so that your clients can use the new Hyland IdP and access the system as well as add on 2FA?

We are working on it. The problem is that when I tried to authenticate through the Hyland IdP externally it would fail, but I can't figure out where exactly it is failing. My gut says that it is because currently we only have our IdP exposed externally and we are going to have to be doing some content switching through our external facing URL/Load Balancer. I am still working on it, but I haven't been able to play much with it as we are struggling to get our NT Authentication to work with a load balanced production environment.


Do you have any suggestions on different things to try and work with? Or were you hoping to talk to someone who has done so?


Thanks.
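An added example for the two points above (Adam's note that the IdP is stateless but uses cookies, and Ryan's external login failing somewhere he can't see); it is not code from this thread, from Hyland, or from the Application Server MRG. It assumes the IdP is an OpenID Connect provider that publishes a discovery document, and that TLS terminates on the F5/reverse proxy, so the IdP only learns the public scheme and host if the proxy forwards them. One common way an IdP behind a proxy fails is that it advertises its internal hostname and plain http in the discovery document and redirects, which the client then cannot follow. The hostnames `login.example.com` and `idp01.corp.local` and the cookie name `idsrv` are constructed sample values.

```python
"""Sanity checks for an OpenID Connect IdP published through a reverse proxy.

Added example for this thread; not Hyland code or documentation.
Assumptions (not stated in the thread): the IdP speaks OpenID Connect and
publishes a discovery document, and TLS ends on the proxy/F5, so the IdP
only knows the public scheme and host if the proxy forwards them.
"""
import json
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Standard OIDC discovery fields that carry URLs a client will follow.
URL_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "end_session_endpoint",
    "jwks_uri",
)

# Constructed sample: a discovery document from an IdP that does not know its
# public name, so the internal host and plain http leak into every URL. A
# browser on the internet cannot reach these, and the login fails.
BROKEN_DISCOVERY = json.dumps({
    "issuer": "http://idp01.corp.local/idp",
    "authorization_endpoint": "http://idp01.corp.local/idp/connect/authorize",
    "token_endpoint": "http://idp01.corp.local/idp/connect/token",
    "jwks_uri": "http://idp01.corp.local/idp/.well-known/openid-configuration/jwks",
})

# Constructed sample: the same document once the proxy forwards the public
# scheme/host and the IdP is configured to use them.
FIXED_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com/idp",
    "authorization_endpoint": "https://login.example.com/idp/connect/authorize",
    "token_endpoint": "https://login.example.com/idp/connect/token",
    "jwks_uri": "https://login.example.com/idp/.well-known/openid-configuration/jwks",
})


def check_discovery(doc_json: str, external_base: str) -> list:
    """Return the problems found; an empty list means every advertised URL
    uses https and the external host that clients actually connect to."""
    external_host = urlparse(external_base).netloc.lower()
    doc = json.loads(doc_json)
    problems = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if value is None:
            continue  # optional endpoint not advertised by this IdP
        url = urlparse(value)
        if url.scheme != "https":
            problems.append(f"{field}: scheme is {url.scheme!r}, expected https")
        if url.netloc.lower() != external_host:
            problems.append(
                f"{field}: host {url.netloc!r} is not the external host {external_host!r}"
            )
    return problems


def check_session_cookie(set_cookie_header: str) -> list:
    """Flag attributes a session cookie should carry when it crosses a
    TLS-terminating proxy (the thread notes the IdP uses cookies even
    though it is stateless and needs no sticky sessions)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    problems = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly")
        if not morsel["samesite"]:
            problems.append(f"{name}: missing SameSite")
    return problems


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_DISCOVERY), ("fixed", FIXED_DISCOVERY)):
        print(label, check_discovery(doc, "https://login.example.com") or "OK")
    print(check_session_cookie("idsrv=opaque; Path=/idp; Secure; HttpOnly; SameSite=None") or "OK")
```

Run `check_discovery` against the discovery document fetched through the external URL (not from inside the network), since that is the copy clients see; if the internal host shows up, the proxy is not forwarding the public scheme/host, or the IdP is not configured to use them. `check_session_cookie` is a quick look at the `Set-Cookie` header the proxy passes back, for the same reason.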

@Ryan Wakefield Thanks for letting me know. Yeah, I wanted to talk to someone who has done so to find out how they did it, because if you were successful in setting this up, this might have helped a customer of ours that is potentially needing to go down the same path in order to be able to use the iOS OnBase Mobile v18 app. However, they want to be able to authenticate via IdP with the 3rd party provider being Okta on the mobile app. I have a feeling that we would need to install/configure IdP on the Mobile Applications Broker Server (which is in the DMZ), but I'm not sure. Thanks Ryan.