How do you set up an external facing URL for all clients to access with IdP authentication?

Ryan_Wakefield
World-Class Innovator

Hello,


We are looking to expose our OnBase system externally so that our clients can use the new Hyland IdP and access the system as well as add on 2FA. However, with any sort of system facing externally to your intranet you don't want to allow direct access to the servers for many reasons and more. So we are looking to set up the external facing URL to reverse proxy to our IdP servers, but either I am blind or can't seem to find documentation on how to set up the reverse proxy.


Is there any documentation or specifics on how to configure an externally facing URL so that clients can log in with the Hyland IdP? Things (recommendations, requirements, suggestions, etc.) I am looking for are:


  1. Where do you place the IdP servers?
  2. What security configurations are to be set up on the F5 load balancer URL?
  3. Any special configurations on the application servers beyond the basic IdP stuff?
  4. Do you use the same application servers you use for other non-IdP clients or do you separate them out?
  5. Is reverse proxy the right way to approach this or are there better methods?


Now, the biggest question I have is whether Hyland has a network diagram of how the communications happen between the different clients when they are configured for IdP authentication. I know there are the videos out there on the training site, but I don't believe they are 100% accurate as they don't include how the client secrets work and some other things that differ based on personal experiences. So I am hoping there is a good diagram (or diagrams) or something that Hyland can provide so that when I go to present this to our Cyber Security team, it could help in reducing any questions and hopefully make the process easier and quicker.


Thanks.


@Adam or @Ryan ... For external facing DocPop URLs using IdP, can I have the Web Server in the DMZ (public facing) with IdP and API Server installed on that same Web Server? I would imagine I need firewall rules from the Web Server in the DMZ to allow port 1433 (MSSQL) to access my API Server DB. My OnBase Application Server is not in the DMZ and not public facing, but I do have firewall rules for opening port 443 (TLS, HTTPS). Will this configuration work to allow DocPop URLs to display documents in the OnBase web client externally?

Hi @Eric Lohr, if your ApiServer is in the DMZ, you would also have to open the port for Disk Group access, if applicable (i.e. you are using the REST API to retrieve documents). Or you could use a Reverse Proxy for your ApiServer and put it in your internal network, which would alleviate the need to have SQL ports open.


To your question, yes, the OnBase Web Server, Hyland IDP and ApiServer can all reside on the same server. Assuming you are using the Hyland IDP for authentication, the DocPop request would redirect to the Hyland IDP for authentication and then back to the Web Server to load the documents.


Take care.

Thanks @Adam Shane Adam for the clarification. We are using Hyland IDP for authentication. We are only using the API Server for the SCIM for IdP integration, no REST API calls to bring the documents back. The documents are only DocPop URL links. Does the OnBase web server need direct access to storage, or do I need to put the AppServer in the DMZ and cut a hole in the firewall for SMB traffic to flow? My hope is the OnBase AppServer streams the image back to the web server for display and the web server does not need direct access to the disk.

Thank you,

Eric

Hi @Eric Lohr,


The OnBase Web Server never directly accesses the database or file shares. These requests are always made through the Application Server.


Take care.
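The answers above boil down to a small allow-list: a Web Server (with the Hyland IdP) in the DMZ only needs HTTPS to the internal Application Server, and database or SMB rules from the DMZ are only called for when the ApiServer itself is placed there. The script below is an added example, not Hyland's code or anything from this thread, that reviews a proposed rule set against that placement before it goes to a security team. The hostnames, the `src -> dst proto/port` rule line format, the role map and the sample rule set are all constructed for illustration.

```python
"""Added example: check a proposed DMZ firewall rule set against the placement
described in the thread (OnBase Web Server + Hyland IdP in the DMZ, Application
Server internal, Web Server reaching DB and file shares only via the App Server).
Hostnames, rule format and role map are assumptions made for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


def parse_rule(line: str) -> Rule:
    """Parse a constructed rule line such as 'dmz-web01 -> app01 tcp/443'."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "->":
        raise ValueError(f"bad rule line: {line!r}")
    proto, port = parts[3].split("/")
    return Rule(parts[0], parts[2], proto.lower(), int(port))


# Assumed host roles. 'db' and 'fileshare' are the resources the Web Server
# must only ever reach through the Application Server (per the last answer).
ROLES = {
    "dmz-web01": "web",        # OnBase Web Server + Hyland IdP in the DMZ
    "dmz-api01": "api",        # ApiServer, only if it is also placed in the DMZ
    "app01": "appserver",      # internal OnBase Application Server
    "sql01": "db",             # MSSQL, tcp/1433
    "fs01": "fileshare",       # Disk Group share, SMB tcp/445
}
BACKEND_ROLES = {"db", "fileshare"}


def review_rules(lines, api_server_in_dmz=False):
    """Return a dict with three lists of Rule objects:
    'missing'     - rules the design needs that are absent,
    'unnecessary' - DMZ-to-backend rules the placement does not call for,
    'accepted'    - backend rules only needed because the ApiServer is in the DMZ.
    """
    rules = [parse_rule(s) for s in (l.strip() for l in lines)
             if s and not s.startswith("#")]

    # Web Server -> Application Server over HTTPS is always required.
    required = {Rule("dmz-web01", "app01", "tcp", 443)}
    if api_server_in_dmz:
        # An ApiServer in the DMZ needs the SQL port (and Disk Group access
        # if it serves documents over REST); the DB rule is mandatory.
        required.add(Rule("dmz-api01", "sql01", "tcp", 1433))

    result = {"missing": [r for r in required if r not in rules],
              "unnecessary": [], "accepted": []}

    for r in rules:
        if ROLES.get(r.dst) not in BACKEND_ROLES:
            continue  # only DMZ-to-backend rules are of interest here
        src_role = ROLES.get(r.src)
        if src_role == "web":
            # The Web Server never touches DB or file shares directly.
            result["unnecessary"].append(r)
        elif src_role == "api":
            if api_server_in_dmz:
                result["accepted"].append(r)   # exposure you knowingly accept
            else:
                # ApiServer is internal behind a reverse proxy: no SQL/SMB
                # hole from the DMZ is needed at all.
                result["unnecessary"].append(r)
    return result


# Constructed sample rule set, the kind of draft a reviewer receives.
PROPOSED_RULES = """
# draft DMZ -> internal rules (constructed sample)
dmz-web01 -> app01 tcp/443
dmz-web01 -> sql01 tcp/1433
dmz-web01 -> fs01 tcp/445
dmz-api01 -> sql01 tcp/1433
"""


def summarize(result) -> list[str]:
    """Render the review as plain findings, one per line."""
    out = []
    for r in result["missing"]:
        out.append(f"MISSING    {r.src} -> {r.dst} {r.proto}/{r.port}")
    for r in result["unnecessary"]:
        out.append(f"UNNEEDED   {r.src} -> {r.dst} {r.proto}/{r.port}")
    for r in result["accepted"]:
        out.append(f"ACCEPTED   {r.src} -> {r.dst} {r.proto}/{r.port}")
    return out


if __name__ == "__main__":
    for placement in (False, True):
        print(f"--- ApiServer in DMZ: {placement}")
        for line in summarize(review_rules(PROPOSED_RULES.splitlines(), placement)):
            print(line)
```

With the ApiServer kept internal (the reverse-proxy option from the second answer), all three SQL/SMB rules from the DMZ are reported as unneeded and only the tcp/443 rule to the Application Server survives; flipping `api_server_in_dmz` to `True` turns the ApiServer's SQL rule into an accepted exposure while the Web Server's DB and SMB rules stay flagged, which matches the point that the Web Server only ever goes through the Application Server.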