How to specify NameIDPolicy-Format in SAML2 using Hyland IdP

Kiri_Yoshidaya
Confirmed Champ

Hello all,

We're configuring SSO in Azure AD (SAML2) using Hyland IdP.
The configuration seems to complete properly, and the login was successful, but not in the desired state.
We're planning to log in to OnBase using the email address, but it is currently using the persistent ID to log in to OnBase instead.
I believe this is because Azure AD returns the NameID in the SAML Response in persistent format, as shown below:
:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xxxxx</NameID>
:
I contacted the Azure AD administrator and they told me that the NameID is set to user.mail, so if the
<NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" /> tag is included in the SAML Request,
Azure AD should return the email address.
Is it possible to specify NameIDPolicy in the OnBase IdP settings?
If so, how do I set it up?

Thanks in advance.

1 ACCEPTED ANSWER

AdamShaneHyland
Employee

Hi Kiri.

 

You can send back the claims via SAML in any format.  From there, the OnBase IDP (OnBase 17/18) or Hyland IDP (OnBase Foundation EP1 and higher) can be configured to read the Name attribute from the Attribute Claim(s) in the SAML Response. 

 

For Azure AD, I found this article which might be helpful ...

 

     https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

 

For instance, the following is a portion of a SAML Response ...

<AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>John Doe</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>jdoe@domain.com</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>Scanning Users</AttributeValue>
    </Attribute>
</AttributeStatement>


Here you can see the reference to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, which is the reference to the user's full name in the SAML Response.

 

The following would be the corresponding UserAttributeMappings in the idpconfig.json for the Hyland IDP ...

"UserAttributeMapping": {
  "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "realName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "group": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
},


As long as the value is sent in the SAML Response and is an Attribute, it can be mapped to OnBase.

 

Best wishes.

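As an added example that is not part of the original thread and not Hyland's code, the Python below ties the two halves of this exchange together: it builds an AuthnRequest that carries the NameIDPolicy element from the question, and it applies the UserAttributeMapping from the accepted answer to a SAML Response. The issuer and ACS URLs, the request ID and the sample response are constructed for illustration; the sample deliberately has a persistent NameID and no nameidentifier claim, so the mapping reports "username" as missing, which is the situation a login landing on the wrong identity looks like. Signature verification is left out on purpose; in a real SP the mapping is applied only to an assertion whose XML signature has already been verified, and IdP-supplied XML is parsed with defusedxml rather than xml.etree.

```python
"""Added example for this thread (not Hyland code): build a SAML 2.0
AuthnRequest carrying a NameIDPolicy, then read the NameID and attribute
claims out of a SAML Response with a Hyland-style UserAttributeMapping.
Signature checking is omitted: never apply a mapping like this to an
assertion whose XML signature has not been verified, and prefer defusedxml
over xml.etree for XML received from an IdP.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Same claim URIs as the idpconfig.json fragment in the accepted answer.
USER_ATTRIBUTE_MAPPING = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "realName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "group": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}

# Constructed, unsigned sample (not captured from a real IdP): persistent
# NameID as in the question, and no nameidentifier claim for "username".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xxxxx</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>John Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@domain.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>Scanning Users</saml:AttributeValue>
        <saml:AttributeValue>Indexing Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_authn_request(issuer, acs_url, nameid_format=NAMEID_EMAIL, request_id="_req1"):
    """AuthnRequest asking the IdP for nameid_format. NameIDPolicy is a request,
    not a guarantee, so the response's NameID Format is checked separately."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant="{now}" '
        f"AssertionConsumerServiceURL={quoteattr(acs_url)}>"
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format={quoteattr(nameid_format)} AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def requested_nameid_format(request_xml):
    """Read the NameIDPolicy Format back out of an AuthnRequest (None if absent)."""
    policy = ET.fromstring(request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def nameid_info(response_xml):
    """Return (Format, value) of the assertion's NameID, or (None, None)."""
    nameid = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None, None
    return nameid.get("Format"), (nameid.text or "").strip()


def nameid_matches_policy(response_xml, requested_format):
    """True only when the IdP honoured the NameIDPolicy the SP asked for."""
    return nameid_info(response_xml)[0] == requested_format


def extract_user(response_xml, mapping=USER_ATTRIBUTE_MAPPING):
    """Apply the mapping to the AttributeStatement. Returns (user, missing):
    "group" keeps every value, other fields take the first; missing lists the
    fields whose claim the IdP did not send at all."""
    root = ET.fromstring(response_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    user, missing = {}, []
    for field, claim_uri in mapping.items():
        values = claims.get(claim_uri)
        if not values:
            missing.append(field)
        else:
            user[field] = values if field == "group" else values[0]
    return user, missing


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.com/idp", "https://sp.example.com/idp/acs")
    print("requested:", requested_nameid_format(req), "got:", nameid_info(SAMPLE_RESPONSE))
    print("policy honoured:", nameid_matches_policy(SAMPLE_RESPONSE, NAMEID_EMAIL))
    print("mapped user:", extract_user(SAMPLE_RESPONSE))
```

Two points worth keeping in mind when applying this to a real deployment: the IdP is not obliged to return the format named in NameIDPolicy, so compare the response's NameID Format against what was requested instead of assuming it, and an email address is a mutable, reassignable value, so keying the OnBase account on it is weaker than keying on a stable identifier and using the email claim for display only.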

5 REPLIES

Hi @Kiri Yoshidaya, thanks for the update. Glad that you were able to get it working.