10-19-2021 04:44 AM
Hello all,
We're configuring SSO in Azure AD (SAML2) using Hyland IdP.
Configuration seems to complete properly, and the login was successful, but not in the desired state.
We're planning to log in to OnBase using the email address, but currently the persistent ID is being used to log in to OnBase instead.
I believe that this is because Azure AD returns NameID in the SAML Response as persistent format, as shown below:
:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xxxxx</NameID>
:
I contacted the Azure AD administrator and they told me that the NameID is set to user.mail, so if I include the
<NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" /> tag in the SAML Request,
AD should return the email address.
Is it possible to specify NameIDPolicy in OnBase IdP settings?
If possible, how do I set it up?
Thanks in advance.
10-19-2021 06:45 AM
Hi Kiri.
You can send back the claims via SAML in any format. From there, the OnBase IDP (OnBase 17/18) or Hyland IDP (OnBase Foundation EP1 and higher) can be configured to read the Name attribute from the Attribute Claim(s) in the SAML Response.
For Azure AD, I found this article which might be helpful ...
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization
For instance, the following is a portion of a SAML Response ...
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>John Doe</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>jdoe@domain.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <AttributeValue>Scanning Users</AttributeValue>
  </Attribute>
</AttributeStatement>
Here you can see the reference to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, which is the reference to the user's full name in the SAML Response.
The following would be the corresponding UserAttributeMappings in the idpconfig.json for the Hyland IDP ...
"UserAttributeMapping": {
  "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "realName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "group": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
},
As long as the value is sent in the SAML Response and is an Attribute, it can be mapped to OnBase.
Best wishes.
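The two approaches discussed in this thread, as an added worked example that is not code from the original posts, from Hyland or from Microsoft: the asker's idea of sending a NameIDPolicy in the AuthnRequest, and the reply's approach of leaving the NameID alone and mapping the e-mail Attribute claim to the username through a UserAttributeMapping-style dictionary. The SAML Response below is a constructed sample that imitates the fragment in the reply (a persistent NameID plus name, nameidentifier, emailaddress and role attributes); it is not a real Azure AD assertion, it carries no signature, and the field names nameIdFormat/nameId in the result are this example's own choice, not Hyland configuration keys. A real service provider must validate the Response signature, Conditions and Audience before trusting any of these values; that part is out of scope here.

```python
"""Map SAML 2.0 Response claims into OnBase-style user fields (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response: NameID is an opaque persistent identifier (the
# asker's situation) while the e-mail address arrives as an Attribute claim.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xxxxx</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
        <saml:AttributeValue>xxxxx</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>John Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@domain.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>Scanning Users</saml:AttributeValue>
        <saml:AttributeValue>Indexing Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The mapping from the reply (username taken from the nameidentifier claim)...
MAPPING_FROM_REPLY = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "realName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "group": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
# ...and the variant that gives the asker an e-mail login without touching NameID.
MAPPING_USERNAME_FROM_EMAIL = dict(MAPPING_FROM_REPLY, username=MAPPING_FROM_REPLY["email"])


def parse_response(xml_text):
    """Return (nameid_format, nameid_value, {claim_name: [values]})."""
    root = ET.fromstring(xml_text)
    nameid = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    claims = {}
    for attr in root.findall("./saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    fmt = nameid.get("Format") if nameid is not None else None
    return fmt, (nameid.text if nameid is not None else None), claims


def map_user(xml_text, mapping):
    """Apply a UserAttributeMapping-style dict to the claims in a Response.

    Every mapped claim except "group" must be present exactly once. A missing
    username raises instead of silently falling back to the NameID, because
    that fallback is exactly the persistent-ID login the asker wants to avoid.
    """
    fmt, nameid_value, claims = parse_response(xml_text)
    user = {"nameIdFormat": fmt, "nameId": nameid_value}  # example's own keys
    for field, claim in mapping.items():
        values = claims.get(claim, [])
        if field == "group":
            user[field] = values  # a role claim may legitimately carry several values
        elif len(values) == 1:
            user[field] = values[0]
        else:
            raise ValueError(f"claim {claim!r} for {field!r}: expected 1 value, got {len(values)}")
    return user


def build_authn_request(issuer, acs_url, nameid_format):
    """Minimal AuthnRequest carrying the NameIDPolicy the asker proposed.

    Illustration only: a production request also needs ID, IssueInstant,
    Destination and a signature (or a signed HTTP-Redirect binding).
    """
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "Version": "2.0",
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy",
                  {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    print(map_user(SAMPLE_RESPONSE, MAPPING_FROM_REPLY)["username"])          # xxxxx
    print(map_user(SAMPLE_RESPONSE, MAPPING_USERNAME_FROM_EMAIL)["username"])  # jdoe@domain.com
    print(build_authn_request("https://sp.example.test", "https://sp.example.test/acs",
                              "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"))
```

Running it shows the point of the reply: with the same Response, only the mapping decides whether OnBase sees `xxxxx` or `jdoe@domain.com` as the login name, so no change on the Azure AD side (and no NameIDPolicy) is required as long as the e-mail claim is in the AttributeStatement. The issuer and ACS URL in the `__main__` block are placeholders.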
10-22-2021 06:55 AM
Hi