02-01-2018 07:21 AM
I'm intentionally cross-posting this in both "Authentication and Security" and "E-Form" groups.
We at Dartmouth College are on OnBase 15, and have an interestingly complex setup: Unity Client AD Auth, Web Client SSO integration, custom .NET apps that use the Unity API that use SSO integration, and E-Forms (loaded in the Unity Client and the Web Client) that talk to .NET web services to load MIKG data and other complex information.
We're upgrading to 17, making changes in our SSO infrastructure, and hoping to start using the new Hyland Identity Provider to enable SSO integration for the Unity Client.
Does anyone have experience with the Hyland Identity Provider and E-Forms that communicate with web services?
If so, I would love to chat!
We're getting close in our Dev/Test environments to where I can hands-on try things, but *any* experience that combines those two situations might be helpful.
Update:
With existing AD Auth (the "basic" option in OnBase right now), we take advantage of user group syncing with Active Directory. We haven't yet sorted out whether the Identity Provider will allow that same simple option, or if we'll have to do more programmatic user group syncing. We would love to hear about anyone's experience with that too.
Thanks,
Alex
02-12-2018 07:26 AM
Hi Alex,
Thank you for using Community. I can answer your question about the AD integration(s) with the Hyland IDP. The Hyland IDP does both of the AD based options, along with LDAP, under the Autologin provider. There is no additional configuration needed on the IDP side to use this option. Just the normal configuration in the Configuration Client.
The Unity Client can be configured for IDP using five providers: OnBase Auth, Autologin, CAS, SAML2 and CAC.
Regarding the IDP + E-Forms + Web Services, I don't see why this wouldn't work. But depending on your exact setup and other variables there could be unforeseen roadblocks. Would you mind calling into your First Line Of Support and opening a Support Issue? This will get the proper eyes on the request and if needed escalated to the appropriate resources internally to assist.
Also, if you haven't already I would recommend taking a look at the OnBase 17 Authentication MRG, which has a section dedicated to the Hyland IDP.
The 17 Authentication MRG can be found at: www.onbase.com/.../21205
Please let me know if you have any questions!
02-13-2018 09:27 AM
02-13-2018 10:38 AM
Hi Alex,
1) It will create new users, but it will only add them to the defined "Default User Group", which is set up in Configuration | Utils | System Generated User Settings.
In OnBase 18, we added the ability to sync foreign roles, which just means that we (OnBase) don't read AD or need to have AD (basic or enhanced) set up. The foreign party (Shibboleth, OKTA, etc.) would send in group membership claims and we would just match those to OnBase User Groups.
I hope that answered your questions. If not, please let me know.
Edit: I updated various statements above to reflect that the SAML Provider in the version 17 IDP does NOT work in conjunction with AD/LDAP for group syncing.
02-13-2018 11:47 AM