Hyland Identity Provider + E-Forms talking to web services?

Alex_French
Elite Collaborator

I'm intentionally cross-posting this in both "Authentication and Security" and "E-Form" groups-

We at Dartmouth College are on OnBase 15, and have an interestingly complex setup: Unity Client AD Auth, Web Client SSO integration, custom .NET apps that use the Unity API that use SSO integration, and E-Forms (loaded in the Unity Client and the Web Client) that talk to .NET web services to load MIKG data and other complex information.

We're upgrading to 17, making changes in our SSO infrastructure, and hoping to start using the new Hyland Identity Provider to enable SSO integration for the Unity Client.

Does anyone have experience with the Hyland Identity Provider and E-Forms that communicate with web services?

If so, I would love to chat!  

We're getting close in our Dev/Test environments to where I can hands-on try things, but *any* experience that combines those two situations might be helpful.

Update:

With existing AD Auth (the "basic" option in OnBase right now), we take advantage of user group syncing with Active Directory.  We haven't yet sorted out whether the Identity Provider will allow that same simple option, or if we'll have to do more programmatic user group syncing.  We would love to hear about anyone's experience with that too.


Thanks,
Alex

6 replies

Chad_Yarmock
Confirmed Champ

Hi Alex,

Thank you for using Community. I can answer your question about the AD integration(s) with the Hyland IDP. The Hyland IDP does both of the AD based options, along with LDAP, under the Autologin provider. There is no additional configuration needed on the IDP side to use this option. Just the normal configuration in the Configuration Client.

The Unity Client can be configured for IDP using five providers: OnBase Auth, Autologin, CAS, SAML2 and CAC.

Regarding the IDP + E-Forms + Web Services, I don't see why this wouldn't work. But depending on your exact setup and other variables there could be unforeseen roadblocks. Would you mind calling into your First Line Of Support and opening a Support Issue? This will get the proper eyes on the request and if needed escalated to the appropriate resources internally to assist.

Also, if you haven't already I would recommend taking a look at the OnBase 17 Authentication MRG, which has a section dedicated to the Hyland IDP.

The 17 Authentication MRG can be found at: www.onbase.com/.../21205

Please let me know if you have any questions!

Hi Chad,

Are you saying that authentication via SAML to the Identity Provider *would* provide:
1) Automatic creation of a user who has never logged into OnBase
2) Syncing of new or changed group membership?

I can't find anything in the 17 Authentication MRG that says it *won't* do those things, but the MRG includes extensive discussion of how they work in some sections (the Standard Authentication section and "Syncing User Group and User Attribute Information for CAC Providers") in a way that makes me assume they are not implemented when authenticating to the IdP via SAML.

Hi Alex,

1) It will create new users, but it will only add them to the defined "Default User Group", which is set up in Configuration | Utils | System Generated User Settings.

In OnBase 18, we added the ability to sync foreign roles, which just means that we (OnBase) don't read AD or need to have AD (basic or enhanced) set up. The foreign party (Shibboleth, OKTA, etc) would send in group membership claims and we would just match those to OnBase User Groups.

I hope that answered your questions. If not, please let me know.

Edit: I updated various statements above to reflect that the SAML Provider in the version 17 IDP does NOT work in conjunction with AD/LDAP for group syncing.
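A small model of the two group-assignment behaviours described above (version 17: SAML-created users land only in the Default User Group; version 18: group claims from the IdP are matched to OnBase User Groups). This is an added illustration, not Hyland's code; the `memberOf` attribute name, the claim-to-group mapping, the sample assertion and the default group name are all constructed, and treating the default group as the fallback when no claim matches is an assumption.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical explicit mapping from IdP-issued group claims to OnBase user
# groups (constructed for this example). Only claims listed here ever confer
# membership; anything else the IdP sends is ignored.
CLAIM_TO_USER_GROUP = {
    "cn=onbase-hr,ou=groups,dc=example,dc=edu": "HR Clerks",
    "cn=onbase-finance,ou=groups,dc=example,dc=edu": "Finance Reviewers",
}
DEFAULT_USER_GROUP = "Default Users"  # stands in for the "Default User Group" setting

# Constructed sample assertion carrying a group-membership attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>afrench</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cn=onbase-hr,ou=groups,dc=example,dc=edu</saml:AttributeValue>
      <saml:AttributeValue>cn=campus-all,ou=groups,dc=example,dc=edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_claims(assertion_xml, attribute_name="memberOf"):
    """Return the values of the named attribute from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def resolve_user_groups(claims, sync_foreign_roles):
    """Model the two behaviours from the thread.

    sync_foreign_roles=False (version 17 SAML provider): claims are ignored and
    the new user only receives the Default User Group.
    sync_foreign_roles=True (version 18 foreign-role sync): each claim is looked
    up in the explicit mapping; unmapped claims grant nothing. Falling back to
    the default group when nothing matches is an assumption of this example.
    """
    if not sync_foreign_roles:
        return [DEFAULT_USER_GROUP]
    matched = sorted({CLAIM_TO_USER_GROUP[c] for c in claims if c in CLAIM_TO_USER_GROUP})
    return matched or [DEFAULT_USER_GROUP]
```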

Thanks Chad.

Having it just work with our existing AD-Basic setup is great for our immediate future, and it's nice to hear that implementing group membership claims is on the roadmap.

Alex