04-19-2019 10:52 AM
Hi, everyone. We are implementing OnBase and are exploring using Identity Provider w/ Shibboleth. We are at version 18.0.0.32 and I have reviewed the Identity Provider section of the Authentication MRG. We are attempting installation of IdentP on load-balanced app servers.
Q1: I read that Identity Provider requires SSL to be enabled but we are using SSL offloading. Will this work without use of an SSL certificate installed on the server?
Q2: We are working on Shibboleth setup on the web server. The MRG outlines how you can configure the location of the signing and encryption certificates in the registry of the servers where IdentP is installed. Is this required? Do we need to install the Shibboleth certificates on the app servers for this to work?
Thanks for any tips or advice you can provide.
kellyg
04-19-2019 11:07 AM
We're just finishing up our migration to 16, but a move to 18 with a look towards Shibboleth integration is in our plans as well, so any information would be great.
PS - sorry for the duplicate replies. Apparently a bug with Community and Edge.
05-28-2019 01:25 PM
Hi, all,
I'm far enough along in my configuration of Identity Provider with SAML that I can now answer the questions I posted above.
Q1: I read that Identity Provider requires SSL to be enabled but we are using SSL offloading. Will this work without use of an SSL certificate installed on the server?
- Yes, this works, as long as you keep that in mind when adding URLs to the Web.configs. For instance, if you use SSL offloading, you may need to use "http" instead of "https" in some cases. It just depends on your environment.
Q2: We are working on Shibboleth setup on the web server. The MRG outlines how you can configure the location of the signing and encryption certificates in the registry of the servers where IdentP is installed. Is this required? Do we need to install the Shibboleth certificates on the app servers for this to work?
- It turns out that Identity Provider takes the place of Service Provider installation that we originally attempted. No SSL certificate needs to be installed in IIS (since we are using SSL offloading), but the IdentityProvider Web.config should reference a certificate with KeyUsage requirements of Digital Signature and Key Encipherment. This certificate is used to decrypt assertions received from the 3rd party Identity Provider.
Other gotchas:
- I was having trouble generating Metadata, and I found I wasn't using the correct url. It should be in the format of https://[server location or vip]/tenant/population/provider/metadata. The part I was missing was provider. Please see the Authentication MRG for details on how this url is formatted. The tenant, population, and provider are named in the IdentityProvider Web.config file.
Let me know if you have any questions!
Thanks,
kellyg
Edit: Fixed a couple of typing errors.
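The answer above says the certificate referenced by the IdentityProvider Web.config must carry the Digital Signature and Key Encipherment KeyUsage bits. The script below is an added example, not code from the thread or from Hyland, showing how to verify that on a PEM file with a plain openssl call before wiring the certificate into the Web.config. It assumes `openssl` is on the PATH; the two throwaway self-signed certificates it generates (one with the right bits, one missing Key Encipherment) are constructed purely to exercise the check.

```shell
#!/bin/sh
# Added example: verify a PEM certificate has the KeyUsage bits the answer above
# says Identity Provider needs (Digital Signature + Key Encipherment).
# Assumes an openssl binary is available; certificate names are constructed.
set -e

# Print the human-readable Key Usage line of a certificate,
# e.g. "Digital Signature, Key Encipherment" (empty if no KeyUsage extension).
key_usage_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Key Usage/ { getline; sub(/^[[:space:]]+/, ""); print; exit }'
}

# Return 0 if the certificate has both required bits, 1 otherwise.
has_required_key_usage() {
    ku=$(key_usage_of "$1")
    case "$ku" in *"Digital Signature"*) ;; *) return 1 ;; esac
    case "$ku" in *"Key Encipherment"*) return 0 ;; *) return 1 ;; esac
}

# Generate a throwaway self-signed certificate with a chosen keyUsage value.
# Uses a config file rather than -addext so it works on older openssl releases.
make_test_cert() {
    name=$1; keyusage=$2; out=$3
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $name
[v3]
keyUsage = critical, $keyusage
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$out.cnf" \
        -keyout "$out.key" -out "$out.pem" >/dev/null 2>&1
}

# Constructed test material in a temp directory, removed when the script exits.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert idp-good.example "digitalSignature, keyEncipherment" "$WORK/good"
make_test_cert idp-bad.example  "digitalSignature"                  "$WORK/bad"

for c in good bad; do
    if has_required_key_usage "$WORK/$c.pem"; then
        echo "$c.pem: OK ($(key_usage_of "$WORK/$c.pem"))"
    else
        echo "$c.pem: missing required KeyUsage bits ($(key_usage_of "$WORK/$c.pem"))"
    fi
done
```

To check a real certificate, drop the test-material section and call `has_required_key_usage /path/to/cert.pem`; the function reads only the public certificate, so it can be run against the exported .cer without touching the private key.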