Specifying an IdP Provider to avoid the prompt upon login

Steven_Zeltner3
Confirmed Champ

Hello!  In Hyland IdP Server 2.11, is it possible to configure a client/consumer to point to a specific Auth Provider that is configured in the IdP?  The use case would be something like:

I have two Auth Providers wired into the IdP via SAML2 (both using Auth0 but in different Auth0 Tenants), I want one of them to use Auth Provider A and the other to use Auth Provider B.  I want to avoid having them click the provider button when they attempt to login.  The more specific use case would be for docpop links exposed via different Web Portals:

User A that belongs to Auth Provider A came in through Web Portal A to access Doc A

User B is authenticated via Auth Provider B and came in through a different Web App in the organization (Web Portal B).  They want to access Doc A through the same Docpop link/Web Server that is wired to the Hyland IdP

To put it another way:

To date, we've been successful passing the Auth Provider A context (from Web Portal A) through the IdP to the Docpop link and having it successfully authenticate and authorize access as the appropriate OnBase User as long as they're accessing the link from a browser that already logged in to Web Portal A.  The new wrinkle is adding a second provider (even if it is "Allow users to logon locally") prompts the user to choose a path.  Is there a way to avoid this?

We've prototyped a few workarounds (using token auth for Unity API to do the retrieval and presentation of the page data) but we are on EP4 and I feel like there were issues doing that with EP4 but I can't remember the specifics.  In any case, the docpop links are the preferred route.

Thanks!

1 ACCEPTED ANSWER

AdamShaneHyland
Employee

Hi @Ryan Wakefield,

I stand corrected.  Good find.  You can use the Identity Provider Restrictions to accomplish this.  The field requires the Id of provider(s) which the Client should be restricted to.

[Screenshot: Client configuration from the Admin UI]

[Screenshot: Provider Id from the idpconfig.json]

This would alleviate the need to configure multiple instances of the Hyland IDP as different Clients could be configured and limited to specific Providers.  The respective unique Client Ids generated within the Admin UI would then be used during configuration of the client applications in order to direct users to the respective Provider.

Best wishes.

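The thread above describes two pieces of client-side login behaviour: an empty "Identity Provider Restrictions" list means every external IdP is offered, and a client that ends up with exactly one usable provider (restricted to one IdP, local login disabled) is redirected to it without a chooser. The following Python model, added here as an illustration and not Hyland's code, shows that selection logic together with the sanity check an administrator would want: a restriction that names a provider id not present in the provider configuration is rejected up front rather than silently widening or blocking login. Provider ids, client ids and the `Provider`/`Client` shapes are constructed placeholders; the real idpconfig.json schema is not reproduced.

```python
"""Model of per-client identity-provider restrictions (added example, not
Hyland code). All ids below are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Provider:
    provider_id: str    # the id a client's restriction list refers to
    display_name: str


@dataclass
class Client:
    client_id: str
    allow_local_login: bool
    # Empty list means "no restriction": every external provider is offered.
    identity_provider_restrictions: list = field(default_factory=list)


@dataclass(frozen=True)
class LoginDecision:
    action: str      # "redirect" (no prompt) or "choose" (provider picker)
    options: tuple   # provider ids, plus "local" when local login is allowed


def validate_restrictions(client: Client, providers: list) -> None:
    """Reject restriction entries that name no configured provider.

    A typo in the restriction list would otherwise either fail open (treated
    like an empty list, all IdPs offered) or fail closed (nobody can log in),
    so it is caught at configuration time."""
    known = {p.provider_id for p in providers}
    unknown = [r for r in client.identity_provider_restrictions if r not in known]
    if unknown:
        raise ValueError(
            f"client {client.client_id!r} restricts to unknown provider(s): {unknown}")


def resolve_login(client: Client, providers: list) -> LoginDecision:
    """Decide whether a login on this client auto-redirects or shows a chooser."""
    validate_restrictions(client, providers)
    restricted = client.identity_provider_restrictions
    allowed = tuple(p.provider_id for p in providers
                    if not restricted or p.provider_id in restricted)
    options = allowed + (("local",) if client.allow_local_login else ())
    if not options:
        raise ValueError(f"client {client.client_id!r} has no way to log in")
    if len(options) == 1:
        # Single usable path: send the user straight there, no prompt.
        return LoginDecision("redirect", options)
    return LoginDecision("choose", options)


# Constructed sample configuration: two SAML providers, three clients.
PROVIDERS = [
    Provider("auth0-tenant-a", "Auth0 Tenant A"),
    Provider("auth0-tenant-b", "Auth0 Tenant B"),
]
PORTAL_A = Client("web-portal-a", allow_local_login=False,
                  identity_provider_restrictions=["auth0-tenant-a"])
PORTAL_B = Client("web-portal-b", allow_local_login=False,
                  identity_provider_restrictions=["auth0-tenant-b"])
ADMIN_CONSOLE = Client("admin-console", allow_local_login=True)  # unrestricted


if __name__ == "__main__":
    for c in (PORTAL_A, PORTAL_B, ADMIN_CONSOLE):
        d = resolve_login(c, PROVIDERS)
        print(f"{c.client_id}: {d.action} -> {d.options}")
```

Running the module prints one line per client: the two portal clients resolve to `redirect` with their single tenant, while the unrestricted client with local login enabled resolves to `choose` with all three options, which is the prompt the original poster wants to avoid for the docpop clients.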

7 REPLIES 7

Ryan_Wakefield
World-Class Innovator

I would very much so like to know this answer as well as it would really help me out too.

AdamShaneHyland
Employee

Hi @Steven Zeltner,

UPDATE: see my other answer as @Ryan Wakefield made a good find and the following is not accurate.

No, this is not currently possible.  There is no way to specify a particular provider for a client.  An enhancement request has been documented with Software Change CI-2957, but is specific to SAML providers.  Currently, as of the writing of this post, it is in the backlog.

While this is not possible, you could work around the lack of functionality by creating a Hyland IDP instance for each of the respective providers.  When there is only a single provider available within the Hyland IDP and the client is configured with the "Allow user to log in locally" option disabled (unchecked), when the client attempts to authenticate it will automatically redirect the user to the single provider.

I recommend an Ideas post for the feature and referencing Software Change CI-2957.

Best wishes.

@Adam Shane,

Are you sure it hasn't been added? According to the 2.11.0 MRG, there is a spot for configuration of a Client that is labeled "Identity Provider Restrictions" and the description for it is "The external IdPs that can be used with this client. Leave this value empty to allow all IdPs."

So theoretically, if you put in the specific provider you are wanting to use here, you could specify a provider per client configuration, correct? Or am I misunderstanding what this configuration value is actually for?

Thanks.
