Token based authentication using the Hyland IdP

Ryan_Wakefield
World-Class Innovator

I don't know if this is a stupid question or not, but is there a way that a random token can be generated that we can configure to have an expiration date after X hours, to then be used for authentication when an end user clicks a link to access, say, a FormPop link? What I am hoping to do is to not rely on the hard-coded credentials in the web.config file for the FormPop link, but to leverage token-based authentication (without the need for a username/password to be input). This way, when the end user clicks the link for the FormPop, it will authenticate the user with a token that was randomly generated with a specific expiration time, and that token is used to authenticate and allow the user to access the Form. The end users I am intending to use this authentication method with will be non-AD, not even employees, but patients of the hospital.

 

Can the above be performed? If so, could I get some guidance on maybe how to configure and set this up? This will be utilizing the Hyland IdP 3.0.0+ and an EP3 back end (soon to be EP5 in a month or so). I do apologize; my ignorance is showing in how all of this works.

 

Thanks.

1 ACCEPTED ANSWER

AdamShaneHyland
Employee

Hi @Ryan Wakefield,

 

The Hyland IDP works on a technology called OAuth2. Part of OAuth2 is generating a token called the Access Token, which is used as part of a process where the Access Token is exchanged with a server (in OAuth2 terms, the Resource Server) for access to resources. The Access Token is a randomly generated token and is already in use as part of the process.

 

The Access Token is only generated upon the user successfully authenticating against the Authorization Server (in OAuth2 terms), or in your case AD. The authentication must take place, but can happen against other authentication services.

 

The question you must answer is: how is the user getting authenticated? If you can figure that out, then you are set. All you would need to do is configure a Provider in the Hyland IDP for the user to authenticate.

 

Best wishes.


7 REPLIES


Hello @Adam Shane,

 

Thank you for that explanation. I knew about the piece about how a token is exchanged with the proper authentication.

 

The problem I am running into is I need to find a way to automatically authenticate a user with a default user account. In other words, I need to see if there is a way to pass the internal OnBase username/password through the URL to the Hyland IdP for automatic authentication and sign-in. My hope is to find a way to not have the end user manually type a username/password into the IdP login/authentication page. Do you know if this can be done in any way?

 

Thanks.

Hi @Ryan Wakefield,

 

What you are looking to accomplish is to use the Password Grant Type with the OnBase Web Client. Typically, the Password Grant Type is only used with backend services. The OnBase Web Client uses the Authorization Code Grant Type and does not support the use of the Password Grant Type. Therefore, what you are looking to accomplish is not supported with the OnBase Web Client configured with the Hyland IDP.

 

You can pass the username and password as a parameter in a DocPop URL.  Not sure if this is possible with FormPop.

 

https://support.hyland.com/r/OnBase/DocPop/English/Foundation-22.1/DocPop/Configuration/Security-Con...

 

Best wishes.
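The two replies above turn on three OAuth2 facts: an access token is minted only after the user authenticates, it is a random value with an expiry, and a browser-facing client gets the Authorization Code grant while the Password grant is reserved for backend services. The following is an added example to make that concrete; it is a toy in-memory authorization server written for this page, not the Hyland IdP, the OnBase Web Client, or any Hyland API. The user store, the two registered clients (`web-client` and `backend-svc`), the client secret and the redirect URI are constructed sample data.

```python
"""Toy OAuth2 authorization server (added example, not Hyland's IdP).
Shows: a token exists only after authentication; it is random and expires;
a public browser client may only use the authorization code grant, while the
password grant is limited to a confidential backend client. All users, clients
and secrets are constructed sample data."""
import hashlib
import hmac
import secrets
import time

USERS = {"patient01": hashlib.sha256(b"correct horse").hexdigest()}
CLIENTS = {
    # Browser-facing client: authorization code grant only, like the web client.
    "web-client": {"grants": {"authorization_code"},
                   "redirect_uri": "https://forms.example/cb"},
    # Confidential backend service: the only kind allowed the password grant.
    "backend-svc": {"grants": {"password"}, "secret": "s3cret"},
}
ACCESS_TOKEN_TTL = 3600  # seconds the access token stays valid
CODE_TTL = 60            # seconds an authorization code stays valid


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}   # code -> (client_id, redirect_uri, username, expires_at)
        self.tokens = {}  # access_token -> (username, client_id, expires_at)

    def _check_password(self, username, password):
        stored = USERS.get(username)
        given = hashlib.sha256((password or "").encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, given)

    def authorize(self, client_id, redirect_uri, username, password):
        """Front channel: the user logs in at the IdP; success yields a short-lived,
        single-use code that is redirected back to the client."""
        client = CLIENTS.get(client_id)
        if client is None or "authorization_code" not in client["grants"]:
            return {"error": "unauthorized_client"}
        if redirect_uri != client["redirect_uri"]:
            return {"error": "invalid_request"}   # exact-match redirect URI
        if not self._check_password(username, password):
            return {"error": "access_denied"}     # no authentication, no code
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, username, self.clock() + CODE_TTL)
        return {"code": code}

    def token(self, grant_type, client_id, **p):
        """Back channel: the token endpoint. A client may only use its own grants."""
        client = CLIENTS.get(client_id)
        if client is None or grant_type not in client["grants"]:
            return {"error": "unauthorized_client"}
        if grant_type == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)   # pop: single use
            if entry is None:
                return {"error": "invalid_grant"}
            c_id, r_uri, username, exp = entry
            if c_id != client_id or r_uri != p.get("redirect_uri") or self.clock() > exp:
                return {"error": "invalid_grant"}
        else:  # password grant; only confidential clients reach this branch
            if not hmac.compare_digest(client["secret"], p.get("client_secret", "")):
                return {"error": "invalid_client"}
            username = p.get("username")
            if not self._check_password(username, p.get("password")):
                return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)   # opaque random token, as the reply describes
        self.tokens[tok] = (username, client_id, self.clock() + ACCESS_TOKEN_TTL)
        return {"access_token": tok, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL}

    def introspect(self, tok):
        """What the resource server (e.g. a form endpoint) checks before serving."""
        entry = self.tokens.get(tok)
        if entry is None or self.clock() > entry[2]:
            return {"active": False}
        return {"active": True, "username": entry[0], "client_id": entry[1]}


def demo(start=1_700_000_000.0):
    """Walk through both grants with a controllable clock; returns the outcomes."""
    now = [start]
    srv = AuthServer(clock=lambda: now[0])
    cb = CLIENTS["web-client"]["redirect_uri"]
    auth = srv.authorize("web-client", cb, "patient01", "correct horse")
    tok = srv.token("authorization_code", "web-client", code=auth["code"], redirect_uri=cb)
    out = {"live": srv.introspect(tok["access_token"])}
    out["code_reuse"] = srv.token("authorization_code", "web-client",
                                  code=auth["code"], redirect_uri=cb)
    now[0] += ACCESS_TOKEN_TTL + 1          # wait past expiry
    out["expired"] = srv.introspect(tok["access_token"])
    out["pw_web"] = srv.token("password", "web-client",
                              username="patient01", password="correct horse")
    out["pw_svc"] = srv.token("password", "backend-svc", client_secret="s3cret",
                              username="patient01", password="correct horse")
    out["denied"] = srv.authorize("web-client", cb, "patient01", "wrong")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the shape of the thread's answer: the web client only ever gets a token by sending the user through `authorize()` (a wrong password yields `access_denied` and no code), a code cannot be replayed, the token stops introspecting as active once its lifetime passes, and a `password` request from `web-client` is refused as `unauthorized_client` while the same request from the confidential `backend-svc` succeeds.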

 

 

Thank you @Adam Shane, this is all very good to know. I was aware that you could pass the username/password, but obviously you have to be careful doing so. I think the only thing I have left to figure out how to tackle is the encryption of that information in the URL. I know that with the Epic Integration you can do something like login.aspx?arg={Encrypted String}, but I don't know if this is able to be done with a DocPop URL or not. Is there any good documentation, support.hyland.com pages, University Learning courses, or anything that could help me work through this and configure it?

 

Thanks again, Adam. This has been a very, very helpful post; the responses you have given have allowed me to understand all of this better, as well as the current limitations of the Web Server and using the Hyland IdP for authenticating with a username/password passed in the URL.

 

For those of you that would like, I have created a brand new Idea here for the Web Server to support the Grant Type of "Password". This way we can start to put things like any of the Pop URLs, Unity Form URLs, etc. behind the Hyland IdP, thus making things all that much more secure and controlled.
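The opening post asks for a randomly generated, expiring token carried in the link instead of credentials, and the last reply worries about how to protect whatever is placed in the URL. The pattern the question describes is a signed link token, and the following is an added example of it, written for this page; it is not Hyland code, and the thread does not say FormPop or DocPop accepts such a token, so the receiving endpoint (`https://forms.example/formpop`) and the form id `F123` are hypothetical. The point it makes is that nothing in the URL needs to be encrypted at all: the URL carries only a signed statement of form, subject and expiry, the signing key never leaves the server, and any username/password stays server-side.

```python
"""Signed, expiring link token (added example, not Hyland code).
The link carries no credentials: only an HMAC-signed (form, subject, expiry,
token id) triple. The endpoint verifies the signature in constant time, then the
expiry, then optionally single use, before doing anything on the user's behalf.
The endpoint URL, form id and signing key below are constructed for the example."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = secrets.token_bytes(32)   # constructed; in practice, loaded from a secret store


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(form_id, subject, ttl_seconds, key=SECRET, now=None):
    """Server side: sign what the link is allowed to do and until when."""
    issued = time.time() if now is None else now
    payload = {"form": form_id, "sub": subject, "exp": int(issued + ttl_seconds),
               "jti": secrets.token_urlsafe(16)}      # random id for single use
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token, key=SECRET, now=None, used=None):
    """Endpoint side: returns the payload, or None if anything is off."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):   # constant-time check, before parsing
        return None
    payload = json.loads(_unb64(body))
    current = time.time() if now is None else now
    if current >= payload["exp"]:                # expired tokens are rejected
        return None
    if used is not None:                         # optional single-use enforcement
        if payload["jti"] in used:
            return None
        used.add(payload["jti"])
    return payload


def build_link(base_url, form_id, subject, ttl_seconds, now=None):
    """The URL sent to the patient: the token is the only parameter."""
    return base_url + "?" + urlencode({"token": mint(form_id, subject, ttl_seconds, now=now)})


def check_link(url, now=None, used=None):
    """What the hypothetical endpoint does on every click; exactly one token expected."""
    tokens = parse_qs(urlparse(url).query).get("token", [])
    return verify(tokens[0], now=now, used=used) if len(tokens) == 1 else None


if __name__ == "__main__":
    link = build_link("https://forms.example/formpop", "F123", "patient01", 4 * 3600)
    print(link)
    print(check_link(link))
```

`check_link` returns the signed payload only for an untampered link inside its window; appending or altering a character fails the HMAC check, a link past `exp` is refused, and passing a shared `used` set makes each link good for a single click. Note what this buys and what it does not: the endpoint still has to act on the verified `sub` and `form` itself (for example, by creating the session for a fixed internal account after verification), which is the piece the replies above say the OnBase Web Client does not expose through the Hyland IdP.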