Utilizing Idp and IAM to set up APIServer

Nathaniel_Call1
Confirmed Champ

Hi Everyone!

Tagging a few who may know these answers: @Adam Shane 

I am trying to figure out if I am interpreting the Hyland Identity and Access Management piece correctly to move forward with potentially partially upgrading an environment to utilize the Hyland REST API.

Here are some questions that I have:

  1. Is the Hyland Identity and Access Management a replacement for other authentication types to OnBase? What I mean by this is:
     a. Do we move to utilizing IdP as a big bang, or can we gradually move things over to using IdP?

  2. We have the Unity Integration Toolkit, so I'm trying to make sure we don't have to purchase an additional function to utilize anything. It states in the Identity and Access Management Services MRG that, "The Hyland IdP server is configured using the Hyland IdP Administration client. If the Hyland IdP server is being used to authenticate users in OnBase, the Hyland SCIM server is also required. An IdP environment can also be configured to use a third-party authentication provider, allowing for federated sign-ons."
     a. Does this mean we can use integrated OnBase Authentication today like we do with the AD Enhanced option without using a federated service? In other words, are we required to utilize a third-party provider?

  3. Does moving to IdP hinder functionality with using Distributed Disk Services?
1 ACCEPTED ANSWER

AdamShaneHyland
Employee

Hi Nate.

To answer your questions ...

Is the Hyland Identity and Access management a replacement for other authentication types to OnBase? What I mean by this is: Do we move to utilizing IdP as a big bang or can we gradually move things over to using IdP?

Hyland IAM is the set of tools used for authentication built into our modernized products.

While almost all of the existing clients can utilize the Hyland Identity Provider, not all of them require it.  Going forward, any of the new products will require it (Quick Access Viewer, WorkView Client, etc).  To further answer your question, the use of the Hyland IdP depends on the clients and the authentication provider you are using.  For OnBase Authentication (an OnBase username and password), you can roll it out gradually if you are not using one of the modernized clients which require it.  If you are using a federated provider (SAML), then it might be required to roll it out sooner.

We have the Unity Integration Toolkit so I'm trying to make sure we don't have to purchase an additional function to utilize anything. It states in the Identity and Access Management Services MRG that, "The Hyland IdP server is configured using the Hyland IdP Administration client. If the Hyland IdP server is being used to authenticate users in OnBase, the Hyland SCIM server is also required. An IdP environment can also be configured to use a third-party authentication provider, allowing for federated sign-ons." 

Does this mean we can use integrated OnBase Authentication today like we do with the AD Enhanced option without using a federated service? In other words, are we required to utilize a third party provider?

First off, the Unity Integration Toolkit doesn't require the Hyland IdP; however, the REST API does.  For the Unity API, you would continue to utilize the authentication methods you are using and point your API to the Application Server.  For the REST API, you would utilize the Hyland IdP for authentication and point the API at the ApiServer.

The Hyland SCIM service is a feature built into the ApiServer (OnBase Foundation EP2 and higher; in Foundation EP1 it was a separate installer).  There are no other licenses or installers required for this feature.  The SCIM service allows OnBase to utilize the Hyland Identity Provider, since the Hyland Identity Provider is product agnostic.  For standard OnBase Authentication (OnBase username and password) you are not required to use federated authentication OR a third-party provider (SAML).  However, authentication like the Active Directory - Enhanced feature is ONLY supported through federated authentication through the Hyland Identity Provider.  Here is a link to a blog post which discusses this (https://community.hyland.com/blog/posts/69720-the-hyland-identity-provider-idp-is-release-for-onbase...).

Does moving to Idp hinder functionality with using Distributed Disk Services?

The Hyland Identity Provider doesn't currently have any cross functionality with Distributed Disk Services (DDS).

Best wishes.

Nathaniel_Call1
Confirmed Champ

However, authentication like the Active Directory - Enhanced feature is ONLY supported through federated authentication through the Hyland Identity Provider.

So, AD Enhanced is only supported if utilizing ADFS, SAML2, or CAS? Is this what that is technically saying?

So the quote below is from the https://community.hyland.com/blog/posts/69720-the-hyland-identity-provider-idp-is-release-for-onbase... link, but it says we're not required to migrate to IdP in EP1. Can you confirm that's the same for EP3, at least for those parts that aren't new 

Meaning there is no need to migrate to the Hyland IdP for authentication support with OnBase Foundation EP1.  Future releases may require the use of the Hyland IdP, but as of the initial release it is not required.  The one change with the OnBase Foundation release specific to the native Active Directory integration is that the Active Directory – Basic security method has been deprecated and customers will have to migrate to Active Directory – Enhanced (Blog Post on Community).

I think what I'm most confused about is how this is all working. I am looking to make sure that if we try to start incorporating the Hyland REST API within an EP3 environment, older applications will continue to authenticate the way they are configured to today (at least in this moment).

It's a little confusing whether that is the case or not. What we don't want to have to do at this moment in time, while currently utilizing AD Enhanced, is forcefully switch to IdP (for the Unity Client, etc.). We want to make sure that will all continue to work, at least for now.

AdamShaneHyland
Employee

Hi Nate.

So, AD Enhanced is only supported if utilizing ADFS, SAML2, or CAS? Is this what that is technically saying?

Active Directory - Enhanced is a different feature/technology.  Active Directory - Enhanced is a feature of the software which can be used when performing direct authentication against Active Directory.  This feature is supported with the OnBase Identity Provider (OnBase 17/18); however, it is not supported with the Hyland Identity Provider (as noted in the Blog post I referenced - link).

AD FS, SAML2 and CAS are technologies where OnBase is used to authenticate against a third party authentication provider.  These authentication providers require the OnBase (17/18) or Hyland Identity Provider (EP1 or higher) in order to authenticate users. [NOTE: The caveat here is the use of the Legacy Single Sign On integration which did support AD FS, SAML2 and CAS, but in general was limited in client support. ]

What we don't want to have to do at this moment in time, while currently utilizing AD Enhanced, is forcefully switch to IdP (for the Unity Client, etc.). We want to make sure that will all continue to work, at least for now.

Active Directory - Enhanced is a feature which supports direct authentication against Active Directory, meaning OnBase doesn't direct authentication through the Identity Provider.  If you are using Active Directory - Enhanced, either the OnBase Thick Client is communicating directly against Active Directory OR the Application Server is communicating directly against Active Directory.  This feature has no sunset date as of the writing of this post.  This means that you can continue to use it going forward.

With the Identity Provider, when implemented, the configured clients (OnBase Thick Client, Unity Client, Web Client, REST API, etc.) are directed to the Identity Provider for authentication against a third-party identity provider (AD FS, SAML, CAS, etc.).  This is the go-forward authentication solution which will be used for all existing and new clients.

It is possible to have both Active Directory - Enhanced and the Hyland (or OnBase) Identity Providers configured within the same environments.  The major part of this decision is whether the client you are using supports direct authentication (i.e. Active Directory - Enhanced).  The REST API doesn't support direct authentication and therefore MUST use the Hyland Identity Provider.  This is the same with the other modernized clients (Quick Access Viewer, WorkView Client, etc.).  However, the existing clients currently (as of EP4 and without any set date) support both (OnBase Thick Client, Unity Client, Web Client, etc.) Active Directory - Enhanced and the Hyland (or OnBase) Identity Providers.

Hope this clarifies your questions.

Nathaniel_Call1
Confirmed Champ

Thanks @Adam Shane ! This does help a little bit. One other thing that isn't immediately clear for us is if we have to purchase the ADFS license from Hyland to utilize ADFS in IdP, or if it allows OnBase username/password authentication.
