Andy Admin

Has anyone used Okta with Hyland OnBase?

Hyland OnBase is, according to its doc, capable of IDP-initiated SAML2 authentication. But that's pretty much the only clear bit of the documentation.

Has anyone set up Okta for IDP-initiated SAML2 authentication to OnBase?

James Flores (Okta, Inc.)
Hi Andy,

If Hyland OnBase supports SAML 2.0, creating your own SAML application in Okta should be a breeze. Take a look at the Application Integration Wizard for more information. https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
Andy Admin

I'm not at all worried about the Okta side, I've set up other apps in my dev environment, including WebEx Messenger (Jabber).

But, based on how OnBase is documented (starting at page 32 of the OnBase 15 SSO configuration guide: https://drive.google.com/a/sjsu.edu/file/d/0B--WfedZUNdAWHZuZ0lvUmV5Um9qU3hLSm5PLVBIYWhuTjV3/view?usp=sharing (https://drive.google.com/a/sjsu.edu/file/d/0B--WfedZUNdAWHZuZ0lvUmV5Um9qU3hLSm5PLVBYWhuTjV3/view?usp=sharing) ) I'm really wondering if they're speaking a totally different language, or if they're just asking for information that's not included in the Okta SAML2 documentation.

I would love it if you could take a peek at their doc and tell me if I'm an idiot or if it actually is totally unhelpful.

Ryan Tapp (Admin)
Andy, any progress on your end?  I'm working with Hyland now for OnBase IDP-initiated auth and I'm running into the same issues of seeming to speak two different languages.  A dev from Hyland and I are actively trying to implement and I've asked for them to provide me an example of a working SAML response to compare with what I'm sending on my end.  Have you had any luck?
Ryan Tapp (Admin)
So to anyone else who may be trying to integrate OnBase, here is what we did to make this work as an Okta SAML app.  Hyland should be aware of this as well, and you may need a bit more trial and error, but this worked for us:

1. OnBase's SAML utility defaults SAMLTokenName to a value of "SAMLToken".  This value should be "SAMLResponse".
2. UsernameClaimType value is defaulted to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name".  We left this default and created an attribute statement of that name, with a name format of unspecified and a value that mapped to our uid used for Okta login (for us this was user.employeeNumber).  I think if I do it again, I would want this attribute statement name to be something more like an urn:oid or perhaps just an agreed upon name between Hyland and us, as Hyland can change the name to match with their utility/config file also.  I'm just not used to the terminology/definitions used by Hyland but it probably doesn't matter much.
3. We filled in Audience Restriction but found that by default the Hyland SP was set to ignore ("ValidationMode" value "Never") so the value wasn't doing anything.  We did have them turn it on, and both used an agreed upon value for it.  I even purposely changed this value during testing to see what would happen and it did fail if the values didn't agree, so the Hyland SP is honoring it.
4. We also had to change the value on the Hyland SP side to "True" for the key "Base64Encoded" since it defaults to "False".

Once we did this, Hyland OnBase started logging in correctly via SSO.  We were successful with logging in both new OnBase users and users already created previously.
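
Added example (not part of the original post, and not Okta or Hyland code): a small Python check that decodes a captured IdP-initiated POST body from a test login and reports where it disagrees with the four settings listed above. The function names, the audience URL, the user id and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default UsernameClaimType quoted in step 2 of the post.
USERNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

def check_post(body, expected_audience, claim=USERNAME_CLAIM):
    """Compare a captured IdP POST body with the four settings; return mismatches.
    Debugging aid only: it does not verify the XML signature."""
    form = parse_qs(body)
    if "SAMLResponse" not in form:                      # step 1: form field name
        return [f"no SAMLResponse field, got {sorted(form)}"]
    try:                                                # step 4: Base64Encoded
        root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0], validate=True))
    except (ValueError, ET.ParseError) as exc:
        return [f"SAMLResponse is not base64-encoded XML: {exc}"]
    problems = []
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:              # step 3: audience restriction
        problems.append(f"audience {audiences} != {expected_audience!r}")
    names = [v.text for attr in root.iterfind(".//saml:Attribute", NS)
             if attr.get("Name") == claim
             for v in attr.iterfind("saml:AttributeValue", NS)]
    if not any(names):                                  # step 2: username claim
        problems.append(f"no value for attribute {claim!r}")
    return problems

# Constructed sample response (unsigned, placeholder audience and user id).
AUDIENCE = "https://onbase.example.test/sp"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{USERNAME_CLAIM}"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue>100234</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def make_body(field="SAMLResponse", encode=True):
    """Build a form-encoded POST body around the constructed sample."""
    value = base64.b64encode(SAMPLE_XML.encode()).decode() if encode else SAMPLE_XML
    return urlencode({field: value})

if __name__ == "__main__":
    for label, body in [("as sent", make_body()), ("raw XML", make_body(encode=False))]:
        print(label, check_post(body, AUDIENCE) or "matches")
```

An empty list means the POST carries a base64 `SAMLResponse` field with the expected audience and username attribute; anything else names the setting to revisit on one side or the other.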
Nicholas Rodrigues
I am having trouble getting our OnBase SSO connection to work.  Could you let me know general URLs you used for "Single Sign-On URL" and "Entity ID"?

I was also a bit confused by step 2 above.  Are you saying you set "Attribute Statements" -> Name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", and then had Value = user.employeeNumber ?