Content Management and Capture

  • 1.  Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Wed October 06, 2021 08:43 AM
    Hello, we have configuration questions when using an on-premises FileNet API client application to connect with CP4BAS.

    If SAML is enabled to provide SSO with CP4BAS web based apps, how should a CEWS based FileNet API client application connect to CP4BAS?

    - Can the CEWS URI be excluded for SSO in CP4BAS and then use a CP4BAS service account for basic authentication as noted here?

    Content Platform Engine Java and .NET APIs

    - What role is required for the CP4BAS service account to access/use the CEWS endpoint?  Should we assume the Content Platform Engine Administrator role?

     User roles

    Are there other CP4BAS connect options for an on-premises CEWS FileNet Client App?  We see OAuth2 but assume that is only for REST API based apps.

    Thank You,

    Brian







    ------------------------------
    Brian D
    ------------------------------


  • 2.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Thu October 07, 2021 09:00 AM
    Hi Brian -

    For an on-prem custom app to connect to the CPE WSI endpoint in CP4BAaaS, you are correct that the SaaS service credential needs to be used via Basic Auth. The CP4BAaaS KC link you reference is the right section containing the info. Re: what role should be assigned to the service credential, it would depend on what your custom app does - if it needs the ability to access all docs, then the CPE Administrator role should be used. Otherwise, you do not need to assign any role.

    Basic Auth via the SaaS service credential is the only supported way for an on-prem custom app to talk to the CPE WSI endpoint in SaaS. OAuth is not supported.

    ------------------------------
    Jialei Jin
    ------------------------------



  • 3.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Thu October 07, 2021 12:54 PM
    Jialei - Thank you for the information.  One remaining question - If the customer is using SAML to provide SSO with their CP4BAS web-based apps (ICN), how should a CEWS-based FileNet API client application connect to CP4BAS using basic authentication?

    Thanks,

    Brian


    ------------------------------
    Brian D
    ------------------------------



  • 4.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Fri October 08, 2021 12:21 AM
    Hi Brian - It's not exclusive. You would always use Basic Auth for a custom on-prem app to connect to CPE in SaaS - regardless of whether SAML SSO is configured for web-based ACCE or ICN.

    ------------------------------
    Charlie Jin
    ------------------------------



  • 5.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Fri October 08, 2021 10:52 AM
    Charlie - Ok, then when using a service account with CP4BAS SaaS there is no SAML authentication flow?  Confirming because the custom on-prem app will connect using the CEWS endpoint HTTPS URL.  Yes, we see HTTPS URLs using SAML authentication flow for ICN and ACCE.

    Thank You,

    Brian

    ------------------------------
    Brian D
    ------------------------------



  • 6.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Fri October 08, 2021 02:16 PM
    I'm not really familiar with the CP4BAS SaaS configuration, but in general the CPE CEWS endpoint does support OAuth/OIDC authentication as described in https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=security-v554-later-using-sso-token-propagation.  Perhaps the CPE deployed in CP4BAS is not configured for OAuth/OIDC support by default.  But the capability is there.

    SAML is not supported with CEWS.  So if you are using a service account with basic auth credentials, it is not using the SAML authentication flow.

    ------------------------------
    ROGER Bacalzo
    ------------------------------



  • 7.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Fri October 08, 2021 04:49 PM
    Thanks Roger

    ------------------------------
    Brian D
    ------------------------------



  • 8.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Fri October 08, 2021 05:21 PM
    Brian - We do not support OAuth for the CPE WSI endpoint in CP4BAaaS. You can have SAML SSO configured for web apps in CP4BAaaS - and at the same time, you can also use the service credential to connect to WSI in CP4BAaaS via Basic Auth. They can co-exist without any problems.

    ------------------------------
    Charlie Jin
    ------------------------------



  • 9.  RE: Authenticating with CP4BAS from on-premises FileNet API client applications

    Posted Mon October 11, 2021 01:51 PM
    Charlie - Thank you for the confirmation.

    ------------------------------
    Brian D
    ------------------------------