
single sign on to customer portal using SAML not working


Guest Adrian Hodgson

We have configured our customer portal single sign on correctly according to discussions with Bob Dickinson but when we attempt sign on using a test client user we get an ADFS related error message.

We have configured a guest realm ORC UK accesspoint customer self service with relevant entity ids and X509 certificates. 

It has been suggested by Bob that we post screenshots of our configuration on this forum (Hornbill SSO config and ADFS config), but this would contain sensitive ORC information that is visible to other client users, so I am not prepared to do that.

I can provide screenshots direct to Hornbill support team members that reach out to me but not to the wider forum that includes other clients.

We have carried out a logged session at ORC where IT viewed the logs whilst a login was going on, but this generated no error messages in our ADFS log.

We need IT expertise at ORC and Hornbill to get together in a meeting to help us resolve what is going on.

We can log in correctly to the Hornbill customer portal using the test user when the single sign on is not enabled.

When we configured our LDAP attributes we only set the h_email attribute.

This is the error message we were getting. I am stuck because I think we need some SAML and configuration expertise from both sides to get together to help us resolve this.

Regards

Adrian 


Hi Adrian,

Thanks for your post.

Can I first ask you to confirm that you have set the Realm of the SSO profile to "guest" as shown in the image?

I'm unable to see the error message in your original post. Please could you provide that again, along with a screenshot of your ADFS claim rules for this particular trust?

Thanks
Dan

Customer Portal SSO Profile.PNG


  • 4 weeks later...
Guest Adrian Hodgson

Sorry for the delay. I have been on holiday for a couple of weeks.

The realm has been correctly set to Guest for the customer self service portal.

However, I have established that the customer portal is trying to validate against the internal staff ADFS table rather than the customer ADFS table we hold, which it should not be doing, so something is not correct with the configuration. Please advise what checks you suggest for this, as we believe the customer configuration has been set up so that it refers to the customer ADFS table.

Adrian

Guest Adrian Hodgson

For access to our client guest self service portal we use an ADFS table like this adfs.orcsecure.co.uk, and we have configured the single sign on for the SAML access to use this. However, when trying to connect as a test client (from outside our company network) we are getting an error message that refers to the staff ADFS table. This shouldn't be happening when we are trying to connect to the client ADFS table. The error message says "Hmm, we can't reach this page" https://adfs.orcinternational.com.

It should NOT be trying to reach this page when accessing the client self service portal, as this is the link for the staff self service portal.

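Added example, not part of the original post or Hornbill's code: one way to check the symptom described above is to capture the first redirect the customer portal issues and decode its SAML AuthnRequest (HTTP-Redirect binding) to see which IdP host it targets. The two ADFS host names come from the post; the `/adfs/ls/` path, the `sp.example.invalid` URLs and the sample request are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_request(value):
    """HTTP-Redirect binding: base64, then raw DEFLATE (no zlib header)."""
    # Intended for redirects captured from your own browser session.
    return ET.fromstring(zlib.decompress(base64.b64decode(value), -15))


def inspect_redirect(url, expected_idp_host):
    """Report which IdP a captured SP-initiated redirect is aimed at."""
    parts = urlsplit(url)
    root = decode_saml_request(parse_qs(parts.query)["SAMLRequest"][0])
    dest_host = urlsplit(root.get("Destination", "")).hostname
    return {
        "redirect_host": parts.hostname,          # where the browser is sent
        "destination_host": dest_host,            # where the SP says it is sending
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "redirect_ok": parts.hostname == expected_idp_host,
        "destination_ok": dest_host == expected_idp_host,
    }


def build_sample_redirect(idp_url):
    """Constructed sample only: a minimal, unsigned AuthnRequest."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
        f'Destination="{idp_url}" '
        f'AssertionConsumerServiceURL="https://sp.example.invalid/acs">'
        f'<saml:Issuer>https://sp.example.invalid/metadata</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    ).encode()
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{idp_url}?{query}"


if __name__ == "__main__":
    # Constructed capture that reproduces the reported symptom.
    captured = build_sample_redirect("https://adfs.orcinternational.com/adfs/ls/")
    print(inspect_redirect(captured, "adfs.orcsecure.co.uk"))
```

If the portal's first redirect already names the staff host, the service provider selected the staff IdP for the guest realm; if it names the customer host, the hop to the staff host happens later, on the ADFS side.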

Guest Adrian Hodgson

Hi Victor

We are trying to test the customer portal so we can roll this out to external clients.

We know the difference between the URLs for the two portals.

The staff portal is service.hornbill.com - single sign on is working fine for that one.

The customer portal is https://customer.hornbill.com/orcinternational/

We understand the difference between the two - we assume both can be used in parallel because the application allows you to configure both - the customer one appears to be trying to validate against the wrong ADFS database even though we think we have configured it correctly - the most effective way to deal with this is not via this forum but in a shared call - we are happy to use a paid session for this to quickly get to the bottom of what is going wrong.

Adrian

@Adrian Hodgson I am not entirely sure if it is something that is not correctly configured (on your side or in Hornbill), so a shared call or paid session would not help... As you are subscribed to a support plan, I will log an incident on your behalf. I will then advise our colleagues from the dev team who implemented the SAML protocol of the issues you are facing, to see if maybe Hornbill is not redirecting to the correct IdP when using the guest realm...


Guest Adrian Hodgson

Thanks Victor - this has been dragging on for months and I need Hornbill help to resolve why it is not working as it is supposed to.
