Unable to access instance

[PSG]

From this morning we get an error (below) when trying to access our instance.

We use adfs authentication however nothing has changed from 'our side'.

Everything was okay yesterday.

We updated to the current version of Service Manager (979) yesterday.

The instance is available as i can login with the admin account.

Please can someone look at this ASAP as we need the service live for Monday morning.

I contacted the cloud support number who suggested raising it on here.

Regards,

Jamie

[James Ainsworth]

There are some posts within the forums about expired certificates.  Here is one.  I will have a look what else I can find.  

[PSG]

Thanks @James Ainsworth, it looks like our signing and decrypting certs were renewed on the 4th June. It appears coincidental that after exactly 5 days it's stopped working. Do we have to update anything in Hornbill if either of those certs change?"

[Gerry]

@PSG

Jamie,

I would hope that the actual error message we display was self-explanatory, if you can make any suggestion as to how we could improve this message further I would appreciate that. 

ADFS can (and often is because its the default option) be configured to auto renew certificates annually, it will re-generate them and the previous ones will expire, as a general rule there will be a grace period set where both the new and old certificates are valid, it sounds like in your case that is 5 days. From your above comments you knew about the certs being updated but I guess you were not aware that you would need to update Hornbill with your certs.

All you need do it go into your SSO Profile  (Admin Home -> System -> Security -> SSO Profiles) and update the affected SSO Profile with the refreshed certificate and your all set.  Here are a couple of useful links. 

https://wiki.hornbill.com/index.php/Single_Sign_On_with_SAML_2.0
https://wiki.hornbill.com/index.php/SSO_Example_Config_Microsoft_ADFS_2.0_for_User_Accounts

You should also speak with your security/ADFS team, they can always set the certificates on your ADFS server not to expire, or to auto renew less frequently which is another option.  Its hard to be specific because each company has different views and policies, and of course different systems, ADFS is one of many Identify providers we support for SAML 2.0.

If your certs are going to renew I would strongly suggest changing your process so when you are notified of such changes you have a task set to update the SSO Profile in Hornbill during the grace window set on you ADFS deployment

Gerry

[PSG]

HI @Gerry, thanks for the update - the relevant team have applied the valid key and all is working again.

Thanks again for your quick responses and help.

 

Regards,

Jamie