PSG Posted June 10, 2017
From this morning we get an error (below) when trying to access our instance. We use ADFS authentication, however nothing has changed from 'our side'. Everything was okay yesterday. We updated to the current version of Service Manager (979) yesterday. The instance is available as I can log in with the admin account. Please can someone look at this ASAP as we need the service live for Monday morning. I contacted the cloud support number who suggested raising it on here.
Regards, Jamie
James Ainsworth Posted June 10, 2017
There are some posts within the forums about expired certificates. Here is one. I will have a look at what else I can find.
PSG (Author) Posted June 10, 2017
Thanks @James Ainsworth, it looks like our signing and decrypting certs were renewed on the 4th June. It appears coincidental that after exactly 5 days it's stopped working. Do we have to update anything in Hornbill if either of those certs change?
Gerry Posted June 10, 2017
@PSG Jamie, I would hope that the actual error message we display was self-explanatory. If you can make any suggestion as to how we could improve this message further, I would appreciate that.
ADFS can be (and often is, because it's the default option) configured to auto-renew certificates annually. It will regenerate them and the previous ones will expire. As a general rule there will be a grace period set where both the new and old certificates are valid; it sounds like in your case that is 5 days. From your above comments you knew about the certs being updated, but I guess you were not aware that you would need to update Hornbill with your certs. All you need to do is go into your SSO Profile (Admin Home -> System -> Security -> SSO Profiles) and update the affected SSO Profile with the refreshed certificate and you're all set.
Here are a couple of useful links.
https://wiki.hornbill.com/index.php/Single_Sign_On_with_SAML_2.0
https://wiki.hornbill.com/index.php/SSO_Example_Config_Microsoft_ADFS_2.0_for_User_Accounts
You should also speak with your security/ADFS team. They can always set the certificates on your ADFS server not to expire, or to auto-renew less frequently, which is another option. It's hard to be specific because each company has different views and policies, and of course different systems; ADFS is one of many identity providers we support for SAML 2.0. If your certs are going to renew, I would strongly suggest changing your process so that when you are notified of such changes you have a task set to update the SSO Profile in Hornbill during the grace window set on your ADFS deployment.
Gerry
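An added example, not part of the original thread and not Hornbill's or Microsoft's code: a check that compares the signing certificates listed in an IdP's SAML federation metadata with the one held in the service provider's SSO profile, so the grace window described above is noticed before the old certificate is withdrawn. The function names, the sample metadata and the assumption that the profile pins a single certificate by SHA-256 fingerprint are all constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for base64 DER certificates (not real certificates).
OLD_CERT = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-signing-cert").decode()

# Constructed metadata as an IdP publishes it during a rollover grace window:
# both the incoming and the outgoing signing certificate are listed.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://adfs.example.test/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(cert_b64):
    """SHA-256 of the decoded certificate bytes; tolerates wrapped base64."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def signing_fingerprints(metadata_xml):
    """Fingerprints of every IdP signing certificate listed in the metadata."""
    found = set()
    root = ET.fromstring(metadata_xml)
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            found.add(fingerprint(cert.text or ""))
    return found

def rollover_status(metadata_xml, pinned_fp):
    """Compare the certificate held in the SSO profile with what the IdP publishes."""
    published = signing_fingerprints(metadata_xml)
    if pinned_fp not in published:
        return "BROKEN"   # the profile's certificate is no longer published
    if published - {pinned_fp}:
        return "ACTION"   # another signing cert is published: update the profile
    return "OK"
```

Run on a schedule against metadata fetched over HTTPS from your own ADFS server, an "ACTION" result is the cue to update the SSO profile while both certificates are still valid.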
PSG (Author) Posted June 10, 2017
Hi @Gerry, thanks for the update - the relevant team have applied the valid key and all is working again. Thanks again for your quick responses and help.
Regards, Jamie