Jump to content

Multiple Domains for SSO

Dan Munns

By Dan Munns
in System Administration

 Share

Recommended Posts

Dan Munns Grand Master

Dan Munns

Posted
Posted

Hi all, 

Does anyone have any experience using multiple domains and SSO with Service Manager? 

We currently have 3 domains in our business, 1 group domain and 2 child company domains. Obviously as our AD structures are separate I will have to set up the LDAP import across all three domains.

However we are a little unsure as to how to configure our ADFS server to deal with the three domains.

As we are moving towards our Hornbill portal being the one stop shop for all things and I am currently in the process of adding HR, Finance, Procurement and in the future, Facilities on to the portal, users from multiple business units will need access to the portal to raise requests. I don't really want to go down the Citrix route (which is what I have had to do as a stop gap for the time being) as it is quite messy / slow / labour intensive.

We share a common intranet so the link to the portal is available to all but as we have not configured ADFS the SSO will not authenticate users from outside our group domain. 

Any help / guidance anyone can provide will be greatly appreciated.

Thanks

Dan  

Link to comment
Share on other sites
Gerry Grand Master

Gerry

Posted
Posted

Dan,

You can set up any number of SSO profiles on the Hornbill platform, so you could have one SSO profile per domain.  When a user browses the portal they would need to select which profile to use when logging in.  Thats quite messy though for your situation.  

What would be better would be for your AD admins to pick one domain to work with and then set up trust relationships to the other two domains, it should then be possible to use a single SSO profile for all users regardless of what domain/AD server they are on.  I have seen this done many times. 

Perhaps a more general question, but why do you have three separate domains/AD deployments? Is there any plan to unify them in the future?

Gerry

Link to comment
Share on other sites
Dan Munns Grand Master

Dan Munns

Posted
  • Author
Posted

@Gerry basically our group domain was set up way back when. We have since aquired businesses and although they are part of the group they also act as their own seperate businesses.

I doubt that we will look to totally unify them to be honest as the work involved would take every minute of every day for months.

I will have a look into the trust relationship setup and see what we can do.

Thanks

Dan

Link to comment
Share on other sites
  • 4 months later...
Stephen.whittle Community Regular

Stephen.whittle

Posted
Posted

This is a really interesting scenario and is much like my own. I manage the support teams across three hospitals that are working as a group with an eventual outcome being a merge to one legal entity in a year or so time. However much like you described the investment to move to on AD will be huge and investment may not be provided as we look towards other ways of working such as cloud authentication with O365. 

My query is though, we are looking to implement Service Manager across the group as one instance, one of the three hopsitals already use Service Manager and are using ADFS. Moving forward, when we move to a single new instance we would be using separate LDAP imports and using the organisation as a filter for staff on the portal for services etc. However using ADFS at present means that for all non-domain devices users cannot login to the portal because naturally ADFS fails. Is there a way of having a hybrid setup using some logic of "if the device authenticates on this IP range then use ADFS" or even a scenario where ADFS fails you are taken to the login screen instead of a HTTP Error 401 page. 

The ADFS feature works great for domain devices so I would be reluctant to disable it and force users to login on these device groups as it saves the clinicians time. However as a result we are restricting BYOD devices from logging calls on the portal "on the go" which is the model I want to be able to move to. 

Link to comment
Share on other sites
Dan Munns Grand Master

Dan Munns

Posted
  • Author
Posted

In what way would you see ADFS failing (strangely we had ADFS auto renew its cert over night which meant no one could log in this morning, oops) 

IIRC you can set an auto redirect on ADFS failure, so you could set it to the HBD (Hornbill back door) if it fails (this would required all users have set a password though) 

BYOD phones / tablets can be added per account, so mobile phones / tablets can be added via the Hornbill app which then uses a QR code to authenticate one time and can log on freely after that. Devices can be set with an expiry as well. 

If it was me I would leave ADFS authentication as is and give the HBD to a limited number of users (Team Leaders / VIPs) and advertise the Hornbill app to everyone else. VPN connectivity for mobile laptop users should be all they need. 

Link to comment
Share on other sites
Gerry Grand Master

Gerry

Posted
Posted

@Stephen.whittle

I just wanted to make sure you are aware that you can fully integrate multiple instances via iBridge.  In my experience individual groups that need to work as one often like some autonomy too, and our platform is quite good in supporting that kind of model.  I don't want to go into too much details here, but if you are coming along to our next Insights event one of the things I will be talking about is some awesome functionality that in essence will allow you to support a group of companies in a unique and very powerful way.   Really the point I am making is you should consider both options, single instance and multi-instance, both possible, both have their pro's and con's, the choice would be more based on the strategic direction of the hospitals.  Happy to talk through it with you

Gerry

  • Like 1
Link to comment
Share on other sites
Gerry Grand Master

Gerry

Posted
Posted

@Dan Munns

That certificate expiry is a real nuisance, we looks at some auto-renew functionality but oddly, most people that use exchange behind the firewall do not expose the meta data so while we could  notionally build an auto cert renew function by checking for new public certs at the trusted location, most customers could not use it because the ADFS meta data is not exposed. 

Customer don't seem to suffer this problem with O365 - not that I have seen anyway.

Gerry

Link to comment
Share on other sites
  • 2 years later...
Alberto M Proficient

Alberto M

Posted
Posted
On 11/7/2017 at 8:22 PM, Gerry said:

You can set up any number of SSO profiles on the Hornbill platform, so you could have one SSO profile per domain.  When a user browses the portal they would need to select which profile to use when logging in.  Thats quite messy though for your situation.  

What would be better would be for your AD admins to pick one domain to work with and then set up trust relationships to the other two domains, it should then be possible to use a single SSO profile for all users regardless of what domain/AD server they are on.  I have seen this done many times. 

Hi @Gerry,

We need to have users from a different domain and, while searching the forums, I found this. As with this solution we avoid the need to choose the SSO Profile when browsing, I believe it will be the better solution, but I need to check it with our infrastructure team if it's somethin we are willing to do.

I have, however, a couple of questions regarding our approach to this:
1 . will this solution works for both browsing live.hornbill.com/instance and service.hornbill.com/instance ?

2. having the SSO Profile created and running, is there a way - an URL - that we can provide to an external user so that person will login into hronbill with a input of user + password as defined in the accounts table?

Thanks and regards,

Alberto

Link to comment
Share on other sites
Martyn Houghton Grand Master

Martyn Houghton

Posted
Posted

@Alberto M

We operate two different SSO configurations, albeit to the same underlying source but using two different 2FA methods. So when logging in you get a prompt and the end user has the option to remember their choice, which will cause the initial screen not to appear.

image.png.6fcf29c501df3b9506b339245cac4764.png

Though their is a 'realm ' setting on the SSO and you can determine what meta data to import into the identity provider, i.e. admin, user, service and customer, the for mentioned realm only allows you to select user or guest. Therefore I not sure you could still authenticate to the service portal with Hornbill local authentication when SSO is enabled, as unlike the Admin tool there is no bypass URL option.

Cheers

Martyn

 

Notes,

You are not currently able to modify the Hornbill logo.

 

If you want to remove the 'Remember' option there is a cookie you need to remove.

 

  • Like 2
Link to comment
Share on other sites
Steve Giller Grand Master

Steve Giller

Posted
Posted
On 3/27/2020 at 2:57 PM, Alberto M said:

2. having the SSO Profile created and running, is there a way - an URL - that we can provide to an external user so that person will login into hronbill with a input of user + password as defined in the accounts table?

Unfortunately the simple answer is no, you can't have one group of Users on SSO and another on Hornbill Usernname/Password.

  • Thanks 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...