Martyn Houghton Posted November 8, 2017

The Single Sign On (SSO) validate certificate appears to be using the wrong date when checking if the imported certificate is still valid. We have had issues logging in to Hornbill this morning due to the system triggering that the trust certificate is expired. However, exporting the certificate from Hornbill and viewing it in a certificate viewer, it has not yet expired; in our case 23rd November 2017 @ 07:36.

By temporarily disabling the validation, users were then able to get in, so therefore it seems the platform is expiring the certificate 15 days ahead of time. Is there a reason for this?

Cheers
Martyn

TrevorHarris Posted November 8, 2017

If you have AutoCertificateRollover set to true on your ADFS it will generate a new certificate before the old one has expired and start using the new certificate a set period of time before the old certificate expires.

https://social.technet.microsoft.com/wiki/contents/articles/16156.ad-fs-2-0-understanding-autocertificaterollover-threshold-properties.aspx

I think this is why your old certificate became invalid before the expiry date as the ADFS server has automatically generated a new one and is using that instead. Please see the article below for more details:

https://wiki.hornbill.com/index.php/Single_Sign_On_Profiles#Common_Issues

Thanks
Trevor

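The rollover timing described in the post above, as an added example that is not part of the thread and is not Hornbill or Microsoft code. It assumes the ADFS defaults of 20 days for CertificateGenerationThreshold and 5 days for CertificatePromotionThreshold (read the real values with Get-AdfsProperties); the function names are hypothetical. With those defaults the new certificate becomes primary 15 days before the old one expires, so a service provider holding a pinned certificate should monitor that date rather than the certificate's own expiry.

```python
from datetime import datetime, timedelta

# ADFS defaults (assumption; confirm with Get-AdfsProperties on the ADFS server).
GENERATION_THRESHOLD_DAYS = 20  # CertificateGenerationThreshold
PROMOTION_THRESHOLD_DAYS = 5    # CertificatePromotionThreshold


def rollover_timeline(not_after, generation_days=GENERATION_THRESHOLD_DAYS,
                      promotion_days=PROMOTION_THRESHOLD_DAYS):
    """Return (generated, promoted) datetimes for the replacement certificate.

    The rollover service runs periodically, so treat both as approximate.
    """
    generated = not_after - timedelta(days=generation_days)
    promoted = generated + timedelta(days=promotion_days)
    return generated, promoted


def pinned_cert_status(now, not_after, **thresholds):
    """Classify a certificate pinned on the service provider at time `now`."""
    generated, promoted = rollover_timeline(not_after, **thresholds)
    if now >= not_after:
        return "expired"
    if now >= promoted:
        # Still inside its validity period, but the IdP now signs with the
        # new primary certificate, so signature checks against the pin fail.
        return "superseded"
    if now >= generated:
        # The new certificate exists as secondary: import it before promotion.
        return "rollover-pending"
    return "current"


def days_until_action(now, not_after, **thresholds):
    """Days left before the pinned certificate stops matching the IdP."""
    _, promoted = rollover_timeline(not_after, **thresholds)
    return (promoted - now).total_seconds() / 86400


if __name__ == "__main__":
    # Expiry quoted in the thread: 23 November 2017, 07:36.
    expiry = datetime(2017, 11, 23, 7, 36)
    generated, promoted = rollover_timeline(expiry)
    print("new certificate generated:", generated)
    print("new certificate promoted: ", promoted)
    for day in (1, 4, 8, 24):  # constructed check dates
        now = datetime(2017, 11, day, 9, 0)
        print(now.date(), pinned_cert_status(now, expiry))
```
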
Gerry Posted November 8, 2017

@Martyn Houghton

What do you have this system setting set to?

security.saml.timeSkewCompensation

Gerry

Martyn Houghton Posted November 8, 2017

@Gerry, @trevorharris

We have the Skew setting set as below

Trevor, I will check with our IT on the auto roll over settings. Is there any method to trigger the update of the certificate held in Hornbill in line with these automatic updates?

Cheers
Martyn

Gerry Posted November 8, 2017

@Martyn Houghton

Ok thanks, 70 seconds is not going to have any effect in relation to the problem you are reporting. I found a slight issue around the skew setting being incorrectly applied but this is not related to your reported issue. As @trevorharris suggests, this would appear to be an ADFS rollover window.

Gerry

Martyn Houghton Posted November 8, 2017

@Gerry, @trevorharris

Thanks for the advice. It would be good to have a date field in the certificate section of the SSO screen to show when the certificate was loaded. Even better if we could also have one populated with the date of the certificate expiry derived from the certificate.

I have refreshed my certificate now.

Cheers
Martyn

Gerry Posted November 8, 2017

@Martyn Houghton

Yeah, that's on the list of things to do, we can show the certificate information easy enough.

Gerry