derekgreen, posted May 30, 2018:
Hi. Our SSO certificate has expired and the steps that we followed last year (Victor *** was really helpful) haven't worked. I have identified the XML file on our ADFS server, but when I download it the results are nothing like the data I expect to import to the SSO. Please see attached. Hope someone can advise, the natives are restless!
Attachment: FederationMetadata.xml

Victor, posted May 30, 2018:
@derekgreen perhaps you can only refresh the certificate info in the Hornbill SSO profile and see how this goes? Extract the certificate from the XML file and place it into the Hornbill SSO profile...

derekgreen (author), posted May 30, 2018:
Hi Victor! Problem is that I don't know which part of that massive XML file to copy into the SSO!

Victor, posted May 30, 2018:
@derekgreen OK, no worries then... (I can advise on this afterwards as well.) We can try something else. Create a new profile and import the XML file content into it (it should work fine, no worries about its content). Save the changes, then activate this one and deactivate the existing one.

derekgreen (author), posted May 30, 2018:
MIIC5DCCAcygAwIBAgIQEfFTHEQxMK5Khgsqa9iQ/jANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIEVuY3J5cHRpb24gLSBhZGZzLmNvcmJ5Lmdvdi51azAeFw0xODA1MjEwMTA4MjhaFw0xOTA1MjEwMTA4MjhaMC4xLDAqBgNVBAMTI0FERlMgRW5jcnlwdGlvbiAtIGFkZnMuY29yYnkuZ292LnVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuxl2bf2UptsK2o1XyTsQE6DEuJ55eViCBt33327jabqUrMTw
This looks like it - but when I apply it I get an error!

Victor, posted May 30, 2018:
@derekgreen try the other suggestion I made for now; we'll come back to the certificate afterwards... I'll explain it below.
59 minutes ago, derekgreen said: "This looks like it - but when I apply it I get an error!"
First, you need to delete the existing certificate entry and save the changes, then create a new entry for the certificate with the new one and save the changes... The certificate is this one: <X509Certificate> ... ... </X509Certificate>

derekgreen (author), posted May 30, 2018:
Tried it, but I get this error when I apply the metadata.

Victor, posted May 30, 2018:
@derekgreen you're not applying the full content. I have PM'd you the full content.

Victor, posted May 30, 2018:
To wrap this up, the issue was sorted by recreating the SSO profile using the XML metadata file content. For future reference, and for anyone else looking at this, it is not really necessary to create a new profile; we only did this on this occasion because the XML file content looked a bit odd, so we made sure we still had the original profile in case the new one did not work. So usually it is OK to process the XML file content into the existing SSO profile.
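The question that stalls this thread is which part of the "massive" FederationMetadata.xml is the certificate Victor points at (the <X509Certificate> element). ADFS metadata carries more than one: the IDPSSODescriptor has separate KeyDescriptor entries for the encryption certificate and the token-signing certificate, and the file is usually emitted as a single long line, so it is easy to copy the wrong one or a fragment of it. The script below is an added example, not code from the thread or from Hornbill. It parses the metadata with the standard library, lists every certificate under IDPSSODescriptor with its declared use, checks that each one decodes as base64 to something that begins like DER, and converts it to PEM so its expiry can be inspected. The embedded metadata is a constructed sample with placeholder certificate bodies, not real ADFS output; the entityID adfs.example.test is invented.

```python
"""Find and sanity-check the X509Certificate entries in ADFS FederationMetadata.xml.

Added example, not the thread's or Hornbill's code. SAMPLE_METADATA is a
constructed stand-in for the IDPSSODescriptor section of a real metadata
file; the certificate bodies are placeholders, not real certificates.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample. Real ADFS metadata also contains RoleDescriptor and
# SPSSODescriptor sections; only IDPSSODescriptor matters for an SSO relying party.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            MIIBAAECAwQ=
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIBAAYHCAkK</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_certificates(xml_text):
    """Return [(use, base64_der), ...] for every certificate under IDPSSODescriptor.

    The base64 text is normalised: line breaks and indentation inside the
    element are layout, not part of the certificate.
    """
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this an IdP's metadata?")
    results = []
    for kd in idp.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "unspecified")  # ADFS sets "signing" or "encryption"
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            results.append((use, "".join((cert.text or "").split())))
    return results


def signing_certificates(xml_text):
    """Only the token-signing certificates, the ones a relying party validates against."""
    return [b64 for use, b64 in extract_certificates(xml_text) if use == "signing"]


def looks_like_der_certificate(b64):
    """Cheap check that a pasted value is a whole, decodable base64 DER blob.

    A truncated copy usually fails base64 decoding; a value that decodes but
    does not start with the ASN.1 SEQUENCE tag (0x30) is not a certificate.
    """
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return False
    return len(der) > 0 and der[0] == 0x30


def to_pem(b64):
    """Wrap the base64 body at 64 columns in PEM armour for openssl/x509 tooling."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for use, b64 in extract_certificates(SAMPLE_METADATA):
        status = "ok" if looks_like_der_certificate(b64) else "NOT a complete certificate"
        print(f"[{use}] {len(b64)} base64 chars: {status}")
        print(to_pem(b64))
```

Run it against a real file by replacing SAMPLE_METADATA with the file's contents; each PEM block can then be fed to `openssl x509 -noout -subject -dates` to see which certificate has actually expired, rather than guessing from the blob. The `looks_like_der_certificate` check also catches the situation in this thread where a partial copy of the base64 text is pasted and rejected.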
dwalby, posted August 3, 2018:
@Victor I'm having the same issue this morning - I've tried importing the SAML metadata via both URL and XML but it still doesn't appear to be working. Any other suggestions? Any assistance would be greatly appreciated. What I also don't quite understand is why our other services that rely on the ADFS certificate haven't stopped working yet...

dwalby, posted August 3, 2018:
Update on this... re-creating the profile fixed this for us also. Not sure why importing the XML into the existing profile didn't work though.

Victor, posted August 3, 2018:
1 hour ago, dwalby said: "What I also don't quite understand is why our other services that rely on the ADFS certificate haven't stopped working yet..."
@dwalby could be that your other services are configured to read and use the renewed certificates automatically... which is something Hornbill doesn't do yet...
1 hour ago, dwalby said: "Not sure why importing the XML into the existing profile didn't work though"
I can't tell... did you get new data into the profile when you reimported it? Did you save the changes?

dwalby, posted August 3, 2018:
2 minutes ago, Victor said: "I can't tell... did you get new data into the profile when you reimported it? Did you save the changes?"
Yes, an additional 2 certificate keys appeared and I saved the changes. I also tried deleting all certificate keys, reimporting the SAML XML and saving; it didn't seem to do anything.

Victor, posted August 3, 2018:
@dwalby - sorry... no idea.
derekgreen (author), posted May 8, 2019:
Victor - I'm having a massive issue with our certificate again! It has expired and the usual issues have ensued. I have tried accessing the XML file in the usual way without success and also tried using the URL to the certificate, again no joy. Can you advise? Service desk has been down for users since yesterday. Thanks.

Victor, posted May 8, 2019:
@derekgreen unless you can access the XML file containing the metadata there is nothing we can do, I'm afraid... Would you be able to check with your system admins if they can provide you access to that file or provide the file to you... Meanwhile, you can disable certificate validation in the SSO configuration to allow users to log in, but be advised of the security risk involved in this...

derekgreen (author), posted May 8, 2019:
Hi Victor - I've read it and tried the actions suggested. The problem seems to be trying to open the XML with Notepad++; I can't seem to access the file as it is in its own directory in Services on the server rather than on a specific drive.

Victor, posted May 8, 2019:
@derekgreen - yeah, we need access to that file... there is no way around this... unless you disable certificate validation.
P.S. I edited my above reply after reading your post again...

derekgreen (author), posted May 8, 2019:
I'd thought of deactivating the validation; I know that there are risks, but it may be OK for a short time. I've asked our admins for assistance - still awaiting the results of their undivided attention! Probably have to take the nuclear option as I'm semi-retired now and finish for the week at half twelve on Wednesday!

Victor, posted May 8, 2019:
The true nuclear option is to finish the week at 09:02 on Monday.

derekgreen (author), posted May 13, 2019:
Seriously - a colleague here has solved the problem after some research. The answer is to log on to the server holding the FederationMetadata XML file, open the browser and replace the server name with 'localhost'. So in our case the URL to access the file was https://localhost/FederationMetadata/2007-06/FederationMetadata.xml
This may be a help to anyone else in this position.