SSO Certificate expired


derekgreen

Hi. Our SSO certificate has expired and the steps that we followed last year (Victor *** was really helpful) haven't worked. I have identified the xml file on our adfs server but when I download it the results are nothing like the data I expect to import to the SSO. Please see attached. Hope someone can advise, the natives are restless!

FederationMetadata.xml

@derekgreen ok, no worries then... (I can advise on this afterwards as well)

We can try something else. Create a new profile and import the XML file content into it (it should work fine, no worries about its content). Save the changes and activate this one and deactivate the existing one.

MIIC5DCCAcygAwIBAgIQEfFTHEQxMK5Khgsqa9iQ/jANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIEVuY3J5cHRpb24gLSBhZGZzLmNvcmJ5Lmdvdi51azAeFw0xODA1MjEwMTA4MjhaFw0xOTA1MjEwMTA4MjhaMC4xLDAqBgNVBAMTI0FERlMgRW5jcnlwdGlvbiAtIGFkZnMuY29yYnkuZ292LnVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuxl2bf2UptsK2o1XyTsQE6DEuJ55eViCBt33327jabqUrMTw

This looks like it - but when I apply it I get an error!

@derekgreen try the other suggestion I made, for now, we'll come back to the certificate afterward... I'll explain it below

59 minutes ago, derekgreen said:

This looks like it - but when I apply it I get an error!

First, you need to delete the existing certificate entry, save changes then create a new entry for the certificate with the new one, save changes...

The certificate is this one:

<X509Certificate>
...
...
</X509Certificate>

To wrap this up, the issue was sorted by recreating the SSO profile using the XML metadata file content. For future reference, and for anyone else looking at it: it is not really necessary to create a new profile; we only did this on this occasion as the XML file content looked a bit odd, so we made sure we had the original profile in case the new one did not work. So usually it is ok to process the XML file content into the existing SSO profile ;)

2 months later...

@Victor I'm having the same issue this morning - I've tried importing the SAML metadata via both URL and XML but it still doesn't appear to be working. Any other suggestions? Any assistance would be greatly appreciated.

What I also don't quite understand is why our other services that rely on the ADFS certificate haven't stopped working yet... 

1 hour ago, dwalby said:

What I also don't quite understand is why our other services that rely on the ADFS certificate haven't stopped working yet... 

@dwalby could be that your other services are configured to read and use the renewed certificates automatically... which is something Hornbill doesn't do yet...

1 hour ago, dwalby said:

Not sure why importing the XML into the existing profile didn't work though

I can't tell... did you get new data into the profile when you reimported it? Did you save the changes?

2 minutes ago, Victor said:

I can't tell... did you get new data into the profile when you reimported it? Did you save the changes?

Yes, an additional 2 certificate keys appeared and I saved the changes.

I also tried deleting all certificate keys, reimporting the SAML XML and saving, didn't seem to do anything.

9 months later...

Victor - I'm having a massive issue with our certificate again! It has expired and the usual issues have ensued. I have tried accessing the xml file in the usual way without success and also tried using the url to the certificate, again no joy. Can you advise? Service desk has been down for users since yesterday.

Thanks.

@derekgreen unless you can access the XML file containing the metadata there is nothing we can do I'm afraid... Would you be able to check with your system admins if they can provide you access to that file or provide the file to you...

Meanwhile, you can disable certificate validation in SSO configuration to allow users to log in but be advised of the security risk involved in this...

Hi Victor - I've read it and tried the actions suggested. The problem seems to be trying to open the xml with Notepad++; I can't seem to access the file as it is in its own directory in Services on the server rather than on a specific drive.

I'd thought of deactivating the validation, I know that there are risks but it may be ok for a short time. 

I've asked our admins for assistance - still awaiting the results of their undivided attention!

Probably have to take the nuclear option as I'm semi retired now and finish for the week at half twelve on Wednesday!

:D

Seriously - a colleague here has solved the problem after some research. The answer is to log on to the server holding the FederationMetadata xml file, open the browser and replace the server name with 'localhost'. So in our case the URL to access the file was https://localhost/FederationMetadata/2007-06/FederationMetadata.xml

This may be a help to anyone else in this position.

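The thread never shows what is actually inside that metadata file, so here is an added example (not from the thread, and not Hornbill's or Microsoft's code): a stdlib-only Python check that pulls every X509Certificate out of an ADFS FederationMetadata.xml, separates the signing key (the one the SP validates assertions against) from the encryption key, and reports which has expired, which is the question to settle before deciding whether the SSO profile is stale or validation has to be switched off. Function names, the entityID and the certificates are constructed stand-ins; the sample certificates are minimal DER shells carrying only the validity field the walker needs, so nothing depends on a third-party X.509 library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"          # SAML metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"             # XML-DSig namespace (ds:)

def _tlv(data, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate > tbsCertificate > validity > notAfter using only the stdlib."""
    _, p, _ = _tlv(der, 0)                              # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0: p = end                             # skip optional [0] version
    for _ in range(3): _, _, p = _tlv(der, p)           # skip serialNumber, signature, issuer
    _, p, _ = _tlv(der, p)                              # validity SEQUENCE
    _, _, p = _tlv(der, p)                              # skip notBefore
    tag, s, e = _tlv(der, p)                            # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode(), fmt).replace(tzinfo=timezone.utc)

def cert_status(metadata_xml, now=None):
    """Return [(use, not_after, expired)] for every X509Certificate in the IdP metadata."""
    now, out = now or datetime.now(timezone.utc), []
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        use = kd.get("use", "signing+encryption")       # no 'use' attribute means the key does both
        for c in kd.iter(DS + "X509Certificate"):
            exp = cert_not_after(base64.b64decode("".join(c.text.split())))
            out.append((use, exp, exp <= now))
    return out

# --- constructed sample input: a minimal DER shell, not a real certificate or real ADFS metadata ---
def fake_cert_b64(not_before, not_after):
    d = lambda tag, body: bytes([tag, len(body)]) + body    # short-form DER encoder (body < 128 bytes)
    validity = d(0x30, d(0x17, not_before.encode()) + d(0x17, not_after.encode()))
    tbs = d(0x30, d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + d(0x30, b"") + d(0x30, b"")
            + validity + d(0x30, b""))
    return base64.b64encode(d(0x30, tbs + d(0x30, b"") + d(0x03, b"\x00"))).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.invalid/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert_b64('180521010828Z', '190521010828Z')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert_b64('190521010828Z', '200521010828Z')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 </IDPSSODescriptor></EntityDescriptor>"""
```

Run `cert_status(open("FederationMetadata.xml").read())` against the file fetched via localhost as described above; a signing entry reporting expired is the case where the SP-side profile needs the new certificate, whatever the encryption entry says.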