AgentVinh Posted May 29, 2019

Hi,

I'm trying to get the service.hornbill.com up and running with Azure AD account but keep getting the following message when attempting to sign in:

Sorry, but we’re having trouble signing you in.

AADSTS700016: Application with identifier 'https://service.hornbill.com/<instancename>/lib/saml/auth/simplesaml/module.php/saml/sp/metadata.php/saml' was not found in the directory 'a2e3ffd3-d47e-4243-9fc7-14393f565845'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

It does work on the live.hornbill.com but can't wrap my head around what is missing to make it work for service portal. All the basic users have the following roles: Basic User Role, MyLibrary Portal & Self Service User.

Thanks,
Vinh

James Ainsworth Posted May 29, 2019

Hi @AgentVinh

I wasn't sure if you purposely removed the name of your instance just for this post or if this might be the actual issue where the <instancename> has not been specified within your config.

Victor Posted May 29, 2019

@AgentVinh looks like James found the issue.

Did you get the Hornbill app from here? https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.hornbill?tab=Overview

AgentVinh (Author) Posted May 30, 2019

Hi @James Ainsworth and @Victor

Thanks, I removed it on purpose haha

Please see below for confirmation:

It's installed on Azure as well:

I noticed when I log on to live.hornbill.com, it's fine and I can navigate to the service portal just fine after. But when I log directly on to the Service Portal, it throws up the above error.

I used the following link to configure it on both Azure and Hornbill Admin portal: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hornbill-tutorial

AgentVinh (Author) Posted May 30, 2019

I was wondering if anyone has the following set up like this in the Hornbill app on Azure? Trying out a few things to see if it works (removed instance name in the pic)

Victor Posted June 11, 2019

@AgentVinh have you managed to make this work in the end or do you still need some assistance with this?

AgentVinh (Author) Posted June 12, 2019

@Victor All sorted thanks! Had to just create separate applications on Azure for each portal.

Victor Posted June 12, 2019

@AgentVinh ah... I see, so that was it, good to know.

I had a look on our wiki (https://wiki.hornbill.com/index.php/Single_Sign_On_with_SAML_2.0) and while we do suggest that each portal needs its own IdP entry (or app for Azure), I think we can make this more visible and possibly have a better description. I'll look into having this done.

grahambird80 Posted November 29, 2019

Hello AgentVinh and Victor,

I had been trying to transition from ADFS over to Azure AD for SSO. I had created 3 instances in Azure AD Enterprise Apps and imported the Metadata in to three different SSO profiles in Hornbill Admin, however this didn't work, I was getting a Cert trust error.

To fix this I just set up one SSO Profile in both Azure AD and Hornbill Admin and added all three Identifier (Entity ID) URLs to the SSO profile in Azure AD. Once that was done all was working.

Now that I think about this it makes sense, as when I had 3 profiles in both, Hornbill would pass the auth to Azure AD, which completed the auth and then sent back an SSL Cert that Hornbill received, and as there were three profiles set up in Hornbill it didn't know which one to match it to.

I did try having just the one SSO Profile in Hornbill and three in Azure AD but that didn't work either, again because each Azure Profile had its own Cert and Hornbill only trusted the one.

Hope that this helps someone else.

Cheers,
Graham

Victor Posted December 3, 2019

On 11/29/2019 at 12:12 AM, grahambird80 said:
> each Azure Profile had its own Cert and Hornbill only trusted the one

You can add multiple certificates on one Hornbill SSO profile... it does not have to be only one certificate per SSO profile...

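
Added example, not part of the thread and not Hornbill or Microsoft code: a diagnostic sketch that pulls the Issuer out of a SAML AuthnRequest (HTTP-Redirect encoding) and checks which IdP application lists it as an Identifier (Entity ID), covering the failing setup and both fixes described above. Assumptions: the instance name `example-instance` and the app names are constructed, the live.hornbill.com entity ID is assumed to use the same path as the service one in the error message, and matching is modeled as exact string comparison.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Path copied from the AADSTS700016 message in the first post.
SP_PATH = "/lib/saml/auth/simplesaml/module.php/saml/sp/metadata.php/saml"

def entity_id(host, instance):
    """Build the SP entity ID a portal would send as its Issuer (assumed pattern)."""
    return f"https://{host}/{instance}{SP_PATH}"

def sample_request(issuer):
    """Constructed minimal AuthnRequest; real ones carry more attributes."""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="_constructed" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def issuer_of(saml_request_b64):
    """Decode a SAMLRequest value (already URL-decoded) and return its Issuer."""
    xml_bytes = zlib.decompress(base64.b64decode(saml_request_b64), -15)
    node = ET.fromstring(xml_bytes).find("saml:Issuer", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return node.text.strip()

def find_app(issuer, apps):
    """Return the IdP app whose identifier set contains the issuer, else None."""
    for name, identifiers in apps.items():
        if issuer in identifiers:
            return name
    return None  # the condition reported as 'application ... was not found'

if __name__ == "__main__":
    live = entity_id("live.hornbill.com", "example-instance")
    service = entity_id("service.hornbill.com", "example-instance")
    issuer = issuer_of(encode_redirect(sample_request(service)))
    setups = {
        "one app, live identifier only": {"Hornbill": {live}},
        "separate app per portal": {"Hornbill": {live}, "Hornbill Service": {service}},
        "one app, all identifiers": {"Hornbill": {live, service}},
    }
    for label, apps in setups.items():
        print(f"{label}: {find_app(issuer, apps) or 'NOT FOUND'}")
```

With separate apps each one signs with its own certificate, so every certificate has to be trusted on the Hornbill side, which is the point raised in the last two posts.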