Help on login error

[Alberto M]

Hi.

I need some help on this situation.One of our users is having this error when trying to open Hornbill. We already checked the browser - Chrome - and updated it with the latest patches, cleared cache and data. The same user gets the same error in his old computer (the user was renovating his computer).

Some help needed, please.

 

Thanks

Alberto

[Victor]

@Alberto M is this only for one user, everyone else login fine? Looks to me that you are using SSO (this is an SSO specific error message) and for some reason there is a problem during SSO authentication. It needs some investigation by support and exchange of information that is not suited for forums. May I ask you to raise a support request in this regard please?

[Gerry]

@Alberto M

Just had a quick look at what this error means.  The user you mention is using SSO, and this error is reporting that the signed digital signature hash computed against the digital assertion provided by your identity provider does not match the expected has result.  So that leads to a number of questions. 

* Do you have more than one SSO profile in use on your instance?
* Are other users using the same profile? and if so, are they also having problems?

The error message suggests that the assertion your IDP (ADFS?) is issuing is corrupt or somehow invalid, you would need to talk to the admins of your identity provider/ADFS system 

Gerry

[Alberto M]

Thanks for this info, @Gerry

I'll talk to the staff related to the identity /ADFS system.

 

[Gerry]

@Alberto M

Thats great, please post back if you do find a resolution, would be helpful to other members in the future I am sure.  For searchability, the exact error message is:

The signed object's hash did not match that in the signature

Thanks,

Gerry

[Alberto M]

@Gerry, still regarding your answer:

* Do you have more than one SSO profile in use on your instance?

We have three profiles, but only one is enabled.

[Gerry]

@Alberto M

Ok, and other users are not impacted? If not then that is a very strong indicator that there is a problem with the digital signature being generated by ADFS. 

Gerry

[Alberto M]

@Gerry, this is the only user having such error.

[Gerry]

@Alberto M

In which case its very likely to be an issue with the ADFS server.  If its user specific, does that user have any strange Unicode characters in their login id, name, email or other such login related information, this can also sometimes lead to checksum errors as systems don't always deal with Unicode properly. 

Gerry

[Alberto M]

@Gerry

in fact he has some characters with accents (check image), but the AD user ID doesn't have; only the name.

[Victor]

@Alberto M if any of those details gets included in the SAML response then there is a possibility it will generate the error

[Gerry]

@Alberto M

Has this user ever worked? If not, you could try setting up the user account and not use the Unicode characters, especially in the login ID, there could be some unicode issue here. 

Gerry

[Alberto M]

@Gerry

Yes, it's a new user. I'll try to get rid of all those characters in his account and test it.
Thanks

[Gerry]

@Alberto M

Ok please post back I am curious now to see if this is something we are not handling correctly, it could be if its down to the unicode characters and the codepages the XML is working in.  We assume utf-8 for the XML message (assertion) coming out of ADFS, which is pretty much the standard, but I would not be at all surprised if ADFS put out a different code-page or encoding (or could be configured to do so) which may not be valid, or which is valid but we are not handling correctly. will be interesting to know. 

Thanks

Gerry

[Alberto M]

@Gerry

Yes, I'll update here any news I have. Meanwhile, we have our team that handle ADFS involved in it.

[Alberto M]

@Gerry

From our ADFS team:
"We have done certain changes to AD account that was created. The account included certain unicode values and we force replicated to Azure AD as well."

So, it seems that the account had unicode characters that have been replaced by non-unicode and now the user can login into Hornbill.

 

[Gerry]

@Alberto M

Thank you for the update, I am glad it is working for you now. I will instigate our on internal tests to verify that we are correctly supporting Unicode our end, thanks for the report and the updates. 

 

Gerry