Alberto M Posted October 16, 2019: Hi. I need some help on this situation. One of our users is having this error when trying to open Hornbill. We already checked the browser - Chrome - and updated it with the latest patches, cleared cache and data. The same user gets the same error in his old computer (the user was renovating his computer). Some help needed, please. Thanks Alberto
Victor Posted October 16, 2019: @Alberto M is this only for one user, everyone else logs in fine? Looks to me that you are using SSO (this is an SSO specific error message) and for some reason there is a problem during SSO authentication. It needs some investigation by support and exchange of information that is not suited for forums. May I ask you to raise a support request in this regard please?
Gerry Posted October 16, 2019: @Alberto M Just had a quick look at what this error means. The user you mention is using SSO, and this error is reporting that the signed digital signature hash computed against the digital assertion provided by your identity provider does not match the expected hash result. So that leads to a number of questions.
* Do you have more than one SSO profile in use on your instance?
* Are other users using the same profile? And if so, are they also having problems?
The error message suggests that the assertion your IDP (ADFS?) is issuing is corrupt or somehow invalid; you would need to talk to the admins of your identity provider/ADFS system. Gerry
Alberto M (Author) Posted October 16, 2019: Thanks for this info, @Gerry. I'll talk to the staff related to the identity/ADFS system.
Gerry Posted October 16, 2019: @Alberto M That's great, please post back if you do find a resolution, would be helpful to other members in the future I am sure. For searchability, the exact error message is: The signed object's hash did not match that in the signature Thanks, Gerry
Alberto M (Author) Posted October 16, 2019: @Gerry, still regarding your answer:
> Do you have more than one SSO profile in use on your instance?
We have three profiles, but only one is enabled.
Gerry Posted October 16, 2019: @Alberto M Ok, and other users are not impacted? If not then that is a very strong indicator that there is a problem with the digital signature being generated by ADFS. Gerry
Alberto M (Author) Posted October 16, 2019: @Gerry, this is the only user having such an error.
Gerry Posted October 16, 2019: @Alberto M In which case it's very likely to be an issue with the ADFS server. If it's user specific, does that user have any strange Unicode characters in their login id, name, email or other such login related information? This can also sometimes lead to checksum errors as systems don't always deal with Unicode properly. Gerry
Alberto M (Author) Posted October 16, 2019: @Gerry in fact he has some characters with accents (check image), but the AD user ID doesn't have any; only the name.
Victor Posted October 16, 2019: @Alberto M if any of those details get included in the SAML response then there is a possibility it will generate the error.
Gerry Posted October 16, 2019: @Alberto M Has this user ever worked? If not, you could try setting up the user account and not use the Unicode characters, especially in the login ID; there could be some Unicode issue here. Gerry
Alberto M (Author) Posted October 16, 2019: @Gerry Yes, it's a new user. I'll try to get rid of all those characters in his account and test it. Thanks
Gerry Posted October 16, 2019: @Alberto M Ok, please post back, I am curious now to see if this is something we are not handling correctly; it could be if it's down to the Unicode characters and the code pages the XML is working in. We assume UTF-8 for the XML message (assertion) coming out of ADFS, which is pretty much the standard, but I would not be at all surprised if ADFS put out a different code page or encoding (or could be configured to do so) which may not be valid, or which is valid but we are not handling correctly. Will be interesting to know. Thanks Gerry
Alberto M (Author) Posted October 16, 2019: @Gerry Yes, I'll update here with any news I have. Meanwhile, we have our team that handles ADFS involved in it.
Alberto M (Author) Posted October 17, 2019: @Gerry From our ADFS team: "We have done certain changes to AD account that was created. The account included certain unicode values and we force replicated to Azure AD as well." So, it seems that the account had Unicode characters that have been replaced by non-Unicode and now the user can log in to Hornbill.
Gerry Posted October 17, 2019: @Alberto M Thank you for the update, I am glad it is working for you now. I will instigate our own internal tests to verify that we are correctly supporting Unicode at our end, thanks for the report and the updates. Gerry
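Added example, not part of the original thread and not Hornbill or ADFS code: a Python sketch of the encoding hypothesis discussed above, showing how a digest over an assertion fragment stays stable for an ASCII-only name but changes when an accented name is transcoded or re-normalised between signer and verifier. The fragment, the names and the function names are constructed for illustration, and the digest is taken over the raw fragment bytes rather than a fully canonicalised XML document.

```python
import base64
import hashlib
import unicodedata

# Constructed attribute fragment; not taken from a real ADFS assertion.
TEMPLATE = (
    '<saml:Attribute Name="displayname">'
    "<saml:AttributeValue>{name}</saml:AttributeValue>"
    "</saml:Attribute>"
)


def digest_value(fragment, encoding="utf-8", form=None):
    """Base64 SHA-256 digest of the fragment's bytes (the DigestValue shape)."""
    if form:
        fragment = unicodedata.normalize(form, fragment)
    raw = hashlib.sha256(fragment.encode(encoding)).digest()
    return base64.b64encode(raw).decode("ascii")


def mismatch_report(name):
    """Compare the signer's digest with digests after typical byte-level changes."""
    frag = TEMPLATE.format(name=name)
    signed = digest_value(frag)  # signer side: UTF-8, text exactly as issued
    variants = {
        "utf-8, unchanged": digest_value(frag),
        "latin-1 transcode": digest_value(frag, encoding="latin-1"),
        "utf-8, NFD normalised": digest_value(frag, form="NFD"),
    }
    return {label: value == signed for label, value in variants.items()}


def non_ascii_chars(value):
    """List (position, character, Unicode name) for every non-ASCII character."""
    return [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(value)
        if ord(ch) > 127
    ]


if __name__ == "__main__":
    for sample in ("Joao Silva", "Jo\u00e3o Silva"):  # constructed names
        print(sample, non_ascii_chars(sample), mismatch_report(sample))
```

Running `non_ascii_chars` over the account fields that end up in the SAML response (name, e-mail, login ID) is a quick way to find which users could be affected by this kind of mismatch.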