derekgreen Posted December 9, 2019

Hi all - just wondering if anyone else has had this problem. We have started having random errors when users try to log in to our Service Portal; they are getting a Federation error from ADFS. Surprises us as in every case they are well established users who haven't had any problems with SSO before. Any ideas/suggestions? Thanks.
James Ainsworth Posted December 9, 2019

Hi Derek, Are you able to post the error message, making sure you mask out anything like the user's name that you don't want public?
derekgreen Posted December 10, 2019

Hi James - thanks for the reply! Next time I hear from any user with the issue I'll ask them to send a screenshot and attach it to this call.
derekgreen Posted November 3, 2020

Been ages since I logged this but been so busy! The problem persists, see attached screenshot. Nothing on there I consider a risk. Not happening to everyone but enough to be a concern. Some of them are working from home over VPN, might be a factor. Others are in the office and were fine until I first posted.
James Ainsworth Posted November 4, 2020

Hi Derek, It looks to me like your internal SAML / ADFS login. That's not a Hornbill login screen. I'm afraid that I don't have much knowledge in this area but I believe that this will be an issue between your SSO and Active Directory Federated Services, prior to any attempt to pass through to Hornbill.
Victor Posted November 5, 2020

@derekgreen here is a useful image which describes SSO with SAML (https://wiki.hornbill.com/index.php?title=Single_Sign_On_with_SAML_2.0):

The error experienced by your users happens between Steps 3 and 4. Specifically the "Identify the user" part. This is where the error occurs. As you can see, this stage is completely outside Hornbill; it is something that happens between the user's browser and your IdP. My suggestion would be to liaise with your IdP administrator and see if there are any event logs on the IdP or something similar that would explain the error.
derekgreen Posted November 9, 2020

Thanks Victor. I'm pretty sure the issue is with our conf.json file. Prior to the end of last year we only had one OU in Active Directory for all of our users, then one of our analysts had the bright idea of splitting users across dozens of separate OUs covering each department here. Do I need to amend the conf file to reflect each OU - which will take ages, or can I amend it to import from the highest level and hopefully it will pull them across from there? E.g. the top level OU is ***Newusers (*** is our organisation). Next level is Property Department. Currently the conf file is set to pick up the Newusers only.
Steve Giller Posted November 9, 2020

Hi @derekgreen

There seems to be a little confusion here: Your Single Sign On profiles do not use a conf.json; that suggests you are asking about your User Import. However, the LDAP Import Tool has not used a conf.json file for quite some time; we now create the configuration within the Admin Tool of your Hornbill Instance.

As a first step, we would recommend updating to the latest version of the Import Tool (available here) and setting up the configuration in Hornbill (you can import your existing conf.json as a starting point).

If the issue is that Users are not being recognised because they are not importing into the system, I would suggest reviewing the LDAP Import Tool Documentation and paying particular attention to the Creating an Import Configuration section - the Scope value under the Defining your LDAP query section would cover the issue with Users being in child OUs.

If the issue is with the Single Sign On itself, the links provided by Victor above should cover the issue.
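
The Scope setting mentioned in the post above controls how far below the search base an LDAP query looks. As an added illustration (not part of the thread and not Hornbill's Import Tool code), this sketch applies the three standard LDAP search scopes from RFC 4511 to constructed DNs; the `OU=Newusers` base, the `example.com` domain and the user names are made up, and the scope names are LDAP's own, not necessarily the values the Import Tool expects.

```python
# Added example: LDAP search scopes (RFC 4511) applied to constructed DNs.
import re

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact.
    Simplification: does not handle an escaped backslash directly before a comma."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def depth_below(entry_dn, base_dn):
    """Levels entry_dn sits below base_dn, or None if it is outside the base."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)

def in_scope(entry_dn, base_dn, scope):
    """True if a search from base_dn with the given scope would consider entry_dn."""
    depth = depth_below(entry_dn, base_dn)
    if depth is None:
        return False
    if scope == "base":        # baseObject: the base entry only
        return depth == 0
    if scope == "onelevel":    # singleLevel: immediate children only
        return depth == 1
    if scope == "subtree":     # wholeSubtree: base and everything beneath it
        return True
    raise ValueError(f"unknown scope: {scope}")

# Constructed directory: one user left in the top OU, two moved into
# departmental child OUs, one in an unrelated OU.
BASE = "OU=Newusers,DC=example,DC=com"
ENTRIES = [
    "CN=Alice Old,OU=Newusers,DC=example,DC=com",
    "CN=Bob Moved,OU=Property Department,OU=Newusers,DC=example,DC=com",
    "CN=Smith\\, Carol,OU=Finance,OU=Newusers,DC=example,DC=com",
    "CN=Dan Other,OU=Contractors,DC=example,DC=com",
]

def matched(scope):
    """DNs from ENTRIES that a search rooted at BASE would cover."""
    return [dn for dn in ENTRIES if in_scope(dn, BASE, scope)]

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(f"{scope:9} -> {len(matched(scope))} user(s)")
        for dn in matched(scope):
            print("   ", dn)
```

With a one-level scope only the user still sitting directly in the top OU is covered; the users moved into departmental OUs are covered only by a subtree search from the same base.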