User log in errors


derekgreen

Hi all - just wondering if anyone else has had this problem. We have started having random errors when users try to log in to our Service Portal; they are getting a Federation error from ADFS. Surprises us as in every case they are well-established users who haven't had any problems with SSO before. Any ideas/suggestions? Thanks.


  • 10 months later...

Been ages since I logged this but been so busy! The problem persists, see attached screenshot. Nothing on there I consider a risk. Not happening to everyone but enough to be a concern. Some of them are working from home over VPN, might be a factor. Others are in the office and were fine until I first posted.

ADFS error.PNG


Hi Derek,

It looks to me like your internal SAML / ADFS login. That's not a Hornbill login screen. I'm afraid that I don't have much knowledge in this area but I believe that this will be an issue between your SSO and Active Directory Federated Services, prior to any attempt to pass through to Hornbill.


@derekgreen here is a useful image which describes SSO with SAML (https://wiki.hornbill.com/index.php?title=Single_Sign_On_with_SAML_2.0):

 

Saml-flow.png

 

The error experienced by your users happens between Steps 3 and 4, specifically the "Identify the user" part. This is where the error occurs. As you can see, this stage is completely outside Hornbill; it is something that happens between the user's browser and your IdP. My suggestion would be to liaise with your IdP administrator and see if there are any event logs on the IdP, or something similar, that would explain why the error occurs.


Thanks Victor. I'm pretty sure the issue is with our conf.json file. Prior to the end of last year we only had one OU in Active Directory for all of our users, then one of our analysts had the bright idea of splitting users across dozens of separate OUs covering each department here. Do I need to amend the conf file to reflect each OU - which will take ages - or can I amend it to import from the highest level and hopefully it will pull them across from there?

E.g. the top-level OU is ***Newusers (*** is our organisation)

Next level is Property Department.

Currently the conf file is set to pick up the Newusers only.


Hi @derekgreen

There seems to be a little confusion here: your Single Sign On profiles do not use a conf.json, which suggests you are asking about your User Import.

However, the LDAP Import Tool has not used a conf.json file for quite some time; we now create the configuration within the Admin Tool of your Hornbill Instance.

As a first step, we would recommend updating to the latest version of the Import Tool (available here) and setting up the configuration in Hornbill (you can import your existing conf.json as a starting point).

If the issue is that Users are not being recognised because they are not importing into the system, I would suggest reviewing the LDAP Import Tool Documentation and paying particular attention to the Creating an Import Configuration section - the Scope value under the Defining your LDAP query section would cover the issue with Users being in child OUs.

If the issue is with the Single Sign On itself, the links provided by Victor above should cover the issue.
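
The child-OU point in the reply above, as an added example that is not part of the original posts or of Hornbill's import tool: a small Python model of the three standard LDAP search scopes, run over constructed DNs. `Newusers` and `Property Department` come from the thread; the `example.local` domain, the user names and the Finance and Contractors OUs are assumptions, and how the import tool's Scope setting names these values is not shown here.

```python
# Added example: which entries an LDAP search returns for each search scope.
BASE, ONE_LEVEL, SUBTREE = 0, 1, 2  # scope values defined by the LDAP protocol

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas.
    Simplification: quoted RDN values and hex escapes are not handled."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns

def in_scope(entry_dn, base_dn, scope):
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                    # entry is not under the base DN at all
    if scope == BASE:
        return depth == 0               # only the base entry itself
    if scope == ONE_LEVEL:
        return depth == 1               # direct children only
    return True                         # SUBTREE: base and every descendant

def search(directory, base_dn, scope):
    return [dn for dn in directory if in_scope(dn, base_dn, scope)]

def users(dns):
    return [dn for dn in dns if dn.upper().startswith("CN=")]

# Constructed sample directory (not real data).
BASE_DN = "OU=Newusers,DC=example,DC=local"
DIRECTORY = [
    BASE_DN,
    "CN=Alice Admin,OU=Newusers,DC=example,DC=local",
    "OU=Property Department,OU=Newusers,DC=example,DC=local",
    "CN=Bob Builder,OU=Property Department,OU=Newusers,DC=example,DC=local",
    "CN=Smith\\, Carol,OU=Finance,OU=Newusers,DC=example,DC=local",
    "CN=Dave,OU=Contractors,DC=example,DC=local",
]

if __name__ == "__main__":
    for name, scope in (("base", BASE), ("one-level", ONE_LEVEL), ("subtree", SUBTREE)):
        print(name, users(search(DIRECTORY, BASE_DN, scope)))
```

A subtree search returns every account placed anywhere under the base, so it is normally paired with a filter that limits the import to the intended user objects.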
