Posted

Hi all, 

I have a few users who are logging on to Service Manager from within the group but don't have AD credentials (so SSO won't work) on our domain. 

They are looking at using Azure to authenticate (as we do) but they won't be ready for that for a number of months and I need a way to do this now. 

The setting 'Force remote authentication override' in the user's account fails to set when used so I have two questions:

1. Does this work at all or has it been turned off somewhere (setting maybe I need to set)?

2. Will this allow them to navigate to a logon page using the normal URL rather than have to use the admin.hornbill URL as a backdoor (which I don't really want to do if I can help it)?

Thanks,

Dan

Posted

@Dan Munns probably you already got the answer for this, but posting it here for visibility... You need to enable this basically: guest.anonymous.saml.guest.allowhornbilllogin which is a portal setting (Manage Portals in admin tool)

Posted

@Victor yeah, the only issue is it then asks if the user wants to use the Hornbill Direct logon or SSO.

I was hoping for a transparent solution, and the force remote authentication override looked like it but it doesn't work as I expected.

 

Posted

Oh, wait...  Force remote authentication override ... that's the checkbox... oh... ok, right... No idea what that does :D ...or should do... let me check ...

Posted

Yeah, I was hoping the setting I was given would just allow the URL to work in the first place (if used) and then I could force some accounts to only authenticate with credentials.
Everyone else uses or SSO.

Tried adding the SSO profile name to the URL to force SSO for everyone else, but that didn't seem to work either. 

Posted

Ok, so don't use Force remote authentication override. Does not work and will be removed. The only option to sort of gracefully bypassing SSO is the guest.anonymous.saml.guest.allowhornbilllogin. IIRC there is an option to set a preference when used first time so it should not ask more than once. I'll update our documentation with the following:

It is possible to allow users and customers to choose whether to login via SSO or via the standard Hornbill login screen. This can be done with the following settings:

  • guest.anonymous.saml.user.allowhornbilllogin this will allow users/co-workers/internal users to choose the authentication method
  • guest.anonymous.saml.guest.allowhornbilllogin this will allow customers/contacts/external users to choose the authentication method
  • If these settings are enabled the user will be presented with a screen allowing them to select their identity provider, either one of the configured SAML options or Hornbill. You can rename the Hornbill option with the guest.anonymous.saml.hornbilllogin.name setting

Posted

Hi @Victor the issue I have is that we don't allow browser cookies and all browser history is cleared when the browser is closed so it asks every time. 

I will have a look more into adding the entityid to the URL and see if I can get that to work with direct links, then find all the Hornbill links on our SharePoint and add the correct URLs I guess.

Either that or I will leave them with the bypass URL for admin.hornbill and tell them to sort out Azure so they can use SSO and it won't be a pain....

Oh the joys I have no doubt got in store..... :D
