
Important SSO Login Changes Coming


Gerry


We are currently working on a change that will slightly change the way that SSO works with Hornbill. Currently, when SSO (SAML) is configured and you go to your instance endpoint, you are transparently logged into the system once your IdP authenticates you and authorises your access to Hornbill. While this works fine, there are a number of cases where this behaviour is problematic.

* If you have more than one SSO profile configured on your instance, getting back to being able to log in via a different SSO profile involves deleting a cookie in your browser.
* If your IdP is not working, for example your SSO certificate has expired, you cannot currently log into the admin console without knowing a special parameter that you add onto the URL. This was a work-around which is error-prone and relies on technical knowledge which is not. In the future, Hornbill's underlying direct login behaviour will be changing to also use an IdP, so this work-around is no longer viable.
* When you provide Hornbill support staff access to your instance, this is done with an API key, which is a work-around and will not be supported in the future. Instead, there will be some form of password/passcode scheme implemented which will allow you to give a Hornbill support member temporary access to your instance; the Hornbill support team member will be able to visit the new login page and access an option to log in with a temporary passcode.
* There are other security enhancements we will be making in the future, such as 2FA and other pre-login notices etc., that some more security-conscious organisations require.
* We are improving the way in which direct login works, especially around password reset, password expiry and password recovery.
* There is currently a problem with browser sessions timing out, leaving tabs needing a refresh once you have logged in. We are looking at improving the overall session management functions around logging in, session timeouts and so on.

The main change all Hornbill users will notice will be the appearance of a login screen; this will be shown even if SSO is configured. If SSO is configured on your system, a button labelled "LOGIN WITH SINGLE SIGN ON" will be shown (see screenshot below) and your users will need to press this in order to access Hornbill. As this is a change to the way it previously worked, we will also show a nano-training notice pointing to the button, giving a clear instruction as to what they should do to log in (i.e. press the button). You will also see this in the screenshot below; although the bubble is a mock-up, the real thing will be more classy than what is shown.

[Screenshot: Screenshot 2020-08-22 at 23.13.28.png]

If there is any problem logging in, or you need to log into the admin console to fix login issues with your SSO profiles, you can simply press the "HORNBILL DIRECT LOGIN" button and you will be presented with this screen.

[Screenshot: Screenshot 2020-08-22 at 23.01.51.png]

With this change in place, it paves the way for other security and login features that will be added in the future.

We expect these changes to be rolled out in the next 2-3 weeks. 

Thanks

Gerry 
