Jump to content

SSO new landing page customization

Giuseppe Iannacone

Recommended Posts

SSO passthrough wont bypass the Hornbill splash screen from what I know. We use Azure for SSO and when the user is in an office SSO used to be completely transparent. If they are logging in from home, the first time they will get the Azure splash screen to complete 2FA, they can then set Azure to remember this location and wont get it again. 

It seems that now they get the Hornbill splash screen which sometimes triggers the Azure splash screen even if they have set 'remember me' previously, although they dont have to complete the 2FA again.


Link to comment
Share on other sites


I do agree with previous comments. We (I work with @Giuseppe Iannacone )have passthrough enabled in our ADFS instance.

Namely the flag IntranetUseLocalClaimsProvider is set up to true, so ADFS is instructed to automatically leverage ActiveDirectory as identity provider for logins whnenever the user is connected in intanet network)

In this topic https://community.hornbill.com/topic/19082-important-sso-login-changes-coming/ there's explicit indication of the fact all users will see the 'splash' screen.

Your landing webpage is set up to trigger the SAML challenge to the configured IDP only after explicit choice from the user. This is NOT something configurable in ADFS or in other IDP, this is how you implemented the SSO flow .

Do you have any feedback on this?

Link to comment
Share on other sites


I have to say that I am also getting a lot of negative feedback from the users about the new button.

I looked at customising the home page to at least make it fit our branding, but when I changed the image the button disappeared and then an ID and password box appeared and you have to then log in, which is definitely worse.

So glad I did it on our test instance and not the live one as even having used the "reset to default" it doesn't give me the button back and only leaves the login boxes.


Link to comment
Share on other sites


I know that having IWA configured for certain relying party trusts allows users to login without having to input any credentials given they are already authenticated in the network. However the new HB login screen will be displayed even if you have IWA configured as such. It won't require any credentials to be typed in by the user but it will require the user to choose one of the login options which would be usually "Login with SSO".

Why it implemented like this?

As mentioned in @Gerry announcement there are several functions that did not work quite well with the previous login mechanism (the list is detailed in the post). Also, the new login system allows the implementation of future functionality around login which was not possible with the previous login system. However, I am no expert in this functionality and the underlying code so I cannot say in detail why we implemented it as such. If you have any further queries, questions or suggestions these will have to be answered by product managers and developers.


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...