
Switching from ADFS to Azure authentication for SSO


DFarran


Good Afternoon,

 

I know SSO might be a hot topic at the moment with the changes made in the last update; we were actually waiting for this change in order to make a smoother transition to using an Azure SSO profile. Unfortunately it doesn't seem to be working and I was hoping for some advice on where to look for possible causes. We have checked on Azure and the login request shows as a success, so it appears that it's failing when passing the request back to Hornbill. All I get is a message on the Hornbill login page saying 'unable to validate user credentials'...

 

Any advice or guidance would be appreciated.

 

Thanks,

 

Daniel.


@DFarran

There are only two causes for that specific error message...

1. The user was not found. You need to check that the nameID which the SSO server will reply with in its SAML response, and the userId (user ID in account) in Hornbill match; if they do not match then the Hornbill server has no idea who is trying to authenticate. The nameID is also customisable, so if you want these to be different on the two systems, you can map a custom attribute in your AD server to the nameID. You need to have a good understanding of the ADFS configuration and system in Azure to understand why this is going wrong.

2. The user was found but is marked in Hornbill as "inactive". This is probably not your issue, but this is the only other reason you would see that specific error, so I think that leaves the point above being the issue you would need to investigate.

Just FYI: we do have many customers using Azure AD without issue, so we know for certain it's not a compatibility issue.

Gerry


@Gerry

Thanks Gerry, I was just working through it with a colleague and we came to the conclusion that we're currently using a User ID for ADFS which doesn't exist on Azure, hence why it doesn't work, and this is confirmed by your advice. It seems like changing the 'Logon ID' field in Hornbill to match the username coming from Azure allowed it to work. Is that a way around it without changing User ID?

I believe changing the User ID field via our User import would mean it would create all users as new users, as they wouldn't match the existing user records?

 

Regards,

 

Daniel.


@DFarran

Yes, you will need to make quite a lot of database changes because the user account Id on Hornbill is used as a primary key reference in a lot of places. The recommended approach would be to either use the same UserId in ADFS or create a custom attribute in AD and then map that into the nameID field in the Hornbill SSO profile; either will work fine.

Gerry

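The two causes Gerry lists (nameID not matching any Hornbill user ID, or the user being inactive) and the fix in the later reply (map whichever attribute you like into nameID) can be checked offline before touching the SSO profile. The script below is an added example, not Hornbill's or Microsoft's code: it pulls the NameID out of a constructed, unsigned SAML response and looks it up in a constructed user table whose keys stand in for whatever Hornbill attribute the SSO profile maps to nameID.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for the Hornbill user table (not real data).
# Key = the value Hornbill compares against nameID (user ID, or the custom
# attribute you mapped into nameID); value = account status.
HORNBILL_USERS = {
    "dfarran": "active",
    "jsmith": "inactive",
}


def build_response(name_id: str) -> str:
    """Construct a minimal SAML response carrying the given NameID.
    Real responses are signed and carry conditions; those are omitted here
    because only the Subject/NameID matters for this diagnosis."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        "<saml:Assertion><saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        "%s</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], name_id)


def extract_name_id(response_xml: str) -> str:
    """Return the NameID text from a SAML response, or raise if absent."""
    root = ET.fromstring(response_xml)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response carries no NameID")
    return node.text.strip()


def diagnose(name_id: str, users: dict) -> str:
    """Map a NameID to one of the outcomes described in the thread."""
    status = users.get(name_id)
    if status is None:
        return "user not found: nameID %r matches no Hornbill user ID" % name_id
    if status != "active":
        return "user %r found but marked inactive" % name_id
    return "ok: %r would authenticate" % name_id


if __name__ == "__main__":
    # Azure sends a UPN here while Hornbill expects the ADFS-era user ID.
    print(diagnose(extract_name_id(build_response("daniel.farran@example.com")), HORNBILL_USERS))
```

Run it with the NameID your identity provider actually sends (visible in the SAML trace of the browser) against an export of your Hornbill user IDs to see which of the two causes applies.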
