
Single Sign on Login Screen


Paul Welby


Hi,

Is it correct that we see the SSO screen every time that we log on to Hornbill? I expected this to be a one off task and then the system would recognise that you have already signed on previously?

I am presuming that this is the same for everyone?

Thanks

[Attachment: Hornbill SSO.PNG]


@Paul Welby


Quote

Is it correct that we see the SSO screen every time that we log on to Hornbill? 

When there is no session, you are required to log in. If you are using SSO, the current scheme requires you to take a positive step to authenticate with your SSO by pressing the "LOGIN WITH SINGLE SIGN ON" button. Your IdP will either authorise you or require you to identify yourself. Normally, when using SSO, you will already be known to your IdP, so you will be authorised without any further interaction and taken to Hornbill as usual. After that, you will have direct access to Hornbill without the need to do this again for as long as your security session remains valid; for most typical setups this means pressing the SSO button once, in the morning, each day.

Gerry


@Paul Welby

No problem, thanks for asking the question. We fully acknowledge that the login process is slightly different to how it was before. We have had to make a compromise in the way in which it works. Previously, if you were configured for SSO and there was only one IdP, we would redirect, authenticate and redirect you back, so as long as you were already logged into your IdP you would not be presented with any login screen at all. There were problems with this approach though:

- If there was an error, handling the conditions was a little hit and miss, depending on the nature of the problem.
- If there was an issue with authenticating against your IdP for some reason, we had a "pass some extra stuff on the URL" hack to bypass SSO redirection; this was a little ugly for your typical user to deal with.
- If you needed to provide Hornbill's support team with temporary access to your instance, we were using an API hack which was also a bit ugly and not exactly secure, given the API call could get cached in your browser's URL history.
- Some of our more security-conscious enterprise customers require a positive action to be taken in order to log into any system.

In addition to these problems, there are a number of future enhancements around login security that we wanted to pave the way for:

- The ability to present an information security access statement to a user prior to them gaining access to the information system (Hornbill in this case).
- The ability to provide a "Support Access Passcode" function that will allow you to issue a temporary support access passcode for those times you need Hornbill's support/services team to access your instance.
- The ability to add other access prompts for things like 2FA.

To solve these problems, we compromised by adding a break in the login process, the compromise being that users accessing Hornbill would need to positively press the SSO Login button in order to establish a session first thing, and our judgement was that this seemed like a reasonable compromise. However, some customers have objected to the presentation of this extra button, and I understand why: in some organisations it's just not required, and they would rather not see the screen at all. Many of the enhancements are being driven by enterprise requirements, which is a natural course as we continue to make headway in the market, so there may well be a justification in recognising that some of these changes are more aligned with our enterprise offering, and we could possibly look to exclude some of this future thinking. We have not yet closed the door on enabling the auto-redirect once again, and we may well do that in the context of a simpler setup for non-enterprise use, but we did want to stabilise the changes, as under the hood the changes were/are quite a lot more substantial than just the new screen with the SSO Login button on it :)

We will continue to look at this; we are not done yet, and as I said, we do recognise this is a change. What we were hoping is that a more "enterprise-like" security model for access to the system would be welcomed, but at the moment not everyone is entirely on board with this.

As ever, all feedback is always welcome; we do listen and we do care, but we also do our best to bring our customers along with us as our learnings and experiences out in the field mature and evolve.

Gerry


@Gerry I think we would welcome the customisation of the SSO and manual login buttons so they can be labelled in a format more recognisable to end users. "Login with single sign on" may be easy to understand for people of reasonable technical competence, but might not necessarily be as intuitive, when faced with the choice of that and "Hornbill direct login", to those less technically competent.

In our instance, I'd prefer to label them "Enter Helpdesk Portal" and something like "Maintenance access" for the other, which would be clearer for our users.

Mike. 


@Michael Sharp

It's always worth mentioning that we have some customers that actively use two different login schemes, where they have some users logging in using SSO and others that log into Hornbill directly as a Hornbill user, so to them the second option is not just a maintenance-only button. So while in your case it makes sense, for others it would not.

Glad you got it sorted for your users :)

Gerry


@Michael Sharp

Lol :: thanks for posting. Yes, it seems everyone is OK with it now. As I think I said originally, the change was going to facilitate other things in the future, but it also allows many login options that were previously... errr... difficult...

I assume you have rolled out a combination of direct and SSO logins :)

Gerry


1 hour ago, Gerry said:

Quote

I assume you have rolled out a combination of direct and SSO logins :)

Actually, we are migrating SSO from ADFS to Azure, so we can test both services non-disruptively and also log in as system admin with the direct login to manage...!
