Paul Welby Posted October 2, 2020

Hi,

Is it correct that we see the SSO screen every time that we log on to Hornbill? I expected this to be a one off task and then the system would recognise that you have already signed on previously? I am presuming that this is the same for everyone?

Thanks

Martijn Posted October 2, 2020

We have that also, SSO should work without us having to click on the button.

Alberto M Posted October 2, 2020

We have that as well and yep... I thought the same when this new sign on method was announced.

Gerry Posted October 5, 2020

@Paul Welby

> Is it correct that we see the SSO screen every time that we log on to Hornbill?

When there is no session, you are required to log in. If you are using SSO, the current scheme requires you to take a positive step to authenticate with your SSO by pressing the "LOGIN WITH SINGLE SIGN ON" button. Your iDP will either authorise you, or require you to identify yourself. Normally, when using SSO you will already be known to your iDP, so you will be authorised without any further interaction required and you will be taken to Hornbill as usual.

After that, you will have direct access to Hornbill without the need to do this again for as long as your security session remains valid. For most typical setups this will require you to press the SSO button once, in the morning, each day.

Gerry

Paul Welby (Author) Posted October 6, 2020

Thanks for the clarification @Gerry

Gerry Posted October 6, 2020

@Paul Welby

No problem, thanks for asking the question. We fully acknowledge that the login process is slightly different to how it was before. We have had to make a compromise in the way in which it works. Previously, if you were configured for SSO, and there was only one iDP, we would redirect, authenticate and redirect you back, so as long as you were already logged into your iDP you would not be presented with any login screen at all. There were problems with this approach though:

- If there was an error, handling the conditions was a little hit and miss, depending on the nature of the problem
- If there was an issue with authenticating against your iDP for some reason, we had a "pass some extra stuff on the URL" hack to bypass SSO redirection; this was a little ugly for your typical user to deal with
- If you needed to provide Hornbill's support team with temporary access to your instance, we were using an API hack which was also a bit ugly and not exactly secure given the API could get cached in your browser's URL cache.
- Some of our more security-conscious enterprise customers require a positive action to be taken in order to log into any system.

In addition to these problems, there are a number of future enhancements around login security that we wanted to pave the way for:

- Ability to present an information security access statement to a user prior to them gaining access to the information system (Hornbill in this case).
- The ability to provide a "Support Access Passcode" function that will allow you to issue a temporary support access passcode for those times you need Hornbill's support/services team to access your instance
- Ability to add other access prompts for things like 2FA

Solving these problems, we compromised on adding a break gap in the login process, the compromise being that users accessing Hornbill would need to positively press the SSO Login button in order to establish a session first thing, and our judgement was that this seemed like a reasonable compromise. However, some customers have objected to the presentation of this extra button, and I understand why: in some organisations it's just not required, and they would rather not see the screen at all.

Many of the enhancements are being driven by more enterprise requirements, which is a natural course as we continue to make headway in the market, so there may well be a justification in recognising some of these changes are more aligned with our enterprise offering, so we possibly could look to exclude some of this future thinking. We have not yet closed the door to enabling the auto-redirect once again, and we may well do that in the context of a simpler setup for non-enterprise use, but we did want to stabilise the changes, as under the hood the changes were/are quite a lot more substantial than just the new screen with the SSO Login button on it.

We will continue to look at this, we are not done yet, and as I said we do recognise this is a change. What we were hoping is that a more "enterprise-like" security model for access to the system would be welcomed, but at the moment, not everyone is entirely onboard with this. As ever, we do listen, all feedback is always welcome, we do listen and we do care, but we also do our best to bring our customers along with us as our learnings and experiences out in the field mature and evolve.

Gerry

Shamaila.Yousaf Posted October 27, 2020

Hi,

This is an extra click which is inconvenient to us also.

Sxx

Michael Sharp Posted January 19, 2021

@Gerry I think we would welcome the customisation of the SSO and manual login buttons so they can be labelled in a format more recognisable to end users. “Login with single sign on” may be easy to understand for people of reasonable technical competence, but might not necessarily be as intuitive when faced with the choice of that and “Hornbill direct login” to those less competent. In our instance, I’d prefer to label them “Enter Helpdesk Portal” and something like “Maintenance access” for the other, which would be clearer for our users.

Mike.

Michael Sharp Posted January 19, 2021

Or even making the SSO more central and the direct access button floating on the bottom or a spanner or something in the corner maybe? @Gerry

Gerry Posted January 20, 2021

@Michael Sharp

I could be wrong here, but I am sure the login pages are fully translatable so really, you can customise the buttons to anything you like.

Gerry

Michael Sharp Posted January 25, 2021

@Gerry absolutely wonderful, thanks. I still think the placement of the second button should be less obvious due to the admin access nature (if I'm being incredibly picky) but the colours of the buttons service that requirement fine.

Gerry Posted January 25, 2021

@Michael Sharp

It's always worth mentioning that we have some customers that actively use two different login schemes, where they have some users logging in using SSO and others that log into Hornbill directly as a Hornbill user, so to them, the second option is not just a maintenance-only button. So while in your case it makes sense, for others it would not. Glad you got it sorted for your users.

Gerry

Michael Sharp Posted February 24, 2021

@Gerry funny how wisdom shines through. I actually really need the new login screen layout at the moment and couldn't have done it with the auto-login one we had before!

Mike.

Gerry Posted February 24, 2021

@Michael Sharp

Lol, thanks for posting. Yes, it seems everyone is ok with it now, as I think I said originally, the change was going to facilitate other things in the future, but also allows many login options that were previously... errr... difficult... I assume you have rolled out a combination of direct and SSO logins

Gerry

Michael Sharp Posted February 24, 2021

1 hour ago, Gerry said:

> @Michael Sharp
>
> Lol, thanks for posting. Yes, it seems everyone is ok with it now, as I think I said originally, the change was going to facilitate other things in the future, but also allows many login options that were previously... errr... difficult... I assume you have rolled out a combination of direct and SSO logins
>
> Gerry

Actually migrating SSO from ADFS to Azure so can test both services non-disruptively and also log in as system admin with the direct login to manage....!