Cannot download the Hornbill Meta data for user, admin or service....

[John C]

Morning ALL,

While trying to download the necessary files re the meta data I receive the below error for each.

Can someone assist please?

@Victor

 

 

 

[TrevorHarris]

Hi @John C

This is the SSO metadata being displayed in the browser, you can download it by right clicking on it and clicking save as... or pressing ctrl+S

Thanks

Trevor

[John C]

@TrevorHarris thank you for your update, however if I do that is saves it as a mcatalog.xml file, is that correct?

[TrevorHarris]

Yes, the mobile Catalog metadata will save as mcatalog.xml, the others will be live.xml, admin.xml, service.xml, and customer.xml.  This is just the default name it can be changed when you save.

[John C]

Thanks again Trevor.

Once downloaded, is it the "SAML Signing Certificate" in Azure I edit for each application as below?

[John C]

@TrevorHarris sorry, i think I had the wrong option, is this correct?

This is the basic Hornbill app, so I should upload user here?

[TrevorHarris]

More info on configuring the Identity Provider can be found here:
https://wiki.hornbill.com/index.php?title=Single_Sign_On_with_SAML_2.0#Configure_your_Identity_Provider

I'm not really able to advise here as all the identity providers work differently and I don't have experience with them

[John C]

@TrevorHarris yes I know were the instructions are however I am finding them quite confusing...

 

When I initially configured SSO for Hornbill, (over two years ago) it was a totally different setup, not like now re downloading the files from Hornbill it was actually the other way round, import to Hornbill from Azure....

When does this change have to be made for?

Perhaps @Victor or @Bob Dickinson can advise?

Thanks

[Victor]

The change mentioned by the HB notification is a change of Hornbill endpoints. Because we cannot automate an update here, given that this is configured on the identity provider, it requires a manual action. The SSO integration is done in both places, Hornbill and identity provider. Both requires metadata and usually that comes in form of an XML file (for SAML 2.0 anyway). So downloading the metadata file(s) was always there in Hornbill as this is how the SSO was designed to be configured, it is not something new that we introduced recently. In summary there are two sets of metadata that requires to be configured:

• the Hornbill SSO metadata obtainable via the options available when setting up the profile in admin tool - this metadata will then be configured on the identity provider
• the Identity Provider metadata which will then be configured in Hornbill

We can't really advise on any actions that need to be preformed on the identity provider as we don't have expertise with specific providers.

[John C]

@Victor thank you for your prompt reply as always...

Seeing that this change was implemented by Hornbill without prior warning I am just asking if indeed after downloading the XML's they are then uploaded to the existing SAML connections we have in Azure for Hornbill (Service), Hornbill (Live) and Hornbill (Admin), see screenshots below.

Also, when does this change have to be implemented for before it stops working?

 

 

 

Thanks

[yelyah.nodrog]

We are also having issues with this since the banner appeared yesterday saying it would not cause any issues it has been endless issues with SSO.
We have moved over to Azure today from ADFS in the hope that we can do two birds with one stone, I was advised that our SSO issues were nothing to do with Hornbill but my engineers do not agree and have advised there has been a change in metadata (which we also had a issue with downloading) is what has caused the problems.

I cannot get access to my tickets on the support portal this morning as nothing is showing and there are clearly issues with it, I have emailed hornbill support and my account manager with no response as we need to get this resolved.

A bit fed up over here.

[Victor]

2 minutes ago, John C said:

if indeed after downloading the XML's they are then uploaded to the existing SAML connections we have in Azure for Hornbill (Service), Hornbill (Live) and Hornbill (Admin), see screenshots below

I would say most likely yes, based on what I see in the screenshot, but again I really don't know how metadata is configured in Azure...

11 minutes ago, John C said:

when does this change have to be implemented for before it stops working?

There is no deadline to this at the time.

[John C]

@yelyah.nodrog yes I am very surprised more people are not reporting this issue or having similar issues.

At least I still have  access to what we need and has put me off updating.

@Victor judging by Yelyah actions and issue I think I will hold off on updating for now until we see a more reliable approach...

Thanks

[Victor]

@yelyah.nodrog

13 minutes ago, yelyah.nodrog said:

We have moved over to Azure today from ADFS in the hope that we can do two birds with one stone, I was advised that our SSO issues were nothing to do with Hornbill but my engineers do not agree and have advised there has been a change in metadata (which we also had a issue with downloading) is what has caused the problems.

Can you confirm if you and the infrastructure team follow the steps detailed here: https://wiki.hornbill.com/index.php?title=Updating_SSO_SAML_Metadata_Configuration_Action_Required? Specifically the "How to update the configuration" section?

There was indeed a change in metadata, this is the very reason why the update is needed... there are 2 specific steps that need to be performed:

1. Re-import the Hornbill SAML metadata to your identity provider. You will need to do this for each service you use SAML for in hornbill (e.g. live, admin, service, and mCatalog). This metadata can be imported alongside your current configuration on your identity provider. The metadata required can be accessed by clicking the appropriate button on the SSO Profile list page in the admin tool (if your identity provider doesn't support importing metadata automatically you can view the Entity Id and Reply URL you will need by clicking on the metadata button) - I presume Azure has the option to import this metadata, based on the above screenshot provided by @John C who also uses Azure - again I am no expert in Azure so this needs to be confirmed internally with your teams.

2. Once the above step is complete then update your SSO profile within Hornbill, you can do this by clicking on the "Update SAML Profile" button against the SSO Profiles that need updating (these are marked with an orange exclamation in the SSO Profile list), and clicking "Yes" on the warning message, after you confirm your SAML profile will be updated and will now use the updated Hornbill metadata to authenticate with your identity provider.

[John C]

@Victor This is what I was trying to explain earlier...

 

When I initially configured this SAML for Hornbill I did "not" have to upload the medadata file, it was just a matter of copying the URL from Hornbill Azure config into SAML in Azure....

[Victor]

Just now, John C said:

When I initially configured this SAML for Hornbill I did "not" have to upload the medadata file, it was just a matter of copying the URL from Hornbill Azure config into SAML in Azure....

If this all in Azure, unless I am missing something, then this looks like something that Microsoft introduced as an option for configuring SSO in Azure...

[John C]

@Victor fair enough, I configured this initially in June 2019....

I Just had to copy the URL from Hornbill and paste here..

 

[John C]

@yelyah.nodrog did you get sorted?

[Deen]

@John C I believe she did.  Although I am not yet sure of the root cause.

[yelyah.nodrog]

@John C We did thankyou .although we had to remove everything off of our ADFS server and start again, adding the new metadata URLS didn't work for us.
H