
Updating SAML Cert Issues


Adam Knee


@Adam Knee do you have a Hornbill Azure app for the admin endpoint? (each HB endpoint needs its own app in Azure)

Note: This thread was posted in a subsection of About the Forum section. Please note this section is specific to our community forum functionality. For any issues or queries about the Hornbill product please use the relevant sub-section from Hornbill Platform and Applications section. This thread has now been moved.


7 minutes ago, Adam Knee said:

then Entity ID changes to https://sts.windows.net/xxxxxxxx which doesn't feel right to me...

Looks all right to me, this looks like an Azure entity ID URL...

Have you updated the Azure SSO app with the metadata from Hornbill?

It almost looks like you updated the SSO profile but only part of the action was performed ... the full update needs action in both Hornbill and Azure (or the IdP of choice)

As for the auto update for certificates, should be straight forward, turn on the option in the SSO profile and input the URL to the metadata...


@Adam Knee do you have only one app for Hornbill in Azure (named Hornbill Enterprise app)? If yes, then you can only use one of the XML files (which represents a Hornbill endpoint). If you need SSO on all other endpoints (admin, service, etc) you need a separate app in Azure for each...

EDIT (as I typed while you replied): By importing the user.xml your Hornbill Azure app is associated with the "live" endpoint, so it will work when accessing that (as you confirmed).

Once you authenticate in HB via "live" you can navigate to other endpoints (e.g. "admin"), you don't need to authenticate there when you have an active session in HB.

However, if you are not authenticated in HB (yet) and you navigate to "admin" endpoint for login, you would need that "admin" endpoint Azure app otherwise you will not be able to authenticate via this endpoint. So the "admin" app is only required if you intend to authenticate via "admin" (or other endpoint) at any given time... hope this makes sense. 


We have one SSO profile within Hornbill.

We have now successfully updated the SAML cert for the users SSO, for live.hornbill thank you!

We have a Self Service Azure App that goes to service.hornbill.com, we've uploaded the metadata (service.xml) but the SAML cert is different.

Do we need to download a cert from the service APP to the SSO profile, or what are the steps to complete the service SAML cert update?


We seem to have this common error when configuring the service:

"The public certificate used for signing the assertion is not known to the service provider...."

Is it because of this:

Also this error may occur if you attempt to use multiple SSO profiles with the Customer Portal at one time. Although not currently possible this feature should be configurable from the admin tool in a future release.


25 minutes ago, Adam Knee said:

We have one SSO profile within Hornbill.

Yes, in Hornbill you will have only one, but in Azure, you need a different one for each endpoint... as I understand you have there (in Azure) an "Enterprise" app for when you authenticate to "live.hornbill.com" and a "Self-Service" app for when you authenticate to "service.hornbill.com"... so different apps in Azure for each HB endpoint.... but as for a SSO profile in HB itself, only one(*)...

22 minutes ago, Adam Knee said:

We seem to have this common error when configuring the service

This is because, as you noticed, the "Self-Service" app in Azure has different certificates than the "Enterprise" app... but since we only have one Hornbill SSO profile it means that the (different) certificates of the "Self-Service" app need to be added to the existing SSO profile in HB. I believe the Azure authentication endpoints (entity ID, binding URLs) are the same in both apps, so the HB SSO profile (in Hornbill) just needs the (other) certificates...

26 minutes ago, Adam Knee said:

Is it because of this:

Also this error may occur if you attempt to use multiple SSO profiles with the Customer Portal at one time. Although not currently possible this feature should be configurable from the admin tool in a future release.

No. That advice is for when using the "customer.hornbill.com" endpoint, something that you don't use currently (based on service params I can see for your instance).

(*)Note: There are scenarios when one can have multiple SSO profiles configured in Hornbill, for example having a (guest) customer portal or multiple IdP. These scenarios do not apply in the issue discussed specifically in this thread for the affected instance.
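The situation the last two replies describe, as an added Python example that is not Hornbill's own code: the SP's single SSO profile must hold every signing certificate the IdP app will actually use, and an assertion signed with a certificate the profile does not hold is the "not known to the service provider" condition. The metadata document, tenant ID and certificate bodies below are constructed placeholders, and a SHA-256 fingerprint comparison stands in for whatever the product does internally.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for the base64 DER bodies each Azure app
# publishes in its metadata; these are not real certificates.
ENTERPRISE_CERT = base64.b64encode(b"constructed DER: enterprise app signing cert").decode()
SELF_SERVICE_CERT = base64.b64encode(b"constructed DER: self-service app signing cert").decode()

def idp_metadata(cert_b64: str) -> str:
    """Constructed IdP federation metadata carrying one signing KeyDescriptor."""
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the decoded DER bytes; line breaks inside the base64 body are ignored."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml: str) -> set[str]:
    """Fingerprints of every signing certificate the IdP metadata advertises.
    A KeyDescriptor with no 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps

def missing_from_profile(trusted: set[str], metadata_xml: str) -> set[str]:
    """Signing certs this IdP app will use that the SP profile does not yet trust.
    Non-empty means assertions from that app are rejected as 'not known'."""
    return signing_fingerprints(metadata_xml) - trusted

# Walk-through mirroring the thread: the profile was built from user.xml only,
# so the Self-Service app's certificate is the gap until it is added as well.
profile_trusted = {fingerprint(ENTERPRISE_CERT)}
gap = missing_from_profile(profile_trusted, idp_metadata(SELF_SERVICE_CERT))
profile_trusted |= gap  # adding the missing cert to the one SSO profile closes the gap
```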
