Adam Knee Posted October 22, 2021 We are trying to update our SAML cert via the guides online; however, it seems we might have missed something here, as we are now getting an error logging in (see attached). Can anyone advise what might be causing this?
Victor Posted October 22, 2021 @Adam Knee do you have a Hornbill Azure app for the admin endpoint? (Each HB endpoint needs its own app in Azure.) Note: This thread was posted in a subsection of the About the Forum section. Please note this section is specific to our community forum functionality. For any issues or queries about the Hornbill product please use the relevant sub-section from the Hornbill Platform and Applications section. This thread has now been moved.
Adam Knee Posted October 22, 2021 (Author) We have the Hornbill Enterprise App from when we set it up originally? Apologies if this sounds vague; it was all configured by an ex-employee and this is my first dealing with this system.
Victor Posted October 22, 2021 @Adam Knee can you log in if you navigate to live.hornbill.com/... instead of admin.hornbill.com/...?
Adam Knee Posted October 22, 2021 (Author) Similar error.
Adam Knee Posted October 22, 2021 (Author) I'm not sure if we need to re-upload the metadata .xml files to the Enterprise App under SSO?
Adam Knee Posted October 22, 2021 (Author) When we paste the App Federation Metadata URL into the "import IDP Meta Data" section, the Entity ID changes to https://sts.windows.net/xxxxxxxx, which doesn't feel right to me...
Adam Knee Posted October 22, 2021 (Author) Ideally we want auto-update certificates enabled as well, which it doesn't seem to let me set, to prevent this pain in the future.
Victor Posted October 22, 2021 7 minutes ago, Adam Knee said: then Entity ID changes to https://sts.windows.net/xxxxxxxx which doesn't feel right to me... Looks all right to me; this looks like an Azure entity ID URL... Have you updated the Azure SSO app with the metadata from Hornbill? It almost looks like you updated the SSO profile but only part of the action was performed... the full update needs action in both Hornbill and Azure (or the IdP of choice). As for the auto-update for certificates, it should be straightforward: turn on the option in the SSO profile and input the URL to the metadata...
Adam Knee Posted October 22, 2021 (Author) So I just need to upload all the XML files that I downloaded (USER, SERVICE, ADMIN, GUEST etc.) to the Hornbill Enterprise App?
Adam Knee Posted October 22, 2021 (Author) Just imported user.xml and we seem to be back in now that the identifier (Entity ID) shows as https://sso.hornbill.com/INSTANCENAME/live.
Victor Posted October 22, 2021 @Adam Knee do you have only one app for Hornbill in Azure (named Hornbill Enterprise app)? If yes, then you can only use one of the XML files (which represents a Hornbill endpoint). If you need SSO on all other endpoints (admin, service, etc.) you need a separate app in Azure for each... EDIT (as I typed while you replied): By importing the user.xml your Hornbill Azure app is associated with the "live" endpoint, so it will work when accessing that (as you confirmed). Once you authenticate in HB via "live" you can navigate to other endpoints (e.g. "admin"); you don't need to authenticate there when you have an active session in HB. However, if you are not authenticated in HB (yet) and you navigate to the "admin" endpoint for login, you would need that "admin" endpoint Azure app, otherwise you will not be able to authenticate via this endpoint. So the "admin" app is only required if you intend to authenticate via "admin" (or another endpoint) at any given time... hope this makes sense.
Adam Knee Posted October 22, 2021 (Author) We have one SSO profile within Hornbill. We have now successfully updated the SAML cert for the users' SSO, for live.hornbill, thank you! We have a Self Service Azure App that goes to service.hornbill.com; we've uploaded the metadata (service.xml) but the SAML cert is different. Do we need to download a cert from the service App to the SSO profile, or what are the steps to complete the service SAML cert update?
Adam Knee Posted October 22, 2021 (Author) We seem to have this common error when configuring the service: "The public certificate used for signing the assertion is not known to the service provider...." Is it because of this: "Also this error may occur if you attempt to use multiple SSO profiles with the Customer Portal at one time. Although not currently possible this feature should be configurable from the admin tool in a future release."
Victor Posted October 22, 2021 25 minutes ago, Adam Knee said: We have one SSO profile within Hornbill. Yes, in Hornbill you will have only one, but in Azure you need a different one for each endpoint... as I understand you have there (in Azure) an "Enterprise" app for when you authenticate to "live.hornbill.com" and a "Self-Service" app for when you authenticate to "service.hornbill.com"... so different apps in Azure for each HB endpoint... but as for an SSO profile in HB itself, only one (*)... 22 minutes ago, Adam Knee said: We seem to have this common error when configuring the service This is because, as you noticed, the "Self-Service" app in Azure has different certificates than the "Enterprise" app... but since we only have one Hornbill SSO profile, it means that the (different) certificates of the "Self-Service" app need to be added to the existing SSO profile in HB. I believe the Azure authentication endpoints (entity ID, binding URLs) are the same in both apps, so the HB SSO profile (in Hornbill) just needs the (other) certificates... 26 minutes ago, Adam Knee said: Is it because of this: Also this error may occur if you attempt to use multiple SSO profiles with the Customer Portal at one time. Although not currently possible this feature should be configurable from the admin tool in a future release. No. That advice is for when using the "customer.hornbill.com" endpoint, something that you don't use currently (based on service params I can see for your instance). (*) Note: There are scenarios when one can have multiple SSO profiles configured in Hornbill, for example having a (guest) customer portal or multiple IdPs. These scenarios do not apply to the issue discussed specifically in this thread for the affected instance.
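The mismatch Victor describes, checked programmatically: an added example (not Hornbill's or Microsoft's code) that parses IdP federation metadata of the shape Azure AD publishes, fingerprints each app's signing certificate, and reports which ones the single Hornbill SSO profile does not yet trust, plus a check that the apps really do share one entity ID and SSO URL. The metadata, certificates and tenant ID are constructed placeholders, not values from the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-ins for the base64 DER certificates real metadata carries (so this
# runs offline); each Azure app normally signs with its own certificate.
CERT_ENTERPRISE = base64.b64encode(b"constructed DER: Enterprise app signing cert").decode()
CERT_SELF_SERVICE = base64.b64encode(b"constructed DER: Self-Service app signing cert").decode()

def fake_idp_metadata(cert_b64: str) -> str:
    """Constructed IdP metadata shaped like the Azure AD document; tenant ID is a placeholder."""
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        {cert_b64}
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER bytes, ignoring the line wrapping metadata files often have."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    """Entity ID, SSO URL and fingerprints of every signing certificate the IdP advertises."""
    root = ET.fromstring(xml_text)
    certs = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' covers signing too
            certs.update(fingerprint(c.text) for c in kd.iter(f"{{{NS['ds']}}}X509Certificate"))
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"),
            "sso_location": None if sso is None else sso.get("Location"),
            "signing_fingerprints": certs}

def missing_signing_certs(sp_trusted: set, *idp_documents: str) -> set:
    """Signing certs the IdP apps use that the SP profile does not trust ('not known to the SP')."""
    advertised = set().union(*(parse_idp_metadata(d)["signing_fingerprints"] for d in idp_documents))
    return advertised - sp_trusted

def same_idp_endpoints(*idp_documents: str) -> bool:
    """True when every app shares one entity ID and SSO URL, so only the certificates differ."""
    return len({(p["entity_id"], p["sso_location"])
                for p in map(parse_idp_metadata, idp_documents)}) == 1
```

Run it against each app's downloaded federation metadata and the fingerprints already in the SSO profile: an empty result from missing_signing_certs means every endpoint's assertions will verify, and a non-empty one names exactly the certificate to add.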