chathway, posted November 2, 2021:

We have a single SSO profile configured for Azure AD. In Azure AD we have 3 Apps for Hornbill SSO (Admin, User, & service) all configured for https://*.hornbill.com/*?metadata=hornbill|ISV9.2|primary|z.

We would like to enable "Auto Update Certificates" in the Hornbill SSO profile; however, there is only one configuration for metadata URL. We would need 3 of these for 3 Azure app instances (each one contains the signing cert's thumbprint for the instance). Could this be added?

In the case of Azure AD the base URL for the metadata is always the same, https://login.microsoftonline.com/TENANT_ID/federationmetadata/2007-06/federationmetadata.xml, and a parameter on the end of the URL, ?appid=APPID_GUID, is used to select the correct metadata.

@Gerry support mentioned you might be best to help on this

TrevorHarris, posted November 2, 2021:

Hi

Can you confirm if each of the apps' metadata on Azure has a different signing certificate and the rest of the metadata is the same across each of the apps?

How do you configure this currently in Hornbill? I presume you cannot be using the metadata URL and are importing the signing certificates from the 3 apps manually into the SSO profile in Hornbill.

Thanks
Trevor

chathway (author), posted November 3, 2021:

Yes, it's the same Entity Id, HTTP-Redirect, HTTP-Post address; just each app's metadata has a different signing cert.

We can import from the metadata URL one of the apps (e.g. user) and that will bring in its signing cert; however, the signing certs for the other apps need to be uploaded manually.

Thanks
Chris

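Added example, not part of the original thread and not Hornbill or Microsoft code: a check of the situation described in the posts above, where several Azure apps share an entity ID but each app's federation metadata carries its own signing certificate. It lists which apps' signing-certificate thumbprints (SHA-1 of the DER bytes) are absent from the set imported into the SSO profile; the metadata samples, app names and entity ID value are constructed, and TENANT_ID / APPID_GUID are the placeholders used in the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BASE = "https://login.microsoftonline.com/{tenant}/federationmetadata/2007-06/federationmetadata.xml"

def metadata_url(tenant_id, app_id):
    """Per-app metadata URL: same base, ?appid= selects the app's signing cert."""
    return BASE.format(tenant=tenant_id) + "?appid=" + app_id

def signing_thumbprints(metadata_xml):
    """Return (entityID, SHA-1 thumbprints of the IdP signing certificates)."""
    root = ET.fromstring(metadata_xml)
    prints = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means any purpose
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            prints.add(hashlib.sha1(der).hexdigest().upper())
    return root.get("entityID"), prints

def profile_gaps(app_metadata, profile_thumbprints):
    """Return (entity IDs seen, {app: signing thumbprints absent from the profile})."""
    entity_ids, gaps = set(), {}
    for app, xml_text in app_metadata.items():
        entity_id, prints = signing_thumbprints(xml_text)
        entity_ids.add(entity_id)
        if prints - profile_thumbprints:
            gaps[app] = sorted(prints - profile_thumbprints)
    return entity_ids, gaps

def sample_metadata(cert_bytes):
    """Constructed, trimmed metadata; cert_bytes stands in for a DER certificate."""
    b64 = base64.b64encode(cert_bytes).decode()
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://sts.windows.net/TENANT_ID/"><IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
            f'<X509Data><X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo>'
            '</KeyDescriptor></IDPSSODescriptor></EntityDescriptor>')

# Constructed sample: three apps, same entity ID, different signing certs.
APPS = {name: sample_metadata(f"constructed-cert-{name}".encode())
        for name in ("admin", "user", "service")}

if __name__ == "__main__":
    # Profile state after importing only the "user" app's metadata URL.
    _, imported = signing_thumbprints(APPS["user"])
    print(metadata_url("TENANT_ID", "APPID_GUID"))
    print(profile_gaps(APPS, imported))
```

With only the "user" app's metadata imported, the "admin" and "service" certificates are reported as gaps, which is the manual-upload step described in the post above.
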
John C, posted May 16, 2022:

@chathway hello, did you ever get this resolved? My 3 certs are expiring this week and I have imported new ones, but when I activate the certs in Azure, we cannot hit the necessary pages, see below:

Thank you for your time...

Victor, posted May 16, 2022:

@John C this thread was specific to the scenario where there is more than one Azure app configured for Hornbill SSO. Do you have the same in your environment?

Mind you that with recent changes in the admin tool, there is no more requirement to have multiple apps in Azure for the purpose of SSO authentication in Hornbill (one exception is authentication on customer portal - not employee portal - which requires a separate app given that it uses the Guest realm in Hornbill).

John C, posted May 17, 2022:

@Victor morning, thank you for your response. I have 3 Apps in Azure, so I only need to configure a new Cert for one? Which one, ADMIN?

Victor, posted May 17, 2022:

@John C the multiple apps were required due to different domains (we) used to access various areas in Hornbill. Because the Azure app can only have one entity URL, we would have needed a separate app for each domain in Hornbill: live (live.hornbill.com), services (live.hornbill.com) and admin (live.hornbill.com).

The "Services" domain was deprecated a while back with the introduction of the employee portal, which is accessed via the live domain now. The "Admin" domain has been deprecated recently (with the recent UI changes for admin) and is now accessed via the live domain. Therefore we do not need separate apps for different Hornbill domains since now all functionality goes via the live.hornbill.com domain.

My suggestion is to remove/deprecate the "Hornbill" (*) and "Hornbill(Admin)" apps and keep the "Hornbill(Live)" one. For the Hornbill Live have the right certificates configured and such and use the SAML data from this app to update the SSO profile in Hornbill.

(*) assuming the "Hornbill" app in the screenshot is the app configured for services.hornbill.com

John C, posted May 17, 2022:

@Victor thank you for your help... I think I understand. I will copy the App Federation Metadata Url from Azure for Hornbill(Live) and paste it into the Metadata URL files in Hornbill SSO for Azure1 and hopefully it syncs tonight at 00:00.

I created a new cert in Azure for Hornbill(live). Do I need this, and when should I set it to active if so? Is there a way to enable it prior to it expiring on the 22/05 and be done with it?

Thanks again, much appreciated..

Victor, posted May 17, 2022:

7 hours ago, John C said: "hopefully it syncs tonight at 00:00"

@John C you don't need to wait for a sync. You can always use the SAML metadata URL and import the data manually. Use the "Import Metadata" button (screenshot), paste the URL in the field, click Process. This should populate the data in the profile. Then save changes.

Based on what you have now, I do not expect any changes apart from certificate refresh (update) in the profile.

John C, posted May 18, 2022:

@Victor morning and again thank you for your reply... I "hope" I have it. The import took last night at 00:01 as you can see; I set the new Cert in Azure to active and I logged in. You can see the date of import and one hit of login thus far.

Thank you for your help with this, much appreciated....

John C, posted May 20, 2022:

@Victor @Gerry morning guys, quick question if you don't mind please... If I set the below to Hornbill Direct Login, they are still prompted for single sign on on the login page. Where is the setting to enable direct login from login screen without being prompted for single sign on option too?

Thanks

Gerry, posted May 26, 2022:

@John C You simply disable the SSO profile(s) that you don't want to use, and the "LOGIN WITH SINGLE SIGN ON" button will not be shown...

Gerry

John C, posted May 31, 2022:

@Gerry thank you, yes, was on hols until today...

Gerry, posted May 31, 2022:

No problem, glad it's sorted out for you.

Gerry