
Auto Update Certificates


chathway


We have a single SSO profile configured for Azure AD. In Azure AD we have 3 Apps for Hornbill SSO (Admin, User, & Service), all configured for https://*.hornbill.com/*?metadata=hornbill|ISV9.2|primary|z.

We would like to enable "Auto Update Certificates" in the Hornbill SSO profile; however, there is only one configuration field for the metadata URL. We would need 3 of these for the 3 Azure app instances (each one contains the signing cert thumbprint for that instance).

Could this be added?

In the case of Azure AD the base URL for the metadata is always the same, https://login.microsoftonline.com/TENANT_ID/federationmetadata/2007-06/federationmetadata.xml, and a parameter on the end of the URL, ?appid=APPID_GUID, is used to select the correct metadata.

@Gerry support mentioned you might be best placed to help on this ;)


Hi

Can you confirm whether each of the apps' metadata on Azure has a different signing certificate and the rest of the metadata is the same across each of the apps? How do you configure this currently in Hornbill? I presume you cannot be using the metadata URL and are importing the signing certificates from the 3 apps manually into the SSO profile in Hornbill.

Thanks

Trevor


Yes, it's the same Entity ID, HTTP-Redirect and HTTP-POST address; just each app's metadata has a different signing cert.

We can import from the metadata URL of one of the apps (e.g. User) and that will bring in its signing cert; however, the signing certs for the other apps need to be uploaded manually.

Thanks

Chris

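The scenario described above (one tenant, several Azure apps sharing an Entity ID but each publishing its own signing certificate) can be checked without waiting for the nightly sync. The script below is an added example, not Hornbill or Microsoft code: it builds the per-app federation metadata URL, parses the signing certificates out of a metadata document and reports which thumbprints an SSO profile does not yet trust. The entityID, the app names and the "certificates" (base64 of short strings, not real DER) are constructed sample values so it runs offline; the namespaces and element names are the standard SAML 2.0 metadata ones Azure AD uses.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespaces used in Azure AD federation metadata (SAML 2.0 metadata + XML-DSig)
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def metadata_url(tenant_id, app_id=None):
    """Per-app federation metadata URL; the appid query parameter selects the app."""
    base = (f"https://login.microsoftonline.com/{tenant_id}"
            "/federationmetadata/2007-06/federationmetadata.xml")
    return f"{base}?{urlencode({'appid': app_id})}" if app_id else base

def signing_thumbprints(metadata_xml):
    """Return (entityID, [SHA-1 thumbprints]) of the IdP signing certificates.
    A KeyDescriptor with no 'use' attribute may sign, so it is included too."""
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # tolerate line-wrapped PEM body
            thumbs.append(hashlib.sha1(der).hexdigest().upper())
    return root.get("entityID"), thumbs

def missing_from_profile(app_metadata, profile_thumbprints):
    """Per app, the thumbprints it publishes that the SSO profile does not yet trust."""
    known = {t.upper() for t in profile_thumbprints}
    return {app: [t for t in signing_thumbprints(xml)[1] if t not in known]
            for app, xml in app_metadata.items()}

# Constructed sample: a minimal EntityDescriptor per app (shared entityID, own cert).
def sample_metadata(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/TENANT_ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT_ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SAMPLE_APPS = {"Hornbill (Live)": sample_metadata(b"abc"),
               "Hornbill (Admin)": sample_metadata(b"The quick brown fox jumps over the lazy dog")}

if __name__ == "__main__":
    # The profile was imported from the Live app only, so the Admin cert is reported as missing.
    trusted = signing_thumbprints(SAMPLE_APPS["Hornbill (Live)"])[1]
    print(metadata_url("TENANT_ID", "APPID_GUID"))
    print(missing_from_profile(SAMPLE_APPS, trusted))
```

Against a real tenant, fetch each app's URL from metadata_url() and pass the response bodies in place of SAMPLE_APPS; the thumbprints match what the Azure portal shows for the app's SAML signing certificate.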

  • 6 months later...

@chathway hello, did you ever get this resolved? My 3 certs are expiring this week and I have imported new ones, but when I activate the certs in Azure we cannot hit the necessary pages (see the screenshot below). Thank you for your time...


@John C this thread was specific to the scenario where there is more than one Azure app configured for Hornbill SSO. Do you have the same in your environment? Mind you, with recent changes in the admin tool there is no longer a requirement to have multiple apps in Azure for the purpose of SSO authentication in Hornbill (one exception is authentication on the customer portal, not the employee portal, which requires a separate app given that it uses the Guest realm in Hornbill).


@John C the multiple apps were required due to the different domains (we) used to access various areas in Hornbill. Because the Azure app can only have one entity URL, we would have needed a separate app for each domain in Hornbill: live (live.hornbill.com), services (live.hornbill.com) and admin (live.hornbill.com).

The "Services" domain was deprecated a while back with the introduction of the employee portal, which is accessed via the live domain now. The "Admin" domain was deprecated recently (with the recent UI changes for admin) and is now accessed via the live domain. Therefore we do not need separate apps for different Hornbill domains, since all functionality now goes via the live.hornbill.com domain.

My suggestion is to remove/deprecate the "Hornbill" (*) and "Hornbill(Admin)" apps and keep the "Hornbill(Live)" one. For Hornbill Live, have the right certificates configured and so on, and use the SAML data from this app to update the SSO profile in Hornbill.

(*) assuming the "Hornbill" app in the screenshot is the app configured for services.hornbill.com


@Victor thank you for your help...

I think I understand. I will copy the App Federation Metadata Url from Azure for Hornbill(Live) and paste it into the Metadata URL files in Hornbill SSO for Azure1, and hopefully it syncs tonight at 00:00.

I created a new cert in Azure for Hornbill(live). Do I need this, and if so, when should I set it to active? Is there a way to enable it prior to the current one expiring on the 22/05 and be done with it?

Thanks again, much appreciated..


7 hours ago, John C said:

hopefully it syncs tonight at 00:00

@John C you don't need to wait for the (or a) sync. You can always use the SAML metadata URL and import the data manually. Use the "Import Metadata" button (screenshot), paste the URL in the field, and click Process. This should populate the data in the profile. Then save the changes. Based on what you have now, I do not expect any changes apart from the certificate refresh (update) in the profile.


@Victor morning and again thank you for your reply...

I "hope" I have it. The import took place last night at 00:01 as you can see; I set the new cert in Azure to active and I logged in. You can see the date of import and one login hit thus far.

Thank you for your help with this, much appreciated....


@Victor @Gerry morning guys, quick question if you don't mind please...

If I set the option below to Hornbill Direct Login, users are still prompted for single sign-on on the login page.

Where is the setting to enable direct login from the login screen without being prompted for the single sign-on option too?

Thanks
