Jump to content

Adding new certificate in SSO Profile

John C

By John C
in System Administration

 Share

Recommended Posts

John C Community Regular

John C

Posted
Posted

@Victor @Steve Giller hi guys,

 

I need to update my certificates in Hornbill as they will shortly expire but I am not sure how to add the new certs in Hornbill itself.

I have created 3 new certs in Azure, (Hornbill, Admin & Live) and I have downloaded these, but how to I upload to Hornbill below before I enable the new ones on Azure?

When I click add cert re shot below is prompts for Key Data, how do I input this?

Thank you.

 

image.thumb.png.9eb822d349b533e15417d55fb4e6500a.png

 

image.png.526b2afddf07b1286e7f82bfa74acad0.png

 

image.png.178ae0752ce396e60e86f81d37c773cd.png

Link to comment
Share on other sites
John C Community Regular

John C

Posted
  • Author
Posted

@James Ainsworththank you for your response.

Yes, I seen this, but still was not sure, does the new cert in Azure have to be activated so Hornbill automates and updates it or?

@Victor can you provide some info please re the best way to update these certs and is it all three or just one? Snips are attached to this original post...

Thanks guys

Link to comment
Share on other sites
Gerry Grand Master

Gerry

Posted
Posted

@John C

Quote

Would ye like me to document this for Hornbill going forward!??

I think our SAML implementation is pretty well documented already to be honest, but the key to configuring this is to understand YOUR idp and the basics of how SAML works., both of these are really out of our control.  Even internally at Hornbill we sometimes have to bring in outside experts to help us with some aspects of our own network like AD and so on, its generally not possible (or desirable) that our technical folks at Hornbill try to be a Microsoft (assuming you are using AD) support house as we are not really Microsoft AD experts, do not have people trained or geared up to support Microsoft products.  Our system implements SSO using an industry-standard open-standard known as SAML 2.0, this is industry standard and vendor agnostic, we 100% support SAML 2.0 ( https://en.wikipedia.org/wiki/SAML_2.0 ) and this is how we implement full and transparent SSO across multiple platforms and enterprise systems seamlessly. 

In our documentation on the Wiki we have provided some examples of how one might configure AD to work with SAML 2.0 and Hornbill SSO, but thats really provided on a best endeavour bases, if there is an oppertunity to improve that documentation we would be happy to take on board any suggestions. 

In answer to your question "now I wonder why there are 6 as oppose to just 3!?"  You will see that you can remove the ones you don't need.  Our platform does not randomly make up keys so if they are in there as a result of an import that can only mean those certs were in the metadata that you imported from.   You will see on the list that there is a "Used Count" this is telling you how many times each certificate has been used to authenticate a user, the counter is there to help you determine what certs are being used, you also have an expiry date so you also know when those used certs are going to assign.  If you have more than one cert in your metadata, this may mean that your particular AD setup has a cluster of either multiple domains and/or redundancy, and it may well mean that your IDP is publishing the fact that SAML assertions could be signed with any one of those 6 certificates, in this case, when validating a user authentication request we will select the correct certificate.  Again, this is VERY SPECIFIC to your network/AD configuration and not something anyone at Hornbill would really have any meaningful input on, without  that is becoming a proxy support function for your own AD infrastructure. 

Certificates will sit on our system for 90  days *after* they expire, at which point they will be automatically purged from our system. 

Its also worth noting, that if you configure the SSO correctly, and, your AD is configured in such a way that our service can reach your SAML metadata endpoint, you can configure this so certificate renewal is entirely automated, you only need to turn that option.  This is a feature we added 18 months ago because so many customers seem to be "left to it" by their own internal network teams to manage and deal with this themselves. 

I would finally point out that the forum is a community resource and not an official support channel.  We do our best to frequent the forums and answer as much as we can, but we very specifically state that the forum is not an SLA'ed support channel.  Moreover, for requests like this that would generally veer into supporting your own AD environment, or educating you on SAML and how it works, you are likely to get less takers because these things can become very time consuming and difficult to help with.   For anything important  that is going to interrupt your use of our service, I would strongly recommend you use our official support channel:  https://hornbill.com/support/

It seems from the screen above  your new certs are not yet being used, so before you remove any of the ones that are not being used I would wait to make sure your AD system starts to send authentication requests using those new certs (you will see the use counter increasing), once that starts happening you will be safe to remove the old certs that are no longer being used (again you will see that by seeing that the old certs counters are no longer incrementing). 

Thanks,
Gerry

 

  • Like 4
Link to comment
Share on other sites
John C Community Regular

John C

Posted
  • Author
Posted

@Gerry thank you for your response.

Firstly, re" if you configure SSO correctly" I configured this initially and it has been working without fault since July 2019...the only issue being the cert itself expires next month after 3 years and needs renewing.

After reading your current documentation I still thought it was very unclear on how to "manually" add the updated Cert via Hornbill, not Azure, this is obviously seperate where you create a new cert and set it to active, screenshot below,  this then can be downloaded and with the + option in certificates in Hornbill I simply asked how to add to which no staff member could assist, James did try which I thanked him for.

You refer to AD re the whole equation around SSO and SAML when in fact in my case it all is configured in Azure.

Finally, regard to support, I logged this on Friday morning and wasn't expecting a fix or resolution that day or days even, however a point in the right direction would of sufficed.

Oh, and the automated function only works once you insert the Meta Data URL, which you get from Azure, simply turning it on will not work.

Thanks again Gerry.

 

image.png.cab89bb850bf3e6dc62ec0070b176cb1.png

image.thumb.png.f1a2777b19efce1a277f2e878677ed69.png

Link to comment
Share on other sites
John C Community Regular

John C

Posted
  • Author
Posted

@Gerry seeing I have your attention just now, can I ask one more question please, different topic/issue.

Please point my question to another engineer if you don't have the time to respond...

I am about to kick off a migration to another tenant, so all our @e-i-eng.com addresses will change to lets say @google.com

I am worried about access for my users 1200+ to Hornbill, not just SSO, as the user id which I already changed in my profile will not work with the new google.com address.

Note I changed both the user id and email in my Hornbill profile but could still not log into service manager, this will obvious affect all end users too.

Is there a way to import a csv file into Hornbill to start using the new user id and email as oppose to the current @e-i-eng.com which we will no longer be?

Hope this makes sense...

Thanks again!

 

 

 

Link to comment
Share on other sites
Gerry Grand Master

Gerry

Posted
Posted

@John C

We will post some more information regarding the service outage, we had a global, we will publish an RCA in the coming hours. 

In terms of your question, I am not sure I understand what you are asking.  "I am about to kick off a migration to another tenant" another tenant of what? 

"Note I changed both the user id and email in my Hornbill profile but could still not log into service manager, this will obvious affect all end users too."  if you are using SAML (as you seem to be) changing your login ID in the Hornbill profile may or may not be relevant, this comes back to the way AD is configured, when AD generates an SAML assertion, it will provide a NameID, this is what we match to in relation to the account, its easy to change all the login ID's in the Hornbill instance, but you also need to understand how our AD is configured if you want SSO to keep working.  

"Is there a way to import a csv file into Hornbill" yes there are many ways to import data, depends on the type of user (basic, user or contact) and what you want to do, its possible to bulk upload.  

I am not really in a position to provide specific support on what you need to do, I am not really an expert either.  If you have a success plan in place with out support team they can definitely help with this sort of thing. 

Thanks,

Gerry

 

Link to comment
Share on other sites
Gerry Grand Master

Gerry

Posted
Posted
Quote

yes about an hour now, people say it's global yet status shows s ok!?

Fair point on status.hornbill.com, this is not as automated as we would like it to be.  In the heat of trying to solve an issue it tends not to make the top of the priority list to get status.hornbill.com updated. We will try to do better next time. 

Gerry

  • Like 1
Link to comment
Share on other sites
John C Community Regular

John C

Posted
  • Author
Posted (edited)

@Gerry morning...

 

Another tenant as in office 365, see below snip, which id does Hornbill actually use to logon the actual user, I thought it was the logon ID as oppose to the User ID?

All users email address's will change from @a.com to lets say @b.com, so I need to update their profile in Hornbill to allow them logon.

So for example, Maurice below will now be redacted@b.com, so I need to manually need to change this in his Hornbill profile from current redacted@a.com

 

My question is seeing i cannot edit the "User ID" in Hornbill, will this matter?

Thanks

 

image.png

Edited by Victor
Personal data
Link to comment
Share on other sites
Victor Grand Master

Victor

Posted
Posted
On 5/2/2022 at 9:17 AM, John C said:

My question is seeing i cannot edit the "User ID" in Hornbill, will this matter?

@John C No. Make sure you update the logon ID, which is what Hornbill uses to match the Name ID attribute value from the SAML response. Also:

 

Link to comment
Share on other sites
John C Community Regular

John C

Posted
  • Author
Posted

@Victor hello

Do you know if there is a way to force a replication between the Hornbill App and Azure to pick a change instantly without having to wait until 00:00 every night?

Just for testing purposes to set the new SAML cert to active to test if hornbill.live (above is hornbill admin) can still be accessed by the end users?

Link to comment
Share on other sites
John C Community Regular

John C

Posted
  • Author
Posted

@Gerry @Victor

 

Morning Gerry,

The import of the new certificate via Hornbill did not occur over the weekend, what is Hornbill's schedule for importing Certs as I am hoping it's only Mon-Fri and this is why it didn't import over the weekend, see below:

All certs are created and ready for import: I'd appreciate a response on this so I know when to activate the new certs again for import.

Thanks

image.thumb.png.9a6a5007f1ee257db5c7cf3be86e0537.png 

Link to comment
Share on other sites
John C Community Regular

John C

Posted
  • Author
Posted

@Gerry @Victor guys can one of you please help with this?

This expires this Friday and I need the new certs in place prior to then, just 10 mins of your time would be great, I think I have 95% of the work done, just missing the last part...

Link to comment
Share on other sites
Victor Grand Master

Victor

Posted
Posted

@John C my advice would be when in need of certificate update, reimport the SAML metadata. This will ensure that all the required certificates, as defined on the IdP, are brought across in the HB SSO profile. Can you do this for your SSO profile and see how it works afterwards?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...