
Azure SSO login process


Hi,

We are in the process of moving away from ADFS for our single sign on method to AzureSSO. I have configured everything within Azure as per the advice given from Hornbill support and Microsoft https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hornbill-tutorial

During testing, after clicking on Hornbill's "Sign in with SSO" blue button, I have been presented with the Azure login page where I have to click the account to then continue log in. Is this expected? I am not required to enter any credentials, but it is a two-step process for users where they are required to click two separate times to log in.

I can't see anything within the Hornbill Profile configuration relating to this, or within the Azure SSO Hornbill Config page either. Is this expected behaviour? I was expecting to click the blue Hornbill sign in button and it just log the user in, as it does with ADFS. 

Thank you

Melissa 


@Melissa Gurney

That is controlled by the Azure service, I expect there are options to configure and control it. Hornbill does not control this behaviour. At the point you press the Login with SSO button on Hornbill we redirect to ADAzure based on your configuration. It's up to ADAzure what it does from that point, up until it redirects back to our service with you having been authorised by ADAzure. The default when using ADFS (or at least how most people have it configured) is, when you are redirected to AD with a request for access to a resource (in your case Hornbill), the ADFS server will, if you are already authenticated, simply redirect you directly back to Hornbill with an appropriate authorisation assertion. Sounds like what is happening above is when you redirect to ADAzure, even though you are authorized already, it's holding you in its landing page until you click the account, or whatever it's expecting you to do.

The specifics and details of how ADAzure works are beyond the scope of my understanding (and most if not all of the technical folks at Hornbill), this is really a question you would need to pitch towards Microsoft or your internal ADAzure experts.

Gerry


Thanks @Gerry for your response. After some time it did stop doing it, thankfully. There didn't seem to be anywhere to configure this, apart from some under the hood code that would be done within the application itself where it forwards the request off to Azure. 

I do have another question - Do sessions within Service Manager periodically reauthenticate? As in, if someone has a tab open in Chrome that has authenticated as one account are they then able to open up Chrome and sign in as another Microsoft user and remain logged in to Service Manager as that first user? We have gone live with AzureSSO and had a couple of reports of users being signed out of Service Manager if they are logging into another browser session with a different account (which is required).

Mel


@Melissa Gurney

"Do sessions within Service Manager periodically reauthenticate?" Yes, sometimes. What happens is this. When you log in and authenticate with your AD, Hornbill will create you a "user session", and this session sets a cookie on your browser which is a reference to your session. Using Hornbill from that point forward will not go and re-authenticate with AD, it relies on the created Hornbill session. However, this does have a timeout, so if you were to refresh the browser window, then Hornbill *may* re-authenticate you with your SSO provider, if SSO is configured.

If you open up another browser window, it will, by default, use the same cookie as that cookie (ESPSessionState) remains valid across browser instances. As @Martyn Houghton says above, if you want to log into two different user accounts on the same computer, you will need to open a new incognito window, this is how we do it when demoing the software.

Gerry

  • Like 2