Jump to content

Azure SSO login process


Recommended Posts

Hi,

We are in the process of moving away from ADFS for our single sign on method to AzureSSO. I have configured everything within Azure as-per the advice given from Hornbill support and Microsoft https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hornbill-tutorial 

During testing, after clicking on Hornbill's "Sign in with SSO" blue button, I have been presented with the Azure login page where I have to click the account to then continue log in. Is this expected? I am not required to enter any credentials, but it is a two step process for users where they are required to click two separate times to log in. 

I can't see anything within the Hornbill Profile configuration relating to this, or within the Azure SSO Hornbill Config page either. Is this expected behaviour? I was expecting to click the blue Hornbill sign in button and it just log the user in, as it does with ADFS. 

Thank you

Melissa 

Link to comment
Share on other sites

@Melissa Gurney

That is controlled by the Azure service, I expect there are options to configure and control it.  Hornbill does not control this behaviour.  At the point you press the Login with SSO button on Hornbill we redirect to ADAzure based on your configuration.  Its up to ADAzure what it does from that point, up until it redirects back to our service with you having been authorised by ASAzure.   The default when using ADFS (or at least how most people have it configured is, when you are redirected to AD with a request for access to a resource (in your case Hornbill), the ADFS server will, if you are already authernitcated, simply redirect you directly back to Hornbill with an appropriate authorisation assertion.  Sounds like what is happening above is when you redirect to ADAzure, even though you are authorized already, its holding you in its landing page until you click the account, or whatever its expecting you to do. 

The specifics and details of how ADAzure works is beyond the scope of my understanding (and most if not all of the technical folks at Hornbill), this is really a question you would need to pitch towards Microsoft or your internal ADAzure experts. 

Gerry

Link to comment
Share on other sites

Thanks @Gerry for your response. After some time it did stop doing it, thankfully. There didn't seem to be anywhere to configure this, apart from some under the hood code that would be done within the application itself where it forwards the request off to Azure. 

I do have another question - Do sessions within Service Manager periodically reauthenticate? As in, if someone has a tab open in Chrome that has authenticated as one account are they then able to open up Chrome and sign in as another Microsoft user and remain logged in to service manager as that first user? We have gone live with AzureSSO and had a couple of reports of users being signed out of Service Manager if they are logging into another browser session with a different account (which is required).

Mel

Link to comment
Share on other sites

@Melissa Gurney

"Do sessions within Service Manager periodically reauthenticate?"  yes, sometimes. What happens is this.  When you login and authenticate with your AD, Hornbill will create you a "user sesson", and this session sets a cookie on your browser which is a reference to your session.  Using Hornbill from that point forward will not go and re-authenticate with AD, it relies on the created Hornbill session.  However, this does have a timeout, so if you were to refresh the browser window, then Hornbill *may* re-authenticate you with your SSO provider, if SSO is configured. 

If you open up another browser window, it will, by default, use the same cookie as that cookie (ESPSessionState) remains valid across browser instances.  As @Martyn Houghton says above, if you want to log into two different user accounts on the same computer, you will need to open a new incognito window, this is how we do it when demoing the software

Gerry

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...