
SSO SAML Google Workspace Issue


Adambingley


Hi 

We have multiple email domains, which means we have multiple IdP setups that log into Hornbill using SSO. However, when a specific IdP is selected, we are correctly directed to log in via Google and provide MFA etc., but instead of logging in, users are met with:

Quote:

403. That’s an error.

Error: app_not_configured_for_user

Service is not configured for this user.

The certificates do not expire until 2024, and the ACS URL and Entity ID in Google match our other IdP settings that are working...

One thing to note, which could be related.

When we go into SSO Profiles within Hornbill, there is the following message:

Your SSO SAML Metadata Configuration needs to be updated, this can be done from the SSO Profiles page. Please see here for more details

However, when we try to follow the instructions as advised above and upload the metadata via XML, Hornbill "hangs" at "Importing Data..." and never finishes.

I'm aware we have had SSO since it was a PHP setup and our other "working" domains are still pointing at the PHP setup; unsure if this is related or not.

One other thing: when you download the XML from the SSO Profiles page you'll notice this has "BETA" in the URL:

https://mdh-p01-api.hornbill.com/(ourinstance)/xmlmc/sso/saml2/authorize/user/beta

Tried setting up from scratch, still no luck.
Any help would be appreciated.

Thanks

Adam


Apologies, the metadata URL seems incorrect; you should be able to access the correct metadata from:
https://hhq-p01-api.hornbill.com/(instance)/xmlmc/sso/saml2/metadata/user/live
You should import this metadata to your Google SSO IdP. You will also need to click on the 'Update SAML Profile' button on your Google SSO Profile page in Hornbill to update the metadata there. This should only be done after importing the metadata from the URL above.

Thanks

Trevor


31 minutes ago, TrevorHarris said:

Apologies, the metadata URL seems incorrect; you should be able to access the correct metadata from:
https://hhq-p01-api.hornbill.com/(instance)/xmlmc/sso/saml2/metadata/user/live
You should import this metadata to your Google SSO IdP. You will also need to click on the 'Update SAML Profile' button on your Google SSO Profile page in Hornbill to update the metadata there. This should only be done after importing the metadata from the URL above.

Thanks

Trevor

Hi Trevor,
Thanks for your response, I have updated the URL.

However, when I try to update the metadata by posting the XML, Hornbill just hangs at "Importing Data..." with a spinning hornbill logo...

Further to this, when I try to log in, I get a new error:

Unable to load framework

TypeError: Cannot read properties of undefined (reading 'modules')
    at runAppModules (https://live.hornbill.com/(INSTANCENAME)/app/esp.bootstrap.js?rel=1710_2:370:63)
    at https://live.hornbill.com/(INSTANCENAME)/app/esp.bootstrap.js?rel=1710_2:456:12

Thanks

Adam


6 hours ago, TrevorHarris said:

Hi @Adambingley

Could you check the roles you have for the user you're logging in as? The "Unable to Load Framework" error suggests the user could log in but doesn't have sufficient access. We hope to be able to release core UI later this week.

Thanks

Trevor

Thanks - I set up a test user on this domain to do the testing, working as expected again for other users.

The point was that the Entity ID and ACS URL were pointing to a BETA address; I changed the link provided from BETA to LIVE and it worked.

Will wait for the metadata upload fix before we do the other domains, as they appear to remain working at this point in time.

Thank you for your assistance. 

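The root cause in this thread was an SP metadata document whose Entity ID and ACS URL pointed at a "beta" endpoint that did not match what the IdP expected. The following is an added example (not Hornbill's or Google's own code) of a pre-flight check a SAML administrator can run against an SP metadata file before importing it into an IdP: it extracts entityID and the AssertionConsumerService locations, compares them with the values configured on the IdP side, and flags any endpoint that ends in a beta path. The metadata, instance name and hostnames in it are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata shaped like the document discussed in the thread.
# Hostnames, instance name and paths are placeholders, not real Hornbill values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mdh-p01-api.example.com/myinstance/xmlmc/sso/saml2/authorize/user/beta">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mdh-p01-api.example.com/myinstance/xmlmc/sso/saml2/authorize/user/beta"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_endpoints(xml_text):
    """Return (entityID, [ACS Location, ...]) from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs = [
        e.get("Location")
        for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    return entity_id, acs


def check_against_idp(xml_text, idp_entity_id, idp_acs_url):
    """Compare SP metadata with the Entity ID / ACS URL configured on the IdP.

    Returns a list of findings; an empty list means the two sides agree and
    no endpoint points at a beta path.
    """
    findings = []
    entity_id, acs_urls = extract_sp_endpoints(xml_text)
    if entity_id != idp_entity_id:
        findings.append(f"Entity ID mismatch: SP={entity_id} IdP={idp_entity_id}")
    if idp_acs_url not in acs_urls:
        findings.append(f"ACS URL mismatch: SP={acs_urls} IdP={idp_acs_url}")
    for url in [entity_id, *acs_urls]:
        if url and re.search(r"/beta$", url):
            findings.append(f"Endpoint points at a beta path: {url}")
    return findings


if __name__ == "__main__":
    live = SAMPLE_METADATA.replace("/beta", "/live")
    for name, doc in (("beta", SAMPLE_METADATA), ("live", live)):
        eid, acs = extract_sp_endpoints(doc)
        print(name, check_against_idp(doc, eid, acs[0]))
```

Swap SAMPLE_METADATA for the XML downloaded from the SP's metadata URL and pass the Entity ID and ACS URL shown in the IdP's SAML app settings to see whether they line up before importing.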
