SSO - Auto Update Certificates - how often does Hornbill check for new certificate?


Recommended Posts

Our SSO certificate is due to expire in 2 weeks and we've renewed it with Microsoft, Auto Update Certificates is set to On, but Hornbill hasn't yet picked up the new certificate. How frequently does Hornbill check for a new certificate?


Thanks @Gerry. I was looking on the old Wiki.

So to my simple understanding, if we have Auto Update Certificates enabled at least 10 days before the current cert expires, then 10 days before the current cert expires Hornbill will tell Microsoft to create a new certificate, and will then retrieve the new certificate?

What if we've already renewed the certificate, it's just not active yet?


@Caroline

No, that's not right. Your IdP (aka Azure AD or whatever you use) will auto-renew certificates; that's a function of your IdP. When you configure an SSO profile in your Hornbill instance, you can configure it to periodically check your IdP for updated certificates, and, if Hornbill finds an updated certificate, Hornbill will automatically import those updated certificates into your SSO profile.

This is all described in here: https://docs.hornbill.com/esp-config/security/sso/single-sign-on#sso-auto-certificate-renewal


Gerry


Thanks @Gerry. I've read that several times now and think I have figured out what we're missing. I would like to point out that the documentation refers to images that aren't there, which doesn't help, and whilst all the explanation is great for understanding the why, some clear instructions on the how would be helpful; we've had several people here reading them and it wasn't obvious to any of us.

My understanding now, then, is that for the auto renew to work we need the following:

1) Certificate to be renewed by the provider (for us to action with the IdP)

2) Metadata URL to be populated (I believe this is the bit we're currently missing)

3) Auto Update Certificates to be enabled

Have I now understood correctly? My original question on frequency still hasn't been answered; the documentation only says 'periodically'.


@Caroline

Thanks for the feedback. To be honest, I also noticed this today. It seems we have ported the text from the wiki verbatim and not edited/reviewed the documentation, so I can only apologize for this. We should have done a much better job here; this is not the quality level we want our documentation to be at. I have flagged it internally to get it reviewed and improved/updated.

So yes, your understanding is now correct. Keep in mind that, depending on your IdP configuration, that metadata may or may not be publicly available. The best way to check is to get the URL, put it into the field on the SSO profile and press the reload button to the side of the URL field; that will make our servers query the URL to look for the metadata. If you get an error when doing that manually, then auto updates of your certs will not work.

I will make sure the Configuring SSO documentation is updated and improved and the screenshots/illustrations are provided.

In terms of the frequency: when SSO auto cert updates are enabled, Hornbill will check your metadata once every 24 hours.

Thanks,

Gerry

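The thread above describes the mechanism without showing it: the IdP publishes its current signing certificates in SAML metadata at a URL, and the service provider periodically fetches that metadata and imports any signing certificate it does not already hold. The following script is an added illustration of that check, written for this page; it is not Hornbill's code, and nothing here is documented by Hornbill beyond the 24-hour polling interval stated in the reply. It assumes the usual SAML 2.0 metadata layout (`md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]` carrying `ds:X509Certificate` elements), identifies certificates by SHA-256 fingerprint of the DER bytes, and embeds a constructed metadata document so it runs offline. The certificate bodies in that sample are placeholder bytes, not real X.509 certificates. `check_metadata_url` mirrors the manual "reload" test suggested in the reply: if the metadata cannot be fetched or parsed from the service provider's side, automatic renewal cannot work either.

```python
"""Detect newly published IdP signing certificates in SAML metadata.

Added example for this thread, not Hornbill's implementation. It shows what
an auto-update check has to do: fetch metadata, extract signing certs,
fingerprint them, and report the ones not yet configured.
"""
import base64
import hashlib
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample data: these are NOT real DER certificates, just
# placeholder bytes so the fingerprint comparison can run offline.
OLD_CERT_DER = b"placeholder-der-for-the-certificate-currently-configured"
NEW_CERT_DER = b"placeholder-der-for-the-freshly-renewed-certificate"

# Constructed metadata document in the standard SAML 2.0 layout. A renewed
# IdP typically advertises the old and the new signing cert side by side
# until the old one is retired, which is the situation the thread asks about.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/placeholder-entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(OLD_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(NEW_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der):
    """SHA-256 over the DER bytes; the usual way to identify a certificate."""
    return hashlib.sha256(der).hexdigest()


def signing_certs_from_metadata(xml_text):
    """Return the DER bytes of every IdP signing certificate in the metadata.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; 'encryption'-only descriptors are skipped.
    """
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            # Metadata usually wraps the base64 across lines; strip whitespace.
            b64 = re.sub(r"\s+", "", node.text or "")
            certs.append(base64.b64decode(b64))
    return certs


def find_new_certs(xml_text, configured_fingerprints):
    """Fingerprints present in the metadata but not in the configured set."""
    configured = set(configured_fingerprints)
    seen = []
    for der in signing_certs_from_metadata(xml_text):
        fp = fingerprint(der)
        if fp not in configured and fp not in seen:
            seen.append(fp)
    return seen


def check_metadata_url(url, timeout=10):
    """Equivalent of the manual reload test: can this side fetch and parse it?

    Returns (ok, detail). Any failure here means a periodic auto-update from
    the same network position would fail in the same way.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
        certs = signing_certs_from_metadata(body)
    except (urllib.error.URLError, ValueError, ET.ParseError) as exc:
        return False, f"metadata fetch/parse failed: {exc}"
    if not certs:
        return False, "metadata parsed but contains no signing certificates"
    return True, f"{len(certs)} signing certificate(s) published"


if __name__ == "__main__":
    # Simulate a service provider that only knows the old certificate.
    configured = {fingerprint(OLD_CERT_DER)}
    for fp in find_new_certs(SAMPLE_METADATA, configured):
        print("new signing certificate to import:", fp)
```

Running it against the constructed sample reports exactly one fingerprint, that of the renewed certificate; once that is added to the configured set, the next run reports nothing, which is the steady state an auto-update job should reach after each poll. The same shape of check, pointed at a real metadata URL via `check_metadata_url`, is a useful pre-flight before relying on automatic renewal, for the reason given in the thread: a metadata endpoint that is not reachable from the service provider will silently leave the old certificate in place until it expires.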
