
SSO config - "The SAML response has a use time later than the servers current time"


bwood


Hi

As a company we're implementing an ADFS/SAML SSO configuration. We don't require auto provisioning as we used the LDAP import tool to import our users.

I followed the SSO instructions provided by Bob Dickinson during our 30 day switch-on process. Everything seemed to go OK and the relevant metadata was imported into Hornbill. However, when trying to access the service portal I get prompted to log in (on both IE and Chrome), and I also get the attached error when entering my login credentials and clicking login. Any help would be much appreciated.

Many Thanks

Ben

Vospers Motor House

[Attached screenshot: post-12514-0-98710800-1457616750.jpg]


Hi Ben,

This is due to a time difference in the system clocks between your Domain Controller and SAML. I believe that there is a 2 minute threshold before SAML security kicks in and prevents further authentications. I'll see what other information I can get for you to correct this.


Hi Ben,

I would check the clock on your domain controller and update the time using a reliable internet time server. As soon as this is done, check and see if you are able to log in. If this resolves your issue, you may want to keep an eye on the clock on your domain controller in case it is losing time. If this is the case, you may find that this happens again over a period of time, and you might want to look for a solution to keep the domain controller's clock up to date.

Let us know if this doesn't solve your issue.


Hi Ben,

Thanks for your post.

From the information given there are potentially two issues here.

Firstly, even though SSO is enabled within the Hornbill application, at times it will be necessary to ensure your browser of choice is configured to "allow login using the current username and password". There is various information regarding this available online; a search term such as "enabling automatic SSO in chrome" will yield some good results.

Secondly, as James has indicated, the error you are seeing suggests that the clocks on the instance and your IdP are out of sync. There is a time tolerance when it comes to validating a SAML assertion to ensure that it is recent; by default Hornbill allows +/- 60 seconds. Anything that falls outside that tolerance will fail to validate.

There is a setting that controls the size of this tolerance, and it is found in Hornbill Administration in the context of instance configuration > settings > advanced: security.saml.timeSkewCompensation

I hope that helps but please let us know if you need more information.

Thanks

Dan

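To make the tolerance Dan describes concrete, here is an added example (not Hornbill's or ADFS's code) that applies a configurable skew window to the time attributes of a SAML 2.0 assertion. The assertion is constructed for illustration, the hostnames and the "server clock 90 seconds behind the IdP" scenario are assumed, and treating the tolerance as a +/- window around the service provider's clock is an assumption modelled on the description of security.saml.timeSkewCompensation above, not a statement of how Hornbill implements it.

```python
"""Validate a SAML assertion's time window against the relying party's clock.

Added example, not code from Hornbill or ADFS. Element and attribute names
follow the SAML 2.0 assertion schema; the assertion itself is constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from any real system). ADFS is
# assumed to be the IdP; the issuer URL and subject are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2016-03-10T12:00:00Z">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>bwood</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-03-10T12:00:00Z" NotOnOrAfter="2016-03-10T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xsd:dateTime in UTC (trailing 'Z'), with or without fractions.

    ADFS emits seven fractional digits; strptime accepts at most six, so the
    fraction is truncated rather than rejected.
    """
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z': %r" % value)
    body = value[:-1]
    if "." in body:
        main, frac = body.split(".", 1)
        body = "%s.%s" % (main, (frac + "000000")[:6])
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_assertion_times(xml_text: str, now: datetime, skew_seconds: int = 60):
    """Return (ok, reason) for the assertion's time window.

    `now` is the service provider's own clock (UTC). `skew_seconds` plays the
    role of a tolerance setting such as security.saml.timeSkewCompensation:
    timestamps are allowed to be that far ahead of or behind `now`.
    """
    root = ET.fromstring(xml_text)
    skew = timedelta(seconds=skew_seconds)

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.get("NotBefore")
        if not_before and parse_saml_time(not_before) > now + skew:
            # The failure mode from the thread title: the IdP says the
            # assertion is not usable yet, because its clock is ahead of ours.
            return False, "NotBefore is later than the server's current time"
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_on_or_after and parse_saml_time(not_on_or_after) <= now - skew:
            return False, "assertion has expired (NotOnOrAfter passed)"

    issue_instant = parse_saml_time(root.get("IssueInstant"))
    if issue_instant > now + skew:
        return False, "IssueInstant is in the future beyond tolerance"
    return True, "within tolerance"


def subject_name_id(xml_text: str) -> str:
    """Return the NameID the IdP sent, i.e. the value the SP matches a user on."""
    return ET.fromstring(xml_text).findtext("saml:Subject/saml:NameID", namespaces=NS)


def utc(iso: str) -> datetime:
    """Helper for building a 'server clock' value in the tests and demos."""
    return parse_saml_time(iso)


if __name__ == "__main__":
    # Scenario: the SP clock is 90 s behind the IdP that issued the assertion.
    sp_clock = utc("2016-03-10T11:58:30Z")
    print(check_assertion_times(SAMPLE_ASSERTION, sp_clock, 60))   # fails
    print(check_assertion_times(SAMPLE_ASSERTION, sp_clock, 120))  # passes
    print(subject_name_id(SAMPLE_ASSERTION))
```

With the default 60 second window a 90 second clock offset between the domain controller and the instance fails on NotBefore, which is the symptom in the original post; widening the tolerance to 120 seconds lets the same assertion through. Fixing the clock is the better remedy: every second added to the window is also a second longer that a captured assertion stays replayable.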

When creating your mappings between AD and SAML you would map the SAM-Account-Name to Name ID

[Attached screenshot: SAMLnameID.PNG]

In Hornbill Administration, when configuring SSO, the Name ID field would normally be left blank if you are using the above mapping. Only if you have changed the Outgoing Claim Type from Name ID would you need to populate this field in Hornbill Administration.

[Attached screenshot: SSOAdminSetupnameID.PNG]

Can you confirm if you have set a value in this field or if you are using a different Outgoing Claim Type other than Name ID for the SAM Account Name?


Hi James

Thank you, the Name ID in the admin tool had a set value. I've removed this and I can now log in via Chrome. Sorry to keep chucking issues at you, but we have a couple of other issues:

  • Please correct me if I'm wrong (which is more than likely), but shouldn't SSO allow the user straight through without being prompted to log in? At the moment we're being prompted to log in the first time we go to the portal. Also, it only allows you to log in if your username is in the format username@domain, e.g. bwood@vospers. Is this correct?
  • Using Internet Explorer v11 we can't log in at all. It prompts you for your credentials (attached screenshot) and after inputting them we get an HTTP 400 Bad Request error (2nd attached screenshot).

Again, thank you for all your help so far.

[Attached screenshot: post-12514-0-09051400-1457704137.jpg]

[Attached screenshot: post-12514-0-10323600-1457704156.jpg]


Different browsers work differently with SSO, some better than others. If you are being prompted for a username and password, this is most likely caused by the browser settings. You may have to search for the appropriate settings for each of the different browsers that you use. The first thing to look at is the settings in Internet Options on your local computer.

1. Go to your Control Panel and locate the Internet Options and select the Security tab

2. Click on the "Local Intranet" zone icon

3. Click on the "Sites" button

4. Click on the "Advanced" button

5. Click on "Add" and add the URL for your ADFS server and click "Close" when finished

6. Click on "Custom Level" button

7. Locate the "User Authentication" options and select "Automatic logon with current username and password"

8. Close and re-open your browser.

If this works on your local system, you may want to consider making this part of your Domain Policy. If you try to access your Hornbill instance from a computer that is not on your Domain, you will find that you are still prompted for a username and password the first time you connect.

Let me know if you are still getting the 400 error on IE after setting this.


Hi

Thanks again for all your help. Thought I'd mention that the issue is now resolved.

I had to add the URL of the ADFS server into Trusted Sites and set the security level to low. I then had to tweak a couple of the options within custom level.
