Single Sign-On ADFS 2.0

[samwoo]

Good morning,

I am posting this on behalf of my colleague jonnutt who has registered to the forums but still pending registration.

Quote

I am trying to enable Single Sign On for the Service Domain to enable this for the Self Service Portal and have been trying to follow the steps in the below wiki entry.

https://wiki.hornbill.com/index.php/Single_Sign_On_with_SAML_2.0

I’ve downloaded the SAML for the Service Domain with no configuration from the below link in the Administration

Once I get change approval for this internally I will action in my change window later this week (Currently Friday Morning), but is this the sufficient information to import into my ADFS 2.0 implementation?

Once completed in the ADFS configuration, I then add the service into the binding on a new profile. What is recommended in the Service?

As this is so infrequently setup and will be only the 2^nd ADFS trust we have used, I am feeling I may need a specialist to confirm my understanding and if needed support during the change window.

Regards,

Jon

 

[JonNutt]

Hi,

 

Just to let you know I am now here. Thanks Sam.

 

Jon.

[Gerry]

Samuel,

You should use the HTTP-Redirect binding I believe. 

Gerry

[samwoo]

Hi Gerry,

Thanks for the response, i have relayed this to Jon who can now take over any future response/queries regarding single sign-on.

Many thanks,

Samuel.

Off Topic: Jon and I both have an issue... we have subscribed to this post but we have not received any notification emails. We've checked our mail control system and nothing have come in. I've had this problem since i first registered but since I regularly check the "Unread" posts on Hornbill I've not had the need to see any email notifications... but going forward I would prefer this. Is there a bug or is it done differently?

[TrevorKillick]

Hi Samuel

If you click in Notifications and the Notification Settings you can manage which notifications the forum will send you emails about.

Kind Regards

Trevor Killick

[JonNutt]

Hi,

We attempted this on Friday, but had to rollback the change due to unforeseen challenges. Has anyone setup this on ADFS 2.0 that can offer any insights?

I configured ADFS to have a relying party trust using the XML Download here:

Then configured ADFS as standard using the following Claim Rules

Then configured the Profile.

When turned on, I found various erratic behaviours in different browsers and domains between Hornbill's authentication and our ADFS. So I turned it off and regressed.

I think we have some ADFS errors which we are progressing separately with Microsoft as Authentication still asked for password at the ADFS page and wasn't a true single sign on.

However, has anyone else successfully setup an ADFS 2 Single Sign On that I can compare my setup with?

Jon.

 

[TrevorKillick]

Hi Jon

Can you provide any more specifics around the erratic behaviour?

As for not seeing true SSO, browsers need to be configured to pass through your Domain Authentication details as documented on our wiki here:

https://wiki.hornbill.com/index.php/SSO_Example_Config_Microsoft_ADFS_2.0_for_Guest_Accounts#Configuring_Single_Sign-on_in_the_Browser

Kind Regards

Trevor Killick

[JonNutt]

Hi,

In Internet Explorer 10 on a cleared cache, when enabled I still got the Hornbill specific login page, when accessing my service.hornbill.com instance login page. However in Google Chrome Enterprise, again with a cleared cache I got the ADFS prompts.

I'll review your link shortly as I missed that on my original pass.

Regards,

Jon.

[Gerry]

Hi Jon,

We have many customers using Hornbill SAML 2.0 with ADFS so we are confident it works, the link that Trevor sent you has a worked example config that we have used when testing.  It is sometimes difficult to track down problems without looking closely at your specific configuration and looking at debug information in your browser and having an in-depth understanding the SAML protocol etc.  We are not Microsoft ADFS experts ourselves, we follow the SAML 2.0 standard which ADFS supports, but ADFS can be complex to configure correctly.  If its a complicated problem we can probably identify an expert that could remote into your environment and worth with you/your AD team to figure out whats wrong - if you do need that level of help please let us know - if you do need this level of help though, this would be delivered under our expert services so would be chargeable at our prescribed hourly rates.  

Gerry

[JonNutt]

Hi,

Thanks for the advice so far. After experimenting with various settings, I now am able to access my ADFS sign in page (in the same way as our existing ADFS instance is working for email)

However after authenticating I get the following 500 Internal Server Error from the hornbill side.

Is this a true error or is the issue still my side?

Regards,

Jon.

[Gerry]

Jon,

According to our logs your configuration is wrong, you need to import your ADFS meta data when setting up the SSO profile on Hornbill, this will put all the right information into the SSO profile and it should work.

Gerry

[JonNutt]

Hi,

Thanks for this, but alas still getting the HTTP 500 error.

To detail the setup see below:

Setup our ADFS instance using your Meta Data as before.

Then configured the SSO Profile on Hornbill as thus (sensitive data obfuscated)

:

Then added our FederationMetaData URL by pressing this button:

to point to URL "https:\\xxxxxxxxxxx.wokingham.gov.uk/FederationMetadata/xxxxxxxxxx/FederationMetadata.xml"

Tested on a clean cached browser. Got the same 500 Error.

Jon.

[Gerry]

Jon,

We are looking into why we are throwing such an ambiguous error, from the logs it still appears to be a config issue, but we need to get to the bottom of why the error our service is throwing back is so ambiguous, it should be more descriptive of the actual problem.  Please bear with us...  

Gerry

[Gerry]

Jon,

While we are looking at the error message problem, if you look at the Hornbill SSO profile screen you have posted you will see that Entity ID and Name ID are wrong, they should be pointing at the Idp, not the Hornbill Service.  Given you have imported the meta data from your AD it seems odd that these fields have these values, the only explanation would be your ADFS end is misconfigured and the meta data is wrong.  

Try creating a new Hornbill SSO profile, and instead of typing anything in manually just import the meta data from your ADFS server. If your Entity ID and Name ID still point to our service end point then there configuration issues with ADFS.

Gerry

[Gerry]

Jon,

I have just been told by our network team that the 500 responses from our back end servers were being blocked, this was wrong and has now been corrected, if you try again you should see a far more meaningful error message from our service

Gerry

[JonNutt]

Thanks Gerry,

I now have a more meaningful error.

Jon.

[JonNutt]

I've just read your earlier post about the idP so I'm just going to trash the existing SSO Profile and recreate as well. So please wait for an updated state of play.

Jon.

[JonNutt]

Great News. I am now able to authenticate via ADFS. Thanks Removing this generic error really helped!

However:

All hornbill domains are now pointing to ADFS. Can we restrict this to the service domain only?

Jon.

[Gerry]

Jon,

Glad its sorted now. Not sure I understand what you are asking re the domain restriction, can you expand on your question please?

 

Gerry

[TrevorKillick]

Hi Jon

Currently all User Realm SSO Profiles point work for live.hornbill.com and service.hornbill.com it is not currently possible to use SSO for only one of these.

I will raise this with development for considering. 

Kind Regards

Trevor Killick

[JonNutt]

Trevor's interpretation is correct. We only want end user access via the Service Portal only to be utilising Single Sign On.

The biggest challenge would be if a critical issue with our AD or Network meaning we were effectiely locked out of Hornbill. (That being said, the inability to login to Hornbill won't be high on the list to fix!)

Jon.

[Victor]

You can bypass the AD authentication or to be more precise use Hornbill authentication by issuing ?ESPBasic=true in your URL.

https://live.hornbill.com/<instance_ID>/?ESPBasic=true

This will enforce Hornbill authentication rather than SSO.

[JonNutt]

Hi Victor,

Thanks for this, however I have just tried this and still tries to authenticate via ADFS. When I turn off the SSO Profile I then get a Hornbill Authentication.

Jon.

[Victor]

Probably browser cache still goes for ADFS ...try it with an incognito window or clearing browsing data...

[TrevorKillick]

Unfortunately the ?ESPBasic=true URL Param i only available in Administration and we would not advise its used permanently, it was only added so Administration can be access when a faulty or incorrectly configured SSO Profile is setup.

Kind Regards

Trevor Killick