Single Sign-On ADFS 2.0


samwoo

Good morning,

I am posting this on behalf of my colleague jonnutt, who has registered on the forums but is still pending registration.

Quote

I am trying to enable Single Sign On for the Service Domain to enable this for the Self Service Portal and have been trying to follow the steps in the below wiki entry.

https://wiki.hornbill.com/index.php/Single_Sign_On_with_SAML_2.0

I've downloaded the SAML for the Service Domain with no configuration from the link below in the Administration.

SSO Profiles.png

Once I get change approval for this internally I will action in my change window later this week (Currently Friday Morning), but is this the sufficient information to import into my ADFS 2.0 implementation?

Once completed in the ADFS configuration, I then add the service into the binding on a new profile. What is recommended in the Service?

Service Binding.png

As this is so infrequently set up and will be only the 2nd ADFS trust we have used, I am feeling I may need a specialist to confirm my understanding and, if needed, support during the change window.

Regards,

Jon


Hi Gerry,

Thanks for the response, I have relayed this to Jon who can now take over any future responses/queries regarding single sign-on.

Many thanks,

Samuel.

Off Topic: Jon and I both have an issue... we have subscribed to this post but we have not received any notification emails. We've checked our mail control system and nothing has come in. I've had this problem since I first registered, but since I regularly check the "Unread" posts on Hornbill I've not had the need to see any email notifications... but going forward I would prefer this. Is there a bug or is it done differently?


Hi,

We attempted this on Friday, but had to roll back the change due to unforeseen challenges. Has anyone set this up on ADFS 2.0 who can offer any insights?

I configured ADFS to have a relying party trust using the XML Download here:

SSO1.png

Then configured ADFS as standard using the following Claim Rules:

SSO2.png

SSO3.png

Then configured the Profile.

SSO4.png

When turned on, I found various erratic behaviours in different browsers and domains between Hornbill's authentication and our ADFS. So I turned it off and regressed.

I think we have some ADFS errors which we are progressing separately with Microsoft, as authentication still asked for a password at the ADFS page and wasn't a true single sign-on.

However, has anyone else successfully set up an ADFS 2 Single Sign-On that I can compare my setup with?

Jon.


Hi Jon

Can you provide any more specifics around the erratic behaviour?

As for not seeing true SSO, browsers need to be configured to pass through your Domain Authentication details as documented on our wiki here:

https://wiki.hornbill.com/index.php/SSO_Example_Config_Microsoft_ADFS_2.0_for_Guest_Accounts#Configuring_Single_Sign-on_in_the_Browser

Kind Regards

Trevor Killick


Hi,

In Internet Explorer 10 on a cleared cache, when enabled I still got the Hornbill-specific login page when accessing my service.hornbill.com instance login page. However, in Google Chrome Enterprise, again with a cleared cache, I got the ADFS prompts.

I'll review your link shortly as I missed that on my original pass.

Regards,

Jon.


Hi Jon,

We have many customers using Hornbill SAML 2.0 with ADFS, so we are confident it works; the link that Trevor sent you has a worked example config that we have used when testing. It is sometimes difficult to track down problems without looking closely at your specific configuration, looking at debug information in your browser and having an in-depth understanding of the SAML protocol etc. We are not Microsoft ADFS experts ourselves; we follow the SAML 2.0 standard which ADFS supports, but ADFS can be complex to configure correctly. If it's a complicated problem we can probably identify an expert that could remote into your environment and work with you/your AD team to figure out what's wrong. If you do need that level of help please let us know; if you do need this level of help though, this would be delivered under our expert services so would be chargeable at our prescribed hourly rates.

Gerry


Hi,

Thanks for the advice so far. After experimenting with various settings, I am now able to access my ADFS sign-in page (in the same way as our existing ADFS instance is working for email).

However, after authenticating I get the following 500 Internal Server Error from the Hornbill side.

SSO5.png

Is this a true error or is the issue still my side?

Regards,

Jon.


Jon,

According to our logs your configuration is wrong; you need to import your ADFS metadata when setting up the SSO profile on Hornbill. This will put all the right information into the SSO profile and it should work.

Gerry


Hi,

Thanks for this, but alas I am still getting the HTTP 500 error.

To detail the setup, see below:

Set up our ADFS instance using your metadata as before.

SSO1.png

Then configured the SSO Profile on Hornbill as follows (sensitive data obfuscated):

SSO-Profile.png

Then added our FederationMetadata URL by pressing this button:

SSO-MetaData.png

to point to URL "https://xxxxxxxxxxx.wokingham.gov.uk/FederationMetadata/xxxxxxxxxx/FederationMetadata.xml"

Tested on a clean-cache browser. Got the same 500 error.

SSO-Error.png

Jon.


Jon,

We are looking into why we are throwing such an ambiguous error. From the logs it still appears to be a config issue, but we need to get to the bottom of why the error our service is throwing back is so ambiguous; it should be more descriptive of the actual problem. Please bear with us...

Gerry


Jon,

While we are looking at the error message problem, if you look at the Hornbill SSO profile screen you have posted you will see that Entity ID and Name ID are wrong; they should be pointing at the IdP, not the Hornbill Service. Given you have imported the metadata from your AD it seems odd that these fields have these values; the only explanation would be that your ADFS end is misconfigured and the metadata is wrong.

Try creating a new Hornbill SSO profile, and instead of typing anything in manually just import the metadata from your ADFS server. If your Entity ID and Name ID still point to our service end point then there are configuration issues with ADFS.

Gerry

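As an added illustration of the check Gerry describes (not Hornbill's code), the script below parses the SAML 2.0 IdP metadata that ADFS publishes as FederationMetadata.xml, pulls out the values an SP-side SSO profile imports (Entity ID, Name ID format, SSO endpoint, signing certificate) and flags an import whose Entity ID or endpoint points at the service host instead of the IdP. The sample metadata, hostnames and certificate value are constructed.

```python
# Added example, not Hornbill's code: parse the IdP metadata ADFS publishes as
# FederationMetadata.xml and check the fields an SP-side SSO profile imports.
# Sample metadata and hostnames are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.org/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIC-CONSTRUCTED</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.org/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the fields an SP-side SSO profile needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # an SP's own metadata carries SPSSODescriptor instead
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # absent 'use' means both
             for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),
            "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
            "sso": {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                    for e in idp.findall("md:SingleSignOnService", NS)},
            "signing_certs": certs}

def check_profile(meta, sp_host):
    """List problems with what would be imported; an empty list means it looks sane."""
    problems = []
    if urlparse(meta["entity_id"]).hostname in (None, sp_host):
        problems.append("Entity ID must identify the IdP, got %r" % meta["entity_id"])
    if not meta["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, loc in meta["sso"].items():
        u = urlparse(loc)
        if u.scheme != "https" or u.hostname == sp_host:
            problems.append("%s endpoint is not an https IdP URL: %s" % (binding, loc))
    if not meta["signing_certs"]:
        problems.append("no signing certificate, so responses cannot be verified")
    return problems
```

Run `check_profile(parse_idp_metadata(xml), "service.hornbill.com")` on the real download; a non-empty list reproduces the symptom Gerry describes, where the imported Entity ID or endpoint names the service rather than the IdP.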

Jon,

I have just been told by our network team that the 500 responses from our back end servers were being blocked. This was wrong and has now been corrected; if you try again you should see a far more meaningful error message from our service.

Gerry


Great news. I am now able to authenticate via ADFS. Thanks, removing this generic error really helped!

However:

All Hornbill domains are now pointing to ADFS. Can we restrict this to the service domain only?

Jon.


Hi Jon

Currently all User Realm SSO Profiles work for both live.hornbill.com and service.hornbill.com; it is not currently possible to use SSO for only one of these.

I will raise this with development for consideration.

Kind Regards

Trevor Killick


Trevor's interpretation is correct. We only want end user access via the Service Portal to be utilising Single Sign-On.

The biggest challenge would be a critical issue with our AD or network meaning we were effectively locked out of Hornbill. (That being said, the inability to log in to Hornbill won't be high on the list to fix!)

Jon.


Unfortunately the ?ESPBasic=true URL parameter is only available in Administration and we would not advise it being used permanently; it was only added so Administration can be accessed when a faulty or incorrectly configured SSO Profile is set up.

Kind Regards

Trevor Killick
