Troubleshooting Single Sign On

From Hornbill
Revision as of 16:18, 4 January 2019 by Danielr (talk | contribs)
Jump to navigation Jump to search

Home > Integration > Essential Integrations > Single Sign On with SAML 2.0 > Trouble Shooting Single Sign On

Introduction

Hornbill's Single Sign On implementation is designed to present you with helpful error messages in situations where something may not be quite right. This page outlines the common scenarios and what to do to overcome them.

If the SSO is enabled and not working correctly, this will manifest itself as one or more users being unable to login. If it becomes necessary to disable a single sign on profile, it is possible to do this using the Hornbill "admin" account. The Single Sign on Profile can be bypassed using this URL: https://admin.hornbill.com/<instance_id>/?ESPBasic=true which allows you to login using the "admin" account and take the necessary action to correct the configuration or disable the single sign on Profile altogether. The <instance_id> needs to be replaced with the ID of your instance. The user will have the option to log into Hornbill using the Hornbill user ID and password thus bypassing the SSO profile.

Related Articles

Common Issues

This error message indicates that the certificate given to Hornbill by your identity provider does not match any of the certificates currently stored in the Hornbill SSO Profile.

The public certificate used for signing the assertion is not known to the service provider

A common symptom of this error message is the expiry or renewal of an ADFS Server signing certificate. By default, the ADFS AutoCertificateRollover property is set to true so the certificates could change automatically without any direct action. This error message indicates that the certificate given to Hornbill by the identity provider does not match any of the certificates currently stored in the Hornbill SSO Profile.

Corrective Action

This can be rectified by uploading a new certificate key to the Hornbill SSO Profile. Please contact the security or administration team within your company to request for a refreshed ADFS Server certificate key.
As a general principle, we advise that the team responsible for security or administration within your company can schedule a task to update the Hornbill SSO profile with the new certificates, prior to their expiry.

For instructions on how to upload a new signing certificate (identity provider meta data) into Hornbill, click the following link: Single Sign on Profiles

Retrieved from "https://wiki.hornbill.com/index.php?title=Troubleshooting_Single_Sign_On&oldid=19870"