Updating SSO SAML Metadata Configuration

From Hornbill

Customers who configured their SAML metadata before March 2021 are required to update their SAML configuration due to changes made to Hornbill's SAML metadata and service endpoints. The endpoints that your SAML Identity Provider uses to authenticate SSO requests for Hornbill users have changed because of changes in the technology stack. These changes remove reliance on legacy PHP code in favour of a modern front-end architecture that provides better performance and security.

A banner will appear within the Hornbill Admin tool for all customers required to make the change; no further action is necessary for those who do not receive the banner.


An exclamation mark in a yellow triangle highlights each affected SSO configuration that still uses the legacy SAML metadata endpoints. Users can still log in successfully, as we currently redirect the legacy endpoint to the new endpoint automatically. However, updating the configuration will speed up the login process for end-users and provide excellent reliability and security.

Updating the Metadata Configuration

  1. Open the Hornbill Admin Tool
  2. Navigate to the following page: Home > System > Security > SSO Profiles

Accessing the Hornbill Metadata

Viewing the Metadata

Hornbill's SAML metadata can be viewed using the following steps, and the details provided can be used to manually update your SAML Identity Provider.

  1. Click on the Metadata button
  2. Select the tab for the service you are using SAML for in Hornbill
  3. Make a note of the Entity ID, Reply URL and Sign On URL

Downloading the Metadata

Alternatively, you can download the metadata for each service and, if supported, upload them to your SAML Identity Provider.

  1. Click on the Download button for the service you are using SAML for in Hornbill

Updating your SAML Identity Provider

To apply the metadata, you must refer to your Identity Provider's documentation for the steps required. Further details can be found [here].

Entity ID: https://sso.hornbill.com/rickyfdemo/live
    Globally unique identifier for SAML entity.

Reply URL: https://mdh-p01-api.hornbill.com/rickyfdemo/xmlmc/sso/saml2/authorize/user/live
    The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML.

Sign-on URL: https://live.hornbill.com/rickyfdemo/
    This URL contains the sign-in page for this application that will perform the service provider-initiated single sign-on.
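
If you downloaded the metadata file, the following added example (not Hornbill code) reads the Entity ID and Reply URL from it and compares them with the values stored in your Identity Provider, so a stale endpoint is caught before users hit it. It assumes the file follows the standard SAML 2.0 metadata schema; the sample document, the function names and the stale URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the standard SAML 2.0 metadata schema, using the example
# values from the list above. A real download may carry more elements.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.hornbill.com/rickyfdemo/live">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mdh-p01-api.hornbill.com/rickyfdemo/xmlmc/sso/saml2/authorize/user/live"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the Entity ID and the HTTP-POST Reply (ACS) URLs from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [e.get("Location")
           for e in sp.findall("md:AssertionConsumerService", MD_NS)
           if e.get("Binding") == POST_BINDING]
    return {"entity_id": root.get("entityID"), "reply_urls": acs}


def check_idp_settings(metadata, idp_entity_id, idp_reply_url):
    """List mismatches between the IdP's stored values and the metadata."""
    problems = []
    if idp_entity_id != metadata["entity_id"]:
        problems.append("Entity ID differs: IdP has %r" % idp_entity_id)
    # IdPs match the Reply URL exactly, so compare without normalising.
    if idp_reply_url not in metadata["reply_urls"]:
        problems.append("Reply URL not in metadata: IdP has %r" % idp_reply_url)
    return problems


if __name__ == "__main__":
    md = parse_sp_metadata(SAMPLE_METADATA)
    # Hypothetical stale IdP setting; the URL is a placeholder, not a real endpoint.
    stale = "https://legacy.example.invalid/acs"
    for line in check_idp_settings(md, md["entity_id"], stale):
        print(line)
```
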

Updating the Hornbill SSO Profile

  1. Open the Hornbill Admin Tool
  2. Navigate to the following page: Home > System > Security > SSO Profiles
  3. Open the required SSO Profile
    The relevant entry will have an exclamation mark next to the entry.
  4. Click on the Update SAML Profile button and select Yes at the warning message
  5. Click OK to confirm

Once completed, the SAML profile will be updated and will use the latest Hornbill metadata to authenticate against the IdP. We also encourage enabling the Auto Update Certificate option, which ensures that when your Identity Provider updates its signing certificate, the certificate is automatically and securely updated on the configured Hornbill SSO Profiles. Further details can be found here.