Updating AD FS configuration
Updating SSO configuration is most commonly required when you renew certificates within AD FS as Skills Base needs to receive a copy of the updated certificates via your Identity Provider metadata.
There are also other circumstances where you may need to update SSO configuration.
This procedure will require a brief outage of Single Sign On Services. As such scheduling a suitable time when users will not be adversely impacted will be required.
A local Administrator account differs from an SSO Administrator account in that SSO accounts can only be accessed via Single Sign On. A local account has a local password stored within Skills Base and so can be accessed even when Single Sign On services are unavailable. This is critical in case the SSO integration breaks and you become unable to log in via Single Sign On. Note that a local account can also be accessed via SSO as long as the email address in Skills Base exactly matches that within Active Directory.
Make the necessary updates to your AD FS configuration which may include renewing any certificates. Note this will temporarily break the SSO integration with Skills Base. We cannot provide specific instructions for things like updating AD FS certificates however there are numerous resources available on the Internet.
We need to now download the Identity Provider metadata file from your AD FS server which contains all of the updated information that Skills Base needs to know about your AD FS server.
Your metatdata file is generally available by opening a web browser and appending the following after your AD FS domain name:
Note that you must use https to access this, and not http. Once you have the file, save it somewhere for use in the next step.
- Log in to Skills Base as an administrator
- Click the [Administration > Authentication] menu item
- In the Identity Providers section, fins your Identity Provider and click the edit button (denoted by a pencil icon)
- For SAML IdP Metadata select Upload an XML file
- Click Browse and select the AD FS metadata file you downloaded in Step 4 above.
- Click Save
The update is complete. Now it's time to test it.
- Log into Skills Base using your shortcut link. You should be redirected to your AD FS server and presented with an authentication prompt.
- Log in using your Organizational Active Directory credentials
If an AD FS page displays an error
If you are receiving an error message from your AD FS server, you can check the AD FS error log by:
- Going to the event viewer
- Expand "Applications and Services logs"
- Expand "AD FS"
- View the "Admin" log.
If a Skills Base page displays an error
Please read the notes about your server's clock on the following page: Single Sign On if you receive one of the following errors from Skills Base:
- "Received an assertion that is valid in the future. Check clock synchronization on IdP and SP."
- "Received an assertion that has expired. Check clock synchronization on IdP and SP."
- "Received an assertion with a session that has expired. Check clock synchronization on IdP and SP."