Updating AD FS configuration

Updating SSO configuration is most commonly required when you renew certificates within AD FS, because Skills Base needs to receive a copy of the updated certificates via your Identity Provider metadata.

There are also other circumstances where you may need to update SSO configuration.


Step 1 - Schedule a suitable period of downtime

This procedure requires a brief outage of Single Sign On services, so schedule it for a time when users will not be adversely impacted.


Step 2 - Ensure you have a local Skills Base Administrator account

A local Administrator account differs from an SSO Administrator account in that SSO accounts can only be accessed via Single Sign On. A local account has a local password stored within Skills Base and so can be accessed even when Single Sign On services are unavailable. This is critical in case the SSO integration breaks and you become unable to log in via Single Sign On. Note that a local account can also be accessed via SSO as long as the email address in Skills Base exactly matches that within Active Directory.


Step 3 - Make the changes to AD FS

Make the necessary updates to your AD FS configuration, which may include renewing any certificates. Note that this will temporarily break the SSO integration with Skills Base. We cannot provide specific instructions for things like updating AD FS certificates; however, there are numerous resources available on the Internet.


Step 4 - Download your new AD FS IdP metadata file

Now download the Identity Provider metadata file from your AD FS server. It contains all of the updated information that Skills Base needs to know about your AD FS server.

Your metadata file is generally available by opening a web browser and appending the following after your AD FS domain name:


/federationmetadata/2007-06/federationmetadata.xml


For example: https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml


Note that you must use https to access this, and not http. Once you have the file, save it somewhere for use in the next step.
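Before uploading the file in the next step, you can confirm that it actually lists the renewed signing certificate. The Python below is an added example, not Skills Base or AD FS code: it reads the IdP section of the metadata and returns the SHA-1 thumbprint of each signing certificate, which is the value Windows shows in a certificate's Thumbprint field. The sample metadata, its entityID and its certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: certificate values are placeholder bytes, not real X.509 data.
OLD_B64 = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_B64 = base64.b64encode(b"constructed-new-signing-cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_thumbprints(metadata_xml):
    """Return (entityID, [SHA-1 thumbprints of the IdP signing certificates])."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    prints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Strip line wraps inside the base64 text before decoding to DER.
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha1(der).hexdigest().upper())
    return root.get("entityID"), prints


def has_renewed_cert(metadata_xml, expected_thumbprint):
    """True if the metadata lists a signing certificate with this thumbprint."""
    wanted = expected_thumbprint.replace(" ", "").replace(":", "").upper()
    return wanted in signing_thumbprints(metadata_xml)[1]
```

To check your own download, pass the contents of the saved federationmetadata.xml and the thumbprint of the renewed certificate to has_renewed_cert. More than one thumbprint may be returned if the metadata lists several signing certificates.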


Step 5 - Configure Skills Base

  1. Log in to Skills Base as an administrator
  2. Click the [Administration > Authentication] menu item
  3. In the Identity Providers section, find your Identity Provider and click the edit button (denoted by a pencil icon)
  4. For SAML IdP Metadata select Upload an XML file
  5. Click Browse and select the AD FS metadata file you downloaded in Step 4 above.
  6. Click Save


Step 6 - Test

The update is complete. Now it's time to test it.

  1. Log in to Skills Base using your shortcut link. You should be redirected to your AD FS server and presented with an authentication prompt.
  2. Log in using your Organizational Active Directory credentials


Troubleshooting

If an AD FS page displays an error

If you are receiving an error message from your AD FS server, you can check the AD FS error log as follows:

  1. Open the Event Viewer
  2. Expand "Applications and Services logs"
  3. Expand "AD FS"
  4. View the "Admin" log


If a Skills Base page displays an error

If you receive one of the following errors from Skills Base, please read the notes about your server's clock on the Single Sign On page:

  • "Received an assertion that is valid in the future. Check clock synchronization on IdP and SP."
  • "Received an assertion that has expired. Check clock synchronization on IdP and SP."
  • "Received an assertion with a session that has expired. Check clock synchronization on IdP and SP."