Single Sign On

Updating AD FS configuration


Updating AD FS configuration

Updating SSO configuration is most commonly required when you renew certificates within AD FS as Skills Base needs to receive a copy of the updated certificates via your Identity Provider metadata.

There are also other circumstances where you may need to update SSO configuration.


Step 1 - Schedule a suitable period of downtime

This procedure will require a brief outage of Single Sign On Services. As such scheduling a suitable time when users will not be adversely impacted will be required.


Step 2 - Ensure you have a local Skills Base Administrator account

A local Administrator account differs from an SSO Administrator account in that SSO accounts can only be accessed via Single Sign On. A local account has a local password stored within Skills Base and so can be accessed even when Single Sign On services are unavailable. This is critical in case the SSO integration breaks and you become unable to log in via Single Sign On. Note that a local account can also be accessed via SSO as long as the email address in Skills Base exactly matches that within Active Directory.

To check your account type:

  1. Click "My summary" in the left hand menu
  2. Click "Actions > Edit person"
  3. Ensure that the "Type" field says "Local"


If the "Type" field says "SSO" you will need to create a local administrator account by clicking the "Add people" button in the People Directory and choosing "Manually add a person".


Step 3 - Make the changes to AD FS

Make the necessary updates to your AD FS configuration which may include renewing any certificates. Note this will temporarily break the SSO integration with Skills Base. We cannot provide specific instructions for things like updating AD FS certificates however there are numerous resources available on the Internet.


Step 4 - Download your new AD FS IdP metadata file

We need to now download the Identity Provider metadata file from your AD FS server which contains all of the updated information that Skills Base needs to know about your AD FS server.

Your metatdata file is generally available by opening a web browser and appending the following after your AD FS domain name:


/federationmetadata/2007-06/federationmetadata.xml


For example: https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml


Note that you must use https to access this, and not http. Once you have the file, save it somewhere for use in the next step.


Step 5 - Configure Skills Base

We will now provide Skills Base with all of the updated information it needs to know about your AD FS server by giving Skills Base your updated Identity Provider metadata file downloaded in the previous step.

  1. Log in to Skills Base as an administrator
  2. Click the "Admin > Authentication" menu item
  3. For "Single Sign On", select "SAML 2" from the drop down list
  4. Next to "Metadata validator" click "IdP metadata validation tool »"
  5. Using a text editor such as Notepad, open the file that you downloaded from your IdP. It's important to use a plain text editor as opening the metadata file with a web browser is not reliable for copying the contents,
  6. Copy the contents of the metadata file and paste into the text box in Skills Base.
  7. Click "Validate" to ensure the metadata is valid. Check any certificates along with their expiry dates.
  8. If the the metadata validates ok click "Back to settings"
  9. Under "Single Sign On", click the "Update IdP metadata" button
  10. Paste the metadata into the "IdP metadata" text box.
  11. Click "Save settings"


Step 6 - Test

The update is complete. Now it's time to test it.

  1. Log into Skills Base using your shortcut link. You should be redirected to your AD FS server and presented with an authentication prompt.
  2. Log in using your Organizational Active Directory credentials


Troubleshooting

If an AD FS page displays an error

If you are receiving an error message from your AD FS server, you can check the AD FS error log by:

  1. Going to the event viewer
  2. Expand "Applications and Services logs"
  3. Expand "AD FS"
  4. View the "Admin" log.


If a Skills Base page displays an error

Please read the notes about your server's clock on the following page: Single Sign On if you receive one of the following errors from Skills Base:

  • "Received an assertion that is valid in the future. Check clock synchronization on IdP and SP."
  • "Received an assertion that has expired. Check clock synchronization on IdP and SP."
  • "Received an assertion with a session that has expired. Check clock synchronization on IdP and SP."