
FAQ

When a username/password is entered in the Web UI of HMP, is the information encrypted between the client PC and HMP, and between HMP and the Active Directory server it queries? Are the passwords for local users stored in encrypted form on the HMP server?

SSL (TLS) is used between the browser and the server for the login page at all times. Between HMP and AD, a negotiation takes place when HMP binds to the AD server, and the outcome of that negotiation determines whether the password is sent using a secure challenge/response mechanism (SASL) or as plaintext. This is independent of the transport used between HMP and AD (commonly LDAP over SSL on port 636, or LDAP without SSL on port 389): a plaintext simple bind over port 389 exposes the password to anyone on the network path, while the same bind over port 636 is protected by the TLS session. We recommend SSL connections to protect the user information (group memberships, etc.) that is exchanged.
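As an added illustration (this is not code from HMP or from this page), the following Python script builds the bytes of an LDAP simple bind exactly as a client sends them over port 389, and computes a DIGEST-MD5 challenge/response of the kind that can be negotiated under SASL. The bind DN, account, realm, password and nonces are made-up values, and DIGEST-MD5 is assumed as the SASL mechanism purely to show the principle. The point it makes is why the bind method matters on an unencrypted connection: the simple bind carries the password verbatim, whereas the SASL response carries only a digest that the server verifies by recomputing it from its stored credential.

```python
import hashlib
import hmac


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER tag-length-value element with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def ldap_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest using 'simple' authentication (RFC 4511, 4.2).

    On port 389 without STARTTLS these bytes go out as-is, so the
    password is readable by anyone on the path.
    """
    bind_request = ber_tlv(
        0x60,  # [APPLICATION 0] BindRequest, constructed
        ber_tlv(0x02, b"\x03")               # version 3
        + ber_tlv(0x04, bind_dn.encode())    # name (LDAPDN)
        + ber_tlv(0x80, password.encode()),  # authentication: simple [0]
    )
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + bind_request)


def password_visible_on_wire(message: bytes, password: str) -> bool:
    """True if the credential appears verbatim in the encoded request."""
    return password.encode() in message


def stored_credential(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): all a DIGEST-MD5 verifier needs to keep."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _digest(cred: bytes, nonce: str, cnonce: str, digest_uri: str,
            nc: str, qop: str) -> str:
    """response-value as defined in RFC 2831, section 2.1.2.1 (no authzid)."""
    ha1 = hashlib.md5(cred + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth") -> str:
    """Client side: answer the server's nonce; only this digest is sent."""
    return _digest(stored_credential(username, realm, password),
                   nonce, cnonce, digest_uri, nc, qop)


def digest_md5_verify(cred, nonce, cnonce, digest_uri, response,
                      nc="00000001", qop="auth") -> bool:
    """Server side: recompute from the stored credential and compare."""
    expected = _digest(cred, nonce, cnonce, digest_uri, nc, qop)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed values; in practice the realm and server nonce come from the AD challenge.
    dn, user, realm, pw = "cn=svc-hmp,dc=example,dc=com", "svc-hmp", "EXAMPLE.COM", "S3cret!"
    uri = "ldap/dc01.example.com"
    msg = ldap_simple_bind(1, dn, pw)
    print("simple bind :", msg.hex())
    print("password visible on wire:", password_visible_on_wire(msg, pw))
    resp = digest_md5_response(user, realm, pw, "srv-nonce", "cli-nonce", uri)
    print("DIGEST-MD5 response:", resp, "password visible:", pw in resp)
    cred = stored_credential(user, realm, pw)
    print("server accepts:", digest_md5_verify(cred, "srv-nonce", "cli-nonce", uri, resp))
```

Run it and compare the two outputs: the hex of the simple bind contains the password bytes in the clear, while the SASL response is a 32-character digest that reveals nothing usable without the server's nonce and stored credential. Neither mechanism replaces LDAPS: the SASL exchange protects the password but not the directory data (group memberships and so on) returned afterwards, which is why the recommendation above is a TLS connection regardless of bind method.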

HMP stores hashed passwords in an internal database that is not accessible from outside the HMP server. The system user (haiadmin) is stored in hashed form in a local file outside this database.

When a user authenticates via SSO, is it recorded in the system logs or is it only recorded on the SSO provider side? How can I identify when users are connected or logged in?

SSO events are logged in calypso.log on the HMP server. The entries are not very detailed, but they give an idea of what is happening. AD FS also keeps its own logs on the identity provider side.

When a user logs out of HMP, do they have to quit their browser?

When you log out of HMP you may see a message directing you to close your browser to log out completely. If you only close the tab, then open a new one and go to the URL of your HMP server, you are still recognized as being logged in. If you log out and then quit your browser, you should have to log back in next time.

This behaviour is caused by two separate things: the HMP session and the SAML token lifetime. Logging out of HMP expires the HMP session for that user but has no effect on the validity of the current SAML token. A browser cookie establishes the validity of that token. If the cookie does not exist, the browser takes the user through the SAML SSO process with the SSO provider, which detects that it still has a valid session for the user and hands a cookie back to the browser. That cookie is what is passed back to HMP to say the user is valid, and it is why SSO providers suggest closing the browser.

Note

Because of the SAML token lifetime, you may not see any difference even if you sign out of HMP and close the browser. Even when the cookie for the browser session is no longer present, navigating back to the HMP server sends the browser to the AD FS server, which may still hold a valid session for the user, report a valid token, and send a fresh cookie back to your browser.
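To make the two lifetimes above concrete, here is an added example (not HMP code and not from this page) that reads the validity window out of a SAML assertion the way a service provider would when deciding whether a session is still good. The assertion text, issuer, audience, IDs and timestamps are constructed; in a real AD FS response the assertion is signed, and the signature must be verified before any of these fields are trusted. Note the two distinct windows: NotBefore/NotOnOrAfter bounds the assertion itself, usually a few minutes, while SessionNotOnOrAfter tells the SP how long the authenticated session it derives from that assertion may last.

```python
from datetime import datetime
import xml.etree.ElementTree as ET  # parse untrusted responses with defusedxml instead

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed assertion: made-up issuer, audience, IDs and timestamps.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://hmp.example.com/sso/callback</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:30:00Z" SessionIndex="_s1"
      SessionNotOnOrAfter="2024-05-01T18:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z; fromisoformat wants +00:00."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def assertion_window(xml_text: str) -> dict:
    """Extract validity window, session limit, authentication time and audience."""
    root = ET.fromstring(xml_text)
    cond = root.find(SAML + "Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    authn = root.find(SAML + "AuthnStatement")
    audience = root.find(f"{SAML}Conditions/{SAML}AudienceRestriction/{SAML}Audience")
    session = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return {
        "not_before": parse_saml_time(cond.get("NotBefore")),
        "not_on_or_after": parse_saml_time(cond.get("NotOnOrAfter")),
        "authn_instant": parse_saml_time(authn.get("AuthnInstant")) if authn is not None else None,
        "session_not_on_or_after": parse_saml_time(session) if session else None,
        "audience": audience.text.strip() if audience is not None and audience.text else None,
    }


def token_status(window: dict, now) -> str:
    """Classify a point in time (datetime or SAML timestamp string) against the assertion."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    if now < window["not_before"]:
        return "not_yet_valid"
    if now < window["not_on_or_after"]:
        return "assertion_valid"
    session_end = window["session_not_on_or_after"]
    if session_end is not None and now < session_end:
        return "assertion_expired_session_open"
    return "expired"


def audience_matches(window: dict, relying_party_id: str) -> bool:
    """The Audience must equal the Relying Party Identifier configured in HMP."""
    return window["audience"] == relying_party_id


if __name__ == "__main__":
    w = assertion_window(SAMPLE_ASSERTION)
    for when in ("2024-05-01T10:02:00Z", "2024-05-01T10:10:00Z", "2024-05-01T19:00:00Z"):
        print(when, "->", token_status(w, when))
    print("user authenticated at IdP:", w["authn_instant"].isoformat())
    print("audience ok:", audience_matches(w, "https://hmp.example.com/sso/callback"))
```

Two things to take from the sample: AuthnInstant (09:30) predates the assertion (10:00), which is the IdP-side session that an HMP logout cannot touch, and at 10:10 the assertion is already stale while the session it authorized still has hours to run. When a user reports being "still logged in", these are the fields to read from the response in calypso.log or a browser capture before looking at HMP's own session.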

Why can't I log in as haiadmin?

It is not possible to authenticate as the haiadmin user through single sign-on, since the haiadmin credentials are stored in a local file on HMP, not in Active Directory. If you want to log in as haiadmin, you must log in through HMP by manually going to the local login address, e.g. https://hmp-address/login.

Does HMP communicate directly with identity providers?

It is a common SSO misconception that the service provider (SP) and the identity provider (IdP) exchange information directly. In browser-based SSO it is the browser that carries the messages between the two systems, through redirects and form posts, relying on a trust relationship established in advance between the IdP and the SP. The only direct contact HMP has with the IdP is at configuration time, for example when fetching the identity provider metadata.

Where are the sign-in protocol configuration files located on HMP?

While .config files for SAML, OAuth and WS-Fed do exist on the server, we strongly recommend that they not be modified directly. Use the SSO settings in the HMP interface instead.

Are user email addresses case sensitive?

In HMP versions 2.4 through 2.6, any email address entered in the HMP server's AD settings must match the case of that address in the Active Directory database (for example, SallySmith@Example.com ≠ sallysmith@example.com). As of HMP 2.6.1, this case-sensitivity restriction has been removed.

Is there any way to bypass SSO?

If for any reason you need to bypass SSO (e.g. if you experience an error during SSO configuration), point your browser to https://hmp-address/login. The standard HMP login page will appear. You can use the default haiadmin user and password to log in.

Does SSO in HMP integrate with Windows security?

No. That would require integration with the Windows logon (GINA), Internet Explorer and Kerberos. HMP supports the more standard browser-based single sign-on: once the user has authenticated to the SSO portal through the browser, they can visit participating services such as HMP and be authorized without re-entering credentials.

If the Token Signing Certificate has priority over the certificate fetched from the Identity Metadata URL, why are both fields mandatory in HMP's SSO settings?

This should not be the case. It is a known issue that will be addressed in an upcoming release.

Why is sso/callback used as both the Relying Party Identifier and the browser redirect URL?

The /sso/callback URL is used in two ways by HMP: as an identifier URI and as a browser redirect URL. The Relying Party Identifier (RPI) field in the HMP SSO settings must match the identifier configured on the identity provider. The RPI could be given another value, but using the /sso/callback URL is valid and simplifies configuration. The browser redirect URL must always be https://<FQDN of HMP>/sso/callback. It does not need to be set anywhere in the HMP SSO settings for SAML2 or WS-Fed, but it must be configured on AD FS as the SAML SSO service URL (the assertion consumer endpoint) or the WS-Fed passive protocol URL, respectively.
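The following added example (not HMP's code, and not from this page) walks the SP-initiated SAML exchange discussed here and in the question on whether HMP talks to the IdP directly. The hostnames hmp.example.com and adfs.example.com, the request ID and timestamp are assumed values. It builds the AuthnRequest that carries the RPI as Issuer and /sso/callback as the assertion consumer URL, encodes it as the IdP redirect the browser follows, decodes it as the IdP would, applies the check an IdP makes against its configured identifiers and endpoints, and produces the self-submitting form by which the IdP sends the response back through the browser to /sso/callback. Both legs pass through the browser; neither is a connection from HMP to AD FS.

```python
import base64
import html
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(issuer, acs_url, idp_sso_url, request_id, issue_instant) -> str:
    """SP-initiated AuthnRequest. Issuer carries the Relying Party Identifier;
    AssertionConsumerServiceURL is where the browser must deliver the response."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" ProtocolBinding="{HTTP_POST}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (SAML Bindings 3.4.4.1).
    The SP returns this as a 302 Location; the browser, not the SP, then contacts the IdP."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + sep + urllib.parse.urlencode(params)


def decode_redirect_request(url) -> str:
    """IdP side: recover the AuthnRequest from the browser's GET."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def parse_authn_request(xml_text) -> dict:
    """Fields the IdP needs to identify the relying party and the return address."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"),
            "issuer": issuer.text if issuer is not None else None,
            "acs_url": root.get("AssertionConsumerServiceURL")}


def idp_accepts(request, configured_identifiers, configured_endpoints) -> bool:
    """The relying-party check: Issuer must be a configured identifier and the
    ACS URL a configured endpoint, which is why both are set up on AD FS."""
    return (request["issuer"] in configured_identifiers
            and request["acs_url"] in configured_endpoints)


def idp_post_form(acs_url, saml_response_b64, relay_state=None) -> str:
    """Second leg, HTTP-POST binding: the IdP answers the browser with a
    self-submitting form whose action is the SP's ACS URL (/sso/callback)."""
    fields = (f'<input type="hidden" name="SAMLResponse" '
              f'value="{html.escape(saml_response_b64, quote=True)}"/>')
    if relay_state:
        fields += (f'<input type="hidden" name="RelayState" '
                   f'value="{html.escape(relay_state, quote=True)}"/>')
    return (f'<form method="post" action="{html.escape(acs_url, quote=True)}">{fields}'
            '<noscript><input type="submit"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')


if __name__ == "__main__":
    rpi = acs = "https://hmp.example.com/sso/callback"      # assumed HMP values
    idp = "https://adfs.example.com/adfs/ls/"               # assumed AD FS endpoint
    xml = build_authn_request(rpi, acs, idp, "_req1", "2024-05-01T10:00:00Z")
    location = redirect_binding_url(idp, xml, "/dashboard")
    print("302 Location:", location)
    req = parse_authn_request(decode_redirect_request(location))
    print("IdP sees issuer:", req["issuer"], "ACS:", req["acs_url"])
    print("relying party known:", idp_accepts(req, {rpi}, {acs}))
    print(idp_post_form(acs, base64.b64encode(b"<samlp:Response .../>").decode(), "/dashboard"))
```

In a deployment the AuthnRequest and, above all, the Response are signed; this example leaves signatures out to keep the message flow visible. The idp_accepts check is also the first thing to look at when AD FS shows an error page instead of a login prompt: the Issuer sent by HMP must equal the identifier on the relying party trust, and /sso/callback must be listed as an endpoint there.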

How do STBs connect with HMP when SSO with AD FS has been enabled?

Set-top boxes inherit the permissions of the user or group with which they are associated. Customers can set up service accounts for STB management in HMP, or use any AD/LDAP account they wish to manage in HMP to provide STB permissions. The player itself does not authenticate against an AD/LDAP account; the association is a hardware permission controlled by the HMP STB administrator.
