Blank white page after authenticating to Banner 9 Administrative Pages via Azure AD
Rarely, a user may see a blank white browser page after successfully authenticating into Banner 9 Administrative Pages via Azure AD. The URL will also look something like https://hawkadm.sju.edu/applicationNavigator/saml/SSO
This is due to a timing mismatch between Application Navigator and the back-end BannerAdmin web application. The solution in this case is to remove the "/saml/SSO" portion in the URL and hit enter to reload the page. This will almost always clear the issue, although in some very rare cases, it may need to be attempted more than once.
NOTE: If you attempt to reload the page with /saml/SSO still in the URL path, it will indicate that you are logged out. If you click on the "Return Home" button, it will force a full log out and prompt you to log in again. For this reason it is advised to instead just trim the URL as described above.
This issue is being actively worked on with Ellucian and Microsoft support.
Google Chrome Incognito - Service Invocation Failed
User is seeing "Service Invocation Failed" message in Banner 9 Administrative Pages after authenticating while using a Chromium-based web browser in Incognito mode. This is due to a defect in the BannerAdmin web application. This error will not occur when Banner is accessed in a regular Chromium window, or via any other web browsers (i.e. Firefox, Safari, etc.).
To get around this, you have to change your Chrome security settings as follows:
1) Click on the three vertical dots in the top right corner, then click on "Settings"
2) On the left-hand side, click on "Security and Privacy"
3) In the center panel, click on "Cookies and other site data"
4) Click on the radio button next to "Allow all cookies" (by default Chrome will be set to "Block third-party cookies in Incognito)
That's it! Banner 9 Admin will now work in Chrome incognito.
Invalid Username/Password after authenticating to Banner 9 Administrative Pages via Azure AD
In some circumstances, a users SAML token from Azure will become out of sync with Banner. This is due to a hard-coded maxAuthenticationAge parameter set in Banner, which will not allow it to accept an SSO token that is older than 12 hours. As a result, the SAML payload from Azure is rejected, resulting in a blank username being asserted, and thus the "Invalid Username/Password" message.
Although the Azure SAML application for Banner is configured to require a user to re-authenticate after 12 hours, there may be some edge cases where this doesn't occur. To fix this, the user must manually log out of Azure to kill their session token, then log into Banner again. Alternately, using another browser or going into Incognito mode will force a new Azure session.
Here is the manual logout URL for Banner 9 Admin. This will also clear out your Azure session, and log you out of any other Azure-authenticated systems:
https://hawkadm.sju.edu/applicationNavigator/saml/sso/SingleLogout
Firefox - Service Invocation Failed
An issue has been uncovered with the latest release of Firefox (version 118.0.1+) which is causing Banner 9 Administrative Pages to throw the error message "Service Invocation Failed" when attempting to open a page. This is due to new strict privacy settings included in the latest version of Firefox which is blocking Third Party Cookies, which isn't playing well with Banner's unique authentication methods.
To resolve this, first log on to Banner 9 Administrative Pages via https://hawkadm.sju.edu/applicationNavigator just like you normally would. Then click on the shield icon to the left of the URL bar here:
Next, untoggle the "Enhanced Tracking Protection" switch so that it is set to OFF:
This should allow you to bypass the Third Party Cookie restriction, and allow pages to load again properly in Firefox.
Google Chrome - Service Invocation Failed
The same issue with strict privacy settings that affects Firefox is now slowly being rolled out to Google Chrome. This will also result in a "Service Invocation Failed" error message when attempting to load a page within Banner 9 Admin. The work around to this is effectively the same:
Click on the main Chrome menu in the top right corner, and then Settings:
On the left hand side, click on Privacy and Security, and then click Tracking Protection towards the middle of the screen:
Scroll towards the bottom and find the section labeled "Sites allowed to use third-party cookies" and click on the Add button:
Add in the following URLs:
https://hawkadm.sju.edu
https://ppnxhawkadm.sju.edu
Once finished, close the browser out completely, and attempt to log in to Banner 9 Administrative Pages again, it should now allow the back end pages to be called properly.