Setting up SSO - what is the expected login behavior with an incorrect/invalid email address?

PamN37341128037
Giga Contributor

We are setting up SSO with Azure/Entra. At login, when entering an invalid email address, what is the expected behavior?

2 REPLIES

Naveen20
ServiceNow Employee

When a user enters an email at the ServiceNow login page, the instance redirects them to the Azure/Entra ID login page (the Identity Provider). From there, the behavior branches depending on the type of "invalid":

1. Email doesn't exist in Azure/Entra ID at all: Azure/Entra handles this before ServiceNow ever sees it. The user will get an error on the Microsoft login screen — something along the lines of "We couldn't find an account with that username." They never make it back to ServiceNow.

2. Email exists in Azure/Entra but not in ServiceNow: The user authenticates successfully with Microsoft, and Azure sends the SAML assertion back to ServiceNow. What happens next depends on your configuration:

  • If auto-provisioning (JIT user provisioning) is enabled, ServiceNow creates a new user record and logs them in.
  • If auto-provisioning is disabled, ServiceNow can't match the assertion to an existing user. You'll typically see a login failure — often a generic "Login failed" or "User not found" error page on the ServiceNow side. The exact message depends on your Multi-Provider SSO properties and any custom error handling you've configured.

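The branching described in the reply above, as an added simulation (example code, not ServiceNow's or Microsoft's implementation): the identifier typed at the login page is only a hint handed to the IdP; an account unknown to Entra never yields an assertion, while an account known to Entra but not to ServiceNow either fails or is JIT-provisioned depending on a flag. The accounts, the user table, the tenant ID in the issuer URL and the assertion XML are all constructed for the example, and the assertion is unsigned: in a real deployment the SAML library validates the signature before any of this matching runs, which this code does not do.

```python
"""Simulated IdP-initiated rejection and SP-side assertion matching for the
three outcomes described in the reply. Example code with constructed data."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample data, not real accounts or a real tenant.
ENTRA_ACCOUNTS = {"alice@contoso.example", "bob@contoso.example"}     # known to the IdP
SERVICENOW_USERS = {"alice@contoso.example": {"user_name": "alice"}}  # known to the SP
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder


def make_assertion(nameid):
    """Build a minimal, unsigned assertion so the SP side has something to parse.
    Constructed for the simulation; a real IdP signs this."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0">'
        f"<saml:Issuer>{escape(EXPECTED_ISSUER)}</saml:Issuer>"
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{escape(nameid)}</saml:NameID>"
        "</saml:Subject>"
        "</saml:Assertion>"
    )


def idp_authenticate(typed_username, accounts):
    """Case 1: the IdP rejects an account it does not know and issues no assertion,
    so the SP never sees the attempt. Returns the assertion XML or None."""
    username = typed_username.strip().lower()
    if username not in accounts:
        return None
    return make_assertion(username)


def sp_consume(assertion_xml, users, auto_provision):
    """Case 2: the SP maps the asserted NameID onto a user record.
    Returns (outcome, user_name) where outcome is LOGIN_OK, PROVISIONED or LOGIN_FAILED."""
    root = ET.fromstring(assertion_xml)
    # Issuer check stands in for the trust decisions (signature, audience, validity
    # window) that a real SAML library makes before the user lookup.
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != EXPECTED_ISSUER:
        return ("LOGIN_FAILED", None)
    nameid = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not nameid:
        return ("LOGIN_FAILED", None)
    if nameid in users:
        return ("LOGIN_OK", users[nameid]["user_name"])
    if auto_provision:
        # JIT provisioning: create the record from the assertion and log the user in.
        users[nameid] = {"user_name": nameid.split("@")[0]}
        return ("PROVISIONED", users[nameid]["user_name"])
    # No match and no provisioning: the generic login failure the reply describes.
    return ("LOGIN_FAILED", None)


def sso_login(typed_username, auto_provision, accounts=ENTRA_ACCOUNTS, users=None):
    """End-to-end: typed identifier -> IdP -> assertion -> SP matching.
    Uses a fresh copy of the user table so provisioning does not leak between calls."""
    users = dict(SERVICENOW_USERS) if users is None else users
    assertion = idp_authenticate(typed_username, accounts)
    if assertion is None:
        return ("IDP_REJECTED", None)
    return sp_consume(assertion, users, auto_provision)


if __name__ == "__main__":
    for typed, provision in [("nobody@contoso.example", False),
                             ("alice@contoso.example", False),
                             ("bob@contoso.example", False),
                             ("bob@contoso.example", True)]:
        print(typed, "auto_provision=%s" % provision, "->", sso_login(typed, provision))
```

The point the simulation makes explicit is where each failure surfaces: an unknown account stops at the IdP with no assertion at all, while an account the IdP vouches for reaches the SP and is decided there by the user-matching and auto-provisioning settings.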

Users can enter anything, such as "banana", and it goes through via SSO rather than requesting a valid email. SN and/or Entra/SSO should fail this, correct? So is this an SN config or an Entra config?