
Setting up SSO - what is the expected login behavior with an incorrect/invalid email address?

Not applicable

We are setting up SSO with Azure/Entra.  At login when entering an invalid email address what is the expected behavior?

3 REPLIES

Naveen20
ServiceNow Employee

When a user enters an email at the ServiceNow login page, the instance redirects them to the Azure/Entra ID login page (the Identity Provider). From there, the behavior branches depending on the type of "invalid":

1. Email doesn't exist in Azure/Entra ID at all: Azure/Entra handles this before ServiceNow ever sees it. The user will get an error on the Microsoft login screen — something along the lines of "We couldn't find an account with that username." They never make it back to ServiceNow.

2. Email exists in Azure/Entra but not in ServiceNow: The user authenticates successfully with Microsoft, and Azure sends the SAML assertion back to ServiceNow. What happens next depends on your configuration:

  • If auto-provisioning (JIT user provisioning) is enabled, ServiceNow creates a new user record and logs them in.
  • If auto-provisioning is disabled, ServiceNow can't match the assertion to an existing user. You'll typically see a login failure — often a generic "Login failed" or "User not found" error page on the ServiceNow side. The exact message depends on your Multi-Provider SSO properties and any custom error handling you've configured.


Not applicable

Users can enter anything, such as "banana", and it goes through via SSO rather than requesting a valid email. SN and/or Entra/SSO should fail this, correct? So is this a SN config or an Entra config?

Naveen20
ServiceNow Employee

In your Multi-Provider SSO Identity Provider record in ServiceNow, check these settings:

  • "Is Default" — if this is checked on your Azure IdP, ServiceNow will route all login attempts to Azure without inspecting the input. This is the most common cause of what you're seeing.
  • "Email Domain" field — this is the key field. You should populate it with your organization's email domain(s), e.g. yourcompany.com. When configured, ServiceNow uses domain-based discovery: it looks at whatever the user typed, extracts the domain portion, and only redirects to Azure if the domain matches. Something like "banana" has no domain, so it would fail at the ServiceNow level before ever hitting Azure.
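As an added illustration of the two decisions described in the replies above (what the login page does with the typed identifier, and what the instance does with the assertion that comes back), here is a small JavaScript model written for this thread. It is not ServiceNow or Entra code and calls no ServiceNow or Microsoft API; the IdP records, the "domains"/"isDefault" fields standing in for the Email Domain and Is Default settings, the tenant directory, the local user table and the sample inputs are all constructed for the example. It goes slightly beyond the thread by also handling mixed-case input and addresses with a malformed shape.

```javascript
// Added example, not ServiceNow code. Models: (1) routing of login-page input
// with and without a default IdP, (2) the IdP rejecting unknown accounts, and
// (3) matching the returned NameID to a local user with JIT on or off.

// Hypothetical IdP records. "domains" stands in for the Email Domain field,
// "isDefault" for the Is Default checkbox.
const IDP_RECORDS = [
  { name: "Azure/Entra ID", domains: ["yourcompany.com"], isDefault: false },
];

// Constructed Entra tenant directory: the accounts the IdP will authenticate.
const TENANT_USERS = new Set(["alice@yourcompany.com", "bob@yourcompany.com"]);

// Constructed local user table, keyed by the value the IdP sends as NameID.
const LOCAL_USERS = new Map([["alice@yourcompany.com", { userName: "alice" }]]);

// Parse the login-page input as an email address. Returns null for input with
// no "@" or more than one, an empty local part, whitespace, or a domain
// without a dot, so "banana" never yields a domain to look up.
function parseIdentifier(input) {
  const s = String(input).trim().toLowerCase();
  const at = s.indexOf("@");
  if (at <= 0 || at !== s.lastIndexOf("@")) return null;
  const local = s.slice(0, at);
  const domain = s.slice(at + 1);
  if (/\s/.test(local) || !/^[a-z0-9.-]+\.[a-z]{2,}$/.test(domain)) return null;
  return { local, domain, address: s };
}

// Decision 1: route the attempt. With a default IdP the input is not inspected
// and everything is redirected; without one, the domain must match a
// configured IdP or the attempt fails on the ServiceNow side.
function routeLogin(input, idps = IDP_RECORDS) {
  const def = idps.find((i) => i.isDefault);
  if (def) return { action: "redirect", idp: def.name, inspected: false };
  const parsed = parseIdentifier(input);
  if (!parsed) return { action: "reject", reason: "not an email address" };
  const idp = idps.find((i) => i.domains.includes(parsed.domain));
  if (!idp) return { action: "reject", reason: "no IdP for domain " + parsed.domain };
  return { action: "redirect", idp: idp.name, inspected: true, loginHint: parsed.address };
}

// The IdP side reduced to one check: an unknown account fails at Microsoft
// and no assertion ever reaches ServiceNow.
function idpAuthenticate(address, tenant = TENANT_USERS) {
  if (!tenant.has(address)) {
    return { ok: false, error: "We couldn't find an account with that username" };
  }
  return { ok: true, assertion: { nameId: address, issuer: "Azure/Entra ID" } };
}

// Decision 2: consume the assertion. Match NameID to a local user; if there is
// none, JIT-provision when enabled, otherwise fail with a generic message.
function consumeAssertion(assertion, jitEnabled, users = LOCAL_USERS) {
  const existing = users.get(assertion.nameId);
  if (existing) return { result: "login", userName: existing.userName };
  if (!jitEnabled) return { result: "fail", reason: "User not found" };
  const created = { userName: assertion.nameId.split("@")[0] };
  users.set(assertion.nameId, created);
  return { result: "provisioned", userName: created.userName };
}

// End to end: what a given login-page input produces, and at which stage.
function simulateLogin(input, { jitEnabled = false, idps = IDP_RECORDS } = {}) {
  const route = routeLogin(input, idps);
  if (route.action !== "redirect") return { stage: "servicenow", ...route };
  const auth = idpAuthenticate(route.loginHint || String(input).trim().toLowerCase());
  if (!auth.ok) return { stage: "idp", action: "error", reason: auth.error };
  // Work on a copy so a JIT run does not mutate the shared sample table.
  return { stage: "servicenow", ...consumeAssertion(auth.assertion, jitEnabled, new Map(LOCAL_USERS)) };
}

module.exports = { parseIdentifier, routeLogin, idpAuthenticate, consumeAssertion, simulateLogin };
```

With no default IdP, `simulateLogin("banana")` is rejected on the ServiceNow side before any redirect; flip `isDefault` to true and the same input is sent to the IdP uninspected and only fails there, which is the behavior the question describes. Whether the real instance matches on NameID or on a different attribute depends on the user field configured on the IdP record, so treat the key used here as an assumption.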