
SSO ISSUE

JackieZhang
Tera Contributor

We have encountered several issues during the SSO implementation. The client uses a self-developed IdP. First, we are unsure whether the SAML Request uses the GET or POST method. Second, when using the POST method, an error is reported stating that the method is incorrect. When using the GET method, the IdP side requires a certificate; how do we generate ServiceNow's X.509 certificate?


Me Being Mustaq
Tera Guru

Hi @JackieZhang,

ServiceNow doesn’t generate X.509 certificates automatically — you need to create one manually and upload it.

1. Generate the Certificate

Use a tool like OpenSSL or an online certificate generator to create a public/private key pair.

# Generate private key
openssl genrsa -out saml.key 2048

# Generate certificate signing request (CSR)
openssl req -new -key saml.key -out saml.csr

# Generate self-signed certificate
openssl x509 -req -days 365 -in saml.csr -signkey saml.key -out saml.crt

This gives you:

  • saml.key → Private key
  • saml.crt → Public certificate (X.509)

2. Upload to ServiceNow

  • Navigate to Multi-Provider SSO → Certificates.
  • Click New, choose type X.509 Certificate.
  • Paste the contents of saml.crt into the certificate field.
  • Save and activate.

3. Link to Identity Provider

  • Go to Multi-Provider SSO → Identity Providers.
  • Open your IdP record.
  • Under X.509 Certificate, select the one you just uploaded.

GET vs POST Binding in SAML

ServiceNow supports both HTTP-Redirect (GET) and HTTP-POST bindings for SAML requests. The correct method depends on what your IdP expects:

  • GET (Redirect Binding):
    • SAML request is sent via URL query parameters.
    • Often used for initial login redirection.
    • Requires signing the request with a certificate.
  • POST (POST Binding):
    • SAML request is sent in the body of an HTML form.
    • More secure for transmitting large payloads.

If your IdP reports “method incorrect” for POST, it likely expects GET. You can configure this in ServiceNow:

To set the binding method:

  • Go to your Identity Provider record.
  • Set AuthnRequest Binding to either HTTP-Redirect (GET) or HTTP-POST.

Troubleshooting Tips

  • Mismatch in binding method is a common cause of SSO failure. Confirm with the IdP team which method they expect.
  • If using GET and the IdP requires a certificate, ensure the X.509 certificate is active and linked properly.
  • Use SAML Debug Logs in ServiceNow to trace the request and response flow.

If it is helpful, please hit the thumbs button and accept this as the correct solution, so that others referring to it in the future will find it helpful.

Thanks & Regards,

Mohammed Mustaq Shaik
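
To make the GET-versus-POST distinction concrete, here is an added Python example (not code from this thread, and not ServiceNow's own implementation) that encodes the same AuthnRequest for both bindings and decodes either one back. The AuthnRequest XML, the entity IDs, the URLs and the request ID are constructed placeholders. It also builds the exact query string a signed Redirect binding covers (SAMLRequest, then RelayState if present, then SigAlg, per the SAML 2.0 Bindings specification), which is the part the certificate is needed for on the GET path; the RSA signature itself is deliberately left out.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest. Entity IDs, URLs and the ID value are placeholders, not real endpoints.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-request-id" Version="2.0" IssueInstant="2025-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/navpage.do">'
    "<saml:Issuer>https://sp.example.test</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def redirect_binding_url(sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect (GET) binding: raw DEFLATE (no zlib header), base64, then a URL-encoded query parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate, as the binding requires
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def redirect_string_to_sign(params, sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):
    """The octets a signed Redirect binding signs: URL-encoded SAMLRequest, RelayState (if any) and SigAlg,
    in that order. The RSA signature itself goes into a separate Signature parameter and is not computed here."""
    ordered = {"SAMLRequest": params["SAMLRequest"]}
    if "RelayState" in params:
        ordered["RelayState"] = params["RelayState"]
    ordered["SigAlg"] = sig_alg
    return urlencode(ordered)


def post_binding_form_fields(authn_request_xml, relay_state=None):
    """HTTP-POST binding: plain base64 of the XML (no compression), carried in hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def saml_request_from_url(url):
    """Pull the SAMLRequest query parameter back out of a Redirect binding URL."""
    return parse_qs(urlparse(url).query)["SAMLRequest"][0]


def detect_binding(saml_request_value):
    """Tell which binding produced a SAMLRequest value: uncompressed XML means POST, raw deflate means Redirect."""
    raw = base64.b64decode(saml_request_value)
    if raw.lstrip().startswith(b"<"):
        return "post"
    try:
        zlib.decompress(raw, -15)
        return "redirect"
    except zlib.error:
        raise ValueError("SAMLRequest is neither plain XML nor raw-deflated XML")


def decode_saml_request(saml_request_value):
    """Recover the AuthnRequest XML from either binding's SAMLRequest value."""
    raw = base64.b64decode(saml_request_value)
    if detect_binding(saml_request_value) == "redirect":
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.test/sso", AUTHN_REQUEST, relay_state="/navpage.do")
    print("GET :", url[:90], "...")
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    print("sign:", redirect_string_to_sign(params)[:90], "...")
    print("POST:", post_binding_form_fields(AUTHN_REQUEST)["SAMLRequest"][:60], "...")
```

Run it directly to see both encodings side by side. The point to take away is that a Redirect-binding SAMLRequest is raw-deflated before it is base64-encoded while a POST-binding value is not, so a value produced for one binding does not decode under the other; that is why the binding configured on the ServiceNow IdP record has to match what the IdP endpoint expects.
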

 

How about the private key? Should it be uploaded to the IdP? But the IdP team told us ServiceNow should load the private key and the IdP should use the public key. When I loaded the private key into ServiceNow, it threw an error saying it is not PEM.

Hi @JackieZhang,

You're absolutely right to clarify this - and the IdP team is correct: ServiceNow should hold the private key, and the IdP should use the public key (certificate) to verify signed SAML requests.


How SAML Signing Works in ServiceNow

  • ServiceNow (SP) signs the SAML AuthnRequest using its private key.

  • The IdP verifies the signature using the public key (X.509 certificate).

  • This ensures the request is authentic and hasn’t been tampered with.

The reason you got the “Not PEM” error is that ServiceNow expects the private key to be in PEM format, which looks like this:

-----BEGIN PRIVATE KEY-----
(base64 content)
-----END PRIVATE KEY-----

If your key is in PKCS#1 format (starts with -----BEGIN RSA PRIVATE KEY-----), ServiceNow may reject it.

A simple way to fix this is to convert your RSA key to PKCS#8 (PEM) format using OpenSSL:

openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.key -out saml_pkcs8.key -nocrypt

This will generate a file (saml_pkcs8.key) with the correct format:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Then:

  1. Go to Multi-Provider SSO → Certificates.

  2. Click New, choose Private Key.

  3. Paste the contents of saml_pkcs8.key into the field.

  4. Save and link it to your Identity Provider record.

  • Private key: stored in ServiceNow, in PEM (PKCS#8) format

  • Public certificate: stored in the IdP, in X.509 (PEM) format

If it is helpful, please hit the thumbs button and accept this as the correct solution, so that others referring to it in the future will find it helpful.

Thanks & Regards,

Mohammed Mustaq Shaik

Hi Mustaq,

I tried to use the command

openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.key -out saml_pkcs8.key -nocrypt

but it still can't be uploaded to ServiceNow. It still throws the "not PEM" error.
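
An added example to go with the PKCS#1/PKCS#8 explanation above and the follow-up report that the converted key is still rejected: a small Python checker (not code from this thread, and not ServiceNow's own validation logic; standard library only) that reports what a key file actually contains. It does not diagnose why a given upload is refused, but it answers the first question worth settling, namely whether the file really is an unencrypted PKCS#8 "PRIVATE KEY" block. It parses the PEM wrapper and just enough DER to tell a PKCS#1 RSAPrivateKey from a PKCS#8 PrivateKeyInfo, recognises the "ENCRYPTED PRIVATE KEY" label that a password-protected PKCS#8 export carries, and flags a header that disagrees with the body. The sample keys are constructed, structure-only toys with tiny integers, not usable RSA keys.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # DER content of OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _read_tlv(buf, pos):
    """Minimal DER reader: returns (tag, value, position after this element); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _der_structure(der):
    """Classify a DER blob as PKCS#1 RSAPrivateKey, PKCS#8 PrivateKeyInfo, or neither."""
    try:
        tag, seq, _ = _read_tlv(der, 0)
        if tag != 0x30:
            return None
        version_tag, _, pos = _read_tlv(seq, 0)  # both structures start with INTEGER version
        if version_tag != 0x02:
            return None
        second_tag, second, _ = _read_tlv(seq, pos)
        if second_tag == 0x02:  # RSAPrivateKey: version, modulus, publicExponent, ...
            return "PKCS#1"
        if second_tag == 0x30:  # PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING
            oid_tag, oid, _ = _read_tlv(second, 0)
            return "PKCS#8" if oid_tag == 0x06 and oid == RSA_OID else "PKCS#8 (non-RSA algorithm)"
    except IndexError:
        pass
    return None


def classify_private_key(pem_text):
    """Report what a key file holds: its PEM label, the DER structure inside, and any mismatch or defect."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        return {"label": None, "structure": None, "problem": "no BEGIN/END PEM block found"}
    label, body = match.group(1), match.group(2)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)  # split() also drops CRLF line endings
    except ValueError:
        return {"label": label, "structure": None, "problem": "PEM body is not valid base64"}
    if label == "ENCRYPTED PRIVATE KEY":
        return {"label": label, "structure": "PKCS#8 (encrypted)",
                "problem": "key is password-protected; export it unencrypted (openssl pkcs8 ... -nocrypt)"}
    structure = _der_structure(der)
    expected = {"PRIVATE KEY": "PKCS#8", "RSA PRIVATE KEY": "PKCS#1"}.get(label)
    if structure is None:
        problem = "DER body is not an RSA private key structure"
    elif expected is None:
        problem = f"unexpected PEM label {label!r}"
    elif structure != expected:
        problem = f"label says {expected} but the body is {structure}"
    else:
        problem = None
    return {"label": label, "structure": structure, "problem": problem}


# --- constructed samples below: structure-only toys with tiny integers, NOT usable RSA keys ---
def _der(tag, content):
    length = len(content)
    if length < 128:
        return bytes([tag, length]) + content
    length_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, raw if raw[0] < 0x80 else b"\x00" + raw)


def to_pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# RSAPrivateKey with toy fields (version, n, e, d, p, q, dP, dQ, qInv)
SAMPLE_PKCS1_DER = _der(0x30, b"".join(_der_int(v) for v in (0, 3233, 17, 413, 61, 53, 1, 53, 38)))
# PrivateKeyInfo wrapping it: version 0, AlgorithmIdentifier {rsaEncryption, NULL}, OCTET STRING
SAMPLE_PKCS8_DER = _der(0x30, _der_int(0) + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                        + _der(0x04, SAMPLE_PKCS1_DER))
SAMPLE_PKCS1_PEM = to_pem("RSA PRIVATE KEY", SAMPLE_PKCS1_DER)  # the -----BEGIN RSA PRIVATE KEY----- form
SAMPLE_PKCS8_PEM = to_pem("PRIVATE KEY", SAMPLE_PKCS8_DER)      # the form openssl pkcs8 -topk8 -nocrypt writes
MISLABELED_PEM = to_pem("PRIVATE KEY", SAMPLE_PKCS1_DER)        # header edited by hand, body left as PKCS#1

if __name__ == "__main__":
    for name, pem in (("pkcs1", SAMPLE_PKCS1_PEM), ("pkcs8", SAMPLE_PKCS8_PEM), ("mislabeled", MISLABELED_PEM)):
        print(name, classify_private_key(pem))
```

To check a real file, read it into a string and pass it to classify_private_key; a result with structure "PKCS#8" and problem None is the form the thread says ServiceNow expects. The mislabeled case is included because renaming the BEGIN/END lines by hand produces a file that looks right in a text editor but is still a PKCS#1 body, which only a structural check reveals.
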