How to enable 'Auto redirect IdP' for multiple Identity providers?

Suggy
Giga Sage

We have multiple identity providers configured. We want to enable 'Auto redirect IdP' for all of them.

I see that at a time we can activate that for only ONE IdP.


How to enable it for multiple IdPs?


David Nendza
Tera Guru

I could be wrong, but isn't auto redirect IdP meant to direct unauthenticated users to an SSO to sign in? How would the system know which place to redirect a user to if they aren't logged in and haven't put in their username yet?


When we went from 1 IdP to 3 recently, we turned off the auto-redirect because otherwise anyone trying to hit our ServiceNow instance directly would be redirected to the 'main' company's Okta, and now not all the users can sign in through that. We edited the login_locate_sso UI page and added links to all 3 IdPs so users can choose the one they need, and they can also use the username box; if they are in the system, it will redirect them to the right one.


tl;dr: marking multiple IdPs as redirect doesn't make sense, unless you have multiple IdPs that point to the same place?

psowa
Tera Contributor

At my former organization we went from 1 IdP to 3 and we also turned off the auto-redirect. We instead provided each separate organization a unique SSO link (each had a different Active Directory tenant used for authentication).


The links matched the format below:

https://[instance name].service-now.com/login_with_sso.do?glide_sso_id=[Sys ID for the Identity Provider]


We also set the sys_user.sso_source field to the sys ID of the Identity Provider they were associated with, prefixed with sso:, so the format in that field was "sso:[Sys ID for the Identity Provider]". This was done so that if the customer hit https://[instance].service-now.com directly, they could press "Use external login", which prompted for their sys_user.user_name; once they pressed submit, they would be directed to the correct IdP. Once they authenticated, any time they went to the [instance] URL it took them to the correct area unless they cleared cache and cookies from the browser.


We determined the Identity Provider by the Company field associated to the sys_user record and populated them by using a business rule or scheduled script. For us, each company represented each unique Active Directory tenant for authentication.
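The company-to-IdP mapping described in the reply above, as an added example that is not code from the post or from ServiceNow: plain JavaScript that computes the `sso:[Sys ID]` value for `sys_user.sso_source` from a user's Company and builds the per-IdP `login_with_sso.do` link. The company and IdP sys_ids, the instance name and the user rows are constructed placeholders; in a real Business Rule or scheduled script the same functions would be applied to GlideRecord rows rather than these stand-in objects.

```javascript
// Added example, not from the thread. Pure-JS form of the mapping psowa
// describes; plain objects stand in for sys_user records so it runs offline.

// Constructed sample mapping: company sys_id -> Identity Provider sys_id.
// These 32-character hex values are placeholders, not real records.
const COMPANY_TO_IDP = {
  "0a1b2c3d4e5f60718293a4b5c6d7e8f9": "11111111111111111111111111111111",
  "ffeeddccbbaa99887766554433221100": "22222222222222222222222222222222",
};

// ServiceNow sys_ids are 32 lowercase hex characters.
const SYS_ID_RE = /^[0-9a-f]{32}$/;

// Value to store in sys_user.sso_source ("sso:<IdP sys_id>"), or null when
// the company has no mapped IdP. Returning null lets the caller leave the
// field untouched instead of writing a value that would break that user's login.
function ssoSourceForCompany(companySysId, mapping = COMPANY_TO_IDP) {
  const idp = mapping[String(companySysId || "").toLowerCase()];
  if (!idp || !SYS_ID_RE.test(idp)) return null;
  return "sso:" + idp;
}

// Per-IdP login link in the format quoted in the reply. Both parts are
// validated so a bad value cannot produce a malformed or misleading URL.
function ssoLoginUrl(instanceName, idpSysId) {
  if (!/^[a-z0-9-]+$/i.test(instanceName)) throw new Error("bad instance name");
  if (!SYS_ID_RE.test(idpSysId)) throw new Error("bad IdP sys_id");
  return `https://${instanceName}.service-now.com/login_with_sso.do?glide_sso_id=${idpSysId}`;
}

// Applies the mapping to a batch of user rows (stand-ins for sys_user records).
// Users whose company is unmapped are reported rather than silently skipped,
// which is what an admin wants to see from a scheduled run.
function assignSsoSources(users, mapping = COMPANY_TO_IDP) {
  const skipped = [];
  const updated = users.map((u) => {
    const value = ssoSourceForCompany(u.company, mapping);
    if (value === null) {
      skipped.push(u.user_name);
      return u;
    }
    return { ...u, sso_source: value };
  });
  return { updated, skipped };
}

// Constructed sample users (not real data).
const SAMPLE_USERS = [
  { user_name: "alice", company: "0a1b2c3d4e5f60718293a4b5c6d7e8f9" },
  { user_name: "bob", company: "ffeeddccbbaa99887766554433221100" },
  { user_name: "contractor", company: "" }, // no company -> no IdP mapping
];

const result = assignSsoSources(SAMPLE_USERS);
console.log(result.updated);
console.log("skipped (no IdP mapping):", result.skipped.join(", "));
console.log(ssoLoginUrl("acme", COMPANY_TO_IDP["0a1b2c3d4e5f60718293a4b5c6d7e8f9"]));
```

In a Business Rule on sys_user the equivalent would be a one-liner assigning the computed value to the sso_source field when the Company changes; the point of the helpers is the validation around it, so an unmapped or malformed sys_id never ends up in a field that controls where a user is sent to log in.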

Suggy
Giga Sage

Hi @David Nendza @psowa, thank you for replying.

As you know, once 'Auto redirect IdP' is enabled, users need not enter their user name/password. The moment they hit 'XYZ.service-now.com', they are automatically logged in.


Users had also bookmarked a few things like links to Knowledge articles (<https://xyz.service-now.com/$knowledge.do>), the My Incidents page, portal pages etc., so that the next day when they log in, they click on the bookmarked link and it takes them to that page directly.


But now in our instance we have implemented multiple IdPs for different sets of customers, and we also have multiple portals now.

Currently we are asking users to use unique links like the one below, as we have multiple IdPs:

https://[instance name].service-now.com/login_with_sso.do?glide_sso_id=[Sys ID for the Identity Provider]


But the problem now is that they cannot go directly to their bookmarked pages like the knowledge home page, portal pages (we have multiple portals, not one for each customer) etc. Users would first need to go to the home page and then navigate to other pages.

Suggy
Giga Sage

Anyone else 🙂