SSO with Google as IdP

MC_Soria
Kilo Expert

Good day all,

Our company has "gone Google" and we now use Google as our Identity Provider (IdP) for all Single Sign-on (SSO) implementations. I have been working to get ServiceNow Multi-Provider SSO ("multi-SSO") working with Google using SAML 2.0. I've gone through the following product docs in implementing in non-prod:

Configure multi-provider SSO properties

Create a SAML 2.0 update 1 SSO configuration for Multi-SSO

Create and update identity providers

Configure users for multi-provider SSO

Essentially, I've finished all the configuration steps and obtained the meta-data for the Google IdP provided by our Google admins via xml file. I've attached a screenshot of the IdP settings produced from the xml.

The issue I'm having is that ServiceNow is not allowing login after the user is authenticated through Google. I get the following error (see attached screenshot):

"403. That's an error.

Error: app_not_configured_for_user

Service is not configured for this user.

Request Details

  • idpid=C0130ld7t
  • SAMLRequest=
  • RelayState=https://nielsendev.service-now.com/navpage.do

That's all we know."

Does anyone know what some of the possible causes could be? Any help is greatly appreciated.


Thanks.

1 ACCEPTED SOLUTION

MC_Soria
Kilo Expert

Hi All,



We were able to get this working. After looking through the logs and working with ServiceNow support, we were able to determine that the ServiceNow meta-data we configured the Google IdP with had errors - i.e. an extra space and a missing slash. Once we exported the meta-data again using the "Export Meta-Data" UI action found on the IdP record in ServiceNow and re-configured Google using the fresh meta-data, we were able to get it working.



Thanks for all your suggestions and help.
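A way to check for the kind of metadata error described in this solution, as an added example that is not part of the original post and not ServiceNow or Google code: it decodes a SAMLRequest and compares the entity ID and ACS URL it carries, character for character, with the values entered on the IdP side. It assumes the request uses HTTP-Redirect encoding; the sp.example.com URLs, the sample request and all function names are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import unquote
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect_request(value):
    """SAMLRequest query value -> XML (URL-decoding, base64, raw DEFLATE)."""
    return zlib.decompress(base64.b64decode(unquote(value)), -15).decode("utf-8")

def encode_redirect_request(xml_text):
    """Inverse of the above; used here only to build the constructed sample."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml_text.encode("utf-8")) + c.flush()).decode()

def sp_values(xml_text):
    """Entity ID and ACS URL exactly as the service provider sent them."""
    root = ET.fromstring(xml_text)
    return {"entity_id": root.findtext("saml:Issuer", default="", namespaces=NS),
            "acs_url": root.get("AssertionConsumerServiceURL", "")}

def classify(sent, configured):
    """Name the difference between the value sent and the value configured."""
    if sent == configured:
        return "match"
    if "".join(sent.split()) == "".join(configured.split()):
        return "whitespace differs"
    if sent.replace("/", "") == configured.replace("/", ""):
        return "slash missing or extra"
    return "different value"

def compare(saml_request, idp_config):
    """Compare each IdP-side value with what the request actually carries."""
    sent = sp_values(decode_redirect_request(saml_request))
    return {key: classify(sent[key], idp_config[key]) for key in idp_config}

# Constructed sample request; sp.example.com is a placeholder instance.
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
              'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
              'AssertionConsumerServiceURL="https://sp.example.com/navpage.do">'
              '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_REQUEST = encode_redirect_request(SAMPLE_XML)

# Constructed IdP-side values containing the two errors the post mentions.
IDP_CONFIG = {"entity_id": "https://sp.example.com ",          # extra space
              "acs_url": "https://sp.example.comnavpage.do"}   # missing slash

if __name__ == "__main__":
    for field, verdict in compare(SAMPLE_REQUEST, IDP_CONFIG).items():
        print(f"{field}: {verdict}")
```
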



8 REPLIES

sachin_namjoshi
Kilo Patron

Please check if the following configuration is complete.



ServiceNow cloud application - G Suite Administrator Help



Regards,


Sachin


Hi Sachin,



I've worked with our Google Team and they have completed the step outlined in the URL you provided. We did get this working in one instance but for some reason when trying to set up the rest of the instances they are not working.



We're trying to find the deviation between the working instance and the non-working instances. The non-working instances were set up following the same process, so it's proving a bit more challenging.



We're looking through the logs on both the G-Suite and ServiceNow ends. Thanks.


danpatino
Tera Expert

Hi Mario,



I would start by enabling debugging and looking at the logs. You can do that by navigating to Multi-Provider SSO >> Properties >> Check Enable debug logging for the multiple provider SSO integration. In the System Logs >> Script Log Statements, you can find a cleartext version of your SAMLRequest and SAMLResponse. If you remove your certificate and post the results, community members could be more helpful.


Thanks Dan,



We're in the process of looking through them. I'll post more info once I have it.