SSO with Google as IdP

MC_Soria
Kilo Expert

Good day all,

Our company has "gone Google" and we now use Google as our Identity Provider (IdP) for all Single Sign-On (SSO) implementations. I have been working to get ServiceNow Multi-Provider SSO ("multi-SSO") working with Google using SAML 2.0. I've gone through the following product docs when implementing in non-prod:

Configure multi-provider SSO properties

Create a SAML 2.0 update 1 SSO configuration for Multi-SSO

Create and update identity providers

Configure users for multi-provider SSO

Essentially, I've finished all the configuration steps and obtained the meta-data for the Google IdP, provided by our Google admins via an XML file. I've attached a screenshot of the IdP settings produced from the XML.

The issue I'm having is that ServiceNow is not allowing login after the user is authenticated through Google. I get the following error (see attached screenshot):

"403. That's an error.

Error: app_not_configured_for_user

Service is not configured for this user.

Request Details

  • idpid=C0130ld7t
  • SAMLRequest=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
  • RelayState=https://nielsendev.service-now.com/navpage.do

That's all we know."

Does anyone know what some of the possible causes could be? Any help is greatly appreciated.


Thanks.

1 ACCEPTED SOLUTION

MC_Soria
Kilo Expert

Hi All,

We were able to get this working. After looking through the logs and working with ServiceNow support, we were able to determine that the ServiceNow meta-data we configured the Google IdP with had errors - i.e. an extra space and a missing slash. Once we exported the meta-data again using the "Export Meta-Data" UI action found on the IdP record in ServiceNow and re-configured Google using the fresh meta-data, we were able to get it working.

Thanks for all your suggestions and help.


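The accepted solution came down to two characters in the SP metadata that Google was given: a stray space and a dropped slash, which are enough for Google to fail to match the service provider and return app_not_configured_for_user. As an added example (not code from the thread or from ServiceNow), the script below parses an SP metadata export and flags exactly those defects before the values are pasted into a Google SAML app. The metadata document and the hostname example-instance.service-now.com are constructed for the demonstration.

```python
"""Pre-flight checks on a ServiceNow SP metadata export before it goes into a Google SAML app."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample (not a real export): SP metadata carrying the two defects the
# thread describes, a trailing space in entityID and a slash dropped from the ACS Location.
BROKEN_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-instance.service-now.com ">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https:/example-instance.service-now.com/navpage.do" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# The same document with both defects corrected, as a fresh "Export Meta-Data" would give.
CLEAN_METADATA = BROKEN_METADATA.replace(
    'entityID="https://example-instance.service-now.com "',
    'entityID="https://example-instance.service-now.com"',
).replace("https:/example-instance", "https://example-instance")


def _url_problems(label, value):
    """Findings for one URL-valued metadata field (whitespace, scheme, missing host)."""
    problems = []
    if value != value.strip():
        problems.append(f"{label}: leading/trailing whitespace in {value!r}")
    if re.search(r"\s", value.strip()):
        problems.append(f"{label}: embedded whitespace in {value!r}")
    parsed = urlparse(value.strip())
    if parsed.scheme != "https":
        problems.append(f"{label}: scheme is {parsed.scheme!r}, expected https")
    if not parsed.netloc:
        # 'https:/host/path' (one slash dropped) parses with an empty host part.
        problems.append(f"{label}: no host found, likely a missing slash after the scheme in {value!r}")
    return problems


def check_sp_metadata(xml_text):
    """Validate entityID and every AssertionConsumerService Location.

    Returns a list of human-readable findings; an empty list means the values are safe to
    copy into the IdP's SP configuration.
    """
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID", "")
    findings += _url_problems("entityID", entity_id)
    entity_host = urlparse(entity_id.strip()).netloc

    acs_nodes = root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if not acs_nodes:
        findings.append("no AssertionConsumerService element found")
    for acs in acs_nodes:
        location = acs.get("Location", "")
        findings += _url_problems("ACS Location", location)
        acs_host = urlparse(location.strip()).netloc
        # The IdP posts the assertion to the ACS; it should live on the same instance as entityID.
        if entity_host and acs_host and acs_host != entity_host:
            findings.append(f"ACS Location host {acs_host!r} differs from entityID host {entity_host!r}")
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_METADATA), ("clean", CLEAN_METADATA)):
        print(f"{name}: {check_sp_metadata(doc) or 'no findings'}")
```

Run it against the XML produced by the "Export Meta-Data" UI action rather than against values copied by hand; the point of the check is that Google compares entityID and ACS URL byte for byte, so a difference invisible in a screenshot still breaks the match.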


Stacy1
Mega Guru

Hello,

We are trying this setup and have been unsuccessful.

Can you please tell me what we are supposed to put for this step?

Paste the value for ServiceNow Login URL that you have copied (https://www.service-now.com/SAMLRedirector/ClientSAMLLogin.aspx) into the ACS URL field.

Do you actually put https://www.service-now.com/SAMLRedirector/ClientSAMLLogin.aspx? We are a multi-tenant MSP and we need the Google users to look at their particular SSO Provider details to route them to their domain. Is that something we put in the ACS URL?

Thanks,

Stacy


Hi Stacy,

In which procedure are you performing this step? I don't recall having to do this - we just set up our IdPs in ServiceNow using the XML provided to us by our IdP team (Google).




ty_roach
Tera Guru

Glad you got this solved. One other tidbit to share is that if you want to use ServiceNow's auto-account-creation feature within the Multi-Provider SSO application and you're integrating with Google GSuite, then you'll need to add first_name, last_name, email attributes (minimally) to the SAML record coming from the Google IdP. That is relatively straightforward. From within the Google Admin (admin.google.com):

  1. Select SAML app
  2. Select the ServiceNow Application that you've configured
  3. Select "Attribute Mapping"
  4. Add the attributes I mentioned above
  5. Re-generate your metadata and use that in your SN configuration

NOTE - you may need to modify the transform map fields and OnBefore script to match how you've named your source attributes.

Once you get that aligned, the auto account creation feature works great. NOTE - this is the feature that says essentially "if the IdP has authenticated the user but the user account does not exist on the SN system, go ahead and create the account in SN based on the attributes provided in the SAML AuthnRequest msg".
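The auto-creation step above fails quietly when an attribute is named differently on the Google side than the transform map expects, or arrives empty. As an added example (not code from the thread, from ServiceNow or from Google), the script below reads the AttributeStatement of an IdP response, applies a transform-map style mapping from source attribute name to ServiceNow field, and reports which of first_name, last_name and email are still missing. Both response documents are constructed and unsigned; the alternative attribute names givenName, familyName and mail are hypothetical stand-ins for whatever names an admin picks in the Google attribute mapping screen.

```python
"""Check that an IdP SAML response carries the attributes ServiceNow auto account creation needs."""
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# ServiceNow fields the thread names as the minimum for auto account creation.
REQUIRED_FIELDS = ("first_name", "last_name", "email")

# Constructed sample: attribute names already match the ServiceNow field names.
RESPONSE_MATCHING_NAMES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample with hypothetical names chosen on the Google side, plus an empty
# mail value, so the transform map needs a source-to-field mapping to work.
RESPONSE_CUSTOM_NAMES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_assert2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="familyName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(response_xml):
    """Return {attribute Name: [non-empty values]} for every Attribute in the response."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return attrs


def missing_account_fields(response_xml, source_to_field=None):
    """Apply the mapping (IdP attribute name -> ServiceNow field) and list required fields
    that are absent or empty. An empty list means auto creation has what it needs."""
    mapping = source_to_field or {}
    populated = set()
    for name, values in extract_attributes(response_xml).items():
        if values:  # an attribute present but empty does not count as populated
            populated.add(mapping.get(name, name))
    return [field for field in REQUIRED_FIELDS if field not in populated]


if __name__ == "__main__":
    google_mapping = {"givenName": "first_name", "familyName": "last_name", "mail": "email"}
    print("matching names:", missing_account_fields(RESPONSE_MATCHING_NAMES))
    print("custom names, no mapping:", missing_account_fields(RESPONSE_CUSTOM_NAMES))
    print("custom names, mapped:", missing_account_fields(RESPONSE_CUSTOM_NAMES, google_mapping))
```

The mapping dictionary plays the role of the transform map field names and OnBefore script adjustments mentioned above: the same response is reported as lacking all three fields without it and as lacking only the empty email with it, which is the distinction worth confirming before switching auto creation on in production.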