Changing default identity provider

per2
Kilo Contributor

Hi,

We are in the process of changing from one identity provider to another. We've set up the new one, marked it as default and verified that it works. However, our old SSO is still active but not default anymore (the SSO-manager guys don't want to disable it completely just yet).

The config has been active for about 2 months now, but people are still being logged in via the old provider. Is there a way to force everyone over to the new one without disabling the old configuration? Or will ServiceNow distribute the login requests between the two as long as they both are active?

Regards,

Per

5 REPLIES

corina
ServiceNow Employee

Hello Per.



You would need to make sure the old idp is not mentioned in this property: glide.authenticate.sso.redirect.idp


per2
Kilo Contributor

Hi,



It's correct there too. I think I have found the culprit. It's the cookie glide_sso_id on the browser that holds the sys_id of the old idp. The thing is that the cookie times out in 17 years!



I cannot ask all users to clear their cookies. Is there a way to set this cookie's life to something like a month or a couple of weeks? 17 years isn't relevant.



Regards,


Per


per2
Kilo Contributor

Here's how we will handle it - we'll set the failed login URL to the new login URL, disable the old idp, triggering the failure, and let the redirect handle the cookie update. After perhaps a week or two we'll change the redirect back to the KB article it points to now.


corina
ServiceNow Employee

Hello Per.



Given that you mention they are both active, is it safe to assume you are using MultiSSO?


If this is the case, the cookies should not interfere.


If they are both active, then you should make a rule for logging.


The most recommended way is to pass the IDP against which the users should log in in the URL:


https://myinstance.service-now.com/login_with_sso.do?glide_sso_id=<sys_id of the desired idp>



This indeed, after a first use, should create a cookie on the user's browser.
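
An added example, not part of the thread and not ServiceNow code: a Python check that reads Set-Cookie header values, flags a glide_sso_id cookie that pins a different IdP or outlives a lifetime policy, and builds the login_with_sso.do URL for the intended IdP. The 30-day policy, the function names, and the sample sys_ids, dates and headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone, timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import urlencode

COOKIE_NAME = "glide_sso_id"          # cookie named in the thread
MAX_LIFETIME = timedelta(days=30)     # assumed policy: "something like a month"

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def cookie_lifetime(attrs, now):
    """Max-Age takes precedence over Expires (RFC 6265); None means session cookie."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def audit(headers, wanted_idp, instance, now):
    """Report whether the SSO cookie pins another IdP or outlives the policy."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name != COOKIE_NAME:
            continue
        if value != wanted_idp:
            findings.append("pins other idp: " + value)
        life = cookie_lifetime(attrs, now)
        if life is not None and life > MAX_LIFETIME:
            findings.append("lifetime %d days exceeds policy" % life.days)
    url = "https://%s/login_with_sso.do?%s" % (instance, urlencode({COOKIE_NAME: wanted_idp}))
    return findings, url

# Constructed sample data: sys_ids and dates are made up for illustration.
OLD_IDP, NEW_IDP = "a" * 32, "b" * 32
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    "JSESSIONID=xyz; Path=/; HttpOnly",
    COOKIE_NAME + "=" + OLD_IDP + "; Expires=Tue, 01 Jan 2041 00:00:00 GMT; Path=/",
]
if __name__ == "__main__":
    print(audit(SAMPLE, NEW_IDP, "myinstance.service-now.com", NOW))
```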