Configuring IdP Initiated SSO

stevejarman
Giga Guru

Hi - I am urgently trying to locate the documentation or some sort of guide for configuring IdP Initiated SSO with ServiceNow. Are you able to tell me if that documentation exists, and - if so - where to find it?


Steve,

Did you ever get a working solution for an iDP initiated SSO? If so, can you outline some specifics on how you solved it?

Thanks,

Michael

stevejarman
Giga Guru

Hey Michael - as far as IDP-initiated goes, I think we've pretty much figured out that the config from a ServiceNow point of view is exactly the same.

You generate/download the metadata from your SSO provider, e.g. for ADFS you visit: https://<hostname>/federationmetadata/2007-06/federationmetadata.xml

You then create the Identity Provider record in ServiceNow and copy and paste that downloaded XML into it when prompted (you can point at a URL too, but I never got that to work). The newly created record will have the certificate data etc all sorted (answering my other post from earlier) - no need to import certificates or anything.

You can then test, activate, etc in ServiceNow. I've found sometimes that doesn't work and you have to be a little hacky to just force the Identity Provider record to active in ServiceNow.

You export the metadata from the Identity Provider record and import (if possible) or manually use the details inside it to configure the ADFS/Azure endpoint.

Then you test, and in theory, it should just work. If you're using IDP-initiated approach, essentially it just means you're authenticating first via ADFS/Azure, then you're clicking on a link (I think ADFS/Azure call them "Apps") that sends you over to ServiceNow with a pre-created "token" - i.e. ServiceNow should just recognise that you're already authenticated.

For a "sneaky" IDP-initiated-ish approach, you can also use a specific ServiceNow URL on your/the customer's intranet which navigates to ServiceNow and tells it which Identity Provider record we're expecting to authenticate against - e.g.

https://<sn_instance>/login_with_sso.do?glide_sso_id=<sys_id_of_idp_record>

Honestly though, SSO seems kinda flaky in ServiceNow, and it's definitely under-documented/under-developed. Sometimes you just have to "play around" until it's all running smoothly.

Hope at least some of that helps you 🙂

Thanks for the quick reply. I've done everything you outlined but I think the part that may be missing on my end is using the exported metadata from the ServiceNow Identity Provider record to configure the ADFS side.

I'll try some more and hopefully I can get this working.

Again, many thanks for the quick reply. I'll reply back if/when I get things working.