Could not validate SAML Response
06-03-2017 10:34 AM
I have Multi-Provider SSO set up with ADFS 2.0 on several Istanbul instances and every few days (correlates around ADFS auto-logout from other tools such as Office365, Box, etc.) I have a small number of users that get stuck in this endless loop of not being able to log in to SN. When they type the URL into their browser, it flashes a red "Could not validate SAML Response" momentarily and then tells them they've logged out successfully. It happens to me in our Dev instance, and very unfortunately, to my VP in our Prod instance.
Logs provided below.
The extremely weird part about it is it seems to be tied somehow to cookies. If I try logging in through Chrome incognito, I get in just fine. The only way I've found to get out of this loop is to have users (me included) clear cookies to the "beginning of time". After doing that, typing in the instance URL will take users to the ADFS login page. Then we're good for a couple of days until ADFS auto-logs out, and we're back to square one. Note: if the instance is not up in a tab at the time of auto-logout, then the problem doesn't occur.
I'm on a Windows machine using Chrome; my VP is on a Mac using Safari.
Labels: Integrations
06-03-2017 06:42 PM
Few quick things, are you able to check logs on the IdP? Is the right signing certificate set up?
Are the systems managed? Are you able to configure the browsers to set the site as trusted?
Has the session timeout been modified in SNow? This KB indicates that the SNow timeout must be longer than the SAML provider timeout in order to trigger the login page.

06-05-2017 04:34 AM
Hi Denise,
This is going to be something you'll probably want to consult with your IdP administrators on. If you haven't already, try updating the metadata from your instance on the IdP. If that doesn't resolve the issue, the log files from the IdP should help explain why it isn't handling the request properly. Any errors seen here will be best addressed by the identity service provider support teams. But if you can provide these log files, we can try our best to assist.
Thank you,
Brian

08-28-2017 04:14 AM
Hi Denise,
Were you able to find a solution/workaround for this? I am facing a similar issue and once we clear the cookies, it seems to work as expected.