Error accessing descriptor for metaObject: package_private script include function MultiSSOLogin

Mohd Aizat Md R · ‎08-15-2022

Hello Everyone.

Anyone know what is below error about?

I'm getting this error in the log while debugging external web client live chat.

Error accessing descriptor for metaObject: package_private script include function MultiSSOLogin: no thrown error

Thanks

Jason Siegrist · ‎08-25-2022

Having same issue connecting from Okta to SN via the MutliSSO IDP

Jason Siegrist · ‎08-25-2022

Turn on SSO logs.

I noticed that there were two errors during the SSO login from the IDP.

Error

*** Script: Ensure that the user you are trying to login is from the correct source, as mentioned in company's sso source field for user in servicenow instance.: no thrown error

Error

Ensure that the user you are trying to login is from the correct source, as mentioned in company's sso source field for user in servicenow instance.

and

Error

Error accessing descriptor for metaObject: package_private script include function MultiSSOLogin: no thrown error

In the past, the basic troubleshooting of MutliSSO following an upgrade has been to disable (save) and enable (save) the SSO property.

"Enable multiple Provider SSO" (glide.authenticate.multisso.enabled)

This resets & aligns the installation exits for SSO.

Also double-check the user and company record for the correct entry (blank is a correct entry) in the SSO_Source fields.

Bill Ye Zhang · ‎12-23-2022

Hi Mohd,

The error may indicate that the user logs in via Multi-Provider SSO in PROD but the SSO is turned off in the instance where this error is present. Does this issue fit the scenario?

Thanks,

Simon Midtvedt · ‎02-09-2023

Hi Bill,

I think you might be onto something here.

Our situation:

We were getting the same error after cloning PROD to DEV and TEST. We had set up Multi-Provider SSO with OIDC in DEV, but not in TEST and PROD. We did, however, have an Oauth2.0 config in TEST for user import.
We were not able to log in to the DEV or TEST using multifactor authentication (MFA) or SSO after cloning.
All excludes and preservers seemed to be respected by the cloning process, since the configs of the identity providers and the MFA authentication information remained in the target instances (not overwritten).

After a lot of digging, we finally found something:

Installation exits (scripts for defining login/logout behavior) are cloned to target instances OOTB.
However, as these may vary depending on the instance (DEV/TEST/PROD), there is an OOTB Clone Cleanup Script caled "Fix MultiSSO IEs" that runs after cloning is complete.
The purpose of the "Fix MultiSSO IEs" script is to ensure that the installation exit records (sys_installation_exit) are correctly activated and deactivated depending on the login configuration of the target instance.
We found that the installation exit "SAML2SingleSignon_update1" was activated by default in PROD, which was ultimately interfering with how the clean up script activated and deactivated the correct installation exits.
The only reason I can think of is that since PROD did not have any Multi-Provider SSO configs at all, we cloned the wrong installation exits initially, and the clean up script was not able to fix the installation exits correctly.

Solution:

By manually deactivating the "SAML2SingleSignon_update1" and activating "MultiSSOv2" installation exits, we fixed the issue.
However, I believe if we deactivate "SAML2SingleSignon_update1" in PROD before we clone, this might fix the issue.
I have also read somewhere that it is not recommended to customize these installation exits, but I see no other way out in this situation..