Has anyone gotten Paris OIDC SSO to work with AWS Cognito?

spease
Tera Contributor

As the title says, has anyone gotten this to work? I've looked around and searched the forums and the web, and I've not seen anyone who seems to have attempted it.

.well-known seems to not work because Cognito doesn't say it supports response type 'id_token', presumably because "token" acts as the more traditional "token id_token" type in Cognito.

From a quick glance around the script includes, it looks like the relevant code to modify to support this may be in SNC.GlideMultiSSO, which I don't believe we can customize. I'm assuming this is the stumbling block (though I would love to be proven wrong!) to getting SSO to Cognito.


I've tried setting it up manually as well: the "Log in Via Cognito" button seems to just redirect me to "not_allowed.do", and manually triggering the SSO directly from AWS lands me on "oauth_redirect.do" with the error "Your OAuth redirect failed. Please check if the redirect URL setup in your OAuth configuration matches your ServiceNow instance URL." (which I believe it does; there are two redirect URLs set: the IdP's "ServiceNow Homepage" set to <instanceURL>/navpage.do, and the OIDC Entity's Redirect URL, which is <instanceURL>/oauth_redirect.do). Everything is Authorization Grant as well.

Any ways to get this to work?

1 ACCEPTED SOLUTION

ServiceNow Tec2
Mega Sage
This has been resolved by ServiceNow Technical Support. Please refer to KB0719167 for more information.


6 REPLIES

spease
Tera Contributor

Hi Jahnavi,


Unfortunately, there was no solution. The resolution to the case was effectively that ServiceNow does not support Cognito, because ServiceNow is following the OIDC spec and Cognito technically is not. They opened a feature request on my behalf, but I have seen no updates regarding it (I'm not sure I would?).


Our solution was to use an AWS API Gateway and a custom Lambda function to create a 'shim' that translates SAML AuthnRequests and LogoutRequests to OIDC authorization grants and so on. This allows full SSO throughput, though SLO does not technically 'finish', since you can't be redirected back to ServiceNow to finish things without storing some kind of state. That said, even with that hiccup, you still get logged out of ServiceNow and logged out of Cognito.


I can't really recommend that solution, as it requires a fair amount of knowledge of both SAML's implementation and OIDC's implementation.
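To make the shim idea above concrete, here is the inbound half of such a translation as an added example (not the poster's Lambda code, and not anything ServiceNow or AWS ships): it decodes a SAML AuthnRequest sent over the HTTP-Redirect binding, refuses any ACS URL it does not already know, and builds the Cognito authorization-code request that the browser gets redirected to. The Cognito domain, app client id, shim callback URL and ServiceNow instance URL are hypothetical placeholders, and the sample AuthnRequest is constructed inline. The record it returns alongside the URL is exactly the state the post says has to be stored somewhere for the flow (and SLO) to be completed.

```python
"""Inbound half of a SAML-to-OIDC shim: accept a SAML AuthnRequest sent by the
SP over the HTTP-Redirect binding and turn it into a Cognito authorization-code
request. Added example; it is not the poster's Lambda code. The domain, client
id, callback and ACS URLs below are hypothetical."""
import base64
import secrets
import zlib
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical shim configuration.
COGNITO_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "example-app-client-id"
SHIM_CALLBACK = "https://shim.example.com/oidc/callback"
# Only these ACS URLs may receive the SAML Response the shim later mints
# (ServiceNow's SAML ACS is <instanceURL>/navpage.do).
ALLOWED_ACS = {"https://myinstance.service-now.com/navpage.do"}


def decode_redirect_binding(saml_request: str) -> ET.Element:
    """Redirect binding = raw DEFLATE (no zlib header), then base64."""
    xml_bytes = zlib.decompress(base64.b64decode(saml_request), -15)
    return ET.fromstring(xml_bytes)


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Inverse of decode_redirect_binding; used here to build sample input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def authn_request_to_authorize_url(saml_request: str):
    """Return (Cognito authorize URL, pending-login record).

    The record is what the shim must persist (keyed by state) so the OIDC
    callback can recover the AuthnRequest ID and ACS URL when it builds the
    SAML Response; without stored state the flow cannot be completed."""
    root = decode_redirect_binding(saml_request)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in ALLOWED_ACS:
        # Never trust the ACS in the request: an attacker could otherwise
        # point the minted assertion at their own endpoint.
        raise ValueError(f"ACS URL not allowed: {acs!r}")
    pending = {
        "state": secrets.token_urlsafe(32),  # unguessable; ties the callback to this request
        "request_id": root.get("ID"),        # becomes InResponseTo in the SAML Response
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs": acs,
    }
    params = {
        "response_type": "code",   # "code" is what Cognito supports; no id_token response type
        "client_id": CLIENT_ID,
        "redirect_uri": SHIM_CALLBACK,
        "scope": "openid email",
        "state": pending["state"],
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}", pending


def is_rejected(saml_request: str) -> bool:
    """True when the shim refuses the request (wrong message type or ACS)."""
    try:
        authn_request_to_authorize_url(saml_request)
    except ValueError:
        return True
    return False


# Constructed sample AuthnRequest, shaped like an unsigned SP-initiated request.
SAMPLE_AUTHN_REQUEST = encode_redirect_binding(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e6f3a2d" '
    b'Version="2.0" IssueInstant="2021-03-01T12:00:00Z" '
    b'AssertionConsumerServiceURL="https://myinstance.service-now.com/navpage.do">'
    b'<saml:Issuer>https://myinstance.service-now.com</saml:Issuer>'
    b'</samlp:AuthnRequest>'
)

if __name__ == "__main__":
    url, pending = authn_request_to_authorize_url(SAMPLE_AUTHN_REQUEST)
    print(url)
    print(pending)
```

The outbound half (exchanging the code at Cognito's token endpoint, validating the id_token against the pool's JWKS, then signing a SAML Response with InResponseTo set to the stored request_id and POSTing it to the stored ACS) is where most of the SAML-implementation knowledge the poster warns about goes, and is deliberately not sketched here.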

Jeremy Gibbons1
Kilo Explorer

Hi all,

I was able to get this to work (at least it looks like it), with a couple of tweaks:

  • I retrieved the Cognito autoconfig JSON file, and manually edited it to add "id_token" to the list of "response_types_supported"
  • I then hosted the resulting JSON file in a public S3 bucket with static website hosting enabled
  • I configured the Multiprovider SSO plugin by pointing it to the resulting URL.
  • I did not use ServiceNowInstance/oauth_redirect.do as the redirect URL, but rather left it at navpage.do, and provided the raw instance URL and navpage.do as redirect URLs in the Cognito settings
  • I then configured the affected users with the "SSO Source" field set to sso:sys_id_of_my_identity_provider

And presto, I was able to log in!

I think the SN documentation should better clarify the difference between the legacy OAuth support and the new OIDC support, since the redirect URLs are not the same at all.

Hope that helps some of you.
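As an added example of the first two steps above (not code from the poster, ServiceNow or AWS), the script below takes a Cognito discovery document, appends "id_token" to response_types_supported, and then checks that nothing else changed before the file is published to the bucket. The sample document is constructed inline in the shape of Cognito's /.well-known/openid-configuration, with a placeholder region, user pool id and pool domain.

```python
"""Patch a Cognito OIDC discovery document so that ServiceNow's Multi-Provider
SSO import accepts it, and verify the patch touched only what was intended.
Added example; not ServiceNow or AWS code."""
import copy
import json
import sys

# Constructed sample, shaped like Cognito's /.well-known/openid-configuration.
# Region, user pool id and pool domain are placeholders.
SAMPLE_COGNITO_DISCOVERY = {
    "authorization_endpoint": "https://example-pool.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "id_token_signing_alg_values_supported": ["RS256"],
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "jwks_uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "subject_types_supported": ["public"],
    "token_endpoint": "https://example-pool.auth.us-east-1.amazoncognito.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "userinfo_endpoint": "https://example-pool.auth.us-east-1.amazoncognito.com/oauth2/userInfo",
}

# Fields that decide where tokens come from and how they are verified.
SECURITY_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def patch_discovery(doc: dict) -> dict:
    """Return a copy with "id_token" added to response_types_supported (idempotent)."""
    patched = copy.deepcopy(doc)
    types = patched.setdefault("response_types_supported", [])
    if "id_token" not in types:
        types.append("id_token")
    return patched


def changed_fields(original: dict, patched: dict) -> list:
    """Sorted names of top-level keys whose values differ."""
    return sorted(k for k in set(original) | set(patched) if original.get(k) != patched.get(k))


def check_patched(original: dict, patched: dict) -> bool:
    """Publish gate: only response_types_supported may differ, the endpoints and
    issuer must be untouched, and the JWKS must still live under the issuer so
    that id_token 'iss' and signature checks are done against Cognito's keys."""
    if changed_fields(original, patched) != ["response_types_supported"]:
        return False
    if any(patched.get(k) != original.get(k) for k in SECURITY_FIELDS):
        return False
    issuer = patched["issuer"]
    return issuer.startswith("https://cognito-idp.") and patched["jwks_uri"].startswith(issuer + "/")


def render(doc: dict) -> str:
    """Stable JSON for upload; sorted keys make diffs against the original easy."""
    return json.dumps(doc, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    # Usage: python patch_discovery.py [openid-configuration.json] > patched.json
    original = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_COGNITO_DISCOVERY
    patched = patch_discovery(original)
    if not check_patched(original, patched):
        sys.exit("refusing to publish: patched document changed more than response_types_supported")
    sys.stdout.write(render(patched))
```

Two things worth keeping in mind with this approach: the file you host is what the instance reads to build the IdP record, so whoever can write to that bucket can swap the token or JWKS endpoints, and the bucket should be public-read only with write access locked down; and because the issuer and jwks_uri are left exactly as Cognito publishes them, the id_tokens ServiceNow receives are still validated against Cognito's own keys, which is the part of the document that must never be edited.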