How Does SAML Select an SSO Source for New Users with the Auto-Provision Setting?

KyleLaurel
Tera Contributor

Hello Everyone,

We are working to migrate some of our users to a new Azure environment from an existing one, and want to set up a new identity provider record in ServiceNow to allow them to log into the instances with SSO through SAML from the new Azure instance. We will continue to use an existing identity provider for the SAML connection with the old Azure environment. Both of these IDP records have auto-provisioning of users set to true, and default/auto-redirect set to false.

So far, the new IDP record has been created and populated with metadata, certificates, etc., and we are testing this login with a new user from the new Azure environment. The new user does not have an account created in the ServiceNow instance yet, and when they log into the instance they are being redirected to the old IDP by default.

My question is: how does the relationship between SSO source and user account work for user accounts that have not yet been created in ServiceNow from SAML? I understand setting an SSO source on existing user accounts, but how is that controlled/supported for new users to select or filter to a specific SSO source?

2 REPLIES

Wayne Woodgate1
Tera Contributor

I have this same issue. I find the documentation bewildering and can find no reference to how the SSO source is populated. I had hoped that there would be something to tell me: for existing contacts/users follow route A, and when creating new users, either through auto-provisioning or not, follow routes B or C.
I can't be the only person to ever need so I'm not sure why it's so difficult to find good (read: usable) information.

Wayne Woodgate1
Tera Contributor

I have just happened upon the fact that Company has an SSO source field that can be exposed too. I found that if I populated that with the relevant source's sysid and tried my test user, I was able to get in via the "use external login" route as I required.