How to force ServiceNow to show local login page after SSO logout (SSO + OIDC)

thaovan
Tera Contributor

I have configured SSO with OIDC in my ServiceNow instance, using Auth0 as the IdP.

**Behavior I see:**
- User logs in with SSO (Auth0 IdP).
- User logs out from ServiceNow.
- When trying to log in again, the system directly redirects to the Auth0 login screen,
instead of showing the ServiceNow local login page (`login.do`).

**Question:**
👉Is this the expected behavior of SSO with OIDC?
👉How can I force ServiceNow to show local login page after SSO logout instead of being redirected to the IdP login screen?

Thanks in advance for your advice!

2 REPLIES

Ambuj Tripathi
ServiceNow Employee

Hi @thaovan 

 

This is expected behaviour. This happens to avoid extra clicks for a user who has earlier opted for a specific IDP and completed the login in the past. This creates a cookie called glide_sso_id which contains the SysID of the IDP SSO ID (in your case your OIDC SSO SysID). If this cookie is present, it will always redirect the instance access to the IDP's single sign-in URL, which is expected behaviour.

 

This cookie gets created every time the user selects the IDP and completes the login process, and this is out-of-box behaviour as well. If you do not want to redirect the users to the IDP directly, you can choose any of the below options, whichever suits your requirements -

1 - You can think of changing the logout page in your IDP configuration to login.do or some other page which contains the link to the login page (instance/login.do). This will make sure the users are redirected to the login page after logout from the IDP. But if the user accesses the instance URL, it will still redirect to the IDP login page directly since the sso_id cookie is present in the browser.

2 - You can think of customising the logout page to let the cookie be expired/removed upon landing on the logout page. Once the cookie is removed, it will not redirect to any IDP, unless you set any IDP record as auto-redirect IDP.

These are kind of workarounds, and it's not something available OOB, so before opting for it, please make sure to test the above suggested workarounds thoroughly to avoid any further issues.

 

Cheers!
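
Option 2 from the reply above, sketched as an added example that is not part of the original reply and not ServiceNow code: a script for the customised logout page that expires `glide_sso_id`. It assumes the cookie is scoped to `Path=/` and is not flagged HttpOnly; check both in the browser's developer tools before relying on it.

```javascript
// Added example, not ServiceNow code. Cookie name is taken from the reply above.
// Assumptions: the cookie is scoped to Path=/ and is not HttpOnly.
const SSO_COOKIE = "glide_sso_id";

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // skip empty or malformed fragments
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// A browser removes a cookie only when name, path and domain match the
// stored one, so build one expiry string per candidate path.
function buildExpiryStrings(name, paths = ["/"]) {
  return paths.map(
    (p) => `${name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${p}`
  );
}

// Expire the cookie on a document-like object and report the outcome.
// visible === false means the cookie is absent OR HttpOnly (script cannot
// tell these apart); an HttpOnly cookie must be expired by a server-side
// Set-Cookie header instead.
function clearSsoCookie(doc, paths = ["/"]) {
  const visible = parseCookies(doc.cookie).has(SSO_COOKIE);
  for (const s of buildExpiryStrings(SSO_COOKIE, paths)) doc.cookie = s;
  const remaining = parseCookies(doc.cookie).has(SSO_COOKIE);
  return { visible, cleared: visible && !remaining };
}

// Run only in a browser, e.g. when the customised logout page loads.
if (typeof document !== "undefined") {
  console.log(clearSsoCookie(document));
}
```

If `cleared` comes back false while the redirect to the IDP still happens, the cookie is most likely HttpOnly or scoped to a different path or domain.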

Ankur Bawiskar
Tera Patron

@thaovan 

Yes, that's expected behavior.

But after logout, why do you want them to be taken to login.do?

Those users will sign in with SSO, so they should use the SSO page only after logout, since they won't have local accounts.

I don't think this is a valid business requirement.

Regards,
Ankur