Okta (via Multi-Provider SSO) won't redirect

Uncle Rob
Kilo Patron

I successfully set up an Okta integration on Dev using Multi-Provider SSO plugin.

I'm now attempting to get it to work on Prod. I believe I have everything the same as Dev, but even throwing the master Enable switch still isn't doing anything. People hit the ServiceNow URL and aren't redirected to Okta. They log in as normal.


I've got the Okta identity provider Active and Default


The two companies who will use the SSO provider have their SSO Source already populated.


But every time a user goes to the base ServiceNow URL they do not redirect to the Identity Provider URL.

Am I missing something stupendously obvious here?


Patrick Schult2
Giga Guru

Presuming you want to redirect all users to Okta, did you set the default IDP property (glide.authenticate.sso.redirect.idp)? This property should have the sys_id of the identity provider record you have for Okta (the value of the saml2_update1_properties record).
https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/integrate/single-sign-on/task/t...
If you don't want to redirect all users to Okta, then what do your users see when they reach the base instance URL?
edit: edited for clarity
<expletive> <expletive> sys_id from dev's IDP was in the <expletive> property for <expletive> prod!
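The mix-up above (a sys_id copied from one instance into another instance's property) is easy to catch with a quick consistency check. The following is an added example, not code from the thread or from ServiceNow: an ES5 background script that reads glide.authenticate.sso.redirect.idp and verifies it points at an active, default IdP record in saml2_update1_properties on the instance it runs on. The property and table names come from the thread; the `name`, `active` and `default` column names are assumptions to confirm on your instance. The pure check function also runs stand-alone outside ServiceNow with plain objects.

```javascript
// Added example: validate the SSO redirect property against local IdP records.
var REDIRECT_PROP = 'glide.authenticate.sso.redirect.idp';

// idps: array of plain objects { sys_id, name, active, isDefault }.
// Returns a list of problems; an empty list means the property is consistent.
function checkRedirectIdp(propValue, idps) {
  var problems = [];
  var value = (propValue || '').replace(/^\s+|\s+$/g, '');
  if (!value) {
    problems.push('property is empty: users land on the local login page');
    return problems;
  }
  if (!/^[0-9a-f]{32}$/.test(value)) {
    problems.push('property value is not a 32-char sys_id: ' + value);
    return problems;
  }
  var match = null;
  for (var i = 0; i < idps.length; i++) {
    if (idps[i].sys_id === value) { match = idps[i]; }
  }
  if (!match) {
    // The Dev-sys_id-in-Prod case from the thread ends up here.
    problems.push('no IdP record on this instance has sys_id ' + value +
                  ' (copied from another instance?)');
    return problems;
  }
  if (!match.active) { problems.push('IdP "' + match.name + '" is not active'); }
  if (!match.isDefault) { problems.push('IdP "' + match.name + '" is not the default'); }
  return problems;
}

// ServiceNow-side collector; only meaningful inside the platform script engine.
function collectIdps() {
  var list = [];
  var gr = new GlideRecord('saml2_update1_properties');
  gr.query();
  while (gr.next()) {
    list.push({
      sys_id: gr.getUniqueValue(),
      name: gr.getValue('name'),             // assumed column name
      active: gr.getValue('active') === '1', // assumed column name
      isDefault: gr.getValue('default') === '1' // assumed column name
    });
  }
  return list;
}

if (typeof GlideRecord !== 'undefined') { // run as a background script
  var issues = checkRedirectIdp(gs.getProperty(REDIRECT_PROP), collectIdps());
  gs.info(issues.length ? issues.join('\n') : 'redirect IdP is consistent');
}
```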
prathyusha_snow
Tera Contributor

According to our requirement, the users inside our company should go to ServiceNow through Okta, so we have Multi SSO enabled for this (updated the user record's SSO source as sso:<identity provider sys_id>). But recently we had to use ServiceNow for external users too, who do not want to land on the Okta page. To achieve this, all I did was remove the default value from glide.authenticate.sso.redirect.idp. All the users are now going to a login page no matter whether they are employees of the company or not. This is making them enter their user ID and password, which we don't like. Is there a way to achieve both scenarios?
The other problem that we are facing with this is that AD passwords stopped syncing to ServiceNow; if an employee changed his/her password they are not able to log in with their new password. How can I get AD passwords synced to Okta and in turn to ServiceNow?
The whole point of SAML2-based authentication like Okta is that you don't give the password to ServiceNow, from AD or otherwise. You don't want to do this; your goal should be to make Okta work correctly.
The login page you are seeing is the internal login page, which prompts for username and password. Because you are using external authentication (Okta), you don't need to type in the username and password, you just hit "Use external login". You should see a "Use external login" button on this page. Your users need to click this button and provide their usernames so that the instance can know which IdP to send them to.
If you want to make it easier for your company's users, then instruct them to use the Okta dashboard to log in to your instance OR tell them how to use the "Use external authentication" button on the default login page. You can also go into Okta and obtain a unique link that, when used, will send your employees to Okta then automatically redirect them into the instance (kind of like a magic authentication link). Talk to your Okta admin on how to get this link.
https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/integrate/single-sign-on/task/t...