SAML 2.0 - need help with RelayState issue - not working when a session is already open

‎11-19-2016 07:18 AM
Hi,
We have SAML 2.0 configured (client uses ADFS 2.0) to include a relay state in the URL. The problem is with deep linking from email notifications.
What happens is, if the user does not have a browser open / ServiceNow session running - they get authenticated properly and taken to the deep link page (in this case, my_approvals in service portal). However, if they already did that once or simply have SN open in a browser, any subsequent link from notification ends up on the main page instead of the correct deep link page.
It looks like the Relay State is only processed correctly the first time and any subsequent links get 'trimmed'... it is beyond my level of competence regarding ADFS so any help would be greatly appreciated.
The link in the notification is constructed as below (<> are replaced with real values of course):
https:// adfs.<CLIENTNAME>.ag/adfs/ls/IdpinitiatedSignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252F<INSTANCE>.service-now.com%26RelayState%3Dhttps://<INSTANCE>.service-now.com/service_management/my_approvals.do
Any suggestions? thanks a lot!
‎01-10-2018 12:17 PM
We have the most recent version, and we have already customized our copy of the script (which led to other problems).
When do you want "nav_to.do?uri=" inserted into a URL? (Most of the time, if you are using the "standard" ServiceNow interface, UI16 or UI15 or whatever -- anything with the usual application navigator along the left side). When do you NOT want this? When you are using a service portal. How do you know the difference? Good question.
I'm investigating customizing the script, and these are the kinds of questions that are coming up. It's complicated.
-- lauri
‎02-04-2018 11:24 PM
Hi Lauri,
We have a similar requirement where we want to redirect users to different homepages (different service portals) based on their role/group. Is it possible to do this by changing code in the same MultiSSO_SAML2_Update1 with a different relayState?
I found this link but am not able to find the script where to change the code: http://www.john-james-andersen.com/blog/service-now/add-role-based-home-pages-with-saml-2-0-in-servi...
‎02-05-2018 05:36 AM
We have not found a good solution to this. I'm beginning to think that there is no perfect solution. The permutations seem to involve two intertwingled questions:
1) when do you want a 'nav_to.do?uri=' inserted into the URL? when not?
2) when do you want to HTML-encode the URL, and when not?
The logic for number 2 might be possible (look for some probably-there-already-if-the-URL-is-already-encoded characters such as "%20" (space) or "%3F" (?) or "%3D" (=), and if you find any of these, then assume the URL has already been meta-quoted, do not repeat).
The logic for number 1 is MUCH harder, and involves running through any and all sp_portal names that may exist in your instance (because if you're going to a portal, you don't want the nav_to.do which sends you back to the old CMS UI). And maybe some intelligence about figuring out if you are in a "deep link" URL or not (refreshing credentials for the iframe, as opposed to landing on a page from the start).
No good answers at present.
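A sketch of the two checks described in the post above, added here as an example; it is not the poster's code and not ServiceNow's MultiSSO script. The function names and the portal suffix list are assumptions, and the sample paths in the comments are constructed.

```javascript
// Hypothetical list of portal URL suffixes (constructed sample values).
// On a real instance these would be read from the sp_portal table.
const PORTAL_SUFFIXES = ['sp', 'service_management'];

// Question 2 from the post: an escape for space, '?' or '=' suggests the
// value has already been percent-encoded and must not be encoded again.
function looksEncoded(value) {
  return /%(20|3F|3D)/i.test(value);
}

// Question 1 from the post: a path whose first segment is a known portal
// suffix must not be wrapped in nav_to.do.
function targetsPortal(path) {
  const first = path.replace(/^\/+/, '').split(/[\/?#]/)[0];
  return PORTAL_SUFFIXES.includes(first.toLowerCase());
}

// Returns the landing path for a relay-state path, wrapped and encoded
// at most once.
function buildLandingPath(relayPath) {
  // Already wrapped: leave untouched so the uri value is not re-encoded.
  if (/^\/?nav_to\.do\?/i.test(relayPath)) {
    return relayPath;
  }
  // Work on the decoded form so both decisions see the plain path.
  let plain = relayPath;
  if (looksEncoded(relayPath)) {
    try {
      plain = decodeURIComponent(relayPath);
    } catch (e) {
      plain = relayPath; // malformed escape: treat the value as unencoded
    }
  }
  if (!plain.startsWith('/')) {
    plain = '/' + plain;
  }
  if (targetsPortal(plain)) {
    return plain; // e.g. /service_management/my_approvals.do stays as-is
  }
  // Standard UI page: wrap in nav_to.do and encode exactly once.
  return '/nav_to.do?uri=' + encodeURIComponent(plain);
}
```

The heuristic in `looksEncoded` is only as reliable as the post says it is: a plain path that legitimately contains one of those three escapes will be decoded once before it is wrapped.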
‎12-07-2018 05:41 AM
We are experiencing this issue in Kingston. Has anyone found a fix for it yet?
First login lands a non-roled user onto the service portal. Second attempt lands at the default self-service user homepage.
‎12-28-2018 09:27 PM
I've posted a potential solution here: https://community.servicenow.com/community?id=community_question&sys_id=53e4872ddbd8dbc01dcaf3231f961926