SAML 2 redirecting issue

sachin312
Giga Expert

Hi,

We are using SAML 2.0 to authenticate users to log in to ServiceNow. Everything works fine, but we are facing an issue with deep linking while using the reverse proxy server method. We set up the reverse proxy server in such a way that, for example, if a user accesses 'https://examplesite.com' they will be redirected to the 'https://demo33.service-now.com/cms/exp' CMS page. The issue is that SAML is redirecting to the ServiceNow homepage instead of the CMS page. How can we fix this issue? Is it possible to use a proxy server and SAML together?

Thank you.

5 REPLIES

Rajesh Mushke
Mega Sage

Hello Sachin,


SAML 2.0 troubleshooting


Before contacting support, try the troubleshooting solutions available in the knowledge base on Hi.


Note: The instance does not support solutions provided by external sites.


See the following knowledge base article: KB0540617 "SAML Error Matrix".


Error message: "is not a function."

This issue might occur in a multi-node environment. If the plugin does not get activated on all nodes, an error like the following appears:


org.mozilla.javascript.EcmaError: [JavaPackage org.opensaml.saml2.core.impl.AuthnRequestBuilder] is not a function.



This error occurs because the plugin was not active and did not load the .jar file. Therefore, the code appears to be missing. Contact Technical Support to restart nodes that are missing the plugin.

SAML does not authenticate users accessing CMS pages. By default, CMS pages are public and therefore do not require authentication. If you want SAML to authenticate CMS pages, change the view_content.do public page from active=true to active=false.

Cannot redirect a user back to a CMS page after SAML authentication. By default, the SSO integration uses a URL parameter called URI to control where the user is directed after authentication at the IdP. SSO ignores relative URLs. For example, SSO cannot redirect users to a /ess relative URL. Instead, the user has to navigate to a URL such as /nav_to.do?uri=/ess, which uses deep linking syntax.

However, this puts the ESS portal inside the main navigation content IFrame. In other words, the site does not take up the full page, but rather loads as a page in your instance. For more information, see CMS Sites and Single Sign-On.


If you change the CMS entry page to make it private by setting view_content.do to active=false, deep linking behavior then requires a customization to the Installation Exit login script. Create a script that looks for the URI portion of the URL and constructs a RelayState URL parameter containing the relative URL path to redirect users after authenticating at the IdP.


SAML does not redirect users to the appropriate page after authentication. Determine if the relay state is passed out to the IdP and then passed back during authentication. You can do this with a browser capable of saving HTTP request headers and POST info, such as Chrome with its built-in developer tools, or Firefox with the add-on called HTTPfox. For Internet Explorer, use a third-party application such as Fiddler. The goal is to watch the requests pass from the client (browser) to the instance, and from the client to the IdP.


Thanks,
Rajashekhar Mushke
Rising star : 2022 - 2024
Community Leader -2018
Connect me on LinkedIn : Rajashekhar Mushke
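
The relay-state check described in the reply above, as an added example that is not part of any post in this thread and is not ServiceNow code: it walks a browser capture and reports whether the deep link was lost before the request left the instance or at the IdP. The capture is constructed; the IdP host `idp.example.test`, the `PLACEHOLDER` values and all function names are assumptions.

```javascript
// Constructed capture (not from the thread): the requests a browser makes
// during SP-initiated SAML login, as copied from developer tools.
// idp.example.test and the PLACEHOLDER values are assumptions.
const SP_ORIGIN = 'https://demo33.service-now.com';
const sampleCapture = [
  { method: 'GET', url: SP_ORIGIN + '/cms/exp' },
  { method: 'GET', url: 'https://idp.example.test/sso?SAMLRequest=PLACEHOLDER' +
      '&RelayState=' + encodeURIComponent(SP_ORIGIN + '/navpage.do') },
  { method: 'POST', url: SP_ORIGIN + '/navpage.do',
    body: 'SAMLResponse=PLACEHOLDER&RelayState=' +
      encodeURIComponent(SP_ORIGIN + '/navpage.do') },
];

// Return RelayState from the request that carries samlParam (query or form body).
function relayStateOf(req, samlParam) {
  const query = new URL(req.url).searchParams;
  const form = new URLSearchParams(req.body || '');
  for (const params of [query, form]) {
    if (params.has(samlParam)) return params.get('RelayState');
  }
  return undefined; // not the SAML leg we are looking for
}

// Reduce a RelayState to a path on the instance, or null if it is missing
// or resolves to a different origin (which should never be followed).
function pathOnInstance(relayState, spOrigin) {
  if (!relayState) return null;
  const target = new URL(relayState, spOrigin); // relative values resolve here
  return target.origin === spOrigin ? target.pathname + target.search : null;
}

// Compare the page first requested with the RelayState sent out and returned.
function traceRelayState(capture, spOrigin) {
  const first = new URL(capture[0].url);
  const wanted = first.pathname + first.search;
  const out = capture.map(r => relayStateOf(r, 'SAMLRequest')).find(v => v !== undefined);
  const back = capture.map(r => relayStateOf(r, 'SAMLResponse')).find(v => v !== undefined);
  const sent = pathOnInstance(out, spOrigin);
  const returned = pathOnInstance(back, spOrigin);
  if (sent !== wanted) return { wanted, sent, returned, lostAt: 'instance' };
  if (returned !== sent) return { wanted, sent, returned, lostAt: 'idp' };
  return { wanted, sent, returned, lostAt: null };
}

console.log(traceRelayState(sampleCapture, SP_ORIGIN));
```

A result of `lostAt: 'instance'` means the RelayState was already wrong when the browser was sent to the IdP, so the fix belongs in the login script or proxy configuration rather than at the IdP.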

We have this issue "SAML does not redirect users to the appropriate page after authentication."

The RelayState is always "navpage.do", and the users can only access the appropriate page the second time they click the URL, because on the first click they are authenticated and redirected to navpage, and then they click again to go to the expected page. We couldn't solve this. Do you have any idea how to proceed with this?

Rajesh Mushke
Mega Sage

Please do the step below:

SAML does not authenticate users accessing CMS pages. By default, CMS pages are public and therefore do not require authentication. If you want SAML to authenticate CMS pages, change the view_content.do public page from active=true to active=false.


Thanks,
Rajashekhar Mushke

view_content.do is already set to false. We have this issue when we use the reverse proxy server method to redirect users to the CMS page. When we try to access CMS pages normally, the SAML redirect works fine.