SAML SSO with a Custom URL
05-04-2018 04:20 PM
We have a custom URL for our ServiceNow instance, and I would like to have SSO logins work. SSO is already working on our regular / base ServiceNow URL. Please see the scenario I'm facing below. Please note: I'm not using our real URLs below, but I'll use examples that are basically the same as our environment.
A URL like this: https://service.myfakecompany.com (this isn't a real URL)
Serves up our instance to users: https://ourinstance.service-now.com (also not real)
End users never know the ServiceNow URL - the browser always shows the first URL (our custom URL). Of course you can use either URL, but we want all of our users to use the custom URL.
I didn't set up the custom URL - that was done years ago. I assume we're using this method, but I'm not positive:
https://community.servicenow.com/community?id=community_blog&sys_id=033e22addbd0dbc01dcaf3231f9619d9
We have an A record in our company's DNS that points to an IP address. I believe this server is rewriting the URL to our ServiceNow instance URL. I'm trying to track down whoever manages this server so I can confirm exactly how it's configured and be able to make updates to it if necessary.
We are now implementing SSO using the Multiple Provider SSO plugin. (This Microsoft link describes the method we're using)
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-servicenow-tutorial#configure-azure-ad-single-sign-on-for-servicenow
With the above method, SSO works perfectly with https://ourinstance.service-now.com.
However, when I try from https://service.myfakecompany.com, it does not work. When I attempt an SSO login, this is what happens:
1) Browser briefly flashes error message: Could not validate SAML Response
2) Browser reloads with this text
Logout succeeded
Logout successful
You have successfully logged out.
I need to know how to modify my configuration in ServiceNow or Azure (or both) to make this work from our custom URL. I may also need to modify whatever is happening on the server handling the re-writes, mentioned above. I accept the possibility that this may not work on both URLs… I'm happy if it just works from our custom URL and not the ServiceNow URL.
This is not a technical area that I know much about. I'm aware there are tools like Fiddler that can help me diagnose what is going on, but I don't know how to use them. I'm out of my depth! Thanks in advance for any help.
Labels: Instance Configuration, Integrations
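For comparing what the identity provider sends against the hostname shown in the browser, the following sketch (an added example, not part of the original post or of ServiceNow or Azure tooling) decodes a captured `SAMLResponse` form value and lists its Destination, Recipient and Audience values whose host differs from the custom URL. The sample response, including the `/navpage.do` path, is constructed from the placeholder URLs used in the post.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_url_fields(b64_response):
    """Pull the URL-bearing fields out of a base64 SAMLResponse form value.
    Intended for a response captured from your own login attempt."""
    root = ET.fromstring(base64.b64decode(b64_response))
    dest = root.get("Destination")
    return {
        "Destination": [dest] if dest else [],
        "Recipient": [e.get("Recipient")
                      for e in root.iterfind(".//saml:SubjectConfirmationData", NS)
                      if e.get("Recipient")],
        "Audience": [e.text.strip()
                     for e in root.iterfind(".//saml:Audience", NS) if e.text],
    }

def host_mismatches(fields, browser_url):
    """List (field, value) pairs whose host differs from the URL in the browser.
    An Audience that is not a URL has no host and is reported as well."""
    expected = urlparse(browser_url).hostname
    return [(name, value)
            for name, values in fields.items()
            for value in values
            if urlparse(value).hostname != expected]

# Constructed sample: an IdP app configured only for the instance URL.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://ourinstance.service-now.com/navpage.do">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData
          Recipient="https://ourinstance.service-now.com/navpage.do"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://ourinstance.service-now.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    fields = saml_url_fields(SAMPLE_B64)
    for name, value in host_mismatches(fields, "https://service.myfakecompany.com"):
        print(f"{name} does not match the custom URL host: {value}")
```

The `SAMLResponse` value can be copied from the POST body of the login request in the browser's developer tools or a proxy such as Fiddler.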

01-27-2020 09:48 AM
I submitted a request on Okta's Ideas portal to try and get the ServiceNow UD app updated to support multiple SAML Assertion Consumer Endpoints (which would remove the "workarounds"). If anyone has a login to get to that portal, feel free to vote for it so we can maybe get some traction on it.
07-22-2021 01:42 PM
Can you please help with the changes to be done on the ServiceNow side to enable SSO for both the instance and custom URL?
What's done?
1. Created two separate ServiceNow UD apps in Okta
2. The instance URL SSO works fine
What we need help with?
The SSO for custom URL doesn't work fine. We do get the redirection to the Okta sign-in page, but it takes us to the instance dashboard and not the service portal. What should the IdP record for the custom URL look like?
Any help regarding this is much appreciated.
Thanks!
10-22-2021 12:52 PM
- You can select the portal in the custom URL config page, OR
- Have a look at this page for adding your custom logic to redirect: "Single sign-on, logins, and URL redirects | ServiceNow Docs"