Service-Now SSO failing for nameid-format:transient

Raj Rayala1

Our IDP (Shibboleth) only supports the transient NameID Policy (urn:oasis:names:tc:SAML:2.0:nameid-format:transient), and the User Field we match in the user table is: user_name.

No documentation found in the ServiceNow docs around this transient NameID Policy.

NameID Policy

The user exists in both systems. Getting error: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

User Field : user_name

User: AAdzZWNyZXQxPsj7IyvWeDGT+VrPcWq2m6HSUz9thrCTyzjkSJurl1QKBbDhENb9PK6G+YcwK8L26wubRBGjCEq1XRYbZS6QzPcJa7IHfe77ydlIbBe9smrQdV/Z9XFcD05zVoNhKoKk3IETCFDCp+Qi9ToAAoVYk4U08TuPiZ2imDQ= not found

Ensure that the user you are trying the test connection with is present in the system.


Ensure that 'User Field' property value corresponds to the value set in the IDP returned through 'Subject NameID' in the response.


Hey Nisha,

Look at the SAML response and see what is coming back in it. These values are case sensitive, so make sure to use whatever comes back in your Name ID attribute.

"Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>rrayala@emaildomain.com</AttributeValue>".


This is what you have to use in the Name ID Attribute (Advanced tab) of your SAML configuration. For your reference, here is what I had in my SAML configuration.

ServiceNow support was also very helpful in assisting with this.

[screenshot: SAML configuration, Advanced tab]
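As an added example (not code from the thread or from ServiceNow), the script below parses a constructed SAML response shaped like the one discussed here, shows why a transient Subject NameID cannot be matched against a user field, and resolves a configured attribute name to the value that must match the user record exactly, including letter case. The user table, claim names used as configuration values, and the response itself are assumptions built for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample response (trimmed: no signature, conditions or authn
# statement), shaped like the one posted in the thread. Not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">WC65XMQsjxbQrrSymyskxdvGxJTzsueR+Sw3o8T85rM=</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>TEST.USER@EXAMPLE.COM</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>TEST.USER@AZURE.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the sys_user table. The second record deliberately
# differs from the assertion value only in letter case.
USER_TABLE = [
    {"user_name": "TEST.USER@EXAMPLE.COM", "name": "Test User"},
    {"user_name": "test.user@azure.com", "name": "Azure Test User"},
]


def parse_subject(xml_text):
    """Return (NameID Format, NameID value) from the assertion's Subject."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    return nameid.get("Format"), (nameid.text or "").strip()


def attribute_value(xml_text, attr_name):
    """Return the first AttributeValue for the attribute with this Name, or None."""
    root = ET.fromstring(xml_text)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            return (value.text or "").strip() if value is not None else None
    return None


def resolve_user(xml_text, name_id_attribute=None, user_field="user_name"):
    """Mimic the SP-side matching step: pick the identifier that will be
    compared against the user table and explain why it does or does not match."""
    fmt, subject = parse_subject(xml_text)
    if name_id_attribute is None:
        # No attribute configured: the Subject NameID itself is compared.
        if fmt == TRANSIENT:
            return {"matched": False, "identifier": subject,
                    "reason": "transient NameID is an opaque per-session value; "
                              "configure a Name ID attribute instead"}
        identifier = subject
    else:
        identifier = attribute_value(xml_text, name_id_attribute)
        if identifier is None:
            return {"matched": False, "identifier": None,
                    "reason": f"attribute {name_id_attribute} not present in assertion"}
    # Exact, case-sensitive comparison, as the reply above notes.
    for user in USER_TABLE:
        if user.get(user_field) == identifier:
            return {"matched": True, "identifier": identifier,
                    "reason": f"exact match on {user_field}"}
    # Diagnose the common near-miss: same value, different case.
    for user in USER_TABLE:
        if user.get(user_field, "").lower() == identifier.lower():
            return {"matched": False, "identifier": identifier,
                    "reason": f"case differs from stored {user_field} {user[user_field]!r}"}
    return {"matched": False, "identifier": identifier,
            "reason": f"no user with {user_field} == {identifier!r}"}


if __name__ == "__main__":
    for attr in (None, EMAIL_CLAIM, NAME_CLAIM):
        print(attr, "->", resolve_user(SAMPLE_RESPONSE, attr))
```

Run stand-alone it prints three outcomes: no attribute configured (transient NameID rejected with an explanation), the email claim (exact match), and the name claim (rejected because only the case differs from the stored value), which is the distinction the reply above is making.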

@Raj Rayala, thanks for your reply.

Below is the SAML response I am receiving:

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">WC65XMQsjxbQrrSymyskxdvGxJTzsueR+Sw3o8T85rM=</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="SNC22e734459926b200ac6208111d385d20" NotOnOrAfter="2021-05-24T18:41:09.672Z" Recipient="https://instance.service-now.com/navpage.do"/></SubjectConfirmation></Subject><Conditions NotBefore="2021-05-24T17:36:09.672Z" NotOnOrAfter="2021-05-24T18:41:09.672Z"><AudienceRestriction><Audience>https://instance.service-now.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>b3f4f7c2-72ce-4192-aba4-d6c7719b57009</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>b8f7a6a0-b0de-4536-896d-2cc05bf32880</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>TEST USER</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/b3f4f7c2-72ce-4192-aba4-d6c7719b57009/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>TEST</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>USER</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>TEST.USER@EXAMPLE.COM</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>TEST.USER@AZURE.com</AttributeValue></Attribute><Attribute Name="company"><AttributeValue>test</AttributeValue></Attribute><Attribute Name="location"><AttributeValue>testing</AttributeValue></Attribute><Attribute Name="country"><AttributeValue>US</AttributeValue></Attribute><Attribute Name="city"><AttributeValue>Minneapolis</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2021-05-24T17:40:46.495Z" SessionIndex="_c5a8cb35-b068-48da-8964-a54225d2dc9900"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

Which field value and which field should I use in that NameID Attribute?
TEST.USER@AZURE.com - this email address is coming from Azure AD.

TEST.USER@EXAMPLE.COM - this user's email address is present in the system.

Could you please help me with this?

In your screenshot you set this as "EMPLID"; in my case, should I use the "name" field in the NameID attribute?
In the user table, the "name" field contains the full name.

Thanks and Regards,

Nisha Singh

Yes, please use "name" as your "NameID attribute". Let me know if that works.


Thanks,
Raj

Vaibhav Kumar Y

Hey Raj,

While testing the connection, it shows "You signed out of your account" instead of showing the test result.

[screenshot: test connection result]

Can you please tell me what is going wrong?
Thanks,

Vaibhav


Hi Vaibhav,

Did you resolve your issue? I am facing a similar problem right now as well.


Thanks 

Piotr