Service-Now SSO failing for nameid-format:transient
07-23-2019 06:43 AM
Our IdP (Shibboleth) only supports the NameID Policy transient (urn:oasis:names:tc:SAML:2.0:nameid-format:transient), and the User Field we match on in the user table is: user_name.
No documentation found in the ServiceNow docs around this transient NameID Policy.
NameID Policy:
User exists in both systems. Getting error: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
User Field: user_name
User: AAdzZWNyZXQxPsj7IyvWeDGT+VrPcWq2m6HSUz9thrCTyzjkSJurl1QKBbDhENb9PK6G+YcwK8L26wubRBGjCEq1XRYbZS6QzPcJa7IHfe77ydlIbBe9smrQdV/Z9XFcD05zVoNhKoKk3IETCFDCp+Qi9ToAAoVYk4U08TuPiZ2imDQ= not found
Ensure that the user you are trying the test connection with is present in the system.
Ensure that 'User Field' property value corresponds to the value set in the IDP returned through 'Subject NameID' in the response.
Labels: Integrations
05-03-2023 05:29 AM
Hello Everyone,
I came across the same issue. In my case I had to adjust the "NameID Policy" field on the Identity Provider record.
In my case the value is: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Official Documentation from Microsoft:
Allowed SAML authentication request's NameIDPolicy formats are:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
If my answer helped you, please mark it as Helpful/Solution.
Thanks & many regards - Manuel
04-02-2024 04:46 AM - edited 04-02-2024 04:48 AM
There's a bit more information around the formats.
This means that transient cannot be used for authentication.
If NameIDPolicy is provided, you can include its optional Format attribute. The Format attribute can have only one of the following values; any other value results in an error.
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Microsoft Entra ID issues the NameID claim as a pairwise identifier.
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Microsoft Entra ID issues the NameID claim in e-mail address format.
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: This value permits Microsoft Entra ID to select the claim format. Microsoft Entra ID issues the NameID claim as a pairwise identifier.
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Microsoft Entra ID issues the NameID claim as a randomly generated value that is unique to the current SSO operation. This means that the value is temporary and cannot be used to identify the authenticating user.
See docs for more info:
https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#nameidpolicy
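To make the point of the two replies above concrete (Manuel's switch to the emailAddress format, and the Microsoft note that a transient NameID is a random per-SSO value), here is an added Python example. It is not code from this thread, from ServiceNow, Shibboleth or Microsoft Entra ID; it is a toy model of both sides of the exchange. Assumptions: the SAML Response is minimal and unsigned (no Signature, Conditions or AudienceRestriction, which a real SP must verify), the `USERS` dict stands in for the ServiceNow sys_user table keyed by user_name with constructed records, and the transient value is generated with `secrets` the way the opaque value in the first post looks. The IdP-side format check mirrors the "any other value results in an error" rule from the quoted documentation.

```python
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}

FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# The four NameIDPolicy Format values the quoted Microsoft doc accepts in an AuthnRequest.
ALLOWED_FORMATS = {FMT_PERSISTENT, FMT_TRANSIENT, FMT_EMAIL, FMT_UNSPECIFIED}

# Constructed stand-in for the ServiceNow sys_user table, keyed by user_name
# (hypothetical data; in this tenant user_name holds the e-mail address).
USERS = {
    "jane.doe@example.com": {"name": "Jane Doe"},
    "bob.smith@example.com": {"name": "Bob Smith"},
}


def check_name_id_policy(fmt):
    """IdP side: a NameIDPolicy Format outside the allowed set is rejected as an error."""
    return fmt in ALLOWED_FORMATS


def issue_name_id(fmt, user_name):
    """Toy IdP: the value placed in Subject/NameID for the requested format."""
    if fmt == FMT_EMAIL:
        return user_name                      # stable, human-readable, matches user_name
    if fmt == FMT_TRANSIENT:
        # Fresh random token for this one SSO operation; it never repeats and
        # carries no link to the account, like the opaque value in the first post.
        return secrets.token_urlsafe(32)
    raise ValueError("format not modelled in this example: " + fmt)


def build_response(fmt, user_name):
    """Constructed, unsigned, minimal <samlp:Response> for illustration only."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    resp = ET.Element(f"{{{SAMLP_NS}}}Response",
                      {"ID": "_" + secrets.token_hex(8), "Version": "2.0"})
    assertion = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion", {"Version": "2.0"})
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", {"Format": fmt})
    name_id.text = issue_name_id(fmt, user_name)
    return ET.tostring(resp, encoding="unicode")


def extract_name_id(xml_text):
    """SP side: return (Format, value) from Response/Assertion/Subject/NameID."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("no Subject NameID in response")
    return node.get("Format", FMT_UNSPECIFIED), (node.text or "").strip()


def match_user(xml_text, users=USERS):
    """Reproduce the 'User Field' lookup ServiceNow does on the Subject NameID.

    Returns (record or None, reason). A transient NameID is refused up front:
    a per-session random value can never equal a stored user_name."""
    fmt, value = extract_name_id(xml_text)
    if fmt == FMT_TRANSIENT:
        return None, "transient NameID is a random per-SSO value; it cannot match any user_name"
    record = users.get(value)
    if record is None:
        return None, f"User: {value} not found"
    return record, "ok"


if __name__ == "__main__":
    for fmt in (FMT_EMAIL, FMT_TRANSIENT):
        xml_text = build_response(fmt, "jane.doe@example.com")
        print(fmt.rsplit(":", 1)[1], "->", match_user(xml_text))
```

Running the block shows the emailAddress response resolving to Jane Doe and the transient response failing with the same shape of message the original poster saw: the value in the error is the one-off token, not anything stored in the user table. The fix in Manuel's reply follows directly: request a format whose value is stable and equal to the User Field (emailAddress here), or, if the IdP can only issue transient, have the SP match on a SAML attribute rather than the Subject NameID.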