Service Portal login page ignoring glide_sso_id cookie.
‎07-07-2020 04:25 AM
Hi,
We are currently using 2 different SAML IDPs in our ServiceNow instance and are testing the Multi-Provider SSO module to provide SSO seamlessly for users coming from both IDPs.
Referring to this flow: https://docs.servicenow.com/bundle/orlando-platform-administration/page/integrate/authentication/con...l
After successfully entering your username using "use external login" and redirection and login to the correct IDP (determined by SSO provider in User profile or determined by default IDP), a cookie is set "glide_sso_id" with the identifier of your IDP in the browser. When you reconnect to ServiceNow, this cookie will automatically redirect you again to your IDP, even when logged off completely, without having to first specify your username in SNOW login page.
This all works great in the backend of ServiceNow, but ServiceNow will completely ignore the "glide_sso_id" cookie in the Service Portal and will always send you to the Service Portal login page where you have to select "external login" again and have to fill in your username again.
Can anyone help me where to alter this behavior so the Service Portal will also check this cookie for seamless redirection to the correct IDP?
‎03-07-2024 02:25 PM
You will have to customize your login widget so that it responds to the glide_sso_cookie. This is what I did.
In the server script, grab the cookie value with the following:
```javascript
var request = GlideTransaction.get().getRequest();
var cookies = request.getCookies();
data.user_idp = GlideCookieMan.getCookieValue(cookies, 'glide_sso_id');
```
Then, in the client script, you can check for the presence of "data.user_idp" and redirect to that if available (see lines 1 and 8):
```javascript
if (!c.data.is_logged_in && c.data.multisso_enabled && c.data.user_idp) {
    var pageId = $location.search().id || $scope.page.id;
    var isLoginPage = ($scope.portal.login_page_dv == pageId) || ('login' == pageId);
    c.server.get({
        action: "set_sso_destination",
        pageURI: isLoginPage ? null : $location.url()
    }).then(function() {
        $window.location = "/login_with_sso.do?glide_sso_id=" + c.data.user_idp;
    });
} else if (!c.data.is_logged_in && c.data.certAuthRedirect && c.data.cert_based_auth && c.data.certHeader == "true") {
    login(null, null, true);
}
```
Note that this is customized OOB code in the Login widget (/sp_widget.do?sys_id=6506d341cb33020000f8d856634c9cdc). For my scenario, I simply replaced "c.data.default_idp" with the new "c.data.user_idp" property since no default IdP is set. Keep in mind that users will need to clear their cookies if an IdP is deactivated.
If you have a default IdP and still want users to be redirected to that, you could use the code snippet above twice--one referencing "c.data.user_idp" and another referencing "c.data.default_idp".
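
An added example, not part of the reply above and not ServiceNow's own widget code: because the `glide_sso_id` cookie is a browser-controlled value that ends up in a redirect URL, the sketch below checks it before use and falls back to the default IdP when the cookie is malformed or points at a deactivated IdP. The function name `resolveSsoRedirect`, the `activeIdpIds` list and the sample sys_ids are assumptions made for illustration; it also assumes an IdP identifier is a 32-character lowercase hex sys_id.

```javascript
// Added example. Pure function, so it runs outside the platform as well.
// Assumption: an IdP identifier is a sys_id (32 lowercase hex characters).
var SYS_ID_RE = /^[0-9a-f]{32}$/;

/**
 * Decide where the login widget should send an unauthenticated user.
 * cookieIdp    - raw glide_sso_id cookie value (data.user_idp in the reply)
 * activeIdpIds - hypothetical array of sys_ids of currently active IdPs
 * defaultIdp   - c.data.default_idp, or null when no default IdP is set
 * Returns a relative URL, or null to show the normal login form.
 */
function resolveSsoRedirect(cookieIdp, activeIdpIds, defaultIdp) {
    // The cookie is tried first, then the default IdP.
    var candidates = [cookieIdp, defaultIdp];
    for (var i = 0; i < candidates.length; i++) {
        var id = candidates[i];
        // Reject missing values and anything that is not a bare sys_id,
        // so extra query parameters cannot ride along in the cookie.
        if (typeof id !== 'string' || !SYS_ID_RE.test(id)) {
            continue;
        }
        // Skip a stale cookie that names a deactivated IdP instead of
        // redirecting to it; the user no longer has to clear cookies.
        if (activeIdpIds.indexOf(id) === -1) {
            continue;
        }
        return '/login_with_sso.do?glide_sso_id=' + encodeURIComponent(id);
    }
    return null;
}

// Constructed sample sys_ids, not taken from any real instance.
var IDP_A = '0123456789abcdef0123456789abcdef';
var IDP_B = 'fedcba9876543210fedcba9876543210';

function demo() {
    return [
        resolveSsoRedirect(IDP_A, [IDP_A, IDP_B], null),   // cookie accepted
        resolveSsoRedirect(IDP_B, [IDP_A], IDP_A),         // stale cookie, default used
        resolveSsoRedirect(IDP_A + '&x=1', [IDP_A], null)  // malformed cookie, login form
    ];
}
```

In the widget, the server script would compute this once and expose the result to the client script in place of the raw cookie value.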