ServiceNow doesn't recognize SAML response from IdP

oleg7
Tera Contributor

I'm configuring SAML2 authentication. All the settings look fine, but when a user tries to log in they get redirected to the Identity Provider and successfully log in there; then the IdP redirects the user back to ServiceNow and ... the user is still not authenticated in SN.

I tried to debug the authentication process by pressing "Test Connection" in the properties form, and here is what I get in the log:

08/02/17 13:46:15 (963) Testing SSO: 0e42df80dbaae644524836fffe9619ec

08/02/17 13:46:15 (966) Read from column : name, value: idporten-sptest2.difi.no-TEST
08/02/17 13:46:15 (967) Use the SSOHelper passed in.
08/02/17 13:46:15 (967) Read from column : service_url, value: https://trondheimcsmtest.service-now.com/csm
08/02/17 13:46:15 (968) Read from column : clock_skew, value: 60
08/02/17 13:46:15 (968) Read from column : idp_authnrequest_url, value: https://idporten-ver1.difi.no/opensso/SSORedirect/metaAlias/norge.no/idp3
08/02/17 13:46:15 (968) Read from column : service_url, value: https://trondheimcsmtest.service-now.com/csm
08/02/17 13:46:15 (969) Read from column : force_authn, value: 1
08/02/17 13:46:15 (969) Read from column : is_passive, value: 0
08/02/17 13:46:15 (970) Read from column : issuer, value: trondheimcsmtest
08/02/17 13:46:15 (971) Read from column : nameid_policy, value: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
08/02/17 13:46:15 (972) Read from column : service_url, value: https://trondheimcsmtest.service-now.com/csm
08/02/17 13:46:15 (972) Read from column : idp_authnrequest_url, value: https://idporten-ver1.difi.no/opensso/SSORedirect/metaAlias/norge.no/idp3
08/02/17 13:46:15 (972) Read from column : createrequestedauthncontext, value: 0
08/02/17 13:46:15 (978) SAML Request xml: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://XXXXX.service-now.com/csm" Destination="https://XXXXXX" ForceAuthn="true" ID="SNC346566be21a179b61b68abfa860786d8" IsPassive="false" IssueInstant="2017-08-02T11:46:15.970Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://XXXXX.service-now.com/csm" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">XXXXXXX</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></saml2p:AuthnRequest>
08/02/17 13:46:15 (979) Stripping down the serviceURL: https://XXXXXX.service-now.com/csm to a base URL of: https://XXXXXXX.service-now.com
08/02/17 13:46:15 (979) Generating a Test Connection Relay State of: https://XXXXXX.service-now.com/csmSNCRSEPsysparm_saml_tc=true&glide_sso_id=0e42df80dbaae644524836fffe9619ec&exit_name=MultiSSO
08/02/17 13:46:15 (981) Read from column : require_signed_authnrequest, value: 1
08/02/17 13:46:15 (981) Read from column : sign_algorithmuri, value: http://www.w3.org/2000/09/xmldsig#rsa-sha1
08/02/17 13:46:15 (982) Read from column : signing_key_alias, value: authentication certificate
08/02/17 13:46:15 (982) Read from column : signing_key_password, value: ********
08/02/17 13:46:16 (015) Redirecting to: https://XXXXXXXXXX/idp3?SAMLRequest=lVJNb5tAEP0raO98JsFkZSxRW1UtpQkybg65LTCOV2Jn6c7gtP%2B%2BgB0l7cFSrzPvY/a9XZIyXdLLYuAj7uDnAMTeL9MhyfMmF4NDaRVpkqgMkORGVsX3B5kEkeydZdvYTngFETjWFtcWaTDgKnAn3cCP3UMujsw9yTBkZ7E9gjYNGR6dAjqDfLRvQWNNOM6Ftxk3GtUk9kHVbW8dA/oncHHQ6oMO0Ia2BySyYVU97aDVDhoODbAqOq0oROteYYKN5BvhfbWugfmhuWA3gPC2m1xUj%2Bub2/QuTWtIYhUv7us0rtNM1QeVpdEiS9tsBFKpiPQJcnFQHU1UogG2SKyQc5FE8cKPMj9K9nEsb1MZ3wX3i%2BhFeOUloS8aW42v1%2BOszyCS3/b70i%2Bfqv0scNItuMcR/b9JPoOjOcVRXKyWc6Nyvtx9Lvn6Ueq9WbH613UZfpa8GPRyOnW7KW2nm99e0XX2be1AMbzHPhZhFF93nSa69Q8zVLJTSBqQRbi6mP79Z1d/AA%3D%3D&RelayState=https%3A//XXXXXXXXXX.service-now.com/csmSNCRSEPsysparm_saml_tc%3Dtrue%26glide_sso_id%3D0e42df80dbaae644524836fffe9619ec%26exit_name%3DMultiSSO&SigAlg=http%3A//www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=cHatRDH/b/qbaZz2D7J47g1Z8vOc1wnP9q%2B5/8pLPudG6%2Bnaw4WGno6K7YV4xf6gV7xJkTP%2B0nU3Z/%2B3l7qR4oy%2BF1RptHuqFBduBjLHSWovRoXfXG25LqLcW891GCcXjmP0WlGUgzM1EUSz40mR1O1n4Z4I6bvLKjq2TwIi7WKef/LzK7OzaJCuqlemmtSlftiF75SRuvl8t73ulo5q03K0R7sRmw4joW3im1zfqw62j6aFzY8dxU/4nXxiW/8z//mLxM9cIZi3vJdxNWSmLgc4y9h%2BXm62kNVD0gVismcuBUwJ1qOb6oTLgDGfzb2m9LalQh8PafZ/eE3XUJs4/g%3D%3D
08/02/17 13:46:16 (016) Generated request ID: SNC346566be21a179b61b68abfa860786d8

Then I try to enter my credentials; authentication at the IdP is successful, I get redirected back to https://XXXX.service-now.com/csm and NOTHING. ServiceNow still thinks I'm not authenticated. Nothing more in the log.

When I look at the requests made in the browser console, I can clearly see a POST request to https://XXXXX.service-now.com/csm with a SAMLResponse after I enter my user details.

Does anyone have any idea why ServiceNow doesn't respond to a successful SAML Response? Or where should I look?
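As an added illustration (not part of the original post, and not ServiceNow's code), here is a small stdlib-only Python script that decodes the two things visible in this flow: the SAMLRequest in the "Redirecting to:" URL (HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding) and the SAMLResponse form field of the POST seen in the browser console (HTTP-POST binding: plain base64). It then reports the checks a service provider applies before it accepts a response at all: InResponseTo must equal the request ID, the Response Destination must equal the AssertionConsumerServiceURL the request asked for, the POST must actually land on that ACS, and the status must be Success. Hostnames, request IDs and the sample Response are constructed placeholders standing in for the XXX/YYY values masked in the post.

```python
"""Decode the SAML 2.0 messages a browser sees during a Multi-SSO login and check
that the POSTed Response belongs to the AuthnRequest that was sent.
Added example (stdlib only), not ServiceNow's or the poster's code. Hostnames,
IDs and the sample Response are constructed placeholders, not values from the post."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(value):
    """Inverse of encode_redirect; wbits=-15 selects raw deflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def to_post_field(xml_text):
    """HTTP-POST binding: the SAMLResponse form field is plain base64, no deflate."""
    return base64.b64encode(xml_text.encode()).decode()

def decode_post(value):
    return base64.b64decode(value).decode()

def saml_request_from_url(url):
    """Pull the SAMLRequest parameter out of a 'Redirecting to:' URL and decode it."""
    return decode_redirect(parse_qs(urlparse(url).query)["SAMLRequest"][0])

def summarize_authn_request(xml_text):
    """The request fields the IdP echoes back or routes on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise ValueError("not an AuthnRequest: " + root.tag)
    return {"ID": root.get("ID"), "ACS": root.get("AssertionConsumerServiceURL"),
            "Destination": root.get("Destination")}

def summarize_response(xml_text):
    """The response fields an SP compares against its request before trusting it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_P}}}Response":
        raise ValueError("not a Response: " + root.tag)
    code = root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
    return {"InResponseTo": root.get("InResponseTo"),
            "Destination": root.get("Destination"),
            "Status": code.get("Value") if code is not None else None}

def check_pair(req, resp, posted_to):
    """Mismatches that make a service provider reject a Response outright."""
    problems = []
    if resp["InResponseTo"] != req["ID"]:
        problems.append("InResponseTo does not match the request ID")
    if resp["Destination"] != req["ACS"]:
        problems.append("Response Destination differs from the requested ACS")
    if posted_to != req["ACS"]:
        problems.append("browser POSTed to a URL other than the requested ACS")
    if resp["Status"] != SUCCESS:
        problems.append("IdP status is not Success")
    return problems

def diagnose(redirect_url, saml_response_b64, posted_to):
    """Decode a redirect URL plus the POSTed SAMLResponse and report mismatches."""
    req = summarize_authn_request(saml_request_from_url(redirect_url))
    resp = summarize_response(decode_post(saml_response_b64))
    return check_pair(req, resp, posted_to)

# Constructed sample traffic shaped like the post's log, with placeholder hosts/IDs.
ACS = "https://sp.example.com/csm"
IDP = "https://idp.example.org/sso"
REQUEST_ID = "SNC00000000000000000000000000000001"
AUTHN_REQUEST = (
    f'<saml2p:AuthnRequest xmlns:saml2p="{NS_P}" AssertionConsumerServiceURL="{ACS}" '
    f'Destination="{IDP}" ForceAuthn="true" ID="{REQUEST_ID}" IsPassive="false" '
    'IssueInstant="2017-08-02T11:46:15.970Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    f'<saml2:Issuer xmlns:saml2="{NS_A}">sp-example</saml2:Issuer>'
    '<saml2p:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></saml2p:AuthnRequest>'
)
REDIRECT_URL = IDP + "?" + urlencode({"SAMLRequest": encode_redirect(AUTHN_REQUEST),
                                      "RelayState": ACS})

def sample_response(in_response_to, destination):
    """Minimal unsigned Response (constructed; a real one also carries an Assertion)."""
    return (
        f'<saml2p:Response xmlns:saml2p="{NS_P}" ID="R1" Version="2.0" '
        f'IssueInstant="2017-08-02T11:46:20Z" InResponseTo="{in_response_to}" '
        f'Destination="{destination}">'
        f'<saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>'
        '</saml2p:Response>'
    )
```

To use it on real traffic, pass the "Redirecting to:" URL from the log, the SAMLResponse value copied from the browser's network tab, and the URL the POST was sent to, into diagnose(); an empty list means the request and response line up on these four points. The script only inspects; it does not verify the XML signature or the Assertion's audience and time conditions, which a real SP checks next and which are outside what this thread shows.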

8 replies

corina
ServiceNow Employee

Hello Oleg.

Please enable debug under MultiSSO - Properties, and then take the information from System Logs and paste it here.


oleg7
Tera Contributor

Yes, I enabled logging, and those logs in my question are everything I get when authenticating.


corina
ServiceNow Employee

Hello Oleg.

This looks very much like a test connection output.

You can go here: https://YOURINSTANCE.service-now.com/syslog_list.do?sysparm_query=sys_created_onONToday%40javascript...


oleg7
Tera Contributor

Yes, it was test connection output; here are the system logs:



02.08.2017 15:46:32  Information  SAML Request xml: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://XXX.service-now.com/csm" Destination="https://YYY" ForceAuthn="true" ID="SNC0db8519da95cc4a4387a3e08721e4979" IsPassive="false" IssueInstant="2017-08-02T13:46:32.489Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://XXX.service-now.com/csm" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">XXX</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></saml2p:AuthnRequest> *** Script
02.08.2017 15:46:32  Information  Read from column : nameid_policy, value: urn:oasis:names:tc:SAML:2.0:nameid-format:transient *** Script
02.08.2017 15:46:32  Information  userToLogin: https://YYY?SAMLRequest=lVLLbtswEPwVgXe9lVoiLAOKjaIG0sSw3B5yY6h1TEBaqtyV0/59JdlB0x4M9Lo7j%2BUMl6S6Nu... *** Script
02.08.2017 15:46:32  Information  There may be Deep Linking involved with this SAML request *** Script
02.08.2017 15:46:32  Information  ScriptName : MultiSSO_SAML2_Update1 *** Script
02.08.2017 15:46:32  Information  Redirecting to: https://YYY?SAMLRequest=lVLLbtswEPwVgXe9lVoiLAOKjaIG0sSw3B5yY6h1TEBaqtyV0/59JdlB0x4M9Lo7j%2BUMl6S6Nu... *** Script
02.08.2017 15:46:32  Information  SAMLResponseObject not found in GlideController. *** Script
02.08.2017 15:46:32  Information  Generating a Relay State of: https://XXX.service-now.com/saml_redirector.do?sysparm_nostack=true&sysparm_uri=/nav_to.do%3Furi%3D%...