ServiceNow doesn't recognize SAML response from IdP
08-02-2017 05:04 AM
I'm configuring SAML2 authentication, all the settings look fine, but when a user tries to log in they get redirected to the Identity Provider and successfully log in there, then the IdP redirects the user back to ServiceNow and ... the user is still not authenticated in SN.
I tried to debug the authentication process by pressing "Test Connection" in the properties form and here is what I get in the log:
08/02/17 13:46:15 (963) Testing SSO: 0e42df80dbaae644524836fffe9619ec
08/02/17 13:46:15 (966) Read from column : name, value: idporten-sptest2.difi.no-TEST
08/02/17 13:46:15 (967) Use the SSOHelper passed in.
08/02/17 13:46:15 (967) Read from column : service_url, value: https://trondheimcsmtest.service-now.com/csm
08/02/17 13:46:15 (968) Read from column : clock_skew, value: 60
08/02/17 13:46:15 (968) Read from column : idp_authnrequest_url, value: https://idporten-ver1.difi.no/opensso/SSORedirect/metaAlias/norge.no/idp3
08/02/17 13:46:15 (968) Read from column : service_url, value: https://trondheimcsmtest.service-now.com/csm
08/02/17 13:46:15 (969) Read from column : force_authn, value: 1
08/02/17 13:46:15 (969) Read from column : is_passive, value: 0
08/02/17 13:46:15 (970) Read from column : issuer, value: trondheimcsmtest
08/02/17 13:46:15 (971) Read from column : nameid_policy, value: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
08/02/17 13:46:15 (972) Read from column : service_url, value: https://trondheimcsmtest.service-now.com/csm
08/02/17 13:46:15 (972) Read from column : idp_authnrequest_url, value: https://idporten-ver1.difi.no/opensso/SSORedirect/metaAlias/norge.no/idp3
08/02/17 13:46:15 (972) Read from column : createrequestedauthncontext, value: 0
08/02/17 13:46:15 (978) SAML Request xml: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://XXXXX.service-now.com/csm" Destination="https://XXXXXX" ForceAuthn="true" ID="SNC346566be21a179b61b68abfa860786d8" IsPassive="false" IssueInstant="2017-08-02T11:46:15.970Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://XXXXX.service-now.com/csm" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">XXXXXXX</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></saml2p:AuthnRequest>
08/02/17 13:46:15 (979) Stripping down the serviceURL: https://XXXXXX.service-now.com/csm to a base URL of: https://XXXXXXX.service-now.com
08/02/17 13:46:15 (979) Generating a Test Connection Relay State of: https://XXXXXX.service-now.com/csmSNCRSEPsysparm_saml_tc=true&glide_sso_id=0e42df80dbaae644524836fffe9619ec&exit_name=MultiSSO
08/02/17 13:46:15 (981) Read from column : require_signed_authnrequest, value: 1
08/02/17 13:46:15 (981) Read from column : sign_algorithmuri, value: http://www.w3.org/2000/09/xmldsig#rsa-sha1
08/02/17 13:46:15 (982) Read from column : signing_key_alias, value: authentication certificate
08/02/17 13:46:15 (982) Read from column : signing_key_password, value: ********
08/02/17 13:46:16 (015) Redirecting to: https://XXXXXXXXXX/idp3?SAMLRequest=lVJNb5tAEP0raO98JsFkZSxRW1UtpQkybg65LTCOV2Jn6c7gtP%2B%2BgB0l7cFSrzPvY/a9XZIyXdLLYuAj7uDnAMTeL9MhyfMmF4NDaRVpkqgMkORGVsX3B5kEkeydZdvYTngFETjWFtcWaTDgKnAn3cCP3UMujsw9yTBkZ7E9gjYNGR6dAjqDfLRvQWNNOM6Ftxk3GtUk9kHVbW8dA/oncHHQ6oMO0Ia2BySyYVU97aDVDhoODbAqOq0oROteYYKN5BvhfbWugfmhuWA3gPC2m1xUj%2Bub2/QuTWtIYhUv7us0rtNM1QeVpdEiS9tsBFKpiPQJcnFQHU1UogG2SKyQc5FE8cKPMj9K9nEsb1MZ3wX3i%2BhFeOUloS8aW42v1%2BOszyCS3/b70i%2Bfqv0scNItuMcR/b9JPoOjOcVRXKyWc6Nyvtx9Lvn6Ueq9WbH613UZfpa8GPRyOnW7KW2nm99e0XX2be1AMbzHPhZhFF93nSa69Q8zVLJTSBqQRbi6mP79Z1d/AA%3D%3D&RelayState=https%3A//XXXXXXXXXX.service-now.com/csmSNCRSEPsysparm_saml_tc%3Dtrue%26glide_sso_id%3D0e42df80dbaae644524836fffe9619ec%26exit_name%3DMultiSSO&SigAlg=http%3A//www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=cHatRDH/b/qbaZz2D7J47g1Z8vOc1wnP9q%2B5/8pLPudG6%2Bnaw4WGno6K7YV4xf6gV7xJkTP%2B0nU3Z/%2B3l7qR4oy%2BF1RptHuqFBduBjLHSWovRoXfXG25LqLcW891GCcXjmP0WlGUgzM1EUSz40mR1O1n4Z4I6bvLKjq2TwIi7WKef/LzK7OzaJCuqlemmtSlftiF75SRuvl8t73ulo5q03K0R7sRmw4joW3im1zfqw62j6aFzY8dxU/4nXxiW/8z//mLxM9cIZi3vJdxNWSmLgc4y9h%2BXm62kNVD0gVismcuBUwJ1qOb6oTLgDGfzb2m9LalQh8PafZ/eE3XUJs4/g%3D%3D
08/02/17 13:46:16 (016) Generated request ID: SNC346566be21a179b61b68abfa860786d8
Then I try to enter my credentials, authentication at the IdP is successful, I get redirected back to https://XXXX.service-now.com/csm and NOTHING. Service-Now still thinks I'm not authenticated. Nothing more in the log.
When I try to look at the requests made in the browser console, I can clearly see a POST request to https://XXXXX.service-now.com/csm with SAMLResponse after I enter my user details.
Does anyone have any idea why service-now doesn't respond to a successful SAML Response? Or where should I look?
Labels: Integrations
08-02-2017 07:01 AM
I think the output should be a bit longer.
I can see this:
==
Information SAMLResponseObject not found in GlideController
==
Do you maybe also see
==
SAML failed to login, Status code is urn:oasis:names:tc:SAML:2.0:status:Responder. When it is supposed to be urn:oasis:names:tc:SAML:2.0:status:Success: no thrown error
==
If yes, it means a response cannot be found.
It cut my previous update somehow; I was asking for a print screen with the identity provider settings if possible, as it should not take you back to csm, but to the homepage.
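The answer above points at the two things the SP checks first: whether a SAMLResponse arrives at all, and whether its StatusCode is Success rather than Responder. When a POST with a SAMLResponse is visible in the browser but the SP still treats the session as anonymous, the response usually fails one of the standard SAML 2.0 acceptance checks. The script below is an added diagnostic, not code from this thread or from ServiceNow: it decodes a captured SAMLResponse (HTTP-POST binding) or SAMLRequest (HTTP-Redirect binding) and reports which standard check would reject it, using the service_url, issuer and request ID from the Test Connection log in the question as the expected values. It does not verify the XML signature, which a real SP must do before trusting any of these fields; the IdP issuer URL and the sample response it builds are constructed for the test.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

# What this SP expects, taken from the Test Connection log in the question
# (service_url column, issuer column, and the generated request ID).
EXPECTED = {
    "acs_url": "https://trondheimcsmtest.service-now.com/csm",
    "request_id": "SNC346566be21a179b61b68abfa860786d8",
    "issuer": "trondheimcsmtest",
}


def decode_redirect_request(saml_request_param: str) -> str:
    """HTTP-Redirect binding: SAMLRequest is base64 of raw DEFLATE data (no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def encode_redirect_request(xml_text: str) -> str:
    """Inverse of decode_redirect_request; used here only to build test input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def _parse_ts(value: str) -> datetime:
    # SAML timestamps are UTC; fractional seconds are optional.
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(saml_response_param, expected, now=None, clock_skew=60):
    """Return the reasons an SP would reject this POST-binding SAMLResponse ([] = passes these checks).
    Signature verification is deliberately out of scope for this diagnostic."""
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=clock_skew)  # the thread's clock_skew column is 60
    root = ET.fromstring(base64.b64decode(saml_response_param))
    findings = []
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    if root.get("Destination") != expected["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {expected['acs_url']!r}")
    if root.get("InResponseTo") != expected["request_id"]:
        findings.append(f"InResponseTo {root.get('InResponseTo')!r} does not match the request ID the SP generated")
    code_el = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    code = code_el.get("Value") if code_el is not None else None
    if code != STATUS_SUCCESS:
        msg_el = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage")
        msg = f" ({msg_el.text})" if msg_el is not None and msg_el.text else ""
        findings.append(f"StatusCode is {code}, expected {STATUS_SUCCESS}{msg}")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        findings.append("no plaintext saml:Assertion (absent, or an EncryptedAssertion the SP cannot decrypt)")
        return findings
    aud = assertion.find(f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    if aud is None or aud.text != expected["issuer"]:
        findings.append(f"Audience {(aud.text if aud is not None else None)!r} != SP issuer {expected['issuer']!r}")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        if cond.get("NotBefore") and _parse_ts(cond.get("NotBefore")) - skew > now:
            findings.append("assertion NotBefore is in the future beyond clock skew")
        if cond.get("NotOnOrAfter") and _parse_ts(cond.get("NotOnOrAfter")) + skew <= now:
            findings.append("assertion NotOnOrAfter has passed beyond clock skew")
    return findings


def build_response(status_code, destination, in_response_to, audience, now):
    """Constructed, unsigned sample response used only to exercise check_response() offline."""
    ts = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    assertion = ""
    if status_code == STATUS_SUCCESS:  # a Responder status carries no assertion
        assertion = (
            f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="{ts(now)}">'
            f'<saml:Issuer>https://idp.example.test</saml:Issuer>'  # placeholder IdP issuer
            f'<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{ts(now - timedelta(seconds=30))}" NotOnOrAfter="{ts(now + timedelta(minutes=5))}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion>'
        )
    xml_text = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" IssueInstant="{ts(now)}" '
        f'Destination="{destination}" InResponseTo="{in_response_to}">'
        f'<samlp:Status><samlp:StatusCode Value="{status_code}"/></samlp:Status>'
        f'{assertion}</samlp:Response>'
    )
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    now = datetime(2017, 8, 2, 11, 46, 30, tzinfo=timezone.utc)  # matches the log's IssueInstant window
    e = EXPECTED
    ok = build_response(STATUS_SUCCESS, e["acs_url"], e["request_id"], e["issuer"], now)
    print("good response:", check_response(ok, e, now=now))
    failed = build_response(STATUS_RESPONDER, e["acs_url"], e["request_id"], e["issuer"], now)
    print("Responder status:", check_response(failed, e, now=now))
    wrong_acs = build_response(STATUS_SUCCESS, "https://trondheimcsmtest.service-now.com/", e["request_id"], e["issuer"], now)
    print("Destination mismatch:", check_response(wrong_acs, e, now=now))
```

To use it on a real capture, paste the SAMLResponse form field from the browser's network tab into check_response() and the SAMLRequest query parameter from the redirect into decode_redirect_request(); a Destination that ends in a different path than service_url, an InResponseTo that does not match the logged "Generated request ID", or a non-Success StatusCode each explain an SP that silently drops the response.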
08-02-2017 07:09 AM
08-02-2017 07:12 AM
08-02-2017 07:21 AM
Thanks, we will test it now.