ServiceNow instance is not sending an AuthnRequest to IdP
11-25-2014 12:46 PM
Hi,
I'm testing out our dev ServiceNow instance's SAML 2.0 capabilities with an IdP. After requesting a target resource at the service provider (instance.service-now.com), I get redirected to our configured IdP. The request does not contain a SAMLRequest with the AuthnRequest. As a result, the IdP throws an exception.
1) Is there a SAML Properties setting in ServiceNow that I'm missing, or is there something wrong with my instance such that I should get it reset or SSO re-enabled?
2) Also, I noticed that before I get redirected to the Identity Provider (IdP), there is a logout_redirect call issued. Is this a default action by ServiceNow, to call this logout before the SAML SSO redirect to the IdP?
GET https://dev295.service-now.com/navpage.do HTTP/1.1
GET https://dev295.service-now.com/logout_redirect.do?sysparm_url=https%3A//idp.provider.com%3A9031/idp/SSO.saml2 HTTP/1.1
GET https://idp.provider.com:9031/idp/SSO.saml2 HTTP/1.1
Thanks,
11-25-2014 12:55 PM
Not sure what IdP you are using. For ADFS, I found that the following was useful, and I then did some more work and updated an existing community thread:
Configuring ADFS 2.0 to Communicate with SAML 2.0 - ServiceNow Wiki
https://community.servicenow.com/message/703642#703642
11-25-2014 01:00 PM
I'm using PingFederate. I'm not getting anything from my ServiceNow instance when I initiate. I'm supposed to get an AuthnRequest that is sent to the IdP; instead, nothing is sent.
11-25-2014 01:01 PM
There are a number of properties that don't look right in that instance's SAML settings:
- "The Identity Provider URL which will issue the SAML2 security token with user info." - This may be right, but in most IdPs it is not a URL but a word or something. Just check that.
- "Sign AuthnRequest....." - This should not be checked (it is a new feature) unless your IdP wants the AuthnRequest signed. In order for that to work, the IdP needs to have the ServiceNow certificate installed.
- "The entity identification, or the issuer" - This is normally set to the same value as the property below it, which is the URL of the instance without the navpage.do on the end and without a trailing / either: https://dev295.service-now.com
- "The NameID policy to use for returning the Subject's NameID in the SAMLResponse....." - This may be correct, but just make sure that the "unspecified" token is what your IdP is transforming the value into to use and pass back to ServiceNow.
- The certificate HAS to be the one named "SAML 2.0". The one you have in there named "SAML 2.0 - NL" can stay in there, but the SAML code does not look for that and find it. You either have to change the code to look for "SAML 2.0 - NL", which we don't recommend since you own that code from here on out, or you rename the one you want to use to "SAML 2.0" and rename the test one.
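Since the whole thread turns on whether the redirect to the IdP carries a SAMLRequest at all, here is an added Python example, written for this page and not ServiceNow's own code or anything posted by the participants. It builds the AuthnRequest that a SAML 2.0 service provider sends over the HTTP-Redirect binding from the property values Jason lists (entity ID / issuer, IdP SSO URL, NameID policy, unsigned request) and inspects a captured redirect URL for one, returning None for a bare URL like the third GET in the original trace. The instance and IdP hostnames reuse the thread's values; the ACS path (/navpage.do), the RelayState, the request ID and the `check_properties` helper are assumptions made for the example.

```python
"""Build and inspect a SAML 2.0 AuthnRequest as carried by the HTTP-Redirect binding.

Added example for this thread; not ServiceNow code. Hostnames reuse the values
from the original trace; the ACS path, RelayState and request ID are assumed.
"""
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _attr(value):
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_authn_request(issuer, acs_url, idp_sso_url, nameid_format,
                        request_id=None, issue_instant=None):
    """Return the AuthnRequest XML an SP sends: Issuer is the SP entity ID,
    Destination is the IdP SSO URL, NameIDPolicy is the format the IdP must return."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{_attr(request_id)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{_attr(idp_sso_url)}" ProtocolBinding="{BINDING_POST}" '
        f'AssertionConsumerServiceURL="{_attr(acs_url)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{_attr(nameid_format)}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode("ascii")


def decode_redirect(param):
    """Inverse of encode_redirect for a SAMLRequest query parameter value."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def build_redirect_url(idp_sso_url, xml_text, relay_state=None):
    """What the Location header of the SP's 302 to the IdP should look like."""
    params = {"SAMLRequest": encode_redirect(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if urlparse(idp_sso_url).query else "?"
    return idp_sso_url + sep + urlencode(params)


def inspect_redirect(url):
    """Decode the AuthnRequest in a captured redirect URL.

    Returns None when there is no SAMLRequest parameter at all, which is exactly
    the bare GET to /idp/SSO.saml2 shown in the trace in this thread."""
    qs = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in qs:
        return None
    root = ET.fromstring(decode_redirect(qs["SAMLRequest"][0]))
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    policy = root.find(f"{{{NS_SAMLP}}}NameIDPolicy")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "nameid_format": policy.get("Format") if policy is not None else None,
        # A signed redirect carries SigAlg and Signature as separate query params
        "signed": "SigAlg" in qs and "Signature" in qs,
    }


def check_properties(info, entity_id, idp_sso_url, nameid_format, sign_expected=False):
    """Compare a decoded request with the SP-side property values from the thread;
    returns the list of mismatches (empty means the request matches the config)."""
    expected = {"issuer": entity_id, "destination": idp_sso_url,
                "nameid_format": nameid_format, "signed": sign_expected}
    return [f"{k}: got {info[k]!r}, expected {v!r}"
            for k, v in expected.items() if info[k] != v]


if __name__ == "__main__":
    idp = "https://idp.provider.com:9031/idp/SSO.saml2"
    # Hostnames from the thread; ACS path and RelayState are assumptions
    xml = build_authn_request("https://dev295.service-now.com",
                              "https://dev295.service-now.com/navpage.do",
                              idp, NAMEID_UNSPECIFIED)
    print(inspect_redirect(idp))  # None: the trace's bare redirect carries no request
    good = build_redirect_url(idp, xml, relay_state="/navpage.do")
    print(check_properties(inspect_redirect(good), "https://dev295.service-now.com",
                           idp, NAMEID_UNSPECIFIED))  # []
```

Paste the Location header from the browser trace into `inspect_redirect`: a healthy SP-initiated flow yields a dict whose `issuer` equals the entity ID property, `destination` equals the IdP URL property and `nameid_format` equals the NameID policy, with `signed` False while "Sign AuthnRequest" is unchecked. A None result confirms that the SP never attached a SAMLRequest, so the problem is on the ServiceNow side of the exchange rather than in the IdP's parsing of it.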
11-25-2014 01:16 PM
Thanks for the quick reply Jason.
1. I did have a word in previous steps but changed it since. It still didn't affect the outcome.
2. Again, this was checked in a test, but unchecking it still didn't work.
3. Changed to what you mentioned.
4. Verified that this is what the IdP is using.
5. Renamed the certificate to the appropriate name.
I still don't see the SAMLRequest (AuthnRequest) being sent from ServiceNow. I have a trace set, and there are no parameters sent from ServiceNow when redirected to the IdP.