Simple steps to auto-enable user record on correct SSO login

Igor Kozlov
Tera Expert

Sometimes your source of user data is not fully correct.

It may receive incorrect data from an external source, or it may simply mark a user as disabled temporarily while the user is on vacation.

The script below marks the user record as active as a result of a correct SSO login.

 

Prerequisite

The user should already exist in the system. You could extend the script to create users, but that does not look like good practice to me.

Note that the script reverses a disabled or locked-out state as soon as the identity provider authenticates the user, so it only makes sense when the SSO provider, not the sys_user record, is the authoritative source of whether an account should be active: a deliberately deactivated user whom the IdP still asserts will be re-enabled.

Steps to enable the script:

1. Find the field that maps the SSO user to the ServiceNow user. It is either the user_field of your SSO configuration or a property such as glide.authenticate.multisso.login_locate.user_field. As far as I remember, the property overrides the field.

2. Check your SSO config. Its Single Sign-On Script field should be set to MultiSSOv2_SAML2_custom.

3. Update the MultiSSOv2_SAML2_custom script, setting this.loginField to the field from step 1.

gs.include("PrototypeServer");
//MIT License. (c) Igor Kozlov - kozlov.igor.dev@gmail.com
var MultiSSOv2_SAML2_custom = Class.create();
MultiSSOv2_SAML2_custom.prototype = Object.extend(new MultiSSOv2_SAML2_internal(), {
	initialize: function () {
		//the sys_user field the SSO subject is matched against; take it from step 1 (SSO config or property)
		this.loginField = "employee_number";

		MultiSSOv2_SAML2_internal.prototype.initialize.call(this);
	},

	loginUser: function (subjectUserName) {
		//reactivate first, so the stock login flow sees an active, unlocked record
		this.reactivateIfUserDisabled(subjectUserName);
		return MultiSSOv2_SAML2_internal.prototype.loginUser.call(this, subjectUserName);
	},

	type: 'MultiSSOv2_SAML2_custom'
});

MultiSSOv2_SAML2_custom.prototype.reactivateIfUserDisabled = function (userData) {

	var gr = new GlideRecord("sys_user");
	gr.addQuery(this.loginField, userData);
	gr.query();
	var userFound = gr.next();

	if (!userFound) {
		gs.log("MultiSSOv2_SAML2_custom. Failed to find user: " + userData);
		return;
	}

	//only touch the record when the login field maps to exactly one user
	var singleMatch = gr.getRowCount() === 1;
	if (singleMatch) {
		//log as you like
		reactivateIfNeeded(gr);
	} else {
		gs.log("MultiSSOv2_SAML2_custom. Ambiguous match, " + gr.getRowCount() + " users for: " + userData);
		//actually should never get here. intentionally disabled; check yourself if you need this
		//while(gr.next()){
		//	reactivateIfNeeded(gr);
		//}
	}

	function reactivateIfNeeded(gr) {
		//GlideElement values compare as strings, so check the string value rather than == false / == true
		var needUnlock = gr.getValue('active') == 'false' || gr.getValue('locked_out') == 'true';

		if (needUnlock) {
			gr.active = true;
			gr.locked_out = false;
			gr.update('Making user active on SSO login');
		}
	}
};
