SSO authentication not including a check for inactive users?

SC10
Kilo Guru

An SSO user was trying to login to ServiceNow (authenticated via our intranet, which is currently working), but once ServiceNow loaded they were redirected back to our intranet (this is our configured redirect page for unsuccessful logins).

I found that the user ID for this user was in ServiceNow twice, one marked as Active = True, and one marked as Active = False. For the Active = False version of the user, I changed his User ID, and he was then able to SSO authenticate into ServiceNow.

Does anyone know for sure if there is a check being done for Active = False when doing an SSO authentication? I cannot find properties to modify the incoming user check, beyond the typical incoming header for the username etc.

Thanks.

6 REPLIES

Goran WitchDoc
ServiceNow Employee

Wouldn't it be something like this: the SSO mainly just checks for user/pwd and, if successful, sends the user to the ServiceNow instance; then the instance starts to see what roles etc. the user has, and since it is inactive, they are not able to log into the system. That's why they get thrown back out.

Don't think this is a "property"; I would think this is a basic platform config. Inactive users can't log into the system.

/Göran


And that all makes sense Goran, but the user had an active account, but also an inactive one. When I offboard users I also make them inactive and locked out, but if they get created again in ServiceNow in the future (such as a returning staff person) there might be a situation where a new account is made for them, often with the same username (not sure why SN allows a new account with the same username)...

I suppose I will have to add some sort of "old" tag to users' IDs when offboarding?


Inactive users can also log in if their account is not set to locked out.

If you do not have this business rule active, inactive users are not automatically locked out and can still log in to the instance.

http://wiki.servicenow.com/index.php?title=Managing_User_Sessions#gsc.tab=0

So you can lock out the old username and use the new one.


The older user account, which is "Active = False", was also marked as "Locked out = True" by that OOB business rule that is active in our system.

The newer user account (again, it's for the same User ID) is set to Active = True, and Locked out = False, so I am not sure why SSO couldn't authenticate only to this account, and ignore the locked out/inactive older account.

Thoughts?
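A check for the situation this thread describes, as an added example that is not code from the thread or from ServiceNow: it runs offline in Node.js over constructed sys_user-style rows (fields sys_id, user_name, active, locked_out), reports User IDs that exist more than once together with the active/locked-out state of each copy, and applies the "old" tag suggested above to the stale copies. Case-insensitive, trimmed matching of user_name is an assumption.

```javascript
// Added example, not from the thread or ServiceNow. Pure Node.js, no GlideRecord.
// Constructed sample rows mirroring the thread: 'jdoe' exists twice, one copy
// inactive and locked out, one copy live.
const SAMPLE_USERS = [
  { sys_id: 'a1', user_name: 'jdoe',   active: false, locked_out: true  },
  { sys_id: 'a2', user_name: 'JDoe',   active: true,  locked_out: false },
  { sys_id: 'b1', user_name: 'asmith', active: true,  locked_out: false },
];

// Group rows by user_name and report every User ID that appears more than once.
// Matching is case-insensitive and trimmed (assumption; adjust to your instance).
function findDuplicateUserNames(users) {
  const groups = new Map();
  for (const u of users) {
    const key = String(u.user_name || '').trim().toLowerCase();
    if (!key) continue;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(u);
  }
  const collisions = [];
  for (const [userName, rows] of groups) {
    if (rows.length < 2) continue;
    collisions.push({
      user_name: userName,
      // stale copies that can shadow the live account when SSO looks the ID up
      inactive_or_locked: rows.filter(r => !r.active || r.locked_out).map(r => r.sys_id),
      usable: rows.filter(r => r.active && !r.locked_out).map(r => r.sys_id),
    });
  }
  return collisions;
}

// Remediation from the thread: tag the stale copies' User IDs so they no longer
// collide with the live account. Returns new rows; the input is not modified.
function retagStaleDuplicates(users, suffix = '_old') {
  const newNames = new Map(); // sys_id -> new user_name
  for (const c of findDuplicateUserNames(users)) {
    const ids = c.inactive_or_locked;
    ids.forEach((id, i) => {
      const u = users.find(r => r.sys_id === id);
      // several stale copies would collide again after a plain suffix, so number them
      newNames.set(id, u.user_name + suffix + (ids.length > 1 ? '_' + (i + 1) : ''));
    });
  }
  return users.map(u => newNames.has(u.sys_id) ? { ...u, user_name: newNames.get(u.sys_id) } : u);
}

console.log(JSON.stringify(findDuplicateUserNames(SAMPLE_USERS), null, 2));
```

Run it against a CSV or JSON export of sys_user to list the User IDs that need attention before touching any record.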