SSO authentication not including a check for inactive users?
‎12-12-2016 12:11 PM
An SSO user was trying to log in to ServiceNow (authenticated via our intranet, which is currently working), but once ServiceNow loaded they were redirected back to our intranet (this is our configured redirect page for unsuccessful logins).
I found that the user ID for this user was in ServiceNow twice, one marked as Active = True and one marked as Active = False. For the Active = False version of the user, I changed his User ID, and he was then able to SSO authenticate into ServiceNow.
Does anyone know for sure whether there is a check being done for Active = False when doing an SSO authentication? I cannot find properties to modify the incoming user check, beyond the typical incoming header for the username etc.
Thanks.
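The situation described in the question (the same User ID present on two records, one active and one inactive, and the login failing until the inactive record was renamed) is a general identity-resolution hazard, not something specific to one product. The following is an added illustration, not ServiceNow code and not the poster's configuration: it uses a constructed in-memory user table and a hypothetical `resolveNaive`/`resolveActive` pair to show how a first-match lookup can land on the inactive duplicate and deny access, how a lookup that filters on the active flag and rejects ambiguous matches behaves instead, and a simple duplicate-ID check an administrator can run before such duplicates break logins.

```javascript
// Added illustration (not ServiceNow code): duplicate user records with
// differing Active flags versus an SSO identity lookup.

// Constructed sample user table mirroring the post: "jdoe" appears twice,
// once inactive (older record) and once active.
const USERS = [
  { sys_id: "u1", user_id: "jdoe", active: false },
  { sys_id: "u2", user_id: "jdoe", active: true },
  { sys_id: "u3", user_id: "asmith", active: true },
];

// Naive resolution: first record whose user_id matches, regardless of Active.
// With the duplicate above this returns the inactive record, so a later
// "is this user active?" check rejects a user who does have an active account.
function resolveNaive(users, userId) {
  return users.find((u) => u.user_id === userId) || null;
}

function isLoginAllowedNaive(users, userId) {
  const u = resolveNaive(users, userId);
  return u !== null && u.active === true;
}

// Hardened resolution: only active records are candidates, and more than one
// active match is reported as ambiguous instead of silently picking one.
function resolveActive(users, userId) {
  const matches = users.filter((u) => u.user_id === userId && u.active === true);
  if (matches.length === 0) return { ok: false, reason: "no active user" };
  if (matches.length > 1) return { ok: false, reason: "ambiguous user_id" };
  return { ok: true, user: matches[0] };
}

// Hygiene check: list user_ids that occur on more than one record, active or
// not, so duplicates are found before they cause confusing login failures.
function findDuplicateUserIds(users) {
  const counts = new Map();
  for (const u of users) counts.set(u.user_id, (counts.get(u.user_id) || 0) + 1);
  return [...counts].filter(([, n]) => n > 1).map(([id]) => id).sort();
}

// Stand-alone demonstration of the two behaviours on the sample table.
console.log("naive login for jdoe allowed:", isLoginAllowedNaive(USERS, "jdoe"));
console.log("active-filtered resolution for jdoe:", resolveActive(USERS, "jdoe"));
console.log("duplicate user_ids:", findDuplicateUserIds(USERS));
```

Whether a given SSO integration resolves users the naive way or the filtered way is a property of that integration, which is exactly what the question asks about; the duplicate-ID check is useful regardless, since a user table with two records sharing a login identifier is a misconfiguration whichever lookup is in use.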

‎12-12-2016 02:03 PM
As per the wiki: "The LDAP server responds with an authorized or unauthorized message that the ServiceNow system uses to determine whether access should be granted."
Browse the account for that user in LDAP and check that the old account is inactive there. SN gets a yes/no message on whether to grant access to SN.
Try to debug these.
‎12-12-2016 02:07 PM
Hmm... well, our SSO isn't doing a direct LDAP lookup. We are using a handshake-type token authentication, where ServiceNow loads an external authentication script located within our network, and then that authentication script passes the signed-in user information back to ServiceNow. If the user is not active, they can't get to the external authentication script, so the old disabled user account never comes into the equation for us.