The Single Sign-On module provides a simplified user interface to set up SAML integration for the exchange of user authentication and authorization data. The information is exchanged among an identity provider (IdP), a service provider (SP), and a principal (user) on a web browser.

• The SP sends a SAML authentication request message to the IdP, asking to authenticate the user.
• The IdP typically asks the user for a user name and password, and if the password is correct, the IdP sends back a SAML authentication response stating that the user logged in successfully at the IdP.
• The authenticated user is logged in to the instance.

Login (AuthnRequest)

1. The principal requests a target resource at the service provider, such as https://instance.service-now.com/. The instance checks the request to see if the user has already validated with the IdP and, if so, remaining steps are skipped.
2. The instance constructs an AuthnRequest to send to the IdP. The instance also constructs and sends a RelayState URL parameter value, which is an opaque reference to state information maintained at the service provider. The integration encodes the authorization request and sends it to the SSO service.The SSO service processes the authorization request and performs a security check. If the user does not have a valid security context, the IdP identifies the user by prompting for login credentials. If the user is already logged in, the IdP responds appropriately.
3. After collecting the required login credentials, the SSO service validates the request and responds with an encoded XHTML form.
4. The instance decodes the form and compares the user information with records in the User table. The session ID is extracted so it can be used in the logout request.

Logout (SingleLogoutRequest)

IdP certificate