
SSO with Service Portal and Multiple Identity Providers

DVO
Tera Contributor

Hi All,

We have multiple identity providers (and all properties enabled) and want users to have a seamless SSO experience when accessing the portal. Users will be accessing the portal via Okta/Azure or manually via the portal URL. The issue is that whenever a user attempts to access the Portal, they are forced to manually input a login instead of using SSO.

I have looked into setting a default identity provider in the glide.authenticate.sso.redirect.idp property, but that does not allow users outside of that default IdP to log in and authenticate.

Has anyone been able to achieve accessing their Portal through SSO? Is there a way to set which SSO IdP users are redirected to? Can we dynamically modify this system property to do so?


Thanks,


Hi

How do you expect this to work at all? First, you want users to access ServiceNow by logging in directly to the instance (for some users).

This disallows a default IdP, as people would all get sent there.

Then you have multiple IdPs connected. That means "something, somewhere" must find out which is the correct IdP to use.

This can be done by manually selecting an integrated IdP, or it can be done automatically by forwarding a user to his/her IdP after the user has provided their email (which can be done by ServiceNow).

Then the email domain will identify the IdP in charge, to which ServiceNow will forward you.

There is no way to send a user somewhere without knowing anything about that user.

So, what is your missing part?

Let me know if that answered your question and mark my answer as correct and helpful.

BR Dirk

DrewW
Mega Sage

Both Okta and Azure support providing an icon to click in their respective web portals, so are you saying that when they use one of these it still asks them to log in?

You can also provide the user with a link that specifies which SSO provider to use, so if they are already logged into their provider it will do some redirecting and then they will be in ServiceNow without having to enter their username and password.

The only way to not have the user put in their username and password is to make sure that Okta and/or Azure are integrated with the Windows login. I know that Okta has something for this but have never used it. Not sure about Azure.

I have used ADFS to get people into ServiceNow without having them log in, but again that's because we made sure that the browser would automatically pass the credentials to ADFS when the user was in the building.

Keep in mind that when using SSO it's the external provider that dictates everything and just passes the needed info to ServiceNow to indicate what user just logged in. So you need to make sure that Okta and Azure are providing a seamless experience, and after that it's all about the link they click to get into the system.

DVO
Tera Contributor

Hi Drew.

Thank you for your reply.


We have two tiles for ServiceNow: Platform (regular view) and Portal. The platform tile works with SSO because of the way the IdP is set up to redirect users there. However, our Portal tile will always take users to a login page (if the user has not visited ServiceNow previously in the session). I cannot get our users into the Portal with SSO because, for some reason, the system does not know which IdP to send the users to until after they input their credentials. I have tried setting a default IdP, which enables my Portal tile to automatically SSO if the user has an account within that IdP, but this simply does not work for users outside of that IdP.


I would appreciate any additional insight into this.

A few things

Set the SSO provider IdP in the URL that they use to get to ServiceNow.

Have one icon that has the SSO provider set in the URL, then use the service portal redirect process to direct them to either the platform interface or the service portal. Then give people a link in the platform to open the service portal when they need it.

Look at the SSO provider and see if there is a configuration change you need to make. When you send them to the Service Portal and they are not logged in, the system directs them to the SSO provider, who takes care of everything after that. So if they are getting prompted to log in again, I would say it's the SSO provider not recognizing the fact that the user is already logged in. If the user was already logged in, the SSO provider would simply redirect the user back to ServiceNow with the proper info and ServiceNow would show them the page they were trying to get to.
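Dirk's point (map the user's email domain to the right IdP) and Drew's point (put the IdP in the link so the instance never has to guess) can be combined in the link-building step. The following is an added example, not code from this thread or from ServiceNow: it picks the IdP sys_id from an allowlisted email-domain table and emits the per-IdP login deep link of the form `/login_with_sso.do?glide_sso_id=<sys_id>`. The instance name, the domain table, the sys_ids and the `/sp` fallback path are placeholders; the sys_id format check is there so a tampered value cannot be spliced into the redirect.

```javascript
// Added example (not from the thread or from ServiceNow): choose the IdP from the
// user's email domain and build the ServiceNow SSO deep link for it.
// Assumptions: INSTANCE, the domain->IdP table and the sys_ids are placeholders;
// the link form /login_with_sso.do?glide_sso_id=<sys_id> selects a specific IdP.

const INSTANCE = "example"; // placeholder instance name

// Constructed allowlist: email domain -> sys_id of the Identity Provider record.
const IDP_BY_DOMAIN = {
  "corp.example": "a1b2c3d4e5f60718293a4b5c6d7e8f90",    // e.g. Okta (placeholder sys_id)
  "partner.example": "0f1e2d3c4b5a69788796a5b4c3d2e1f0", // e.g. Azure AD (placeholder sys_id)
};

// A sys_id is 32 lowercase hex characters; anything else is refused.
const SYS_ID_RE = /^[0-9a-f]{32}$/;

function emailDomain(email) {
  // Normalise and extract the part after the last "@"; null if not an address.
  if (typeof email !== "string") return null;
  const trimmed = email.trim().toLowerCase();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  return trimmed.slice(at + 1);
}

function resolveIdp(email, table = IDP_BY_DOMAIN) {
  // Only exact, allowlisted domains map to an IdP. Unknown domains return null
  // so the caller falls back to the local login page rather than guessing.
  const domain = emailDomain(email);
  if (domain === null) return null;
  return Object.prototype.hasOwnProperty.call(table, domain) ? table[domain] : null;
}

function ssoLoginUrl(idpSysId, instance = INSTANCE) {
  // Build the per-IdP deep link. The format check stops a caller-controlled value
  // from turning the link into an open redirect or a path/parameter injection.
  if (!SYS_ID_RE.test(idpSysId)) throw new Error("invalid IdP sys_id");
  return `https://${instance}.service-now.com/login_with_sso.do?glide_sso_id=${idpSysId}`;
}

function portalEntryUrl(email) {
  // Known users get the SSO deep link; everyone else gets the plain portal URL
  // (placeholder /sp), where the instance shows its normal login page.
  const idp = resolveIdp(email);
  if (idp === null) return `https://${INSTANCE}.service-now.com/sp`;
  return ssoLoginUrl(idp);
}

// Constructed sample addresses, one per case: Okta domain, Azure domain, unknown domain.
for (const addr of ["alice@corp.example", "bob@partner.example", "eve@other.example"]) {
  console.log(addr, "->", portalEntryUrl(addr));
}
```

The domain lookup is the "somewhat somewhere" Dirk describes; it can live in whatever front door hands out the Portal tile (the Okta/Azure tile URL itself, or a small landing page that asks for the email first). Keep the table an exact-match allowlist: wildcard or suffix matching on domains is how a look-alike domain ends up routed to a provider that trusts it.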

Sarfraz4
Tera Contributor

Is it a custom Portal or the OOB one? Can you confirm whether the landing page in the portal configuration is set to something, or blank?