URL to the portal that bypasses SSO
‎12-28-2017 10:59 AM
Hi All,
We use Jakarta and use ADFS for SSO.
So when you go to xxx.service-now.com you are redirected to the ADFS logon screen where you enter network ID and PW and then it passes you through.
For our users that do not have accounts in AD we make sure the 'source' field is null in their user record and we enter a password in the user record in SNOW.
For those non-SSO users, they have to use a different URL to ensure they hit the SNOW logon screen and bypass the ADFS SSO screen. The URL xxx.service-now.com/login.do
This works fine.
But if I want to give the non SSO users a URL that would take them directly to the portal page, what URL would I use that ensures they are prompted with the SNOW logon screen?
If I give the non SSO user this URL xxx.service-now.com/sp? they briefly see the portal login screen for a second then it redirects them to the ADFS logon screen which they cannot use because they have no record in LDAP and must enter a SNOW ID/PW.
This question might be related, but we intend to open just the portal to the public, so these would be people who have no user record in SNOW. Other than setting portal pages to 'public' we would need these users to bypass the ADFS SSO screen and I guess they would have to bypass any SNOW logon? or does the public still attempt a logon but if no user record found it would sign them in as "guest"?
Any ideas are welcome and appreciated.
‎12-28-2017 12:55 PM
Hi Dan,
Yes that page and others are set to public. But when you go to URL xxx.service-now.com/sp? (the sp is for the service portal page), the ADFS logon screen appears. Only for a split second, I see the portal's logon page. There is either a way to add the login.do into this URL or there has to be a configuration that prevents SNOW from just redirecting everyone to the ADFS SSO logon screen.
For 90% of the users you do want them to get the ADFS SSO logon screen but SNOW doesn't know you don't have an SSO logon unless there can be something passed into the URL. Same goes for public. When you hit the URL SNOW can't know if you are public, sso user or non-sso user unless there is a difference in the URL given to each user. Like adding login.do to the xxx.service-now.com/login.do bypasses the ADFS logon screen and gives you the SNOW logon screen.
A public user would need a URL that probably prompts for neither SSO nor SNOW logon.
A non-sso user can use login.do to get to SNOW logon screen but then they go to the regular home page where I would like to give them the URL to the portal page but bypass the SSO ADFS and hit that portal logon page.
‎12-28-2017 01:02 PM
Hi Jefferey,
What you need to do here is create a public page. Clone the login widget and change the code so it doesn't redirect to the SSO. Then you can share that link to the no users. Depending on your infrastructure and how you want, you can do your own URL or just give them a URL like "https://YOUR_INSTANCE.service-now.com/sp?id=YOUR_PAGE".
For the widget, and without going through every line, I would say you want to remove this:
Might be more things to clean up like the external checkbox etc. but by removing that, it should work. Then you can trim it down.
‎12-28-2017 01:18 PM
Right! What Göran said
‎02-02-2019 01:33 PM
Hi Goran,
This is very helpful!
We are looking to do something similar at our organization, and removing the above code does allow this widget to render and process local logins, which is great.
However, what we now want to do is prevent our LDAP users from using this login widget. Do you have guidance on how to do this both client-side and server-side? Client side we can look for an email input containing '@email.com' and prevent submission/display a message, but it would be nice to also have a server-side method to abort the login for SSO users if someone were to disable the client side logic.
Thanks,
Steve
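
A server-side version of the check asked about above, as an added example that is not part of the original post and is not ServiceNow code: plain JavaScript modelling a gate that refuses the local form for any account whose `source` field is populated, whatever the client sent. The record shape, `localLogin`, `verifyPassword` and the audit list are assumptions for illustration; the empty-`source` convention for local users is the one described earlier in the thread.

```javascript
// Constructed sample records. `source` is empty for local (non-SSO) accounts
// and populated for directory-backed accounts, as described in the thread.
const USERS = {
  'local.vendor': { source: '', active: true, secret: 'constructed-pw-1' },
  'jdoe': { source: 'ldap:CN=jdoe,OU=Staff,DC=example,DC=com', active: true, secret: 'constructed-pw-2' },
  'old.local': { source: null, active: false, secret: 'constructed-pw-3' },
};

// Stand-in for the platform's own password verification (assumption).
function verifyPassword(user, password) {
  return user.secret === password;
}

// One generic failure for every denial, so the response does not reveal
// whether a name exists or belongs to an SSO account.
const DENIED = { ok: false, message: 'Invalid user name or password' };

// Server-side gate for the local login form. The source check runs before the
// password check, so a directory account's password is never evaluated here.
// The real reason goes only to the audit list, which stays on the server.
function localLogin(userName, password, users, audit) {
  const user = Object.prototype.hasOwnProperty.call(users, userName) ? users[userName] : null;
  let reason = null;
  if (!user) reason = 'unknown_user';
  else if (!user.active) reason = 'inactive';
  else if (user.source != null && String(user.source).trim() !== '') reason = 'sso_account_on_local_form';
  else if (!verifyPassword(user, password)) reason = 'bad_password';

  audit.push({ userName, outcome: reason || 'success' });
  return reason ? DENIED : { ok: true, message: 'Logged in' };
}
```

The `sso_account_on_local_form` audit outcome is the one worth alerting on, since it only occurs when someone submits directory credentials to the local form despite the client-side block.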

‎02-02-2019 02:16 PM
Hi,
We had more or less the same challenge. Users could be in Azure AD or Identity management system or local users.
First-time login is always directed to the SP landing page. Then they select external or internal login. The selected choice is then stored on the user record.
There are two sys properties you need to set:
- glide.entry.first.page.script : new SPEntryPage().getFirstPageURL();
- glide.entry.page.script : new SPEntryPage().getLoginURL();
Then update your SPLogin script include to set another portal if needed.
End result for users that have no SSO set.