URL to the portal that bypasses SSO

Jeff316
Kilo Guru

Hi All,

We use Jakarta and use ADFS for SSO.

So when you go to xxx.service-now.com you are redirected to the ADFS logon screen, where you enter your network ID and PW, and then it passes you through.

For our users that do not have accounts in AD we make sure the 'source' field is null in their user record and we enter a password in the user record in SNOW.

For those non-SSO users, they have to use a different URL to ensure they hit the SNOW logon screen and bypass the ADFS SSO screen. The URL is xxx.service-now.com/login.do

This works fine.

But if I want to give the non-SSO users a URL that would take them directly to the portal page, what URL would I use that ensures they are prompted with the SNOW logon screen?

If I give the non-SSO user this URL, xxx.service-now.com/sp?, they briefly see the portal login screen for a second, then it redirects them to the ADFS logon screen, which they cannot use because they have no record in LDAP and must enter a SNOW ID/PW.

This question might be related, but we intend to open just the portal to the public, so these would be people who have no user record in SNOW. Other than setting portal pages to 'public', we would need these users to bypass the ADFS SSO screen, and I guess they would have to bypass any SNOW logon? Or does the public still attempt a logon, but if no user record is found it would sign them in as "guest"?

Any ideas are welcome and appreciated.

12 REPLIES

Thanks Daniel.

Out of curiosity, what is the approximate breakdown of your user audience in terms of SSO vs local? We have been using SSO for a couple of years now, and the local login is something we are going to introduce soon. Changing how our current SSO users log in now could cause some confusion. Although I suppose we could potentially set that SSO selection choice on all our user records ahead of time to mitigate that.

Our guest user population would be very small, probably only 1-2% if even. So I am debating whether to just create a local login page for guests only and direct them to that.

<1% local. A couple of suppliers and system accounts.

Policy is to always control access through identity systems... but there are always a couple of special occasions.

This setup was mostly for first-time logins, as we couldn't always define their SSO source during user import.

Brian McMinn2
Mega Guru

In London, you can set up your own Portal URLs under Custom URL and have that point to the portal of your choice. In Jakarta, the best bet is in Multi SSO: do not set up an Automatic Direct IDP.


glide.authenticate.sso.redirect.idp is the property you want to set to nothing. Keep the default checked on your IDP provider, but this method will uncheck the auto redirect. The regular employee users can enter the instance:

1. Through the IDP page (like Okta)

2. On the login page click "Use External Login" and have them put in their IDP credentials.

 

As far as redirecting external or public customers to the portal, you can use roles or groups in the script include called "SPEntryPage".

After the return URL you can redirect to many portals by checking if the user is a member of a group, has a certain role or no roles if they are a public user.

Be sure to also update these system properties with the new script. 

glide.entry.page.script            new SPEntryPage().getLoginURL();
glide.entry.first.page.script      new SPEntryPage().getFirstPageURL();

 

This should be all you need. Please mark correct if this helps you.

		// Fragment for the SPEntryPage script include: redirectURL and this.portal
		// are defined by the surrounding code.
		var returnUrl = this.portal;
		if (redirectURL && redirectURL != "true") {
			var spUrl = new GlideSPScriptable().mapUrlToSPUrl(redirectURL);
			returnUrl = spUrl ? this.portal + "?" + spUrl : redirectURL;
		}

		// Route by group membership or role. The checks run in order and are not
		// exclusive, so the last one that matches sets returnUrl.
		var user = gs.getUser();
		if (user.isMemberOf('customers'))
			returnUrl = '/codoc';
		if (user.isMemberOf('Service-Now All Employees'))
			returnUrl = '/sp';
		if (user.hasRole('sn_customerservice.facility_customer'))
			returnUrl = '/csp';
		if (user.hasRole('super_user_consumer'))
			returnUrl = '/csp';
		if (user.hasRole('family'))
			returnUrl = '/faf';
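
The routing described in the reply above, as an added example that is not part of the original post or ServiceNow's own code: a stand-alone JavaScript model with the precedence written out (first match wins, ordered to mirror the post's last-`if`-wins chain). `ROUTES`, `makeUser`, `isLocalPath` and `resolvePortal` are hypothetical names, the user object and `mapToSp` are stand-ins for `gs.getUser()` and `mapUrlToSPUrl`, and limiting the fallback redirect to a local path is this example's own choice.

```javascript
// Added example: stand-alone model of the portal routing in the post above.
// All function and variable names here are hypothetical; the group, role and
// portal values are the ones shown in the post.

// First matching rule wins, so the precedence is visible in one place.
// Order mirrors the effective priority of the post's if-chain (last if wins).
var ROUTES = [
    { role: 'family', portal: '/faf' },
    { role: 'super_user_consumer', portal: '/csp' },
    { role: 'sn_customerservice.facility_customer', portal: '/csp' },
    { group: 'Service-Now All Employees', portal: '/sp' },
    { group: 'customers', portal: '/codoc' }
];

// Constructed stand-in for gs.getUser(): only the two methods the post uses.
function makeUser(groups, roles) {
    return {
        isMemberOf: function (g) { return groups.indexOf(g) !== -1; },
        hasRole: function (r) { return roles.indexOf(r) !== -1; }
    };
}

// True only for a path on the same instance ("/x"), not "//host" or "https://host".
function isLocalPath(url) {
    return typeof url === 'string' && /^\/(?![\/\\])/.test(url);
}

// defaultPortal plays the part of this.portal; mapToSp stands in for
// GlideSPScriptable().mapUrlToSPUrl, injected so this runs outside the platform.
function resolvePortal(user, redirectURL, defaultPortal, mapToSp) {
    for (var i = 0; i < ROUTES.length; i++) {
        var r = ROUTES[i];
        if ((r.group && user.isMemberOf(r.group)) || (r.role && user.hasRole(r.role)))
            return r.portal;
    }
    // No rule matched (e.g. a public user with no roles): honour the requested
    // page if it maps to a portal page or is a local path, else use the default.
    if (redirectURL && redirectURL !== 'true') {
        var spUrl = mapToSp(redirectURL);
        if (spUrl) return defaultPortal + '?' + spUrl;
        if (isLocalPath(redirectURL)) return redirectURL;
    }
    return defaultPortal;
}
```
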