Multi SSO login and ESS users
09-27-2017 01:18 AM
I've seen numerous threads about SSO and different types of login possible within the system but I'm not clear on exactly how to implement the following requirement, help or advice would be appreciated!
In my company we use ServiceNow (Istanbul) with MultiSSO enabled - we have ADFS set up as an IdP and it's working fine. There appears to be a slightly customised single-sign-on script running from this IdP called MultiSSO_SAML2_Update1. We had a professional services partner help set this up initially who is no longer on the scene, so I'm not sure where to make changes.
From any machine, internally or outside the company, if you go to our root SN URL you're automatically redirected to our standard MS ADFS login page with the blue pane on the right. Looks rubbish. Once you sign in, however, you're into SN just fine. Future attempts to hit the base URL in new browser windows simply log in automatically - something to do with the token you're issued the first time round?
Some of our external customers need to access our instance. For now, as it's only a few, they have the cms/clean+login.do link that jumps straight into a local login page. Of course, if they aren't already logged in and they receive a mail with a link from the platform, they are going to be taken to our ADFS page rather than a local login page, and I don't think this is very neat or professional.
I know we can use a property to override email links so that they first point to other login pages, but I want to keep this as simple as possible for now. On another of our company sites we have ADFS in place, but when you go to that site you see a splash page first that says Company User or External User. Click the first and it takes you to ADFS; the second link takes you to a local login page. I'm wondering if it would be an idea to have this for SN and, if so, where do I intercept the redirect to ADFS currently so that it takes you to the splash page?
I know we can also set up other IdPs and have multi-provider single sign-on as well. Does this mean in theory we could integrate with customers' ADFS solutions too, and they could log in via their own? In which case, my big question is: how does SN know which IdP to authenticate you with before you have seen a login page?
If we can have a splash page at least before internal users are taken to ADFS, so that an external user has a link to the local login page, this would help a lot. Most of our users don't have a local password; it's only a few customers that do. So I'm just looking for the best way to show the correct login page, really.
Labels: Security Operations
09-27-2017 01:27 AM
Hi
It seems like you want to enable the external login link on the login page and not redirect all users to the IdP by default.
Please check the property below, remove the value from it, and try logging in in a new incognito window.
glide.authenticate.sso.redirect.idp
It redirects all users to this IdP (requires the sys_id of the IdP as the value).
After removing the value and trying the base URL of your instance, you will be presented with the page below.
Now, use the external login for ADFS users; this will take you to a page where you need to fill in the user ID (although native users can directly fill in their credentials on the same page).
Please mark correct/helpful based on the impact of the response.
Thanks
Gaurav
09-27-2017 01:45 AM
Thanks Gaurav.
The suggestion you made works just as you show, but it seems to me that the majority of users who rely on ADFS would then be disadvantaged, as they will always have to click "Use External Login". When I click that link I see
but it doesn't matter what I put in that UserID box; it always logs me in under my own name, with no password.
So is this External Login page effectively using my AD credentials? I think it is, because on my company network I'm just logged in automatically if I press Submit above. But on my machine at home, when I see this External Login page, I can leave the box empty and press Submit, and then it takes me to my ADFS page as I would hope.
If these login pages can be customised easily it might just work.
09-27-2017 02:01 AM
Hi Andy,
Did you try it in an incognito window? After you enter your user ID, it should take you to the ADFS page only.
The user ID is basically the decision maker for which IdP it should hit in the case of multiple IdPs.
This is the OOB behaviour which SNOW provides so you can utilise both ADFS and native login from the same console.
Please mark correct/helpful based on the impact of the response.
Thanks
Gaurav
09-27-2017 02:29 AM
Hi Gaurav,
Yes, I used an incognito window on my company laptop; as soon as I entered anything in the external login box it logged me straight in as me. I tried a colleague's user ID as well, but it logged in as me.
I then tried an incognito window on my Mac at home, and the external login page took me to the ADFS login page. Again, I could leave it blank or put anything I wanted in the external page, so I almost need to remove the user ID field and just change the Submit button to say Login or something, perhaps.
Is this the behaviour you expect?