Multi SSO login and ESS users

andysummers
Tera Expert

I've seen numerous threads about SSO and the different types of login possible within the system, but I'm not clear on exactly how to implement the following requirement; help or advice would be appreciated!

In my company we use ServiceNow (Istanbul) with Multi-SSO enabled. We have ADFS set up as an IdP and it's working fine. There appears to be a slightly customised single sign-on script running for this IdP called MultiSSO_SAML2_Update1. We had a professional services partner help set this up initially who is no longer on the scene, so I'm not sure where to make changes.

From any machine, internally or outside the company, if you go to our root SN URL you're automatically redirected to our standard MS ADFS login page with the blue pane on the right. Looks rubbish. Once you sign in, however, you're into SN just fine. Future attempts to hit the base URL in new browser windows simply log in automatically, something to do with the token you're issued the first time round?

Some of our external customers need to access our instance. For now, as it's only a few, they have the cms/clean+login.do link that jumps straight into a local login page. Of course, if they aren't already logged in and they receive a mail with a link from the platform, they are going to be taken to our ADFS page rather than a local login page, and I don't think this is very neat or professional.

I know we can use a property to override email links so that they first point to other login pages, but I want to keep this as simple as possible for now. On another of our company sites we have ADFS in place, but when you go to that site you see a splash page first that says Company User or External User. Click the first and it takes you to ADFS; the second link takes you to a local login page. I'm wondering if it would be an idea to have this for SN and, if so, where do I intercept the current redirect to ADFS so that it takes you to the splash page instead?

I know we can also set up other IdPs and have multi-provider single sign-on as well. Does this mean that in theory we could integrate with customers' ADFS solutions too and they could log in via their own? In which case, my big question is: how does SN know which IdP to authenticate you with before you have seen a login page?

If we can have a splash page at least before internal users are taken to ADFS, so that an external user has a link to the local login page, this would help a lot. Most of our users don't have a local password; it's only a few customers that do. So I'm just looking for the best way to show the correct login page, really.

Hi,

There is a UI page login_locate_sso which loads the external login page. Please modify it to remove the userId textbox and see if it works.

Also check whether the script include it calls is validating it or not.

I am running short of time today, will check back later if you would need some help.

Please mark correct/helpful based on the impact of the response.

Thanks

Gaurav


Hey Andy,

Did you get through this workaround for your problem? Please let me know if you need any help with the script.

Thanks

Gaurav


Hi Gaurav - been a bit busy since yesterday. I'm hoping to get a chance to look at this again soon; I'll let you know how we get on. Thanks for your help.


Nps

I was thinking you could try redirecting to your IdP directly from the external link instead of going to the external login page itself.

You can do this by calling the function from the locate SSO UI page, which leads to the creation of the samlRequest and redirects to the IdP.

Please mark correct/helpful based on the impact of the response.

Thanks

Gaurav
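Both the original question (how the instance can know which IdP to use before a login page is shown) and Gaurav's suggestion of adapting the locate-SSO page come down to a "home realm discovery" decision. The following is an added, stand-alone illustration of that decision, not ServiceNow's own login_locate_sso code: the domain-to-IdP table, the local-password user list, the endpoint URLs and the /local_login.do path are all constructed placeholders.

```javascript
// Constructed configuration: which email domains are served by which IdP.
// Assumption: each IdP is identified by a name and a SAML login endpoint.
const IDP_BY_DOMAIN = {
  "example-corp.com":   { name: "CorpADFS",      endpoint: "https://adfs.example-corp.com/adfs/ls" },
  "customer-a.example": { name: "CustomerAADFS", endpoint: "https://sso.customer-a.example/adfs/ls" },
};

// Constructed list of external users who were issued a local password instead of SSO.
const LOCAL_PASSWORD_USERS = new Set(["alice@customer-b.example"]);

// Placeholder path for the local (non-SSO) login page.
const LOCAL_LOGIN = "/local_login.do";

// Decide where a visitor should be sent before they have authenticated.
// Returns { action: "splash" | "sso" | "local", target?, idp? }.
function locateLogin(identifier) {
  // Nothing typed yet (e.g. a bare hit on the root URL): show the splash page
  // instead of forcing everyone to the company IdP.
  if (!identifier) return { action: "splash" };

  const id = identifier.trim().toLowerCase();
  const at = id.lastIndexOf("@");
  // Not an email-shaped identifier: fall back to local login rather than guessing an IdP.
  if (at < 1 || at === id.length - 1) return { action: "local", target: LOCAL_LOGIN };

  // Explicit local-password users win over any domain rule, so a customer can have
  // both an IdP integration and a few individually provisioned local accounts.
  if (LOCAL_PASSWORD_USERS.has(id)) return { action: "local", target: LOCAL_LOGIN };

  const idp = IDP_BY_DOMAIN[id.slice(at + 1)];
  if (idp) return { action: "sso", idp: idp.name, target: idp.endpoint };

  // Unknown domain: send to local login. The response is identical whether or not an
  // account exists, so the page does not reveal which users are provisioned.
  return { action: "local", target: LOCAL_LOGIN };
}

// Email deep links carry a return path to restore after login. Only accept
// same-origin relative paths so the login flow cannot be turned into an open redirect.
function safeReturnPath(path) {
  if (typeof path === "string" && /^\/(?![\/\\])/.test(path)) return path;
  return "/";
}
```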