Accessing ServiceNow externally when SSO is enabled

Brendan Hallida
Kilo Guru

Hi all,

I have found that since we have set up SSO, users are unable to access our ServiceNow instance from outside the network. When they do attempt, they get a "Could not validate SAMLResponse" error. SSO works fine internally.

Does anyone know where I can start troubleshooting?

Thanks in Advance

Cheers,

Brendan

7 REPLIES

gareth4
Giga Contributor

Hi Brendan,



I believe that this is because your IdP (the system that authenticates your users) is not available outside your network. Both the IdP and the system you are logging into need to be available from the location the user is in; this usually means you need to make the IdP publicly available.



Edit for clarity: I can't find the wiki link I was looking for to help show what I am talking about, so I will try and explain it instead. The thing to remember with SSO is that everything happens from the user's browser with URL redirects. This means that any user will need to be able to access both ServiceNow and the IdP service from wherever they are currently trying to log in from for SSO to work. If there are any blockers to the access of either system, your users won't be able to use SSO to log in. When you request to log in to your instance, ServiceNow will redirect the browser to the IdP; ServiceNow will not handle the communication on behalf of the user.



Hope this makes sense.


Thanks,


Gareth


Hi Gareth,



Thanks for your reply. I did think this; however, other applications are working via ADFS, and I am able to access the IdpInitiatedSignOn.aspx page and then select Service Now, and this works fine.




Cheers,


Brendan


Okay, so that's a good thing then, probably means you're all good for access. Funnily enough I've got a similar issue myself on the ADFS setup I just started here, I just haven't had a chance to look at it yet.



The first thing to do (if you haven't already) is turn on the Debug Logging and run a test login; this should give you a lot of detail in the logs to show the response and the errors ServiceNow throws. Once you have that, put it up here along with the version of SNow and SSO you're running and we can see what we can do. In my experience it will likely be something the IdP isn't adding to the SAML Response, and that should show up in the Response XML.
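Added example (not part of the thread, and not ServiceNow or ADFS code): one way to check what the IdP put into the Response XML is to decode the base64 `SAMLResponse` value captured from the debug log or the browser POST and list the fields a service provider normally validates. The sample response and host names are constructed, and the script only reports missing fields; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (hypothetical hosts): Success status, but no NameID and no signature.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.com/navpage.do">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject/>
    <saml:Conditions NotBefore="2016-01-01T00:00:00Z" NotOnOrAfter="2016-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

def inspect_saml_response(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and summarise its key fields."""
    xml = base64.b64decode(b64_response)
    # SAML messages never need a DTD; refuse one rather than let the parser expand entities.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not expected in a SAML response")
    root = ET.fromstring(xml)
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    def attr(path, name):
        node = root.find(path, NS)
        return node.get(name) if node is not None else None
    summary = {
        "status": attr("samlp:Status/samlp:StatusCode", "Value"),
        "destination": root.get("Destination"),
        "issuer": text("saml:Issuer") or text("saml:Assertion/saml:Issuer"),
        "name_id": text("saml:Assertion/saml:Subject/saml:NameID"),
        "audience": text(".//saml:AudienceRestriction/saml:Audience"),
        "not_before": attr("saml:Assertion/saml:Conditions", "NotBefore"),
        "not_on_or_after": attr("saml:Assertion/saml:Conditions", "NotOnOrAfter"),
        "signed": root.find(".//ds:Signature", NS) is not None,
    }
    # Anything absent (or an unsigned response) is a candidate cause of a validation failure.
    summary["missing"] = sorted(k for k, v in summary.items() if v in (None, False))
    return summary
```

Calling `inspect_saml_response(SAMPLE_B64)` on the constructed sample reports `name_id` and `signed` as missing. If the IdP encrypts assertions, the assertion fields will all show as missing until the assertion is decrypted.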


Hi Gareth,



Thanks for getting back to me. Still fairly new to this all.



I have attached the logs from the time when I was attempting to log in externally.



Running Helsinki and ADFS version 4 for SSO