Could not validate SAML Response
‎03-28-2016 02:42 PM
Hello Folks,
I am trying to integrate ServiceNow with Windows Active Directory (Server 2012 R2). I did the following steps so far, based on the wiki tutorial Configuring ADFS 3.0 to Communicate with SAML 2.0 - ServiceNow Wiki:
1. Configured ADDS, ADFS, DNS, ADCS etc. in Windows Server 2012 R2
2. Imported the PEM certificate in SN
3. Configured the relying party claim rules and other stuff
Once everything was completed, I tried to log in. It displays an error saying "Could not validate SAML Response". I checked the logs but I didn't find anything. If anyone has faced a similar situation, please let me know.
Thanks
‎03-28-2016 10:10 PM
Hi,
Could you enable SSO debugging and post the output found in the script logs? Search for "SAML" in the script logs and sort by date.
Edit: see also SAML 2.0 Troubleshooting - ServiceNow Wiki
Best Regards
Tony
‎03-29-2016 09:48 AM
Hello Tony,
Thanks for the response. I already enabled it. Please find the response from the server below.
Timestamp | Level | Thread name | Session Id | Message |
---|---|---|---|---|
09:18:09.153 | Info | Default-thread-11 | 23E1D894DB6A1A009C9631B0CF96199D | *** Script: Read from property : glide.authenticate.sso.saml2.service_url, value : https://dev20352.service-now.com/navpage.do |
09:18:09.155 | Info | Default-thread-11 | 23E1D894DB6A1A009C9631B0CF96199D | *** Script: Read from property : glide.authenticate.sso.saml2.clockskew, value : 60 |
09:18:09.157 | Info | Default-thread-11 | 23E1D894DB6A1A009C9631B0CF96199D | *** Script: SAML Response xml: <samlp:Response ID="_f82fb91a-42a9-4693-874a-868a9b0b5923" Version="2.0" IssueInstant="2016-03-29T16:18:32.679Z" Destination="https://dev20352.service-now.com/navpage.do" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://BCMC-Test01.bcmc.test/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_3d8b64d3-1e9a-437d-93e9-923d2ba3436c" IssueInstant="2016-03-29T16:18:32.678Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://BCMC-Test01.bcmc.test/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3d8b64d3-1e9a-437d-93e9-923d2ba3436c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>BvLbZG2DOy8yDnB/HIQGz4yamDfy2nqQyxNf+gF0d6o=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>H7wUrWckasKyvM9M3kC/uoZ50kdC5wxUcjnxSN4ke8WRf8YuB1iz6VierXxvLqAfNyDlVXl/0rcPjVRbYrRzoSB+Na/Wk1e806MVluxphnB910ONkFjKrN7FkpNwqW8JAVUkH90HBsZbVcFAm8UFFRAYePd+caSlnkdmM068B4K6ke5pgCsMu75/0R9F417u9HbpcKYwLAVtaDFhYvc3FlQ7LF2ngUTH9ZbNA5z1d1n7qd9PzGGTlx2Qc+LFcWhVS08Q0Ok/bZXJ8EAZfURIHKAHmiGnWF4mydy0dHQkeCPsK2Nzo7TC/dso/T6XAKuXM7q2oNnqkRUlzS21CG+ZtQ==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>[certificate omitted]</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="2016-03-29T16:23:32.679Z" Recipient="https://dev20352.service-now.com/navpage.do" /></SubjectConfirmation></Subject><Conditions NotBefore="2016-03-29T16:18:32.674Z" NotOnOrAfter="2016-03-29T17:18:32.674Z"><AudienceRestriction><Audience>https://dev20352.service-now.com/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2016-03-29T16:18:32.525Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> |
‎03-29-2016 10:50 AM
And also, I found these errors in the logs:
Timestamp | Level | Thread name | Session Id | Message |
---|---|---|---|---|
10:35:50.259 | Error | Default-thread-2 | D58468D8DB6A1A009C9631B0CF961973 | SEVERE *** ERROR *** SAML2: Failed to validate signature profile. |
10:35:50.260 | Error | Default-thread-2 | D58468D8DB6A1A009C9631B0CF961973 | SEVERE *** ERROR *** SAML2: SAML2ValidationError: Signature did not validate against the credential's key |
10:35:50.262 | Error | Default-thread-2 | D58468D8DB6A1A009C9631B0CF961973 | SEVERE *** ERROR *** SAML2: Could not validate SAMLResponse |
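As an added example (not from this thread or from ServiceNow), a stdlib-only Python triage that parses a SAML Response copied out of the script logs and checks it against the SP settings those same logs show: Destination and Recipient against glide.authenticate.sso.saml2.service_url, the Conditions window against glide.authenticate.sso.saml2.clockskew, and whether the certificate in KeyInfo is the one imported on the instance, since the SP verifies the signature against its configured credential and a stale or wrong certificate produces exactly "Signature did not validate against the credential's key". The sample response and certificate are constructed; the function names, the expected audience and the expected-certificate parameter are assumptions.

```python
# Added example, not from the thread or from ServiceNow: a stdlib-only triage of a
# SAML Response taken from the script logs against the SP-side settings also seen
# there (service_url, clockskew, the PEM certificate imported on the instance).
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def iso(ts):
    """Parse the UTC timestamps ADFS writes (e.g. 2016-03-29T16:18:32.679Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def cert_fingerprint(b64_der):
    """SHA-256 over the DER bytes of a base64 X509Certificate value."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()

def triage(xml_text, service_url, audience, sp_cert_b64, skew_s, now):
    """Return a list of findings (empty = basic checks passed); not a signature check."""
    root = ET.fromstring(xml_text)
    a = root.find("a:Assertion", NS)
    findings = []
    if root.get("Destination") != service_url:
        findings.append("Destination does not match glide.authenticate.sso.saml2.service_url")
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd.get("Recipient") != service_url:
        findings.append("Recipient does not match service_url")
    if a.find("a:Conditions/a:AudienceRestriction/a:Audience", NS).text != audience:
        findings.append("Audience does not match the SP entity id")
    cond, skew = a.find("a:Conditions", NS), timedelta(seconds=skew_s)
    if not (iso(cond.get("NotBefore")) - skew <= now < iso(cond.get("NotOnOrAfter")) + skew):
        findings.append("outside NotBefore/NotOnOrAfter even with clock skew")
    idp_cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    if cert_fingerprint(idp_cert) != cert_fingerprint(sp_cert_b64):
        findings.append("KeyInfo certificate is not the certificate imported on the SP")
    return findings

# Constructed sample modeled on the logged response; the certificate value is a
# placeholder blob, not a real X.509 certificate.
IDP_CERT = base64.b64encode(b"constructed ADFS token-signing certificate").decode()
SAMPLE = f"""<samlp:Response ID="_r1" Version="2.0" Destination="https://dev20352.service-now.com/navpage.do"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Assertion ID="_a1"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature><Subject><SubjectConfirmation><SubjectConfirmationData Recipient="https://dev20352.service-now.com/navpage.do"/>
</SubjectConfirmation></Subject><Conditions NotBefore="2016-03-29T16:18:32.674Z" NotOnOrAfter="2016-03-29T17:18:32.674Z">
<AudienceRestriction><Audience>https://dev20352.service-now.com/</Audience></AudienceRestriction></Conditions></Assertion></samlp:Response>"""
```

Run `triage(SAMPLE, service_url, audience, configured_cert_b64, 60, now)` with the values from your own instance; any non-empty result points at the setting to fix before looking further at the signature itself.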
‎03-29-2016 11:16 AM
Hello Tony,
After going through one of the articles on Hi.ServiceNow, I fixed the issue.
Configuring ADFS 3.0 to Communicate with SAML 2.0 - ServiceNow Wiki
From section 6 (content from the above link), I was able to log in using https://<ADLink>/adfs/ls/idpinitiatedsignon.aspx and modified the properties according to the 3rd step (section 6). But I cannot log in using my instance web link; it still says "Service Unavailable 503 error".