Could not validate SAML Response

jpavanaryan
Tera Expert

Hello Folks,

I am trying to integrate ServiceNow with Windows Active Directory (Server 2012 R2). I did the following steps based on the wiki tutorial Configuring ADFS 3.0 to Communicate with SAML 2.0 - ServiceNow Wiki so far:

1. Configured ADDS, ADFS, DNS, ADCS etc. in Windows Server 2012 R2

2. Imported the PEM certificate in SN

3. Configured Relying Party claim rules and other stuff

Once everything was completed, I tried to log in. It displays an error saying "Could not validate SAML Response". I checked the logs but didn't find anything. If anyone has faced a similar situation, please let me know.

Thanks


tony_barratt
ServiceNow Employee

Hi,

Could you enable SSO debugging and post the output found in the script logs? Search for "SAML" in the script logs and sort by date.

edit:

see also

SAML 2.0 Troubleshooting - ServiceNow Wiki

Best Regards

Tony


Hello Tony,

Thanks for the response. I already enabled it. Please find the response from the server:



Timestamp | Level | Thread name | Session Id | Message
09:18:09.153 | Info | Default-thread-11 | 23E1D894DB6A1A009C9631B0CF96199D | *** Script: Read from property : glide.authenticate.sso.saml2.service_url, value : https://dev20352.service-now.com/navpage.do
09:18:09.155 | Info | Default-thread-11 | 23E1D894DB6A1A009C9631B0CF96199D | *** Script: Read from property : glide.authenticate.sso.saml2.clockskew, value : 60
09:18:09.157 | Info | Default-thread-11 | 23E1D894DB6A1A009C9631B0CF96199D | *** Script: SAML Response xml: <samlp:Response ID="_f82fb91a-42a9-4693-874a-868a9b0b5923" Version="2.0" IssueInstant="2016-03-29T16:18:32.679Z" Destination="https://dev20352.service-now.com/navpage.do" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://BCMC-Test01.bcmc.test/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_3d8b64d3-1e9a-437d-93e9-923d2ba3436c" IssueInstant="2016-03-29T16:18:32.678Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://BCMC-Test01.bcmc.test/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3d8b64d3-1e9a-437d-93e9-923d2ba3436c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>BvLbZG2DOy8yDnB/HIQGz4yamDfy2nqQyxNf+gF0d6o=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>H7wUrWckasKyvM9M3kC/uoZ50kdC5wxUcjnxSN4ke8WRf8YuB1iz6VierXxvLqAfNyDlVXl/0rcPjVRbYrRzoSB+Na/Wk1e806MVluxphnB910ONkFjKrN7FkpNwqW8JAVUkH90HBsZbVcFAm8UFFRAYePd+caSlnkdmM068B4K6ke5pgCsMu75/0R9F417u9HbpcKYwLAVtaDFhYvc3FlQ7LF2ngUTH9ZbNA5z1d1n7qd9PzGGTlx2Qc+LFcWhVS08Q0Ok/bZXJ8EAZfURIHKAHmiGnWF4mydy0dHQkeCPsK2Nzo7TC/dso/T6XAKuXM7q2oNnqkRUlzS21CG+ZtQ==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>[X509 certificate removed]</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="2016-03-29T16:23:32.679Z" Recipient="https://dev20352.service-now.com/navpage.do" /></SubjectConfirmation></Subject><Conditions NotBefore="2016-03-29T16:18:32.674Z" NotOnOrAfter="2016-03-29T17:18:32.674Z"><AudienceRestriction><Audience>https://dev20352.service-now.com/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2016-03-29T16:18:32.525Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

And also, I found these errors in the logs:

Timestamp | Level | Thread name | Session Id | Message
10:35:50.259 | Error | Default-thread-2 | D58468D8DB6A1A009C9631B0CF961973 | SEVERE *** ERROR *** SAML2: Failed to validate signature profile.
10:35:50.260 | Error | Default-thread-2 | D58468D8DB6A1A009C9631B0CF961973 | SEVERE *** ERROR *** SAML2: SAML2ValidationError: Signature did not validate against the credential's key
10:35:50.262 | Error | Default-thread-2 | D58468D8DB6A1A009C9631B0CF961973 | SEVERE *** ERROR *** SAML2: Could not validate SAMLResponse
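The two error lines above ("Failed to validate signature profile" and "Signature did not validate against the credential's key") point at either a signature Reference that does not cover the Assertion or a token-signing certificate that differs from the PEM imported into the instance. The following is an added diagnostic example, my own code and not ServiceNow's or the poster's: it runs those structural checks on a response shaped like the logged one, comparing the SHA-256 fingerprint of the certificate in KeyInfo with the trusted PEM and the Destination/Recipient with the service_url property; it does not verify the XML signature itself, which needs an XML-DSig library, and the certificate and response are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# value of glide.authenticate.sso.saml2.service_url in the log above
SERVICE_URL = "https://dev20352.service-now.com/navpage.do"

def pem_to_der(pem):
    """Strip the PEM armour and whitespace, return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def check_response(xml_text, trusted_pem, service_url=SERVICE_URL):
    """Structural checks behind 'Could not validate SAML Response'; does not verify the signature."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    embedded = base64.b64decode("".join(cert_el.text.split()))
    return {
        # signature profile: the Reference must cover the enveloping Assertion
        "reference_covers_assertion": ref.get("URI") == "#" + assertion.get("ID"),
        # the SP must verify with its own imported cert; KeyInfo only tells us which cert ADFS used
        "keyinfo_cert_matches_trusted": fingerprint(embedded) == fingerprint(pem_to_der(trusted_pem)),
        "destination_matches_service_url": root.get("Destination") == service_url,
        "recipient_matches_service_url": scd.get("Recipient") == service_url,
    }

# Constructed sample with the same shape as the logged response; the certificate is a placeholder
# byte string, not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
TRUSTED_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"
OTHER_PEM = TRUSTED_PEM.replace(FAKE_CERT_B64, base64.b64encode(b"some other certificate").decode())
SAMPLE_RESPONSE = f"""<samlp:Response ID="_r1" Version="2.0" Destination="{SERVICE_URL}"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <saml:Assertion ID="_a1" Version="2.0"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>
 </ds:SignedInfo><ds:SignatureValue>x</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SERVICE_URL}"/>
 </saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>"""
```

Running check_response(SAMPLE_RESPONSE, OTHER_PEM) reports keyinfo_cert_matches_trusted as False, which is the mismatch the second error line describes.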

Hello Tony,

After going through one of the articles on Hi.ServiceNow, I fixed the issue.

Configuring ADFS 3.0 to Communicate with SAML 2.0 - ServiceNow Wiki

From section 6 (content from the above link), I am able to log in using https://<ADLink>/adfs/ls/idpinitiatedsignon.aspx and modified the properties according to the 3rd step (section 6). But I cannot log in using my instance web link; it still says "Service Unavailable 503 error".