Could not validate SAML Response

jpavanaryan · ‎03-28-2016

Hello Folks,

I am trying to integrate ServiceNow with Windows Active Directory (Server 2012 R2). I did the following steps based on wiki tutorial Configuring ADFS 3.0 to Communicate with SAML 2.0 - ServiceNow Wiki so far

1. Configured ADDS, ADFS, DNS, ADCS etc.. in Windows Server 2012 R2

2. Imported PEM certificate in SN

3. Configured Relay party claim rules and other stuff

Once everything completed, I tried to login. It displays an error saying that "Could not validate SAML Response". I checked logs but I didn't find anything. If anyone faced similar situation Please let me know

Thanks

tony_barratt · ‎03-28-2016

Hi,

Could you enable sso debugging and post the output found in script logs? Search for "SAML" in the script logs and sort by date.

edit:

see also

SAML 2.0 Troubleshooting - ServiceNow Wiki

Best Regards

Tony

jpavanaryan · ‎03-29-2016

Hello Tony,

Thanks for the response. I already enabled. Please find response from server

Timestamp	Level	Thread name	Session Id	Message
09:18:09.153	Info	Default-thread-11	23E1D894DB6A1A009C9631B0CF96199D	*** Script: Read from property : glide.authenticate.sso.saml2.service_url, value : https://dev20352.service-now.com/navpage.do
09:18:09.155	Info	Default-thread-11	23E1D894DB6A1A009C9631B0CF96199D	*** Script: Read from property : glide.authenticate.sso.saml2.clockskew, value : 60
09:18:09.157	Info	Default-thread-11	23E1D894DB6A1A009C9631B0CF96199D	*** Script: SAML Response xml: <samlp:Response ID="_f82fb91a-42a9-4693-874a-868a9b0b5923" Version="2.0" IssueInstant="2016-03-29T16:18:32.679Z" Destination="https://dev20352.service-now.com/navpage.do" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://BCMC-Test01.bcmc.test/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_3d8b64d3-1e9a-437d-93e9-923d2ba3436c" IssueInstant="2016-03-29T16:18:32.678Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://BCMC-Test01.bcmc.test/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3d8b64d3-1e9a-437d-93e9-923d2ba3436c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>BvLbZG2DOy8yDnB/HIQGz4yamDfy2nqQyxNf+gF0d6o=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>H7wUrWckasKyvM9M3kC/uoZ50kdC5wxUcjnxSN4ke8WRf8YuB1iz6VierXxvLqAfNyDlVXl/0rcPjVRbYrRzoSB+Na/Wk1e806MVluxphnB910ONkFjKrN7FkpNwqW8JAVUkH90HBsZbVcFAm8UFFRAYePd+caSlnkdmM068B4K6ke5pgCsMu75/0R9F417u9HbpcKYwLAVtaDFhYvc3FlQ7LF2ngUTH9ZbNA5z1d1n7qd9PzGGTlx2Qc+LFcWhVS08Q0Ok/bZXJ8EAZfURIHKAHmiGnWF4mydy0dHQkeCPsK2Nzo7TC/dso/T6XAKuXM7q2oNnqkRUlzS21CG+ZtQ==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC5jCCAc6gAwIBAgIQHDeMde9Zl5tCY1qD1p7n9DANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBCQ01DLVRlc3QwMS5iY21jLnRlc3QwHhcNMTYwMzI4MTg1MzQ0WhcNMTcwMzI4MTg1MzQ0WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBCQ01DLVRlc3QwMS5iY21jLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDX8zqFdc54zqxWk0kkum0TZJqk9rCCgZ2ZDJoUN8Wu/3c9blyiqhTaYpBL/iW6HkRm2EXGFIWM1H7TSA/dAOIpuZG4KMrx3AO7h/2/+ZdQBGfn2x57G+rvNHLsQGMaabCajD9554Jhx3kIbWc6gdtM2UKt5B5io2Ahxv1+UjXrR1UYdvUkILTqwYtinaab26ZWRogkf2YO0AJfVqtvBUOsmATfOMAP9MXQWIk9UqYtzQv9XKZfN+GSMFHu4OhFcAHzSbA4VEzveNB29g6q9Oi0qaSM6ov8SZx9O6q2DR6Vy46JCl/6xiDqh6rD9POmaGYEow+MNegQMK9QvRExlY1/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACZnDJgrr/4rJjXyuT32oTlHPgiQisIUNGCIGVd9uMI+MzfakZGlgBdeuaYEMX7eBK1a+PtA2Iy711K3ICE9+xLCkyhubvQTfzAeIDznWpgtWPTWOmdkWC/H0FQ/L7qDYiZVWbNhsq4avT2uBvYwYHkQgVP+oKBN/rU+U4DbKGDpd0sGFgH9CngPBzCyO6FhTdij3ZSoeWswf4ixynjUsxLYOs0qQFKQklgbTq54yQE7J27AYfaslf1qXFF4/OTlrEa0UBWbXaT/tnGL/Fd+q1UEWmBHN+cCkJuM1QX0KjSfiFvGoVD3a8LM+1/p7ZXOzYhkryqx2xIH9BlaBQKHnj0=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="2016-03-29T16:23:32.679Z" Recipient="https://dev20352.service-now.com/navpage.do" /></SubjectConfirmation></Subject><Conditions NotBefore="2016-03-29T16:18:32.674Z" NotOnOrAfter="2016-03-29T17:18:32.674Z"><AudienceRestriction><Audience>https://dev20352.service-now.com/</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="2016-03-29T16:18:32.525Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

jpavanaryan · ‎03-29-2016

And also

I found these errors from logs

Timestamp	Level	Thread name	Session Id	Message
10:35:50.259	Error	Default-thread-2	D58468D8DB6A1A009C9631B0CF961973	SEVERE * ERROR * SAML2: Failed to validate signature profile.
10:35:50.260	Error	Default-thread-2	D58468D8DB6A1A009C9631B0CF961973	SEVERE * ERROR * SAML2: SAML2ValidationError: Signature did not validate against the credential's key
10:35:50.262	Error	Default-thread-2	D58468D8DB6A1A009C9631B0CF961973	SEVERE * ERROR * SAML2: Could not validate SAMLResponse

jpavanaryan · ‎03-29-2016

Hello Tony,

After going through one of the article in Hi.ServiceNow, I fixed the issue.

Configuring ADFS 3.0 to Communicate with SAML 2.0 - ServiceNow Wiki

From section 6 (content from above link) I can do that I able to login using https://<ADLink>/adfs/ls/idpinitiatedsignon.aspx and modified properties according to 3rd step (section 6). But I can not login using my instance web link, It still says "Service Unavailable 503 error"