Force SSO from Base URL of the Instance

tstocking
Tera Guru

Is there a way to force redirection to the SSO provider from the base URL of an instance?

Use this:   https://myinstance.service-now.com

Instead of this:   https://myinstance.service-now.com/login_with_sso.do?glide_sso_id=a343f9efe98fa98fef8e9d8fef9ew8c8

1 ACCEPTED SOLUTION

Found the solution, fully documented on the Wiki (face palm!).   Thanks for your help!



Modify the primary and default IdP



11 REPLIES

Chuck Tomasi
Tera Patron

Hi Todd,



Yes, it is possible. It should be the default after you set up SSO (using the Multiple Provider Single Sign-On plugin).



Take a look at these for assistance:



Multiple Provider Single Sign-On - ServiceNow Wiki


External Authentication (Single Sign-On - SSO) - ServiceNow Wiki (section 5.1)


Thanks for responding Chuck!   I was hoping that was the case but I see some users getting the login page with username/password and also the "Use External Login" link which of course they can click and enter their email address and force the SSO process.   So the expected behavior is that when a user hits the base URL, it should automatically force the SSO login?


Yes Todd. The base URL should redirect.



It shouldn't be specific to some users at that point because it doesn't know one user from another. It could be a browser cache issue in that their session is interfering with the redirect to the SSO page.


We have three instances and see the same behavior on all three after configuring SSO.   Users will see this page first:



login_screen_1.gif



Which they can then click on the "Use External Login" link which brings them to this screen:



login_screen_2.gif


Where they can put in their email address and log in. We are looking for a way to avoid all of this altogether and just force them to log in using SSO. Is the above the normal/expected behavior? Based on the Wiki (Multiple Provider Single Sign-On - ServiceNow Wiki), they recommend telling users to go to the SSO link first, but is there a way to redirect them without sending them the long URL?