SSO with OIDC issue with claims

mathieu_brule · 4 weeks ago

Hi !

I'm actually trying to set up connecting users through an OIDC Identity provider.

Here's where I am :

- I've configured the identity provider record through a well known configuration url

- I've configured the OIDC Provider configuration like below :

When I try to connect with a test account, I fall down on the famous logout successful page.

I've debugged calls with the idp (thanks https://www.servicenow.com/community/community-resources/debugging-oidc-single-sign-on-feature-in-se...), and I see in logs my access token, and my id token.

I've decrypted the JWT through https://www.jwt.io/, and I got claims, (notably the sub claim), but no email claim.

That's why I tried to focus on sub claim, to connect my user to Snow, but it doesn't work...

Where am I wrong ?

Thanks by advance for your help !

mathieu_brule · 4 weeks ago

Ok it works now !

After verifications, my user claim was still valued on email, instead of sub.

Thanks for help !

View solution in original post

pr8172510 · 4 weeks ago

Hi mathieu_brule,

This issue is happening due to claim mapping mismatch, not the OIDC setup itself.

1. Root cause

Your ID token does NOT contain email claim
But your config is:

User Claim = email

So ServiceNow:

Tries to find user using email
Fails → redirects to logout success page

2. Why `sub` is not working

You added sub, but:

Lookup Field Path = user_name
But sub value ≠ user_name in sys_user

So mapping still fails

3. Fix (correct mapping)

You have 2 options:

Option 1 (Recommended)

Update OIDC config:

User Claim → sub
User Field → User ID (or user_name)

Then ensure:

sys_user.user_name = sub value from JWT

Option 2 (Better long-term)

Update IdP to send:

email claim

Then:

Keep User Claim = email
Map to sys_user.email

This is standard OIDC practice

4. Important check

Make sure:

User exists in ServiceNow
Field value EXACTLY matches claim (case-sensitive)

5. Quick validation

Decode JWT
Copy sub value
Check in sys_user:
- user_name == sub

mathieu_brule · 4 weeks ago

Hi @pr8172510

Thanks a lot for your feedback.

I have a test user I've created, with userID valued with the value of the sub claim, for testing (I will see later for getting back an email claim).

That's why I don't understand why it doesn't work.

I have following line in syslog :

Unable to get user based on the claim defined for oidc_provider_configuration with sys_id=c8961e082f737250182bec1bcfa4e301: no thrown error

Please help 🙂

pr8172510 · 4 weeks ago

Hi @mathieu_brule,

Your issue is user lookup mismatch, not OIDC setup.

1. Root cause

ServiceNow is reading sub
But cannot match it to sys_user

That’s why:

Unable to get user based on the claim

2. Fix

Check OIDC config:

User Claim → sub
User Field → user_name

3. Validate user (very important)

In sys_user:

user_name = exact value of sub

Must match:

Case-sensitive
No spaces

4. If still failing

sub may be UUID / different format
Not suitable for user_name

Better approach:

Get email claim from IdP
Map:
- User Claim → email
- User Field → email

mathieu_brule · 4 weeks ago

Hi,

According to the provider, we can get the email only through a call to userinfo, we have to use only the informations furnished in the JWT to authent the user 😞

So my question stands : why can't I find my user based on the sub claim, mapped to userId field ?

SSO with OIDC issue with claims

1. Root cause

2. Why sub is not working

3. Fix (correct mapping)

Option 1 (Recommended)

Option 2 (Better long-term)

4. Important check

5. Quick validation

1. Root cause

2. Fix

3. Validate user (very important)

4. If still failing

2. Why `sub` is not working