05-15-2019 07:20 AM
Dear all,
I am trying to test the SSO integration of ServiceNow and Azure AD.
For that I have followed the instructions from the link below:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-tutorial
But when I test my connection I get a certificate validation error. See the log information below:
05/15/19 16:15:06 (485) Testing SSO: ded57877db55330071897b82399619c4
05/15/19 16:15:06 (486) sysparm_form_fields: sysparm_ck=adcbf43fdb55330071897b82399619f068a00c8882632ccf1feb20f8c31999d1e3910607&sys_base_uri=https%3A%2F%2Fdev80449.service-now.com%2F&sys_target=saml2_update1_properties&sys_uniqueName=sys_id&sys_uniqueValue=ded57877db55330071897b82399619c4&sys_displayValue=Microsoft+Azure+Federated+Single+Sign-on&sys_titleValue=Microsoft+Azure+Federated+Single+Sign-on&onLoad_sys_updated_on=2019-05-15+14%3A08%3A41&sys_row=0&sys_modCount=4&sys_action=none&sysparm_collection=&sysparm_collectionID=&sysparm_collection_key=&sysparm_collection_related_field=&sysparm_collection_relationship=&sysparm_redirect_url=&sysparm_goto_url=&isFormPage=true&sysparm_referring_url=&sysparm_view=&sysparm_changeset=&sysparm_template_editable=&sysparm_record_row=2&sysparm_record_list=ORDERBYname&sysparm_record_rows=3&sysparm_record_target=sso_properties&sysparm_modify_check=true&sysparm_action_template=&sysparm_link_collection=&sysparm_pop_onLoad=&sysparm_nameofstack=&sysparm_transaction_scope=&sysparm_record_scope=&sysparm_ck=adcbf43fdb55330071897b82399619f068a00c8882632ccf1feb20f8c31999d1e3910607&sys_original.saml2_update1_properties.name=Microsoft+Azure+Federated+Single+Sign-on&saml2_update1_properties.name=Microsoft+Azure+Federated+Single+Sign-on&sys_original.saml2_update1_properties.default=false&saml2_update1_properties.default=false&sys_original.saml2_update1_properties.active=false&saml2_update1_properties.active=false&sys_original.saml2_update1_properties.is_primary=false&saml2_update1_properties.is_primary=false&sys_original.saml2_update1_properties.idp=https%3A%2F%2Fsts.windows.net%2F7db21ac6-930a-4e7f-8b84-ec5bd1961069%2F&saml2_update1_properties.idp=https%3A%2F%2Fsts.windows.net%2F7db21ac6-930a-4e7f-8b84-ec5bd1961069%2F&sys_original.saml2_update1_properties.idp_authnrequest_url=https%3A%2F%2Flogin.microsoftonline.com%2F7db21ac6-930a-4e7f-8b84-ec5bd1961069%2Fsaml2&saml2_update1_properties.idp_authnrequest_url=https%3A%2F%2Flogin.microsoftonline.com%2F7db21ac6-930a-4e7f-8b84-ec5bd1961069%2Fsaml2&sys_original.saml2_update1_properties.idp_logout_url=&saml2_update1_properties.idp_logout_url=&sys_original.saml2_update1_properties.service_url=https%3A%2F%2Fdev80449.service-now.com%2Fnavpage.do&saml2_update1_properties.service_url=https%3A%2F%2Fdev80449.service-now.com%2Fnavpage.do&sys_original.saml2_update1_properties.issuer=https%3A%2F%2Fdev80449.service-now.com&saml2_update1_properties.issuer=https%3A%2F%2Fdev80449.service-now.com&sys_original.saml2_update1_properties.audience=https%3A%2F%2Fdev80449.service-now.com&saml2_update1_properties.audience=https%3A%2F%2Fdev80449.service-now.com&sys_original.saml2_update1_properties.nameid_policy=urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.1%3Anameid-format%3Aunspecified&saml2_update1_properties.nameid_policy=urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.1%3Anameid-format%3Aunspecified&sys_original.saml2_update1_properties.external_logout_redirect=external_logout_complete.do&saml2_update1_properties.external_logout_redirect=external_logout_complete.do&sys_original.saml2_update1_properties.failed_requirement_redirect=&saml2_update1_properties.failed_requirement_redirect=&sys_original.saml2_update1_properties.signing_key_alias=&saml2_update1_properties.signing_key_alias=&sys_original.saml2_update1_properties.signing_key_password=********&saml2_update1_properties.signing_key_password=********&ni.nolog.saml2_update1_properties.signing_key_password=true&sys_original.saml2_update1_properties.encrypt_assertion=false&saml2_update1_properties.encrypt_assertion=false&sys_original.saml2_update1_properties.sign_algorithmuri=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&saml2_update1_properties.sign_algorithmuri=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&sys_original.saml2_update1_properties.require_signed_authnrequest=false&saml2_update1_properties.require_signed_authnrequest=false&sys_original.saml2_update1_properties.require_signed_logoutrequest=false&saml2_update1_properties.require_signed_logoutrequest=false&sys_original.saml2_update1_properties.auto_provision=true&ni.saml2_update1_properties.auto_provision=true&saml2_update1_properties.auto_provision=true&sys_original.saml2_update1_properties.auto_update_user=true&ni.saml2_update1_properties.auto_update_user=true&saml2_update1_properties.auto_update_user=true&sys_original.saml2_update1_properties.user_field=email&saml2_update1_properties.user_field=email&sys_original.saml2_update1_properties.nameid_attribute=&saml2_update1_properties.nameid_attribute=&sys_original.saml2_update1_properties.createrequestedauthncontext=false&saml2_update1_properties.createrequestedauthncontext=false&sys_original.saml2_update1_properties.authncontextcassref_method=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APasswordProtectedTransport&saml2_update1_properties.authncontextcassref_method=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APasswordProtectedTransport&sys_original.saml2_update1_properties.force_authn=false&saml2_update1_properties.force_authn=false&sys_original.saml2_update1_properties.is_passive=false&saml2_update1_properties.is_passive=false&sys_original.saml2_update1_properties.sso_script=c9eabf531b121100227e5581be07131f&saml2_update1_properties.sso_script=c9eabf531b121100227e5581be07131f&sys_display.original.saml2_update1_properties.sso_script=MultiSSO_SAML2_Update1&sys_display.saml2_update1_properties.sso_script=MultiSSO_SAML2_Update1&lookup.saml2_update1_properties.sso_script=&viewr.saml2_update1_properties.sso_script=&sys_original.saml2_update1_properties.clock_skew=180&saml2_update1_properties.clock_skew=180&sys_original.saml2_update1_properties.idp_logout_binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-Redirect&saml2_update1_properties.idp_logout_binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-Redirect&sys_original.saml2_update1_properties.idp_metadata_url=https%3A%2F%2Flogin.microsoftonline.com%2F7db21ac6-930a-4e7f-8b84-ec5bd1961069%2Ffederationmetadata%2F2007-06%2Ffederationmetadata.xml%3Fappid%3Dd7a9a185-1cae-43b8-82b4-aeca6af3b932&saml2_update1_properties.idp_metadata_url=https%3A%2F%2Flogin.microsoftonline.com%2F7db21ac6-930a-4e7f-8b84-ec5bd1961069%2Ffederationmetadata%2F2007-06%2Ffederationmetadata.xml%3Fappid%3Dd7a9a185-1cae-43b8-82b4-aeca6af3b932&not_important=sysverb_update&sysparm_encoded_record=&sysverb_update_and_stay=&sysverb_insert=&sysverb_insert_and_stay=&show_history=&personalizer_saml2_update1_properties=true&sysparm_changes_tested=true&saml2_update1_properties.active=false&ni.saml2_update1_properties.active=true
05/15/19 16:15:06 (490) field changed: name, value =Microsoft+Azure+Federated+Single+Sign-on
05/15/19 16:15:06 (491) masked field changed: signing_key_password
05/15/19 16:15:06 (494) Read from column : name, value: Microsoft+Azure+Federated+Single+Sign-on
05/15/19 16:15:06 (495) Use the SSOHelper passed in.
05/15/19 16:15:06 (495) Read from column : service_url, value: https://dev80449.service-now.com/navpage.do
05/15/19 16:15:06 (496) Read from column : clock_skew, value: 180
05/15/19 16:15:06 (496) Read from column : idp_authnrequest_url, value: https://login.microsoftonline.com/7db21ac6-930a-4e7f-8b84-ec5bd1961069/saml2
05/15/19 16:15:06 (497) Read from column : force_authn, value: 0
05/15/19 16:15:06 (497) Read from column : is_passive, value: 0
05/15/19 16:15:06 (498) Read from column : issuer, value: https://dev80449.service-now.com
05/15/19 16:15:06 (499) Read from column : nameid_policy, value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
05/15/19 16:15:06 (499) Read from column : service_url, value: https://dev80449.service-now.com/navpage.do
05/15/19 16:15:06 (500) Read from column : idp_authnrequest_url, value: https://login.microsoftonline.com/7db21ac6-930a-4e7f-8b84-ec5bd1961069/saml2
05/15/19 16:15:06 (500) Read from column : createrequestedauthncontext, value: 0
05/15/19 16:15:06 (635) SAML Request xml: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://dev80449.service-now.com/navpage.do" Destination="https://login.microsoftonline.com/7db21ac6-930a-4e7f-8b84-ec5bd1961069/saml2" ForceAuthn="true" ID="SNCaf3354d9712f8f3aaa4ac2b103294b92" IsPassive="false" IssueInstant="2019-05-15T14:15:06.498Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://dev80449.service-now.com/navpage.do" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://dev80449.service-now.com</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></saml2p:AuthnRequest>
05/15/19 16:15:06 (636) Stripping down the serviceURL: https://dev80449.service-now.com/navpage.do to a base URL of: https://dev80449.service-now.com
05/15/19 16:15:06 (637) Generating a Test Connection Relay State of: https://dev80449.service-now.com/navpage.doSNCRSEPsysparm_saml_tc=true&glide_sso_id=ded57877db55330071897b82399619c4&exit_name=MultiSSO
05/15/19 16:15:06 (637) Read from column : require_signed_authnrequest, value: 0
05/15/19 16:15:06 (638) Redirecting to: https://login.microsoftonline.com/7db21ac6-930a-4e7f-8b84-ec5bd1961069/saml2?SAMLRequest=lVLJbtswEP0VgXct1GJLhGXAtVHUQJoasZtDbyNq5BCQSJVDKe3fV5YdJD00Ra6cecu8xxVB18a92AzuST%2FgzwHJeb%2B6VpO4Tko2WC0MkCKhoUMSTorj5uudiINI9NY4I03LvA0RWqeM3hpNQ4f2iHZUEr8%2F3JXsybmeRBjWOOZRmhYBXYe%2BNs%2BBNF2oYezhjEFtmLebLCgNF65XZGvOSgedktaQaZzRrdI4Q5d1FXOQC79IIvBTXDZ%2BXuWpjzKral4seLQowvkW5n02VuJ8asmcHZB5%2B13JjvdbaJIkS%2BtiyeMmbxIASEHGFY%2BSuEirYoLu6QBEasSSNdDSBUo04F6TA%2B1KFke88KPM59mJp4JnIloEaZH%2FYN7hltEnpWulz%2B8HWl2XSHw5nQ7%2B4dvxNBOMqkZ7P21%2FMMtHtDTnOHGz9WqOQczG7duW3%2FcEL9Wy9f%2FEV%2BFbiZtgLy7O97uDaZX87W3a1jxvLYLDlxamXjpw%2F3bBAz6%2FqNpv5lUxaOpRqkZhzcL1Tfbvb7z%2BAw%3D%3D&RelayState=https%3A%2F%2Fdev80449.service-now.com%2Fnavpage.doSNCRSEPsysparm_saml_tc%3Dtrue%26glide_sso_id%3Dded57877db55330071897b82399619c4%26exit_name%3DMultiSSO
05/15/19 16:15:06 (638) Generated request ID: SNCaf3354d9712f8f3aaa4ac2b103294b92
05/15/19 16:15:06 (639) Read from column : popup_dlg_width, value: 900
05/15/19 16:15:06 (639) Read from column : popup_dlg_height, value: 800
05/15/19 16:15:30 (603) Extracted RelayState: https://dev80449.service-now.com/navpage.do
05/15/19 16:15:30 (604) SSO glide record test_saml_connection_gr is returned
05/15/19 16:15:30 (604) sso_id:ded57877db55330071897b82399619c4
05/15/19 16:15:30 (604) User attempting to login using SSO Microsoft+Azure+Federated+Single+Sign-on
05/15/19 16:15:30 (606) ScriptName : MultiSSO_SAML2_Update1
05/15/19 16:15:30 (607) Use the SSOHelper passed in.
05/15/19 16:15:30 (607) Read from column : service_url, value: https://dev80449.service-now.com/navpage.do
05/15/19 16:15:30 (607) Read from column : clock_skew, value: 180
05/15/19 16:15:30 (608) SAMLResponseObject not found in GlideController.
05/15/19 16:15:30 (609) SAML Response xml: <samlp:Response ID="_11ffe14c-c99b-4281-a07e-19400199b5c2" Version="2.0" IssueInstant="2019-05-15T14:15:30.461Z" Destination="https://dev80449.service-now.com/navpage.do" InResponseTo="SNCaf3354d9712f8f3aaa4ac2b103294b92" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/7db21ac6-930a-4e7f-8b84-ec5bd1961069/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_8f8e88ac-a581-42f0-8e52-617c6f0c2b00" IssueInstant="2019-05-15T14:15:30.461Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/7db21ac6-930a-4e7f-8b84-ec5bd1961069/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_8f8e88ac-a581-42f0-8e52-617c6f0c2b00"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>5+cG+9m62bit9IsJNUyDtpMFCy1d6ZJ8wM9GPvCBQl4=</DigestValue></Reference></SignedInfo><SignatureValue>vz3pdbUKwY8FecLCdaMkhGADK90yLJyWluYX60TWXUTo3tCfi9TjLSQR8zVF8Rq1gWfan5oBBO3/klLdEB7qGoxQkuBNCyLWAmPwatsOCAsv16ROn+rgIMJYsPDurzplhCTmeOxDZAfRgCKHtf8BUA4BusIjA+QXL6QQPIkQH7VBn6a9WH8/29WsWIgfGqHnGHzXTvbQS3PSaftJl5v5eBoKoQswXlzFaVh436J+jfg0pVEAoRqHf9r9Busu8J2u5EeQQSpL0Blnrr/eswqhvBiJIkG1p+IPQPhsndWuhDz8umXNG5F0Rpy4tH+sWCmqw5zLsG/3WEGIxsw7JNR+TA==</SignatureValue><KeyInfo><X509Data><X509Certificate>[certificate omitted]</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">serge_calderara_hotmail.com#EXT#@SCALDERARA.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="SNCaf3354d9712f8f3aaa4ac2b103294b92" NotOnOrAfter="2019-05-15T14:20:30.461Z" Recipient="https://dev80449.service-now.com/navpage.do"/></SubjectConfirmation></Subject><Conditions NotBefore="2019-05-15T14:10:30.445Z" NotOnOrAfter="2019-05-15T15:10:30.445Z"><AudienceRestriction><Audience>https://dev80449.service-now.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>7db21ac6-930a-4e7f-8b84-ec5bd1961069</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>700b4bb6-5ec4-4bc0-85bf-63472675b982</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>serge_calderara@hotmail.com</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>live.com</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>serge</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>calderara</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>serge_calderara@hotmail.com</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>serge_calderara_hotmail.com#EXT#@SCALDERARA.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2019-05-15T14:15:27.002Z" SessionIndex="_8f8e88ac-a581-42f0-8e52-617c6f0c2b00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
05/15/19 16:15:30 (611) Response object created
05/15/19 16:15:30 (612) Issue Instant: 2019-05-15T14:15:30.461Z
05/15/19 16:15:30 (612) Session inResponseTo: SNCaf3354d9712f8f3aaa4ac2b103294b92
05/15/19 16:15:30 (613) Status code: urn:oasis:names:tc:SAML:2.0:status:Success
05/15/19 16:15:30 (613) Status message: null
05/15/19 16:15:30 (613) Signature Reference ID: _11ffe14c-c99b-4281-a07e-19400199b5c2
05/15/19 16:15:30 (614) SAML assertion is not encrypted.
05/15/19 16:15:30 (614) Subject NameID:serge_calderara_hotmail.com#EXT#@SCALDERARA.onmicrosoft.com
05/15/19 16:15:30 (614) SAML2 NameID: serge_calderara_hotmail.com#EXT#@SCALDERARA.onmicrosoft.com
05/15/19 16:15:30 (615) SessionIndex: _8f8e88ac-a581-42f0-8e52-617c6f0c2b00
05/15/19 16:15:30 (615) SAML2 SessionIndex: _8f8e88ac-a581-42f0-8e52-617c6f0c2b00
05/15/19 16:15:30 (618) Validating SAML response against the certificate : https://sts.windows.net/7db21ac6-930a-4e7f-8b84-ec5bd1961069/_1
05/15/19 16:15:30 (619) certificate Issuer DN: CN=Microsoft Azure Federated SSO Certificate
05/15/19 16:15:30 (619) certificate valid date from: Wed May 15 06:28:47 PDT 2019
05/15/19 16:15:30 (620) certificate valid date to: Sun May 15 06:28:47 PDT 2022
05/15/19 16:15:30 (620) Current timestamp: Wed May 15 07:15:30 PDT 2019
05/15/19 16:15:30 (621) Public key created
05/15/19 16:15:30 (621) Signature not in response, attempting to get signature from assertion
05/15/19 16:15:30 (621) Got signature
05/15/19 16:15:30 (622) <?xml version="1.0" encoding="UTF-8"?><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_8f8e88ac-a581-42f0-8e52-617c6f0c2b00"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>5+cG+9m62bit9IsJNUyDtpMFCy1d6ZJ8wM9GPvCBQl4=</DigestValue></Reference></SignedInfo><SignatureValue>vz3pdbUKwY8FecLCdaMkhGADK90yLJyWluYX60TWXUTo3tCfi9TjLSQR8zVF8Rq1gWfan5oBBO3/klLdEB7qGoxQkuBNCyLWAmPwatsOCAsv16ROn+rgIMJYsPDurzplhCTmeOxDZAfRgCKHtf8BUA4BusIjA+QXL6QQPIkQH7VBn6a9WH8/29WsWIgfGqHnGHzXTvbQS3PSaftJl5v5eBoKoQswXlzFaVh436J+jfg0pVEAoRqHf9r9Busu8J2u5EeQQSpL0Blnrr/eswqhvBiJIkG1p+IPQPhsndWuhDz8umXNG5F0Rpy4tH+sWCmqw5zLsG/3WEGIxsw7JNR+TA==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQIJ0MGXP3/JRCLX1VV7MwnzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0xOTA1MTMwNzIzMzhaFw0yMjA1MTMwNzIzMzhaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ozDPIL5zv/HDt1PKOl1JsOnMB2I+gw3r9VhL0A9OXXh7tPs7ucJgpXrWAK/MNlbfogx6KLiAylQX6SX96eJNM+YwDjBNFORksxOMusHg2kx/SoDGJzgwmL+3hX3Qlhu1cBUJ1ZFMYikE0MKy9qSrle2aSwUX5P79jT1+y7spj9aFnBYJRUxWwSatL7fFL05Gd7G96B9JnbohkDXlei/dQ+Y2yxFEZs8AT+2HEgV50NMFAwdXc2YYBCFK1uS38Pz3wwKbKbORaDeYndGeBzL5B/WQkeX4uSHtCo9T+Z5cBXeQzAGeSQZk5JTyaSbw+taDX9cCBlMeSDzBBlgY9c9lQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC7B/ztHrzAfbvqYaTunDhxbkjX33RxF7/tCpxsFSdUPLkddLSdj2CdbJNWW2FogSt6Dkabl1EvNFnBg2UujoNlyCA+ZwO30AECcnehPojpnB5eP9KKaNaW/eUVbMlA01aj5qHR4p8EuzgPMhDSAmSyMbUmnnw+ia58u/TrpZr11vm5ixPra4Y6vKEZ7hiwZqCaGsY3v/jq6ez828pvMzVepUKnR+ovl/WNKnNfYXzLJp1hIRxNdtaEQ4HTatfvVil/IkMo9Ple6avQXXCaKtqg8aYvJuYd8YtSzNDhDonMH9L+UFrtRcg9K3cPBrOqfqwCMI26HKvwlzbYNcJ5KP9l</X509Certificate></X509Data></KeyInfo></Signature>
05/15/19 16:15:30 (625) Failed to validate signature profile.
05/15/19 16:15:30 (626) Signature did not validate against the credential's key
05/15/19 16:15:30 (626) SAML2ValidationError: Signature did not validate against the credential's key
05/15/19 16:15:30 (627) Could not validate SAMLResponse
05/15/19 16:15:30 (627) request type : request
05/15/19 16:15:30 (628) We will be redirecting user to the URL: /saml_test_conn_completed.do?sysparm_nostack=true&sysparm_test_sso_id=ded57877db55330071897b82399619c4
05/15/19 16:15:30 (628) Unable to authenticate user. Test connection failed.
05/15/19 16:15:30 (773) SSO glide record test_saml_connection_gr is returned
05/15/19 16:15:30 (774) Use the SSOHelper passed in.
05/15/19 16:15:30 (775) Read from column : service_url, value: https://dev80449.service-now.com/navpage.do
05/15/19 16:15:30 (775) Read from column : clock_skew, value: 180
05/15/19 16:15:30 (776) User originally logined with db
05/15/19 16:15:30 (777) User session is using SSO : null
05/15/19 16:15:30 (777) Testing SSO: ded57877db55330071897b82399619c4
05/15/19 16:15:30 (778) StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
05/15/19 16:15:30 (779) Read from column : idp_logout_url, value: null
05/15/19 16:15:30 (781) Does it need logout? false
I have cross-checked the certificate value against what I have downloaded as explained in the instructions, and all is fine.
I have no idea why it is failing.
Can you help? Does anyone have any idea?
regards
Labels: Platform and Cloud Security
05-15-2019 08:25 AM
That is exactly what it means. The field that Azure is using to identify the user contains user@hotmail.com#ext#@user.onmicrosoft.com, so that is what it is expecting to find in ServiceNow. I'm assuming that in your ServiceNow IdP record under the advanced tab you have "email" in the "User Field" field, so that is what would need to match. I don't know the Azure configuration well enough to tell you how to modify it to use something different for the Subject NameID, but you could always create a field in ServiceNow to hold this value, and adjust the "User Field" to point at the newly created field.
If you want to try to adjust the Subject NameID in Azure, here is the Microsoft doc.
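The matching the answer describes, as an added example that is neither the thread's nor ServiceNow's own code: a small service-provider-side lookup that pulls the Subject NameID (or a chosen claim) out of an assertion and compares it exactly against the configured user column. The response, the user table and the column name `sso_name_id` are constructed for the example; the `user_field` / `nameid_attribute` parameters are modelled on the `user_field=email` and `nameid_attribute=` properties visible in the poster's log, but how ServiceNow applies them internally is an assumption here. It shows the three outcomes the answer mentions: the Azure guest NameID `...#EXT#@tenant.onmicrosoft.com` failing an exact match on `email`, matching on the `emailaddress` claim instead, and matching on a dedicated column that stores the full NameID.

```python
"""Added example (not from the thread or ServiceNow): resolve a SAML Subject
NameID to a local user the way a 'User Field' setting does, and show why an
Azure AD guest identifier (local_domain#EXT#@tenant) never equals a plain
email column value."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed, unsigned response shaped like the one in the thread's log.
# Signature, audience and time-window checks are out of scope here; a real
# SP must pass those before it trusts any of these values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">guest_example.com#EXT#@tenant.onmicrosoft.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>guest@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the user table; sso_name_id is a hypothetical
# extra column of the kind the answer suggests creating.
USERS = [
    {"user_name": "guest.user", "email": "guest@example.com", "sso_name_id": ""},
    {"user_name": "alice", "email": "alice@corp.example", "sso_name_id": ""},
]


def parse_assertion(xml_text):
    """Return (NameID text, {claim name: [values]}) from the first Assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def is_azure_guest(name_id):
    """Azure AD rewrites guest (B2B) UPNs as local_domain#EXT#@tenant; flag
    them so an admin sees at once why an email-column match cannot succeed."""
    return "#EXT#@" in name_id.upper()


def resolve_user(users, identifier, user_field):
    """Exact match of the identifier against the configured column; returns
    the user_name or None. Empty column values never match."""
    for u in users:
        if u.get(user_field) and u[user_field] == identifier:
            return u["user_name"]
    return None


def lookup_as_configured(xml_text, users, user_field="email", nameid_attribute=None):
    """Mimic the IdP record: 'User Field' selects the local column, and an
    optional 'NameID attribute' takes a claim value instead of the NameID.
    Returns (identifier used, matched user_name or None)."""
    name_id, attrs = parse_assertion(xml_text)
    identifier = name_id
    if nameid_attribute and attrs.get(nameid_attribute):
        identifier = attrs[nameid_attribute][0]
    return identifier, resolve_user(users, identifier, user_field)


def provision_name_id(users, user_name, name_id):
    """The answer's alternative: store the full guest NameID in a dedicated
    column and point 'User Field' at it. Returns a new list, input untouched."""
    out = [dict(u) for u in users]
    for u in out:
        if u["user_name"] == user_name:
            u["sso_name_id"] = name_id
    return out


if __name__ == "__main__":
    guest = "guest_example.com#EXT#@tenant.onmicrosoft.com"
    # 1) User Field = email, identifier = NameID: the guest form does not match.
    print(lookup_as_configured(SAMPLE_RESPONSE, USERS))
    # 2) Take the emailaddress claim instead of the NameID: matches guest.user.
    print(lookup_as_configured(SAMPLE_RESPONSE, USERS, nameid_attribute=EMAIL_CLAIM))
    # 3) Keep the NameID as-is but match it on a dedicated column.
    fixed = provision_name_id(USERS, "guest.user", guest)
    print(lookup_as_configured(SAMPLE_RESPONSE, fixed, user_field="sso_name_id"))
```

Option 2 relies on the IdP sending a claim whose value equals the local email, so it only works when that claim is actually released; option 3 keeps the identifier the IdP chose and is the more robust mapping when the tenant has many guest accounts.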
05-15-2019 07:25 AM
05-15-2019 08:15 AM
Yes, it is saying that it should be blank, but if I am not providing it, I am not able to validate the test connection and get an error that the logout URL is not provided.
If I test the connection from inside ServiceNow I get the following error:
What does that mean?
The user@hotmail address user is added as a user in the Azure configuration and is also present in ServiceNow.
What is this #ext#@user.onmicrosoft.com?
Does it mean my external user needs to be identified in ServiceNow as:
user@hotmail.com#ext#@user.onmicrosoft.com instead of simply user@hotmail.com?
regards
05-15-2019 11:53 PM
Hello,
Thanks for your info.
This is exactly what I have noticed: the user I was using was a user that I had invited to participate in the authentication but was not part of the real domain name like the other users.
So all external users are handled that way in Azure by MS, so I had to use the whole syntax.
I simply tried with a real user from AD and it works straight away.
Thanks
regards