
09-18-2019 06:26 AM
I have configured SSO for Azure AD and I'm trying to test the connection. Despite Azure AD accepting the account details, it redirects back, asks which account to sign out of and then asks me to close the window. Clicking Activate still says I need to test the connection.
If I force the record to be active (I know, not good), then the SSO will redirect to Azure AD and accept the login; however, it then redirects back to ServiceNow, quickly displays an error message saying something like "User: MGC7lEk/7CdtrW+Ri4rGnoN8FFSQPPmFI0zb8sKHTxk= not found" and then displays the 'you have logged out' page.
The log shows that every step was successful up until that error. The claim in AD is on UPN, which matches a custom field on the sys_user record. I've added the 'sso: sys_id' to the SSO source field.
Anything else I need to try?
Labels: Platform and Cloud Security

09-18-2019 06:57 AM
Thanks for the reply, Scott. I've ended up changing the NameID attribute to use a different claim in the SAML response. The NameID value in the SAML response was a random string. Looks like it's working now.
09-18-2019 06:51 AM
Please be certain to check these things on the ServiceNow side:
- Multiple Provider SSO Properties: typically all 3 checkboxes should be checked and the final field should be "user_name"; if that does not work, put the name of the custom field where you have mapped UPN from Azure (why not just use OOTB and map UPN to user_name in the first place?)
- IDP details (default view): IDP SingleLogoutRequest should normally be blank
- IDP details (default view): NameID Policy should most often be "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
- IDP details (default view): on the advanced tab, make sure the first field (User Field) also has the value "user_name"
Additional helpful links:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-tutorial

01-20-2021 12:08 PM
Hi Aidan, can you please elaborate on what you did here?

01-21-2021 06:40 AM
In my case, the solution was to change the NameID value in the Identity Provider record. I was receiving the following from AD:
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
I'm not an SSO expert, but I believe the transient part meant I was receiving a seemingly random value each time.
Changing it to the following...
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
...worked for me. Obviously the AD side needs to be configured to send the email address.
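The failure mode the thread describes, as an added example that is not part of the original posts and is not ServiceNow's code: a minimal SAML 2.0 Response is built inline, the Subject NameID and its Format are read back out, and the NameID is matched against a chosen user field the way a service provider's "User Field" setting does. A transient NameID is an opaque, per-session handle, so it can never equal a stored user_name or email value, which is why the random-looking string in the error is never found. The sample user records, the custom field name u_upn and the UPN claim name are constructed for this example; the error text only mimics the message quoted in the thread. The example also covers the case Scott raised, matching an unspecified-format NameID against a custom UPN field instead of user_name.

```python
"""Constructed model of SP-side NameID matching (not ServiceNow code)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID formats quoted in the thread
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for sys_user records; u_upn is a hypothetical custom field
USERS = [
    {"user_name": "aidan@example.com", "email": "aidan@example.com", "u_upn": "aidan@corp.example.com"},
    {"user_name": "scott@example.com", "email": "scott@example.com", "u_upn": "scott@corp.example.com"},
]


def make_response(name_id, name_id_format, attributes):
    """Build a minimal, unsigned SAML Response carrying the given Subject NameID and attributes."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(name)}">'
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue>"
        "</saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_resp1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{escape(name_id_format)}">{escape(name_id)}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def extract_subject(xml_text):
    """Return (name_id, name_id_format, {attribute_name: [values]}) from a SAML Response."""
    root = ET.fromstring(xml_text)
    nid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nid is None or not nid.text:
        raise ValueError("Response carries no Subject/NameID")
    fmt = nid.get("Format", UNSPECIFIED)  # Format is optional; the SAML default is unspecified
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return nid.text, fmt, attrs


def resolve_user(xml_text, user_field="user_name", users=USERS):
    """Match the Subject NameID against `user_field` on each user record.

    Returns (user_record_or_None, message). A transient NameID is an opaque
    per-session handle, so it is rejected up front: it would never equal a
    stored value no matter which user field is configured.
    """
    name_id, fmt, _attrs = extract_subject(xml_text)
    if fmt == TRANSIENT:
        return None, f"User: {name_id} not found (NameID format is transient; value changes per session)"
    for user in users:
        if user.get(user_field) == name_id:
            return user, "ok"
    return None, f"User: {name_id} not found (no {user_field} equals the NameID)"


# Constructed responses: the failing case (transient, random-looking NameID), the
# working case after the IdP sends the email address as NameID, and a UPN sent
# with the unspecified format that only matches a custom field.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"  # claim name assumed for the example
TRANSIENT_RESPONSE = make_response(
    "MGC7lEk/7CdtrW+Ri4rGnoN8FFSQPPmFI0zb8sKHTxk=",  # opaque value as quoted in the thread
    TRANSIENT,
    {UPN_CLAIM: "aidan@corp.example.com"},
)
EMAIL_RESPONSE = make_response("aidan@example.com", EMAIL, {})
UPN_RESPONSE = make_response("aidan@corp.example.com", UNSPECIFIED, {UPN_CLAIM: "aidan@corp.example.com"})

if __name__ == "__main__":
    cases = [
        ("transient NameID, user_name", TRANSIENT_RESPONSE, "user_name"),
        ("emailAddress NameID, user_name", EMAIL_RESPONSE, "user_name"),
        ("unspecified NameID (UPN), user_name", UPN_RESPONSE, "user_name"),
        ("unspecified NameID (UPN), u_upn", UPN_RESPONSE, "u_upn"),
    ]
    for label, resp, field in cases:
        user, msg = resolve_user(resp, user_field=field)
        print(f"{label}: {user['user_name'] if user else None} -> {msg}")
```

Running the block shows the first case rejected with a "not found" message carrying the opaque handle, the email case resolving to a user, and the UPN case resolving only once the lookup field is switched from user_name to the custom field, which is the same choice Scott's "User Field" advice is about.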