Error creating SSO with Azure

erico
Kilo Contributor

I'm trying to create an Identity Provider that authenticates to Azure.  I've gotten most of the way there, but I'm stuck with the attached error screen and message.

Ensure that the user you are trying the test connection with is present in the system.
Ensure that 'User Field' property value corresponds to the value set in the IDP returned through 'Subject NameID' in the response.

From reading some other posts, I've been able to surmise that my SAML query isn't matching the expected authentication field for some reason.  So if I'm looking for user_name from ServiceNow, I'm not getting user_name out of Azure or vice versa.

I've created the user in Azure and I've created the user in ServiceNow.  So the user exists in both systems.

I'm really not sure what I'm supposed to do from here.  I've attached my SSO configuration screen as well.

Any help is greatly appreciated!

Eric

 

1 ACCEPTED SOLUTION

joel_ruiz1
Tera Expert

Erico,

Try changing the NameID Policy to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" and the User Field to "email". Let me know if that works.

-Joel R.

View solution in original post

9 REPLIES 9

joel_ruiz1
Tera Expert

So off the bat I see the IDP is not active, there is a link at the bottom of the form I believe to make it active. Also you have to make sure you associate the IDP to the User record by putting "SSO:<sys_id of IDP> in the SSO Source of the user record.

 

Hope this helps!

 

-Joel R.

joel_ruiz1
Tera Expert

Erico,

Try changing the NameID Policy to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" and the User Field to "email". Let me know if that works.

-Joel R.

I wanted to add this fixed an issue we had after we renamed an instance.  We renamed our sandbox and SSO broke.  We only changed the URL in our Azure urls in box Azure and ServiceNow instance and it would not work. Our Azure server guy found this post and suggested we changed our NameID Policy from "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" to your suggestion and it fixed our issue.  What is weird is all of our other instances are still using "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" just fine!

Thank you!

You are welcome, glad I could be of assistance!