How to enable seamless SSO login for users when multiple IDPs are activated?

Suggy

We have different sets of users and 3 different identity providers, say X, Y, Z.

User set A - should use 'X' IDP

User set B - should use 'Y' IDP

User set C - should use 'Z' IDP

The moment the respective users from A, B or C hit https://XXXXXX.service-now.com, it should automatically take them to their respective IDPs for authentication.

How can I do it?

Ambuj Tripathi
ServiceNow Employee

Hi @Suggy

This can be achieved by using the company's SSO Source field. In the core_company table there is a field named sso_source, similar to the one on the sys_user table.

If you want to redirect the users belonging to a specific company to a specific IDP, set the sso_source field of that company in the above table to "sso:<sys_id of the IDP>".

List of IDPs (sso_properties) - (screenshot)

List of the companies (core_company) - (screenshot)

List of the users (sys_user) - (screenshot)

https://instance.service-now.com/login.do -> Login with SSO -> Enter the username -> Based on the username, it will identify the company -> based on the user's company, it will identify the SSO Source and IDP and will redirect to that IDP.

(screenshot of the resulting login flow)

There is no need to make any additional changes. The above-mentioned changes are sufficient to achieve the use case of redirection based on the users' company.

Thanks!
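As an added illustration (not part of the reply above and not ServiceNow's own code), the following JavaScript models the lookup chain the reply describes: login name -> sys_user.company -> core_company.sso_source -> sso_properties row. The three arrays are constructed stand-ins for those tables so the script runs anywhere without GlideRecord; on a real instance the same logic would be GlideRecord queries against sys_user, core_company and sso_properties. Two things in it are assumptions, not statements from the reply: that a user-level sso_source takes precedence over the company's, and that an IdP marked inactive should not be used. The "Company D" row deliberately stores the IdP name instead of "sso:<sys_id>" to show how that common mistake is caught.

```javascript
// Added example (not ServiceNow code): models the reply's lookup chain
//   username -> sys_user.company -> core_company.sso_source -> sso_properties row
// with constructed in-memory tables instead of GlideRecord queries.

// Constructed stand-in for sso_properties (Identity Providers).
const SSO_PROPERTIES = [
  { sys_id: "a1b2c3d4e5f60718293a4b5c6d7e8f90", name: "IDP X", active: true },
  { sys_id: "0f1e2d3c4b5a69788796a5b4c3d2e1f0", name: "IDP Y", active: true },
  { sys_id: "f".repeat(32),                    name: "IDP Z", active: false },
];

// Constructed stand-in for core_company. The reply's format is "sso:<sys_id>";
// Company D deliberately holds the IdP *name* to show that mistake being caught.
const CORE_COMPANY = [
  { sys_id: "c0".repeat(16), name: "Company A", sso_source: "sso:a1b2c3d4e5f60718293a4b5c6d7e8f90" },
  { sys_id: "c1".repeat(16), name: "Company B", sso_source: "sso:0f1e2d3c4b5a69788796a5b4c3d2e1f0" },
  { sys_id: "c2".repeat(16), name: "Company C", sso_source: "sso:" + "f".repeat(32) },
  { sys_id: "c3".repeat(16), name: "Company D", sso_source: "IDP X" },
];

// Constructed stand-in for sys_user. "erin" carries a user-level sso_source;
// this example assumes it overrides the company's (assumption, not from the reply).
const SYS_USER = [
  { user_name: "alice", company: "c0".repeat(16), sso_source: "" },
  { user_name: "bob",   company: "c1".repeat(16), sso_source: "" },
  { user_name: "carol", company: "c2".repeat(16), sso_source: "" },
  { user_name: "dave",  company: "c3".repeat(16), sso_source: "" },
  { user_name: "erin",  company: "c0".repeat(16), sso_source: "sso:0f1e2d3c4b5a69788796a5b4c3d2e1f0" },
  { user_name: "frank", company: "",              sso_source: "" },
];

// sys_ids are 32 hex characters; anything else after "sso:" is malformed.
const SSO_SOURCE_RE = /^sso:([0-9a-f]{32})$/i;

// Returns the sys_id inside "sso:<sys_id>", or null if the value is malformed.
function parseSsoSource(value) {
  const m = SSO_SOURCE_RE.exec(String(value || "").trim());
  return m ? m[1].toLowerCase() : null;
}

// Resolves the IdP a given login name should be redirected to.
// Returns { idp, source, reason }; idp is null when no usable IdP is found,
// and reason says why so the caller can log it or fall back (fallback policy
// is deliberately left to the caller; the reply does not describe one).
function resolveIdpForUser(userName) {
  const user = SYS_USER.find((u) => u.user_name === userName);
  if (!user) return { idp: null, source: null, reason: "unknown user" };

  const company = CORE_COMPANY.find((c) => c.sys_id === user.company) || null;
  const candidates = [
    { source: "sys_user.sso_source",     value: user.sso_source },
    { source: "core_company.sso_source", value: company ? company.sso_source : "" },
  ];

  for (const cand of candidates) {
    if (!cand.value) continue;                       // empty: try the next level
    const sysId = parseSsoSource(cand.value);
    if (!sysId) {
      return { idp: null, source: cand.source, reason: "malformed value: " + cand.value };
    }
    const idp = SSO_PROPERTIES.find((p) => p.sys_id.toLowerCase() === sysId);
    if (!idp) {
      return { idp: null, source: cand.source, reason: "no IdP with sys_id " + sysId };
    }
    if (!idp.active) {
      return { idp: null, source: cand.source, reason: "IdP is inactive: " + idp.name };
    }
    return { idp: idp.name, source: cand.source, reason: "ok" };
  }
  return { idp: null, source: null, reason: "no sso_source on user or company" };
}

// Walks every constructed user so the outcome per user can be inspected at once.
function resolveAll() {
  return SYS_USER.map((u) => ({ user: u.user_name, ...resolveIdpForUser(u.user_name) }));
}
```

Running resolveAll() shows alice and bob landing on IDP X and IDP Y via their companies, erin on IDP Y via her own record, and carol, dave and frank returning null with a reason (inactive IdP, malformed sso_source, no mapping at all). The malformed case is the one worth testing on a real instance, because "sso:" followed by the IdP's display name looks right in a list view and silently fails. Note also that in the flow the reply describes, the username typed on the login page is the only input to this chain, so which IdP a name maps to is observable before any authentication happens; that is a property of the flow itself, not of this example.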

Hi @Ambuj Tripathi

We are facing a similar issue regarding the configuration of multiple IDPs in our environment. The solutions provided only allow the definition of IDPs per portal, which is not compatible with our implementation of multiple IDPs.

Currently, we already have the OOTB (Out-Of-The-Box) logic implemented in the backend that recognizes users with previously initiated sessions and retrieves the specific IDP for each user. We need to understand if it is possible to apply this logic in the frontend.

Here are the specific details of our situation:

  • The solution provided by ServiceNow only allows the definition of IDPs per portal.
  • We need an OOTB solution that recognizes previously authenticated users and retrieves the appropriate IDPs.
  • We would like to apply this in the portal login Widget. Currently, if we apply the hardcoded Provider ID in the Widget, it exhibits the expected behavior similar to the backend, but this is not desirable as it would impact users using a different IDP.

We would greatly appreciate it if you could provide guidance on the following questions:

  • How is the user and IDP recognition logic being applied in the backend?
  • Are there alternatives or recommended methods to replicate this logic in the frontend?

Thank you in advance for your collaboration and we look forward to your response with a potential quick workaround or a permanent solution. We would also like to know if this is something that is planned to be implemented in future ServiceNow releases.