Multi Provider SSO AutoProvisioning not working

Mark Blackburn
Kilo Contributor

Hi,

I have Multi Provider SSO working with Active Directory Federation Services for authentication. If a ServiceNow user account already exists with a matching email address then logon works fine.

I now want to enable Auto Provisioning of users, but that is not working. 'Enable Auto Importing of users from all identity providers into the user table' is enabled. After the first attempted logon I went through the field mapping exercise and mapped the auto-created SAML fields to the correct sys_user fields, so it all appears to be mapped correctly:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress maps to email

Sso Source maps to SSO Source

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn maps to User ID

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname maps to First name

but when a new user attempts to log in, they see an error that 'user <emailaddress> not found' and then are logged out.

I can see the record being created in the 'Imp Saml User 16o2m2twvi' table, but obviously something isn't copying that across to the sys_user table.

I've attached the syslog for a failed login.

Any ideas?

Thanks,

Mark.

1 ACCEPTED SOLUTION

Community Alums
Not applicable

This seems pretty important.

Can you check the auto provision transform map and make sure you have a coalesce selected (usually email or username)?

2 REPLIES

Mark Blackburn
Kilo Contributor

Yep - that did it. Pity none of the documentation mentions it!!

Thanks.

Mark.