
10-19-2017 02:44 PM
Greetings all,
We are evaluating the OKTA and SN solution and decided to try the multi SSO provider option with the OKTA ServiceNow UD application, but so far without success.
At this time we don't want to use the SN Share application. I decided to try this on a dev instance first to gain hands-on experience.
When a user logs on to the Okta SN app it redirects correctly to the SN instance, but then I get the logout page as SAML failed to authenticate. I have also cleaned out session cookies to be sure.
I have done a lot of research on the community posts and followed them, and nothing obvious stands out.
My errors say the following when I try to do a test connection from the SSO Multi page, so it should work. All URLs are verified correct.
Any help would be greatly appreciated.
Looking in the logs I get these messages:
10/17/17 20:12:25 (451) Read from column : audience, value: https://[instance].service-now.com
10/17/17 20:12:25 (451) Assertion audience mismatch. Expected: https://[instance].service-now.com, Actual: https://[instance].service-now.com/
10/17/17 20:12:25 (452) SAML2ValidationError: AudienceRestriction validation failed. No matching audience found.
10/17/17 20:12:25 (452) Could not validate SAMLResponse
In debug and logs I see the following errors:
ERROR SAML2: SAML2ValidationError: AudienceRestriction validation failed. No matching audience found.: no thrown error
ERROR SAML2: Assertion audience mismatch. Expected: https://devxxxxx.service-now.com, Actual: https://devxxxxx.service-now.com/: no thrown error
INFORMATION Did not find content in CDN for saml2_update1_properties-normal
Attached is screenshot of Multi SSO Setup screen.
Regards
Julian Day.

10-19-2017 03:16 PM
It looks like the Audience element in the SAML Response is coming back with a trailing slash, and you don't have that in your audience URL... those URLs must match.
Expected: https://[instance].service-now.com
Actual: https://[instance].service-now.com/
Try updating the sys_property "glide.authenticate.sso.saml2.audience" to include the trailing slash, or change the URL within Okta to not include the trailing slash.
More info: Set the audience URL for SAML
You can look through the script include "SAML2_update1" to see where those errors are being generated and trace the code further if you'd like.
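The exact-match audience check that the log lines above describe, as an added example written here (it is not ServiceNow's SAML2_update1 code nor Okta's); the assertion XML and the devxxxxx instance name are constructed samples, and the property and function names are assumptions:

```python
"""Illustrates why a trailing slash in the SAML Audience fails validation.
Added example, not ServiceNow code; the assertion below is constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: Okta sends the audience with a trailing slash.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://devxxxxx.service-now.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Value the SP expects, i.e. what glide.authenticate.sso.saml2.audience holds (assumed).
EXPECTED_AUDIENCE = "https://devxxxxx.service-now.com"


def audiences(assertion_xml):
    """Return every Audience value listed under AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    nodes = root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
    return [n.text.strip() for n in nodes if n.text]


def validate_audience(assertion_xml, expected):
    """Exact string comparison, as the SP log shows: 'host' and 'host/' differ.
    Returns (ok, message) in the same shape as the messages quoted in the post."""
    actual = audiences(assertion_xml)
    if not actual:
        return False, "AudienceRestriction validation failed. No matching audience found."
    if expected in actual:
        return True, "audience ok"
    return False, f"Assertion audience mismatch. Expected: {expected}, Actual: {actual[0]}"


if __name__ == "__main__":
    # Mismatch as in the question, then the two fixes the answer suggests.
    print(validate_audience(ASSERTION_XML, EXPECTED_AUDIENCE))
    print(validate_audience(ASSERTION_XML, EXPECTED_AUDIENCE + "/"))
    fixed_idp = ASSERTION_XML.replace("service-now.com/<", "service-now.com<")
    print(validate_audience(fixed_idp, EXPECTED_AUDIENCE))
```

Either side can be corrected, but only one should be; aligning both to the same literal string is what makes the check pass, and the strictness is deliberate, since the audience is what binds the assertion to this specific SP.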


10-22-2017 03:54 AM
In Okta one of the lines had a trailing / at the end on the application url. The actual SN config was working as intended. Removed the / and all works fine now.