OKTA SSO issues

jules2
Kilo Expert

Greetings all

We are evaluating the OKTA and SN solution and decided to try the multi SSO provider option with OKTA ServiceNow UD application, but so far without success.

At this time we don't want to use the SN Share application. I decided to try this on a dev instance first to gain hands-on experience.

When a user logs on to the Okta SN app it redirects correctly to the SN instance, but then I get the logout page as SAML failed to authenticate. I have also cleaned out session cookies to be sure.

I have done a lot of research on the community posts and, following them, nothing obvious stands out.

My errors say the following when I try to do a test connection from the SSO Multi page, so it should work. All URLs are verified correct.

Any help would be greatly appreciated.

Looking in the logs I get these messages:

10/17/17 20:12:25 (451) Read from column : audience, value: https://[instance].service-now.com

10/17/17 20:12:25 (451) Assertion audience mismatch. Expected: https://[instance].service-now.com, Actual: https://[instance].service-now.com/

10/17/17 20:12:25 (452) SAML2ValidationError: AudienceRestriction validation failed. No matching audience found.

10/17/17 20:12:25 (452) Could not validate SAMLResponse

In debug and logs I see the following errors:

ERROR SAML2: SAML2ValidationError: AudienceRestriction validation failed. No matching audience found.: no thrown error

ERROR SAML2: Assertion audience mismatch. Expected: https://devxxxxx.service-now.com, Actual: https://devxxxxx.service-now.com/: no thrown error

INFORMATION Did not find content in CDN for saml2_update1_properties-normal

Attached is a screenshot of the Multi SSO Setup screen.

Regards

Julian Day.

1 ACCEPTED SOLUTION

Erik Stolberg
Tera Guru

It looks like the Audience element in the SAML Response is coming back with a trailing slash, and you don't have that in your audience URL... those URLs must match.


Expected: https://[instance].service-now.com


Actual: https://[instance].service-now.com/



Try updating the sys_property "glide.authenticate.sso.saml2.audience" to include the trailing slash, or change the URL within Okta to not include the trailing slash.
More info: Set the audience URL for SAML



You can look through the script include "SAML2_update1" to see where those errors are being generated and trace the code further if you'd like.


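To make the check Erik describes concrete, here is an added example (not code from this thread or from ServiceNow's SAML2_update1 script include) that pulls the Audience values out of a constructed assertion and compares them with the sys_property value the way the instance does, as an exact string match, and reports when the only difference is the trailing slash. The devxxxxx instance name comes from the logs above; the function names and the sample assertion are mine.

```javascript
// Added example: reproduces the exact-string AudienceRestriction check behind the
// "Assertion audience mismatch" log line, so a trailing-slash problem can be
// spotted before touching the IdP or the instance configuration.

// Constructed sample assertion: the <Audience> as the IdP sent it, with a trailing slash.
const SAMPLE_ASSERTION = `
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://devxxxxx.service-now.com/</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>`;

// Pull every <Audience> text node out of the assertion. A regex is enough for a
// diagnostic over a known IdP's output; the instance's real validator parses the XML.
function extractAudiences(assertionXml) {
  const re = /<(?:[\w-]+:)?Audience\b[^>]*>([^<]*)<\/(?:[\w-]+:)?Audience>/g;
  const found = [];
  let m;
  while ((m = re.exec(assertionXml)) !== null) found.push(m[1].trim());
  return found;
}

// Exact match, as SAML requires: no normalisation of scheme, case or slashes.
// `expected` is the value of the sys_property glide.authenticate.sso.saml2.audience.
function checkAudience(assertionXml, expected) {
  const audiences = extractAudiences(assertionXml);
  const ok = audiences.includes(expected);
  const stripSlash = (s) => s.replace(/\/+$/, '');
  const hint = !ok && audiences.some((a) => stripSlash(a) === stripSlash(expected))
    ? 'differs only by a trailing slash: align the Okta Audience URI and the sys_property'
    : undefined;
  return { ok, expected, actual: audiences, hint };
}

// Usage: the mismatch from the thread (property without slash, assertion with slash).
console.log(JSON.stringify(checkAudience(SAMPLE_ASSERTION, 'https://devxxxxx.service-now.com'), null, 2));
```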

2 REPLIES

In Okta one of the lines had a trailing / at the end of the application URL. The actual SN config was working as intended. Removed the / and all works fine now.