SPEntryPage script include question

01-05-2022 07:44 AM
Fellow community members,
I have a customer that has an interesting scenario we have been trying to solve with new users being added into ServiceNow. There are three types of users this instance will have: an employee, a customer and a consumer. The employees have their own unique SSO, and their accounts are all loaded into SN via LDAP jobs, so no issue there.

Where it gets tricky is with the customers and consumers. Both use the same SSO client, and the accounts need to be auto-provisioned when the user first attempts to log in to the instance. The auto provisioning is working well, but unfortunately the SSO provider cannot tell us what type of user is logging in (customer or consumer). A REST API call has to be placed after authentication to another system to figure out if this user is a customer or consumer, and after that REST API call, we set the roles for the user to be consumer or customer and also set the class of the user to the proper one. This is being done in a business rule after the auto provisioning has completed.

For the end user, there is 5-10 seconds of being in a state with no roles, so where do we redirect this user to after they authenticate? What I have done so far is configure the SPEntryPage script include to take the user to a temporary portal page that says, we are setting up your account, please wait for a few moments until you are redirected. A timeout widget is on this portal page, and after 8 seconds, the user is logged out of ServiceNow, and the original page they were on has been reloaded. Now they can navigate around the portal page they are on, and access catalog items, etc.

This is working well, but here is the caveat we have not solved: let's say the user went to xyz.servicenow.com/csm and after clicking on a catalog item or the log in link, they get prompted for SSO, and they authenticate. If it is the first time they have authenticated, they should go to the temporary landing page I created.
Since this user came from xyz.servicenow.com/csm (customer portal), I need to send them to a specific branded page. If the user came from xyz.servicenow.com/csp (consumer portal) I need to send them to a differently branded temporary landing page. That is where I am stuck...how can I configure the SPEntryPage script to figure out where the end user came from? This is a view of the script and how it is configured right now based on roles and directing to the proper portals:
SPEntryPage.prototype = {
    initialize: function() {
        this.logVariables = false; // for debugging
        // Setting csm or csp portal based on your roles
        // This is where we need to figure out what URL the end user came from.
        // Was it /csm or was it /csp? The else at the end would need to direct
        // the user to a csm or csp first login page b/c the verbiage will be different.
        var usr = gs.getUser();
        var csm = usr.hasRole("sn_customerservice.customer");
        var csp = usr.hasRole("sn_customerservice.consumer");
        var emp = usr.hasRole('snc_internal');
        if (csm || usr.hasRole('snc_external')) {
            this.portal = "/csm";
        } else if (csp) {
            this.portal = "/csp";
        } else if (emp) {
            this.portal = "/sp/"; // The URL suffix specified in the sp_portal record
        } else {
            this.portal = "csm?id=first_login_csm"; // custom page for new users with no roles yet
            // the other first login page is csp?id=first_login_csp
        }
    },
Does anyone have any thoughts on the script or doing something better/more efficient than what I have configured?
Thank you!
Mike

01-05-2022 09:50 AM
Ideally the SSO redirect itself takes care of the redirection to the requested page, as it is stored on the pageURI itself.
For example, when I hit the URL below:
URL hit: https://community.servicenow.com/community?id=community_question&sys_id=667458b2db300d10ae81250913961915&anchor=answer_6d5c9c36dbb0c910019ac2230596194d
and if I am not logged in to SSO, then I will be redirected to the SSO URL below, which already has the redirect URL in it.
SSO URL:
https://signon.service-now.com/ssologin.do?RelayState=%252Fapp%252Fservicenowexternalprod_communityhi_1%252Fexkipkc9nmwXN8v0v0x7%252Fsso%252Fsaml%253FRelayState%253D%25252Fcommunity%25253Fid%25253Dcommunity_question%252526sys_id%25253D667458b2db300d10ae81250913961915%252526anchor%25253Danswer_6d5c9c36dbb0c910019ac2230596194d%252526anchor%25253Danswer_6d5c9c36dbb0c910019ac2230596194d%252526feedbacktype%25253DanswerEditor1&redirectUri=&email=
So if you can track this URL somehow, you should be able to redirect it back. I would suggest checking in the entry page script, by adding logs, what the current URL is and whether you are able to get any redirect URL.
Regards
Vinayak
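
Added example (not part of the post above and not ServiceNow's own code): one way to recover the originating portal from a nested, repeatedly percent-encoded RelayState like the one quoted above, mapping it to the thread's first-login pages through an allow-list so the redirect target never comes from the URL itself. It is plain JavaScript; how the starting URL reaches SPEntryPage is not shown, and the function names, the `sso.example.com` sample and the layer limit are assumptions.

```javascript
// Allow-list: portal URL suffix -> first-login page (page ids from the thread).
const FIRST_LOGIN_PAGES = {
  csm: "csm?id=first_login_csm",
  csp: "csp?id=first_login_csp",
};
const DEFAULT_PAGE = FIRST_LOGIN_PAGES.csm; // same fallback as the posted script
const MAX_LAYERS = 5; // assumed bound on RelayState nesting and re-encoding
// Constructed sample, shaped like the SSO URL quoted in the thread.
const SAMPLE_SSO_URL = "https://sso.example.com/ssologin.do?RelayState=" +
  "%252Fapp%252Fsn%252Fsso%252Fsaml%253FRelayState%253D" +
  "%25252Fcsp%25253Fid%25253Dsc_home&redirectUri=&email=";

// Undo extra percent-encoding layers until the value looks like a path or URL.
function peel(value) {
  for (let i = 0; i < MAX_LAYERS && !/^(\/|https?:\/\/)/i.test(value); i++) {
    let next;
    try {
      next = decodeURIComponent(value);
    } catch (e) {
      return null; // malformed escape sequence
    }
    if (next === value) break;
    value = next;
  }
  return value;
}

// Follow nested RelayState parameters to the innermost URL and return its
// portal suffix, or null when that suffix is not on the allow-list.
function originPortal(startUrl) {
  let current = startUrl;
  for (let depth = 0; depth < MAX_LAYERS && current !== null; depth++) {
    let url;
    try {
      // The base only lets relative values parse; no host is ever trusted.
      url = new URL(current, "https://placeholder.invalid");
    } catch (e) {
      return null;
    }
    const relay = url.searchParams.get("RelayState");
    if (relay !== null) { current = peel(relay); continue; }
    const suffix = url.pathname.split("/")[1] || "";
    const known = Object.prototype.hasOwnProperty.call(FIRST_LOGIN_PAGES, suffix);
    return known ? suffix : null;
  }
  return null;
}

// The redirect target always comes from the allow-list, never from the input.
function firstLoginPage(startUrl) {
  const portal = originPortal(startUrl);
  return portal === null ? DEFAULT_PAGE : FIRST_LOGIN_PAGES[portal];
}
```

Any value that does not resolve to `csm` or `csp`, including malformed encodings and URLs pointing at other hosts, falls back to the default first-login page.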

01-05-2022 10:02 AM
Hi Vinayak - Thanks for the reply!
Yes...how can I find the RelayState in the URL so I can redirect the new user to the proper temporary page?
Thanks,
Mike

01-05-2022 10:10 AM
Hi,
Just to state this, it's unfortunate that no one can assist with adjusting the SAML response (for example) with an additional attribute, which would be defined on their end (from AD or whatever), to help in the provisioning so that this is all done up front.
I would recommend circling back on this and double-checking that they aren't able to either pass this in an attribute in the response to your instance or better yet...tighten the user provisioning to be far earlier than when the user is first trying to log in. So the SSO would push it to ServiceNow earlier in this entire process.
Otherwise, you can use the SPEntryScript to look at some sort of specific field on the user profile (such as "Unresolved" == true, as an example) and if that field is true and they have an external role, then route them to 'x'.
Then once your REST call returns with all the information, set the "Unresolved" field to false. So it doesn't do that the next time for the user.
Please mark reply as Helpful, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

01-05-2022 12:29 PM
Hi,
Thanks for marking my reply above as Helpful.
If it also ends up guiding you Correctly, please also mark it as Correct.
If you need any further assistance and want to update us on the progress, feel free to let us know.
Thanks and take care! 🙂