Multi-Provider single sign-on (SSO)

  • Release version: Zurich
  • Updated July 31, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Multi-Provider Single Sign-On (SSO) - Zurich Release

    Multi-Provider Single Sign-On (SSO) in ServiceNow enables organizations to streamline user authentication by allowing multiple external Identity Providers (IdPs) to manage login credentials alongside local database authentication. This method allows users to access multiple applications with a single login, improving security and user convenience. ServiceNow acts as a Service Provider, redirecting users to IdPs for credential validation before granting access.


    Key Features

    • Support for Multiple IdPs: Configure and list up to 10 SAML 2.0 or OpenID Connect (OIDC) IdPs on the login page, enabling users to select their preferred authentication provider.
    • Local and External Authentication: Combine external SSO with local database authentication to suit diverse organizational roles and requirements.
    • Plugin Activation: Requires installation of the Integration - Multiple Provider Single Sign-On Installer plugin (com.snc.integration.sso.multi.installer) to enable and customize SSO properties, tables, and scripts.
    • Flexible SSO Methods: Supports SAML 2.0, OpenID Connect, and token-based Digest Authentication for versatile authentication strategies.
    • Enhanced User Experience: Both platform and portal login pages now display SAML and OIDC IdPs for easier user selection.
    • Auto-Provisioning Group Selection: Assign users automatically to specific groups during SSO provisioning for better access control.
    • OIDC Configuration Simplification: Allows multiple OIDC records to be configured using the same well-known URL, streamlining setup.
    • Improved Logout Handling and Error Messaging: Enhanced external logout pages display login failure reasons and provide options to log in again; generic error messages ensure security during unsuccessful Single Logout (SLO) attempts.
    • Proactive Security Notifications: Admins receive alerts for expiring SAML certificates and encryption keystores to maintain secure SSO configurations.

    Practical Application for ServiceNow Customers

    By implementing Multi-Provider SSO, organizations can accommodate diverse user groups—such as employees, vendors, and administrators—each potentially requiring different authentication methods. This flexibility supports complex enterprise environments where multiple SSO providers or authentication protocols are needed simultaneously. Customers should proceed by activating the necessary plugin, configuring their IdPs, and customizing SSO properties to fit their specific organizational requirements.

    Important Considerations

    • A maximum of 10 IdPs can be displayed on the login page.
    • If the Domain Support - Domain Extensions Installer plugin (com.glide.domain.msp_extensions.installer) is enabled, IdP options will not be visible on the login page.

    External SSO allows organizations to use several SSO identity providers (IdPs) to manage authentication as well as retain local database (basic) authentication.

    Multi-Provider Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials.

    To use SSO, you must understand the following:

    • Service Providers: Users who try to access the ServiceNow instance are redirected to an Identity Provider (IdP) to validate their credentials. After successful validation, users are allowed to access the instance. Here, ServiceNow acts as a service provider and relies on the IdP for handling user authentication and granting access to the instance.
    • Identity Providers: IdPs are external systems that validate a user's identity and credentials to access a system.

    To establish SSO access to ServiceNow, you must activate Multi-Provider single sign-on (SSO) by installing the Integration - Multiple Provider Single Sign-On Installer (com.snc.integration.sso.multi.installer) plugin. For more information, see Activate Multi-Provider SSO plugin.

    After successful installation of the plugin, you can customize the SSO properties and access the tables and scripts that are shipped with the plugin. For more information, see Multi-Provider SSO properties, tables, and scripts.

    ServiceNow supports the following SSO methods:

    Choose the SSO method based on your requirement and learn more about how you need to prepare for configuring SSO. You must perform several steps to set up Multi-Provider SSO, including configuring properties, creating identity providers (IdPs), and configuring users to use SSO. For more information, see Multi-Provider SSO configurations.

    After a successful configuration, the active IdPs in the instance are listed on the ServiceNow login page. You can list various SAML or OIDC Identity Providers (IdPs).

    Note:
    A maximum of 10 IdPs can be listed on the login page. The IdP options won't be visible if the instance has the Domain Support - Domain Extensions Installer (com.glide.domain.msp_extensions.installer) plugin installed and enabled.

    The Zurich release of ServiceNow includes the following enhancements to SSO:
    • List SAML IdPs on login page: Log in using SAML and OIDC IdPs that are listed on both the platform and portal login pages, making it easier for users to select their preferred IdP. Earlier, only OIDC IdPs were listed.
    • Select group for Auto-Provisioning: Select specific groups during the auto-provisioning configuration for SAML and OIDC, ensuring users are assigned to the correct groups automatically.
    • Configure multiple OIDC records using the same well-known URL: Simplify OIDC setup by allowing the creation of OIDC records using the same well-known URL, streamlining the configuration process.
    • Enhanced External logout complete page: The login failure reason is displayed to the user. After a successful logout, the external logout complete page provides an option to log in to ServiceNow again.
    • Enhanced error message: A generic error message is displayed when Single Logout (SLO) is unsuccessful, ensuring consistent and secure communication.
    • Notification enhancements for SAML Certificate and Encryption Keystore: Admins receive timely notifications about SAML certificate and Encryption Keystore expiry, ensuring that your SSO configurations remain secure and up to date.

    Why organizations need SSO

    A globally dispersed corporation might require one SSO provider for their employees, a different one for their vendors, and local database authentication for their administrators. Alternatively, a company might implement SAML 2.0 and a digest token authentication solution on the same instance.