Redirect single sign-on (SSO) logins

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Redirect Single Sign-On (SSO) Logins

    With SSO enabled in ServiceNow, you can redirect users to specific pages instead of the default login page, enhancing user experience during logins and logouts. This functionality allows for a seamless transition to internal portals or informational pages after login events.

    Show full answer Show less

    Key Features

    • Custom Redirects: Redirect users to specific URLs based on login attempts or logouts using configurable properties.
    • Redirection Properties:
      • glide.authenticate.honor.ssorecord.failedrequirementredirect: URL for redirecting users when they fail to provide SSO credentials.
      • glide.authenticate.failedredirect: URL for redirecting users after a failed SSO authentication attempt.
      • glide.authenticate.external.logoutredirect: URL for redirecting users after they log out.
      • glide.authentication.external.disablelocallogin: When set to true, this property enforces SSO-only logins by restricting local login access.

    Key Outcomes

    By effectively utilizing SSO redirection properties, you can improve user security and streamline the login process. Additionally, assigning random passwords upon user import can further restrict local logins, ensuring that users authenticate solely through your SSO system. This enhances security and compliance with organizational policies.

    When SSO is enabled, you can redirect users to specific pages or direct users to login locally.

    For example, if a user attempts to go to https://customerX.service-now.com, an internal company portal can display instead of the default login page. Or, when a user logs out of an application, the browser can redirect them to a specific internal page. You can set redirection properties within the instance to ensure that users see an SSO login page rather than the default login page.
    Note:
    The following properties do not force SSO. The login.do page is still accessible and users can login to the system if they have a local password set.

    Redirection properties

    When a user logs out, or if there is a failed attempt to sign on using SSO, you can define where the user is taken next, such as a main portal page or a knowledge base article with SSO login information. Use the following properties to specify the URLs. If one of these properties does not exist in your instance, you can create the property.
    glide.authenticate.honor.sso_record.failed_requirement_redirect
    URL to redirect users when they attempt to access a page that is private (for example, to view an incident) and do not provide SSO credentials. The property is typically set to a customer's login portal (for example, http://portal.companya.com/).
    glide.authenticate.failed_redirect
    URL to redirect users after a failed SSO attempt. You can redirect to a public knowledge article that describes the error and has helpful links (for example, http://portal.companya.com/error).
    glide.authenticate.external.logout_redirect
    URL to redirect users after logging out, typically back to the portal that enabled the single sign-on log in (for example, http://portal.companya.com/logout).
    glide.authentication.external.disable_local_login
    When set to true, requires SSO credentials for the main login page. Defaults to false. This property needs to be used in conjunction with the glide.authenticate.honor.sso_record.failed_requirement_redirect property.
    The following table shows the relationship between the Installation Exit return values, the properties, and the expected behavior.
    Table 1. Forcing login using SSO only
    Return value Property Behavior
    failed_missing_requirement glide.authenticate.honor.sso_record.failed_requirement_redirect When this value is returned, it indicates that the required SSO credentials are not present in the session. Login fails and the session is redirected to the URL specified by the property. This is usually the URL for the SSO provider where login is challenged and credentials are collected.
    failed_authentication glide.authenticate.failed_redirect When this value is returned, it indicates that the supplied SSO credentials failed authentication, the user does not exist, or the user is locked out. Login fails and the session is redirected to the URL specified by the property. This is usually the URL for the SSO provider where login is challenged and credentials are collected.
    <user_id> N/A Login authorized for the user specified by <user_id>. This value matches with the field name defined in the SSO property glide.authenticate.header.value ("the instance's field name to match against the incoming header")

    Restricting local login

    As a security precaution, you should do more than rely on redirection properties to prohibit logging in locally. If a user should never log in locally and will always be authenticated by your internal single sign-on system, then a random password should be assigned to each user that is imported into the instance. The random password is most easily set at the time of the user import. If the user data is imported into your system through an import set, you can create an onBefore transform script using the following code .
    var r  = new Packages. java. util. Random ( ) ;

 var str1  = Packages. java. lang. Long. toString (Packages. java. lang.
 Math. abs (r. nextLong ( ) ) , 36 ) ; var str2  = Packages. java. lang.
 Long. toString (Packages. java. lang. Math. abs (r. nextLong ( ) ) , 36
 ) ;

 var newPass  = str1  + str2 ;

target. user_password = newPass ;

 //password now set to a random string like this:
 //qvm81zdrn7cwwylpvw94eebk