ServiceNow session timeout not triggering expected UI warning or message when SAML enabled
The base system uses a default Apache session timeout of 30 minutes. After 30 minutes of inactivity in the application, the platform logs the user out automatically, unless the Remember Me option in the login screen is selected. When a session expires, the user receives the following UI warning:
The default ServiceNow Apache session timeout can be overridden by doing either of the following:
- adding the glide.ui.session_timeout system property (for more information, see Modifying Session Timeout)
- Installation Exit customizations for SAML instances (for more information, see Login Modifications in Installation Exits)
After customizing the ServiceNow session timeout on a SAML-enabled instance, users do not receive any type of warning. The screen does not respond and there is no change in the UI. In some cases, users receive a blank white page in the main content frame or a browser error about not being able to display the content for that frame.
Following is the timeout scenario that occurs when ServiceNow is configured with SAML:
- Session timeout terminates the user session on the instance; it does not affect the IdP.
- Instance attempts to re-establish the session by making a SAMLRequest to the IdP.
- If the user session is not terminated at the IdP, it redirects back to the instance without showing a username/password prompt.
- If the user session is terminated at the IdP, it displays the IdP's login screen.
For the above timeout scenario, setting the IdP timeout property to a value that is slightly less than the ServiceNow timeout allows users to see the IdP's login screen.
In order to see the login page of the IdP when the SN session expires, configure the IdP session to expire *before* the SN session does.
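The timeout scenario above can be modelled to check a pair of timeout values before deploying them. The following is an added example, not ServiceNow code; the class and function names are hypothetical, and it assumes the IdP session age is counted from the last login at the IdP and is not refreshed by activity inside ServiceNow.

```python
from dataclasses import dataclass

@dataclass
class TimeoutConfig:
    sn_timeout_min: int   # ServiceNow inactivity timeout (glide.ui.session_timeout), in minutes
    idp_timeout_min: int  # IdP session timeout in minutes (assumed: counted from last IdP login)

def outcome_on_return(cfg, idp_login_at, last_activity_at, returns_at):
    """What the user's next request produces. All times are minutes on one clock."""
    if returns_at - last_activity_at < cfg.sn_timeout_min:
        return "session still valid"
    # The ServiceNow session has expired, so the instance sends a SAMLRequest to the IdP.
    if returns_at - idp_login_at >= cfg.idp_timeout_min:
        return "IdP login screen"
    # The IdP session is still alive: the user is redirected back with no prompt.
    return "redirected back without prompt"

def silent_relogin_possible(cfg, horizon_min=120):
    """Search every (last activity, return) pair for a case with no login prompt.

    The IdP login happens at minute 0; activity in ServiceNow can only come later.
    """
    for last_activity in range(horizon_min + 1):
        for returns_at in range(last_activity, horizon_min + 1):
            result = outcome_on_return(cfg, 0, last_activity, returns_at)
            if result == "redirected back without prompt":
                return True
    return False

if __name__ == "__main__":
    # Constructed sample values: a 30-minute ServiceNow timeout against two IdP settings.
    for cfg in (TimeoutConfig(30, 28), TimeoutConfig(30, 480)):
        verdict = "possible" if silent_relogin_possible(cfg) else "not possible"
        print(f"SN={cfg.sn_timeout_min} IdP={cfg.idp_timeout_min}: silent re-login {verdict}")
```

Under the stated assumption, any IdP timeout below the ServiceNow timeout makes every expiry end at the IdP's login screen, because the IdP session is always at least as old as the idle period that expired the ServiceNow session.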