OKTA application does not support consumer.do required by the E-signature plugin

Problem
E-signature Approval/Reject requests do not work as expected when OKTA is configured as an Identity Provider on the instance.


Symptoms


Okta provides a ServiceNow app that allows integration by SAML. However, when it is configured on an instance on which the E-signature plugin is installed and users try to approve or reject records, the E-signature dialog appears and the user is redirected to OKTA, but there is no prompt to log in to OKTA. Additionally, the instance loads with the e-signature dialog still open.


Cause

After discussion with OKTA Support, we determined that the current ServiceNow app in OKTA does not support the /consumer.do endpoint required by the e-signature architecture. OKTA is currently working to resolve this issue.


Workaround (until a new OKTA application is available that supports e-signature)

In OKTA, to configure it for the first time:
  1. Log in to your respective OKTA tenant as admin.
  2. Navigate to Applications and locate the Create new App button.
    If the Create a New Application Integration dialog does not appear, create an OKTA support ticket noting that you need access.
  3. Select SAML 2.0.
  4. Click Create.
  5. Enter the App name.
    You do not need to change the other fields.
  6. Click Next.
  7. Refer to attached screenshot named okta_doc_newapp.tiff for the OKTA configuration.
    The SAML Issuer ID can be the default value (http://www.okta.com/${org.externalKey}) or you can change it to something similar to https://companyname.okta.com/esig.
  8. Click Next.
  9. Select the following:
    • I'm an Okta customer adding an internal app
    • This is an internal app that we have created
  10. Click Finish.
  11. Click the Sign On tab if you are not already viewing that page.
  12. Click the Identity Provider metadata link to download the associated metadata.
    (You need this XML string to create the new Identity Provider record on the instance in the Instance configuration procedure below.)
  13. Click the People or Group tab to assign this app to users.

In your Instance, configure your Multi SSO Identity provider:

Note: This requires that the MultiSSO plugin has been activated on the instance.

  1. In the Application Navigator, enter Identity Providers into the Filter navigator text box.
  2. Click Identity Providers to open the list view.
  3. Click New.
  4. Click SAML2 Update1.
  5. In the Import Identity Provider Metadata dialog, select XML.
  6. Copy and paste the XML string from the file you downloaded in Step 12 of the OKTA configuration procedure above.
  7. Click Import.
  8. View the new Identity Provider record and confirm that the Assertion Consumer URL for eSignature authentication field is set to: https://<instance_name>.service-now.com/consumer.do.
    Note: You may need to add the field to the form view.
  9. Right-click in the header and select Copy sys_id.

Apply the advanced workaround to make OKTA work with E-signature:
Two scripts need to be updated. Locate the following lines in the noted scripts and set the sys_id placeholder to the sys_id of the Identity Provider record copied in Step 9 above.

  • Processor: eSigSaml2AssertionConsumer
    var ssoHelper = new SSO_Helper(<sys_id of Identity Provider record>, true);
  • Script Include: SAML2_update1_esig
    SAML2_update1_esig.prototype = Object.extend(new SAML2_update1(new SSO_Helper(<sys_id of Identity Provider record>, true)), {
Note: After making these changes, these two scripts will no longer be updated by patches or upgrades. Once Okta supports /consumer.do, return the scripts to their out-of-the-box (OOB) state by selecting and applying the original version, so that the latest fixes are applied to these scripts when patches and upgrades are installed.

Article Information

Last Updated:2018-08-09 11:30:27
Published:2018-08-08
okta_doc_newapp.tiff