After upgrading to Geneva or Helsinki, SAML login stops working and the browser loops on /logout_redirect.do when the IdP host is not whitelisted.
Steps to Reproduce
- In a Fuji ServiceNow instance that uses SAML, populate the URL whitelist (the glide.security.url.whitelist property) without including the Identity Provider (IdP) host name.
- Upgrade to the Geneva release.
SAML login stops working because the whitelist does not contain the IdP host name. When a user tries to log in using SSO/SAML, the browser keeps reloading /logout_redirect.do: the user requests the login page, the instance redirects them to the IdP per the SAML configuration, the IdP sends them back to the instance, and because the IdP host is not on the whitelist the instance sends the user to /logout_redirect.do, which starts the cycle again.
Symptoms:
- After the upgrade (to Geneva or Helsinki), when trying to log in using SSO/SAML (by going to the service-now instance URL), the URL keeps refreshing with /logout_redirect.do.
- You are affected if the whitelist was set up before upgrading to Geneva or Helsinki and the IdP host is NOT already on it.
This problem was fixed in Istanbul. On earlier releases, add the host of the IdP authentication URL to the whitelist:
- Go to https://<instance_name>.service-now.com/sys_properties_list.do?sysparm_query=name%3Dglide.security.url.whitelist
- Add the IdP authentication URL host to the comma-separated list of values (for example, if the authentication URL is "mylogin.servicenow.net", add that value to the list).
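As an added example (this is not ServiceNow code and is not taken from the article), the script below models the whitelist check that the upgraded instance applies to the redirect back from the IdP, so that a glide.security.url.whitelist value can be tested offline before an upgrade. The matching rules (case-insensitive host comparison, scheme, port and path ignored), the sample whitelist, the "/home.do" landing page and the simulateLogin model of the loop are assumptions made for illustration, not a description of the platform's exact algorithm.

```javascript
// Added example, not ServiceNow's own code. Matching rules below are an assumption.

// Reduce a whitelist entry or a URL to its host name: accepts "host",
// "https://host", "https://host:8443/path". Returns null if no host is found.
function hostOf(value) {
  const m = String(value).trim().match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:?#]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Parse the comma-separated property value into a de-duplicated list of hosts.
function parseWhitelist(propertyValue) {
  const hosts = new Set();
  for (const entry of String(propertyValue).split(",")) {
    const h = hostOf(entry);
    if (h) hosts.add(h);
  }
  return [...hosts];
}

// True when the URL's host appears in the whitelist (assumed matching rule).
function isWhitelisted(propertyValue, url) {
  const h = hostOf(url);
  return h !== null && parseWhitelist(propertyValue).includes(h);
}

// Apply the fix described above: append the IdP host if it is missing.
// Returns the property value unchanged when the host is already present.
function addIdpHost(propertyValue, idpAuthUrl) {
  const h = hostOf(idpAuthUrl);
  if (!h) throw new Error("cannot extract a host from " + idpAuthUrl);
  if (isWhitelisted(propertyValue, idpAuthUrl)) return propertyValue;
  const current = String(propertyValue).trim();
  return current ? current + "," + h : h;
}

// Model (assumption) of the login flow described in the article: returns the
// sequence of pages visited, capped at maxHops. With the IdP host absent the flow
// reaches /logout_redirect.do and loops back to /login.do; with it present the
// user lands on the hypothetical /home.do and the flow stops.
function simulateLogin(propertyValue, idpAuthUrl, maxHops = 6) {
  const trail = [];
  let page = "/login.do";
  for (let i = 0; i < maxHops; i++) {
    trail.push(page);
    if (page === "/login.do") {
      page = idpAuthUrl;                       // instance redirects to the IdP
    } else if (page === idpAuthUrl) {          // IdP sends the user back
      page = isWhitelisted(propertyValue, idpAuthUrl) ? "/home.do" : "/logout_redirect.do";
    } else if (page === "/logout_redirect.do") {
      page = "/login.do";                      // the loop the article describes
    } else {
      break;                                   // /home.do: logged in
    }
  }
  return trail;
}

// Constructed sample: a Fuji-era whitelist that lists the instance and a partner
// site but not the IdP. The IdP host is the one used in the article.
const SAMPLE_WHITELIST = "myinstance.service-now.com, https://partner.example.com/";
const IDP_AUTH_URL = "https://mylogin.servicenow.net/idp/SSO";

// Usage: confirm the IdP is missing, compute the corrected property value, and
// check that the modelled login flow no longer loops.
console.log("IdP whitelisted before fix:", isWhitelisted(SAMPLE_WHITELIST, IDP_AUTH_URL));
console.log("flow before fix:", simulateLogin(SAMPLE_WHITELIST, IDP_AUTH_URL));
const FIXED_WHITELIST = addIdpHost(SAMPLE_WHITELIST, IDP_AUTH_URL);
console.log("corrected property value:", FIXED_WHITELIST);
console.log("flow after fix:", simulateLogin(FIXED_WHITELIST, IDP_AUTH_URL));
```

The practical use is to paste your current glide.security.url.whitelist value into SAMPLE_WHITELIST and your IdP authentication URL into IDP_AUTH_URL before upgrading; if isWhitelisted returns false, add the host as described in the steps above.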
Visit this page for more information on this property: https://docs.servicenow.com/bundle/geneva-servicenow-platform/page/integrate/single_sign_on/task/t_ConfigureMultiProviderSSOProps.html
Related Problem: PRB676035