Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
SAML SSO Login Fails When Attempted by the Edge Proxy URL - Support and Troubleshooting
  • >
  • Knowledge Base
  • >
  • Support and Troubleshooting (Knowledge Base)
  • >
  • SAML SSO Login Fails When Attempted by the Edge Proxy URL
KB0621210

SAML SSO Login Fails When Attempted by the Edge Proxy URL


14370 Views Last updated : Jul 24, 2025 public Copy Permalink English (Original)
  • English (Original)
  • Japanese
KB Summary by Now Assist

Issue

You have configured authentication to take place by SAML Multi-Provider SSO and have also configured the instance to use Edge Proxy. If you attempt to make SAML logins function by users accessing the system by the Edge Encryption Proxy URL instance of the instance URL, all login attempts fail.

Symptoms

There are two symptoms, one or both of which might occur in this scenario.

  1. After activating Enable debug logging for the multiple provider SSO integration from Multi-Provider SSO > Properties, the following errors appear in the log when attempting SAML login:


    • TypeError: Cannot convert null to an object.

    • SAML2: Could not validate SAMLResponse: no thrown error

    • Could not validate SAMLResponse

    • SAML2: TypeError: Cannot convert null to an object.: no thrown error

  2. A SAML Request sent by the instance might appear in System Logs > System Log - All and/or in the SAML Tracer login extension available for Firefox. For example:

    SAML Request xml: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://<edge_encryption_proxy_host>/navpage.do" Destination="https://ncservicenow.onelogin.com/trust/saml2/http-post/sso/502016" ForceAuthn="false" ID="SNCdfc46977cac7033aa13f79c5190e1be2" IsPassive="false" IssueInstant="2017-02-03T13:26:43.810Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://<edge_encryption_proxy_host>.service-now.com/navpage.do" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<edge_encryption_proxy_host></saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></saml2p:AuthnRequest>

    However, no SAML Response is sent back by the Identity Provider (IdP)

     

Symptom 1: Cause and Resolution

The issue indicated by Symptom 1 is caused by a misconfiguration of the IdP record in the ServiceNow instance.

To resolve this issue, configure the IdP record and set the following three IdP properties to the Edge Encryption Proxy hostname or IP address instead of the standard setting of the instance hostname.

Change the property values from:

  • ServiceNow Homepage -> https://<instance name>.service-now.com/navpage.do
  • Entity ID / Issuer -> https://<instance name>.service-now.com
  • Audience URI -> https://<instance name>.service-now.com

To:

  • ServiceNow Homepage -> https://<edge_encryption_proxy_host>/navpage.do
  • Entity ID / Issuer -> https://<edge_encryption_proxy_host>
  • Audience URI -> https://<edge_encryption_proxy_host>


Symptom 2: Cause and Resolution

The issue indicated by Symptom 2 is caused by a misconfiguration of the IdP itself.

To resolve this issue, configure the IdP to accept the Edge Encryption <edge_encryption_proxy_host> value that appears in the SAML Requests. Because all Identity Providers are different and there are many different vendors, determining exactly which value to change is the responsibility of the IdP administrator.


The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.