
SAML SSO Login Fails When Attempted by the Edge Proxy URL

 

Problem

You have configured authentication through SAML Multi-Provider SSO and have also configured the instance to use Edge Proxy. When users access the system through the Edge Encryption Proxy URL instead of the instance URL, all SAML login attempts fail.

  

Symptoms

There are two symptoms, one or both of which might occur in this scenario.

  1. After activating Enable debug logging for the multiple provider SSO integration from Multi-Provider SSO > Properties, the following errors appear in the log when attempting SAML login:

    TypeError: Cannot convert null to an object.

    SAML2: Could not validate SAMLResponse: no thrown error

    Could not validate SAMLResponse

    SAML2: TypeError: Cannot convert null to an object.: no thrown error

  2. A SAML Request sent by the instance might appear in System Logs > System Log - All and/or in the SAML Tracer login extension available for Firefox. For example:

    SAML Request xml: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://<edge_encryption_proxy_host>/navpage.do" Destination="https://ncservicenow.onelogin.com/trust/saml2/http-post/sso/502016" ForceAuthn="false" ID="SNCdfc46977cac7033aa13f79c5190e1be2" IsPassive="false" IssueInstant="2017-02-03T13:26:43.810Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://<edge_encryption_proxy_host>.service-now.com/navpage.do" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<edge_encryption_proxy_host></saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></saml2p:AuthnRequest>

    However, no SAML Response is sent back by the Identity Provider (IdP).

Symptom 1: Cause and Resolution

The issue indicated by Symptom 1 is caused by a misconfiguration of the IdP record in the ServiceNow instance.

To resolve this issue, configure the IdP record and set the following three IdP properties to the Edge Encryption Proxy hostname or IP address instead of the standard setting of the instance hostname.

Change the property values from:

ServiceNow Homepage -> https://<instance name>.service-now.com/navpage.do

Entity ID / Issuer -> https://<instance name>.service-now.com

Audience URI -> https://<instance name>.service-now.com

To:

ServiceNow Homepage -> https://<edge_encryption_proxy_host>/navpage.do

Entity ID / Issuer -> https://<edge_encryption_proxy_host>

Audience URI -> https://<edge_encryption_proxy_host>


Symptom 2: Cause and Resolution

The issue indicated by Symptom 2 is caused by a misconfiguration of the IdP itself.

To resolve this issue, configure the IdP to accept the Edge Encryption <edge_encryption_proxy_host> value that appears in the SAML Requests. Because all Identity Providers are different and there are many different vendors, determining exactly which value to change is the responsibility of the IdP administrator.
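
The following check is an added example, not ServiceNow code. It parses an AuthnRequest captured from the system log or SAML Tracer and reports whether the AssertionConsumerServiceURL and Issuer (the ServiceNow Homepage and Entity ID / Issuer values in the sample request above) carry the Edge Encryption proxy host. The hostnames edgeproxy.example.com and idp.example.com, the request ID, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample request; hostnames and ID are placeholders, not real values.
SAMPLE_REQUEST = (
    f'<saml2p:AuthnRequest xmlns:saml2p="{PROTOCOL_NS}" '
    'AssertionConsumerServiceURL="https://edgeproxy.example.com/navpage.do" '
    'Destination="https://idp.example.com/sso" ID="SNC0000" Version="2.0">'
    f'<saml2:Issuer xmlns:saml2="{ASSERTION_NS}">'
    'https://edgeproxy.example.com</saml2:Issuer></saml2p:AuthnRequest>'
)

def request_hosts(xml_text):
    """Return the hostnames found in the ACS URL and Issuer of an AuthnRequest."""
    # SAML messages never need a DTD; refuse one rather than let the parser expand it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{PROTOCOL_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext(f"{{{ASSERTION_NS}}}Issuer", default="").strip()
    acs_url = root.get("AssertionConsumerServiceURL", "")
    return {
        "AssertionConsumerServiceURL": urlsplit(acs_url).hostname,
        "Issuer": urlsplit(issuer).hostname,
    }

def check_request(xml_text, proxy_host):
    """List the fields whose host differs from the Edge Encryption proxy host."""
    problems = []
    for field, host in request_hosts(xml_text).items():
        if host is None:
            problems.append(f"{field}: missing or not a URL")
        elif host != proxy_host.lower():
            problems.append(f"{field}: {host} (expected {proxy_host})")
    return problems

if __name__ == "__main__":
    for line in check_request(SAMPLE_REQUEST, "edgeproxy.example.com") or ["OK"]:
        print(line)
```

An empty result means the IdP record already sends the proxy host, so any remaining failure points to the IdP-side configuration described under Symptom 2.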

Article Information

Last Updated: 2017-08-20 05:18:14
Published: 2017-02-17