How to implement Multiple Provider Single Sign-On providing two logins, one via the Edge Encryption Proxy URL and one via the standard instance hostname URL



This article describes how to direct some users to log in to an instance via the Edge Encryption Proxy URL and others to log in via the regular instance hostname URL. It assumes that you have implemented Edge Encryption and the Multiple Provider Single Sign-On plugin.

 

Procedure


  1. Navigate to Multi-Provider SSO > Identity Providers and create two IdP records.

    Both IdP records must carry the same Identity Provider URL (the entity ID the IdP puts in the Issuer of its SAML responses), but by default a unique constraint on that column prevents a second record from being saved with the same value. To allow the duplicate Identity Provider URL in multiple IdP records:

    1. Log in to the instance as a user with the admin role.

    2. Go to sys_dictionary_list.do.

    3. Create the following filter and then click Run:

      [Table] [is] [saml2_update1_properties]
      AND
      [Column name] [is] [idp]

    4. Add the Unique column to the list view, change its value for that row from true to false, and save.

    5. Create the two Identity Providers.

      • For the Edge Proxy login, use the following values:

        Identity Provider URL: <As imported from the IdP Metadata>
        ServiceNow Homepage: https://<edge hostname>:<port>/navpage.do
        Entity ID / Issuer: https://<edge hostname>:<port>
        Audience URI: https://<edge hostname>:<port>

      • For the regular instance hostname:

        Identity Provider URL: <As imported from the IdP Metadata - the same value as the Identity Provider URL for the Edge Proxy IdP record>

        ServiceNow Homepage: https://<instance>.service-now.com/navpage.do
        Entity ID / Issuer: https://<instance>.service-now.com
        Audience URI: https://<instance>.service-now.com

      The remaining properties of both IdP records are imported from the IdP metadata.

      Because the Entity ID / Issuer and Audience URI differ between the two records, the IdP needs two separate Relying Party Trusts (one per Entity ID) to match the two IdP records created in this step. The IdP side also needs a login page from which users choose the Edge Encryption route or the non-Edge Encryption route.

  2. Provide two login URLs, one for the Edge Proxy and one not using the Edge Proxy.

    • Log in via Edge Proxy: https://<edge hostname>:<port>/login_with_sso.do?glide_sso_id=<sys_id of the IdP record for the Edge Proxy access created in step 1>
    • Login via instance name: https://<instance name>.service-now.com/login_with_sso.do?glide_sso_id=<sys_id of IdP record for non-Edge Proxy access created in step 1>

    Users must use the URL that matches their route (through the Edge Proxy or not). The glide_sso_id parameter selects which IdP record handles the login, and with two records sharing one Identity Provider URL it is the only reliable way to pick the right one.

  3. Modify the MultiSSO Installation Exit.

    Because both IdP records carry the same Identity Provider URL (not a usual configuration), the IdP record can no longer be derived from the Issuer in the SAML Response: the lookup matches both records and may return the wrong one.

    Change the value from:

    var samlResponseTxt = request.getParameter("SAMLResponse");
    if (!GlideSession.get().isLoggedIn() && GlideStringUtil.notNil(samlResponseTxt)) {
       var idpRecord = this.getIdPRecord(request);
       if (idpRecord) {
          SSO_Helper.debug("IdP found based on SAML response: " + idpRecord.getUniqueValue());
          return new SSO_Helper(idpRecord.getUniqueValue(), false, null, true);
       }
    }

    To:

    var samlResponseTxt = request.getParameter("SAMLResponse");
    if (!GlideSession.get().isLoggedIn() && GlideStringUtil.notNil(samlResponseTxt)) {
       /* Two IdP profiles share the same IdP entity ID, so the profile cannot be
          chosen from the Issuer / entity ID in the response: the lookup may return
          the wrong profile. IdP-initiated login will not work.
       var idpRecord = this.getIdPRecord(request);
       if (idpRecord) {
          SSO_Helper.debug("IdP found based on SAML response: " + idpRecord.getUniqueValue());
          return new SSO_Helper(idpRecord.getUniqueValue(), false, null, true);
       }
       */
       return new SSO_Helper(null, true);
    }
    Note: As the comment in the modified code states, IdP-initiated login will not work in this configuration. Every login must start from one of the two login URLs in step 2, which is what identifies the IdP record for the session.

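The following JavaScript is an added example, not code from this article or from ServiceNow's MultiSSO Installation Exit. It models the lookup problem that step 3 works around: with two IdP records sharing one Identity Provider URL, choosing the record from the Issuer in the SAML Response is ambiguous, whereas the glide_sso_id chosen at login identifies it exactly. It also adds the check a practitioner wants after the record is chosen: the Audience in the assertion must match the selected record, so a response minted for the Edge Proxy relying party is not accepted against the instance-hostname record. The record names, sys_ids, hostnames, issuer and SAML response are all constructed placeholders, and the regex extraction stands in for a real XML parser and signature verification.

```javascript
// Added example (not from the article or ServiceNow). Models why an IdP
// record cannot be picked by SAML Issuer once two records share one
// Identity Provider URL, and why the glide_sso_id chosen at login must
// drive the choice. Every identifier below is a constructed placeholder.

const SHARED_ISSUER = 'https://idp.example.com/adfs/services/trust'; // assumed IdP entity ID

// Constructed stand-ins for the two IdP records from step 1.
const IDP_RECORDS = [
  { sys_id: '1111aaaa2222bbbb3333cccc4444dddd', name: 'Edge Proxy IdP',
    idp: SHARED_ISSUER, audience: 'https://edge.example.com:8443' },
  { sys_id: '5555eeee6666ffff7777000088889999', name: 'Instance IdP',
    idp: SHARED_ISSUER, audience: 'https://acme.service-now.com' },
];

// Constructed, unsigned SAML Response issued for the Edge Proxy relying party.
const SAMPLE_RESPONSE = [
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"',
  '                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">',
  '  <saml:Issuer>' + SHARED_ISSUER + '</saml:Issuer>',
  '  <saml:Assertion>',
  '    <saml:Issuer>' + SHARED_ISSUER + '</saml:Issuer>',
  '    <saml:Conditions>',
  '      <saml:AudienceRestriction>',
  '        <saml:Audience>https://edge.example.com:8443</saml:Audience>',
  '      </saml:AudienceRestriction>',
  '    </saml:Conditions>',
  '  </saml:Assertion>',
  '</samlp:Response>',
].join('\n');

// Text of the first <Issuer> or <Audience> element, namespace prefix ignored.
// A regex suffices for this constructed input; production code parses the XML
// and verifies the signature before trusting any element.
function firstElementText(xml, localName) {
  const re = new RegExp('<(?:\\w+:)?' + localName + '>([^<]*)</(?:\\w+:)?' + localName + '>');
  const m = re.exec(xml);
  return m ? m[1].trim() : null;
}

// What the original Installation Exit effectively does: pick the record by Issuer.
// With duplicate Identity Provider URLs this is ambiguous and must not guess.
function findByIssuer(records, issuer) {
  const matches = records.filter(r => r.idp === issuer);
  if (matches.length === 0) return { ok: false, reason: 'no IdP record for issuer ' + issuer };
  if (matches.length > 1) return { ok: false, reason: 'ambiguous issuer: ' + matches.length + ' IdP records share it' };
  return { ok: true, record: matches[0] };
}

// What the two login URLs in step 2 provide: the sys_id of the chosen IdP record.
function findBySsoId(records, glideSsoId) {
  const record = records.find(r => r.sys_id === glideSsoId);
  return record ? { ok: true, record } : { ok: false, reason: 'unknown glide_sso_id ' + glideSsoId };
}

// Resolve the IdP record for this login, then check the response belongs to it:
// the Issuer must equal the record's Identity Provider URL and the Audience must
// equal the record's Audience URI, so a response for one relying party cannot be
// consumed by the other record.
function resolveIdp(records, session, responseXml) {
  const lookup = (session && session.glide_sso_id)
    ? findBySsoId(records, session.glide_sso_id)                       // SP-initiated
    : findByIssuer(records, firstElementText(responseXml, 'Issuer'));  // IdP-initiated
  if (!lookup.ok) return lookup;

  const record = lookup.record;
  const issuer = firstElementText(responseXml, 'Issuer');
  const audience = firstElementText(responseXml, 'Audience');
  if (issuer !== record.idp) {
    return { ok: false, reason: 'issuer ' + issuer + ' does not match record ' + record.name };
  }
  if (audience !== record.audience) {
    return { ok: false, reason: 'audience ' + audience + ' does not match record ' + record.name };
  }
  return { ok: true, record };
}
```

Calling resolveIdp without a glide_sso_id is the IdP-initiated case: it returns an ambiguity error instead of guessing, which is the behaviour the comment in step 3 describes. Calling it with the Instance IdP sys_id against the Edge Proxy response fails on the Audience check, which is why the Audience URI should differ between the two records even though the Identity Provider URL is shared.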

    Note: Starting with Jakarta, an IdP record must pass Test Connection before it can be activated. In this configuration Test Connection will most likely fail, so neither IdP record could be activated. To allow activation, create and set the following system property, then activate the IdP records:

    Name = glide.authenticate.multisso.test.connection.mandatory

    Type = true|false

    Value = false

    Test Connection is a safeguard against activating a misconfigured IdP. Once both records are active, consider setting the property back to true so that later IdP changes are still checked before activation.

Article Information

Last Updated:2017-11-28 09:30:10
Published:2017-11-28