Checklist before cloning an instance with Digest / SSO / SAML / Multi SSO Integration to prevent denied authentication on clone target - Support and Troubleshooting
KB0657100

13535 Views. Last updated: Jun 20, 2023

Issue

Cloning could cause your target instance to be inaccessible if it is done incorrectly and the source or target instance has SAML set up. We do not recommend copying the SAML configuration from one system into another.

Symptoms

After a clone, some users will not be able to log in to their instance. They could experience any of the following:

  • denied log in with "Username or password not valid"
  • receiving a logout redirection
  • being forwarded to an external system to authenticate incorrectly
  • their instance local password no longer working

Cause

Due to security constraints, most transfers of SAML/SSO or Multi SSO settings will not work, as they need to be configured on the Identity Provider (IdP) as well. They are not universal, so they cannot be used on multiple systems. Instead, each instance needs to be registered on the final IdP independently.

If you create or overwrite a working setup, it could cause the target instance to fail to authenticate.

Resolution

Before making a clone from one instance to another, ensure the following:

  1. Preserve SAML properties on sys_properties related to SAML/SSO/Multi SSO. Use the System Clone > Preserve Data on the source instance. If you need them, export them into XML, then manually import them on the target. As a guide, preserve properties starting with:
    • glide.authenticate.
    • glide.security.
    • glide.entry.
    • glide.script.
    • glide.session.
    • glide.saml2.
    • com.glide.communications
    • com.snc.integration.saml_esig
  2. Preserve SAML certificates on sys_certificate related to SAML/SSO/Multi SSO. Use the System Clone > Preserve Data on the source instance. If you need them, export them into XML, then manually import them on the target.
  3. Preserve SAML users on sys_user related to SAML/SSO/Multi SSO. Use the System Clone > Preserve Data on the source instance.
  4. Exclude the Multi SSO tables sso_properties, digest_properties and saml2_update1_properties.
  5. Ensure the target clone has a LOCAL admin account record on sys_user (not in LDAP or SAML) that was created manually and whose sys_id does not exist on the source instance of the clone.
 Warning: The out-of-the-box data preserver (clone_data_preserver) "Core Instance Properties" excludes some SAML/SSO/Multi SSO data on sys_properties.
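
One way to confirm after the clone that none of the properties from step 1 were overwritten on the target, as an added example (not ServiceNow code): it compares two XML exports of sys_properties taken from the target before and after the clone. The export layout (one sys_properties element per record with name and value children) and every sample property name and value below are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Name prefixes listed in step 1 of the checklist above.
PRESERVE_PREFIXES = (
    "glide.authenticate.", "glide.security.", "glide.entry.", "glide.script.",
    "glide.session.", "glide.saml2.", "com.glide.communications",
    "com.snc.integration.saml_esig",
)

def load_auth_properties(xml_text):
    """Return {name: value} for exported records whose name matches a prefix."""
    props = {}
    # Assumed export layout: one <sys_properties> element per record.
    for rec in ET.fromstring(xml_text).iter("sys_properties"):
        name = (rec.findtext("name") or "").strip()
        if name.startswith(PRESERVE_PREFIXES):
            props[name] = (rec.findtext("value") or "").strip()
    return props

def clone_drift(before_xml, after_xml):
    """Compare the target's authentication properties before and after a clone."""
    before = load_auth_properties(before_xml)
    after = load_auth_properties(after_xml)
    return {
        "changed": sorted(n for n in before if n in after and before[n] != after[n]),
        "missing": sorted(n for n in before if n not in after),
        "added": sorted(n for n in after if n not in before),
    }

def _export(records):
    """Build a constructed export document from (name, value) pairs."""
    rows = "".join(
        f"<sys_properties><name>{n}</name><value>{v}</value></sys_properties>"
        for n, v in records
    )
    return f"<unload>{rows}</unload>"

# Constructed sample data; property names and values are illustrative only.
BEFORE = _export([("glide.authenticate.sample_idp", "target-idp-record"),
                  ("glide.saml2.sample_issuer", "https://target.example/issuer"),
                  ("glide.ui.sample_banner", "Target")])
AFTER = _export([("glide.authenticate.sample_idp", "source-idp-record"),
                 ("glide.entry.sample_script", "x"),
                 ("glide.ui.sample_banner", "Source")])

if __name__ == "__main__":
    for kind, names in clone_drift(BEFORE, AFTER).items():
        print(kind, names)
```

Any name reported as changed, missing or added points to a property that was not preserved and should be restored from the pre-clone export.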

Finally,
DO

  • Manually create the SAML/SSO/Multi SSO records on each instance independently as they need to be set up on their IdP as well independently.
  • If you need to copy some setup information (e.g. sys_properties records), export the records into XML, then on the target import them as XML accordingly or as part of your Update sets.

DO NOT

  • Do not try to clone the SAML/SSO/Multi SSO setup from one system to another.
  • Do not change the sys_id of your Multi SSO provider record as it will force your users to flush their cookies.

 

Reset the MFA on a cloned instance

This video shows how to reset the MFA on a cloned instance. 

Related Links

Data preservation on cloning target instances

Clone an instance with a SAML integration

Users not able to login in cloned target instance using Multi Factor Authentication (MFA)

