Issue
When authenticating with SAML, errors may appear in the system logs (syslog) and in the localhost log on your instance.
If Multi-Provider single sign-on (SSO) is active on your instance, the following are the most common errors found:
Errors in the instance localhost log or the system logs (syslog):
- Assertion audience mismatch. Expect: <value on instance>, actual: <value returned by IdP>
- Assertion is expired, now: <now>, notOnOrAfter: <notOnOrAfter>
- Assertion is valid in the future, now: <now>, notBefore: <notBefore>
- Assertion issuer is invalid. Expect: <value on instance>, actual: <value returned by IdP>
- Attachment is missing for certificate from DB: SAML 2.0 SP Keystore.
- AudienceRestriction validation failed. No matching audience found.
- Certificates don't match. Expect: <certStr>, actual: <inboundCert>
- Could not find a digital signature stored in the ServiceNow instance.
- Failure to check the validity of the certificate.
- Failure to validate signature profile.
- Index: 0 Could not validate SAMLResponse. SAMLResponse may contain <xenc:CipherData>...</xenc:CipherData> in the XML payload.
- InResponseTo attribute in SubjectConfirmationData mismatch. Expect: <inResponseTo>, actual: <inResponseTo>.
- InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.EOFException: Detect premature EOF.
- InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
- No valid SubjectConfirmation found.
- NotAfter: <Thu Jun 05 22:57:44 PDT 2014>
- org.xml.sax.SAXParseException: Content is not allowed in prolog
- SAML2ValidationError: Signature did not validate against the credential's key.
- SessionIndex value not found: <message>...
- Subject is expired. Now: <now>, NotOnOrAfter: <notOnOrAfter>
- Subject is valid in the future. Now: <now>, NotBefore: <notBefore>
- Unable to locate SAML 2.0 certificate
Additional error messages for which you can contact your IdP with confidence (common login or Identity Provider (IdP) errors raised when the IdP rejects the SAML request it was sent):
- Authentication fails and the login request generates an infinite loop between the system and the IdP (e.g. when High Security is active on the IdP).
- SAML requests are signed with the rsa-sha256 algorithm while the instance expects rsa-sha1, or the reverse. Check the IdP Alert Context tab for event details. The signature algorithm looks like http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- The SAML response contains urn:oasis:names:tc:SAML:2.0:status:Responder.
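Most of the instance-side messages in the first list come from a handful of checks the service provider runs on the assertion: issuer, audience, the NotBefore/NotOnOrAfter window, and the InResponseTo correlation of the bearer confirmation. The script below is an added illustration of those checks and is not ServiceNow's own validator; the IdP and SP names, the request ID `_req42` and the sample response are constructed. It deliberately leaves out XML signature verification, which a real SP performs before trusting any of these values.

```python
"""Illustrative re-implementation of the SAML 2.0 assertion checks whose
failures produce the log messages above (issuer, audience, time window,
InResponseTo).  Added example code, not ServiceNow's validator.  It assumes the
response's XML signature has already been verified: none of the values read
here can be trusted before that step."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_issuer, expected_audience,
                       expected_in_response_to, now, skew=timedelta(seconds=60)):
    """Return the list of failed checks, worded like the instance log messages.
    An empty list means the conditions hold at time `now`; `skew` is the clock
    tolerance allowed between IdP and SP."""
    errors = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["No Assertion element found in SAMLResponse"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        errors.append(f"Assertion issuer is invalid. Expect: {expected_issuer}, actual: {issuer}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _parse_time(not_before):
            errors.append(f"Assertion is valid in the future, now: {now.isoformat()}, notBefore: {not_before}")
        if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
            errors.append(f"Assertion is expired, now: {now.isoformat()}, notOnOrAfter: {not_on_or_after}")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            errors.append("AudienceRestriction validation failed. No matching audience found.")

    # Bearer confirmation: the response must answer the request this SP sent
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("No valid SubjectConfirmation found.")
    else:
        in_response_to = scd.get("InResponseTo")
        if in_response_to != expected_in_response_to:
            errors.append("InResponseTo attribute in SubjectConfirmationData mismatch. "
                          f"Expect: {expected_in_response_to}, actual: {in_response_to}.")
        subj_expiry = scd.get("NotOnOrAfter")
        if subj_expiry and now - skew >= _parse_time(subj_expiry):
            errors.append(f"Subject is expired. Now: {now.isoformat()}, NotOnOrAfter: {subj_expiry}")
    return errors


# Constructed sample response: hypothetical IdP/SP names, signature omitted
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="https://sp.example.com/navpage.do"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

IDP_ISSUER = "https://idp.example.com/metadata"   # assumed value on the IdP record
SP_ENTITY_ID = "https://sp.example.com"           # assumed instance audience URI


def check_at(now_iso, issuer=IDP_ISSUER, audience=SP_ENTITY_ID, request_id="_req42"):
    """Evaluate the sample response at a given UTC instant with given expectations."""
    return validate_assertion(SAMPLE_RESPONSE, issuer, audience, request_id, _parse_time(now_iso))


if __name__ == "__main__":
    for instant in ("2024-05-01T10:01:00Z", "2024-05-01T10:30:00Z"):
        print(instant, check_at(instant) or "conditions satisfied")
```

Running it with the clock inside the window returns no errors; with the clock at 10:30 it returns both the assertion-expired and subject-expired messages, which is why those two often appear together in the instance log when the IdP and instance clocks drift apart.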
To review the errors in the system logs:
- Enable MultiSSO debug. In sys_properties, create or set the record glide.authenticate.multisso.debug to true.
- In your instance system logs (syslog), search for records created today whose Source starts with SAML:
<instance>/syslog_list.do?sysparm_query=sys_created_onONToday%40javascript%3Ags.beginningOfToday()%40javascript%3Ags.endOfToday()%5EsourceSTARTSWITHSAML%5Elevel!%3D0
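Once the SAML lines are exported from that syslog search, the script below sorts them into the error families from the catalogue above and, for the time-window errors, works out how far outside the window the assertion was, so that small clock skew can be told apart from a response that is badly stale. This is an added triage aid, not ServiceNow code; the log lines, the tolerance of 300 seconds and the "first thing to check" hints are constructed. Real entries carry the instance's own prefix, and their timestamps may use Java's Date format (as in the NotAfter message above) rather than ISO 8601, in which case `_parse_iso` needs adjusting.

```python
"""Triage helper for SAML lines exported from the instance syslog.  Added
example, not ServiceNow code.  Each message is mapped to the error family it
belongs to; 'expired' / 'valid in the future' messages also get the offset
between `now` and the window boundary.  Sample log lines are constructed."""
import re
from datetime import datetime

# (pattern, error family, first thing to check), tried in order
RULES = [
    (r"Assertion issuer is invalid", "issuer mismatch",
     "Compare the Issuer on the IdP record with the <saml:Issuer> the IdP sends"),
    (r"audience mismatch|AudienceRestriction validation failed", "audience mismatch",
     "Compare the instance audience URI / entity ID with the SP entry on the IdP"),
    (r"is expired|is valid in the future", "time window",
     "Compare IdP and instance clocks; a large offset points to a stale response"),
    (r"Certificates don't match|Could not parse certificate|SAML 2.0 certificate|"
     r"Attachment is missing for certificate|NotAfter:", "certificate",
     "Re-import the IdP signing certificate and check its validity dates"),
    (r"Signature did not validate|validate signature profile|Could not find a digital signature",
     "signature", "Check the signing certificate and the rsa-sha1 / rsa-sha256 setting on both sides"),
    (r"InResponseTo attribute .* mismatch|No valid SubjectConfirmation|SessionIndex value not found",
     "request correlation", "Clear browser cookies and retry; check for IdP-initiated responses"),
    (r"Content is not allowed in prolog|CipherData", "payload format",
     "Response is encrypted or not well-formed XML; check IdP encryption and encoding settings"),
]
SKEW_TOLERANCE_SECONDS = 300  # assumed: within this, a time-window error is most likely clock skew


def _parse_iso(value):
    # Constructed lines use ISO 8601 UTC; adapt for Java Date strings if needed
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def window_offset_seconds(message):
    """For time-window messages return now - boundary in seconds (positive: past
    NotOnOrAfter, negative: before NotBefore); None for other messages."""
    m = re.search(r"[Nn]ow: (\S+), (?:[Nn]otOnOrAfter|[Nn]otBefore): ?(\S+)", message)
    if not m:
        return None
    return (_parse_iso(m.group(1)) - _parse_iso(m.group(2))).total_seconds()


def triage(line):
    """Classify one log line; unknown messages are left as 'unclassified'."""
    message = re.sub(r"^\S+ \S+ SAML\S* ", "", line.strip())  # drop 'date time source ' prefix
    result = {"message": message, "category": "unclassified",
              "check": "Enable MultiSSO debug and capture the full SAMLResponse"}
    for pattern, category, check in RULES:
        if re.search(pattern, message):
            result.update(category=category, check=check)
            break
    offset = window_offset_seconds(message)
    if offset is not None:
        result["offset_seconds"] = offset
        result["likely"] = ("clock skew" if abs(offset) <= SKEW_TOLERANCE_SECONDS
                            else "beyond skew tolerance")
    return result


def triage_log(text):
    return [triage(line) for line in text.splitlines() if line.strip()]


# Constructed sample export (not real instance output)
SAMPLE_LOG = """\
2024-05-01 10:06:12 SAML2.0 Assertion is expired, now: 2024-05-01T10:06:12Z, notOnOrAfter: 2024-05-01T10:05:00Z
2024-05-01 10:06:12 SAML2.0 AudienceRestriction validation failed. No matching audience found.
2024-05-01 10:07:40 SAML2.0 Certificates don't match. Expect: CERT-A, actual: CERT-B
2024-05-01 10:08:03 SAML2.0 Assertion is valid in the future, now: 2024-05-01T10:08:03Z, notBefore: 2024-05-01T10:30:00Z
2024-05-01 10:09:00 SAML2.0 org.xml.sax.SAXParseException: Content is not allowed in prolog
"""

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        extra = f" ({row['offset_seconds']:+.0f}s, {row['likely']})" if "likely" in row else ""
        print(f"[{row['category']}]{extra} {row['message']}\n    -> {row['check']}")
```

The first sample line is only 72 seconds past NotOnOrAfter, which the helper reports as probable clock skew; the fourth is more than twenty minutes ahead of NotBefore, which is flagged as beyond tolerance and worth raising with the IdP operator rather than treating as drift.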
Cause
Most of these errors are caused by misconfiguration of the Multi-Provider Single sign-on (SSO) components on either the instance or the IdP, by certificate changes, or by stale cookies stored in the browser.
Resolution
Log in to the instance using a local administrator account. Then use the "Test connection" button on the Identity Provider (IdP) record in the Multi-Provider SSO records (sso_properties table), entering the login credentials of the user experiencing the problem. The test output gives more detail about where the problem lies.