Errors that indicate you should validate your Multiple-Provider single sign-on (SSO) configuration

When authenticating with SAML, some errors appear in the system logs (syslog) and in the localhost log on your instance.

If Multiple-Provider single sign-on (SSO) is active on your instance, the following are the most common errors found:

Errors in the instance localhost log or the system logs (syslog)

Assertion audience mismatch. Expect: <value on instance>, actual: <value returned by IdP>

Assertion is expired, now: <now>, notOnOrAfter: <notOnOrAfter>

Assertion is valid in the future, now: <now>, notBefore: <notBefore>

Assertion issuer is invalid. Expect: <value on instance>, actual: <value returned by IdP>

Attachment is missing for certificate from DB: SAML 2.0 SP Keystore.

AudienceRestriction validation failed. No matching audience found.

Certificates don't match. Expect: <certStr>, actual: <inboundCert>

Could not find a digital signature stored in the ServiceNow instance.

Failure to check the validity of the certificate.

Failure to validate signature profile.

Index: 0 Could not validate SAMLResponse SAMLResponse may contain <xenc:CipherData>...</xenc:CipherData> in the XML payload.

InResponseTo attribute in SubjectConfirmationData mismatch. Expect: <inResponseTo>, actual: <inResponseTo>.

InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.EOFException: Detect premature EOF.

InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.

No valid SubjectConfirmation found.

NotAfter: <Thu Jun 05 22:57:44 PDT 2014>

org.xml.sax.SAXParseException: Content is not allowed in prolog

SAML2ValidationError: Signature did not validate against the credential's key.

SessionIndex value not found: <message>...

Subject is expired. Now: <now>, NotOnOrAfter: <notOnOrAfter>

Subject is valid in the future. Now: <now>, NotBefore:<notBefore>

Unable to locate SAML 2.0 certificate
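As an added illustration (not part of this article or of the ServiceNow product code), the following Python script reproduces the issuer, audience, validity-window and InResponseTo checks behind several of the messages above, run against a constructed sample assertion. Element names follow the SAML 2.0 assertion schema; the instance and IdP URLs, request ID and timestamps are invented, and signature verification is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
def _ts(value):
    # SAML timestamps are UTC ISO 8601 ("2018-01-02T06:41:07Z"); fractional seconds are dropped
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
def validate_assertion(xml_text, expected_audience, expected_issuer, expected_in_response_to, now):
    """Return validation failures worded like the instance log lines (empty list = valid).
    Signature checking is out of scope here: it needs the IdP certificate and an XML-DSig library."""
    errors = []
    a = ET.fromstring(xml_text)
    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        errors.append(f"Assertion issuer is invalid. Expect: {expected_issuer}, actual: {issuer}")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            errors.append(f"Assertion is valid in the future, now: {now}, notBefore: {nb}")
        if noa and now >= _ts(noa):
            errors.append(f"Assertion is expired, now: {now}, notOnOrAfter: {noa}")
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if not audiences:
            errors.append("AudienceRestriction validation failed. No matching audience found.")
        elif expected_audience not in audiences:
            errors.append(f"Assertion audience mismatch. Expect: {expected_audience}, actual: {audiences[0]}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("No valid SubjectConfirmation found.")
    else:
        irt = scd.get("InResponseTo")
        if irt != expected_in_response_to:
            errors.append(f"InResponseTo attribute in SubjectConfirmationData mismatch. Expect: {expected_in_response_to}, actual: {irt}.")
        noa = scd.get("NotOnOrAfter")
        if noa and now >= _ts(noa):
            errors.append(f"Subject is expired. Now: {now}, NotOnOrAfter: {noa}")
    return errors

# Constructed sample assertion (not from a real IdP); the expected values in check_sample mimic the instance's SSO record
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2018-01-02T06:50:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2018-01-02T06:40:00Z" NotOnOrAfter="2018-01-02T06:45:00Z">
    <saml:AudienceRestriction><saml:Audience>https://instance.service-now.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""
def check_sample(now_text, audience="https://instance.service-now.com", issuer="https://idp.example.com/metadata", in_response_to="_req1"):
    return validate_assertion(SAMPLE, audience, issuer, in_response_to, _ts(now_text))
```

Feeding check_sample a time one minute past the Conditions NotOnOrAfter yields only the "Assertion is expired" message, while a later time also trips the SubjectConfirmationData window.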


Additional error messages for which you can contact your IdP with confidence:

Common login or Identity Provider (IdP) errors when the IdP rejects the SAML request sent

Authentication fails and the login request generates an infinite loop between the instance and the IdP (for example, when High Security is active on the IdP).

SAML requests are signed with the rsa-sha256 algorithm while the instance is expecting rsa-sha1, or the opposite. Check the IdP Alert Context tab for event details. The signature algorithm looks like http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or http://www.w3.org/2000/09/xmldsig#rsa-sha1

The SAML response contains urn:oasis:names:tc:SAML:2.0:status:Responder

To review the errors in the system logs:

  1. Enable MultiSSO debug: in sys_properties, create or set the record glide.authenticate.multisso.debug to true.
  2. In your instance system logs (syslog), search for records created today whose Source starts with SAML.

    Note: This is a typical search for errors in the logs:


Most of these errors are caused by misconfiguration of the Multiple-Provider Single sign-on (SSO) components on either the instance or the IdP, by certificate changes, or by cookies stored in the browser.

Log in to the instance using a local administrator account. Then use the "Test connection" button on the Identity Provider (IdP) record among the Multi-Provider SSO records (sso_properties table), entering the login credentials of the user experiencing the problem. This provides more detail about where the problem lies.

Use the Test connection button on the IdP record to validate errors

For a list of possible solutions, log in to HI and search for KB0540617


Note: If you are having authentication problems after a clone, please have a look at KB0657100


Article Information

Last Updated: 2018-01-02 06:41:07