Errors for which to validate your Multiple-Provider single sign-on configuration - Support and Troubleshooting
KB0657104

20045 Views. Last updated: Jul 24, 2025

Issue

When users authenticate with SAML, errors can appear in the system logs (syslog) and in the localhost log of your instance.

If you have Multiple-Provider single sign-on (SSO) active on your instance, the following are the most common errors:

Errors in instance localhost or the system logs (syslog)

Assertion audience mismatch. Expect: <value on instance>, actual: <value returned by IdP>

Assertion is expired, now: <now>, notOnOrAfter: <notOnOrAfter>

Assertion is valid in the future, now: <now>, notBefore: <notBefore>

Assertion issuer is invalid. Expect: <value on instance>, actual: <value returned by IdP>

Attachment is missing for certificate from DB: SAML 2.0 SP Keystore.

AudienceRestriction validation failed. No matching audience found.

Certificates don't match. Expect: <certStr>, actual: <inboundCert>

Could not find a digital signature stored in the ServiceNow instance.

Failure to check the validity of the certificate.

Failure to validate signature profile.

Index: 0 Could not validate SAMLResponse SAMLResponse may contain <xenc:CipherData>...</xenc:CipherData> in the XML payload.

InResponseTo attribute in SubjectConfirmationData mismatch. Expect: <inResponseTo>, actual: <inResponseTo>.

InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.EOFException: Detect premature EOF.

InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.

No valid SubjectConfirmation found.

NotAfter: <Thu Jun 05 22:57:44 PDT 2014>

org.xml.sax.SAXParseException: Content is not allowed in prolog

SAML2ValidationError: Signature did not validate against the credential's key.

SessionIndex value not found: <message>...

Subject is expired. Now: <now>, NotOnOrAfter: <notOnOrAfter>

Subject is valid in the future. Now: <now>, NotBefore:<notBefore>

Unable to locate SAML 2.0 certificate

 

Additional Error Messages for which you can contact your IdP with confidence:

Common login or Identity Provider (IdP) errors that occur when the IdP does not like the SAML request sent

Authentication fails and the login request generates an infinite loop between the system and the IdP (e.g. when High Security is active on the IdP).

SAML requests are signed with the rsa-sha256 algorithm while the instance is expecting rsa-sha1, or the opposite. Check the IdP Alert Context tab for event details. The signature algorithm looks like http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or http://www.w3.org/2000/09/xmldsig#rsa-sha1.

The SAML response contains urn:oasis:names:tc:SAML:2.0:status:Responder


To review the errors on the system logs:

  1. Enable MultiSSO debug. In the sys_properties table, create the record glide.authenticate.multisso.debug or set its value to true.
  2. In your instance system logs (syslog), search for records created today whose Source starts with SAML.

 Note: This is a typical search for errors in the logs:
<instance>/syslog_list.do?sysparm_query=sys_created_onONToday%40javascript%3Ags.beginningOfToday()%40javascript%3Ags.endOfToday()%5EsourceSTARTSWITHSAML%5Elevel!%3D0
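
The review steps above, as an added example that is not ServiceNow code: it rebuilds the search URL from the readable encoded query and groups exported messages so the Expect/actual values can be compared against the IdP record. The function names, group labels and sample messages are assumptions constructed for illustration.

```javascript
// Added example, not ServiceNow code. syslogSearchUrl, triage and RULES are
// hypothetical names; the group labels are this example's own, not product terms.
const RULES = [
  ["time-window", /^(Assertion|Subject) is (expired|valid in the future)/],
  ["expect-actual", /Expect: (.*?), actual: (.*?)\.?$/],
  ["certificate-or-signature", /certificate|signature/i],
];

// Build the syslog list URL from the unescaped query conditions, joined with
// "^", instead of hand-escaping each character.
function syslogSearchUrl(instanceBase) {
  const query = [
    "sys_created_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()",
    "sourceSTARTSWITHSAML",
    "level!=0",
  ].join("^");
  return `${instanceBase}/syslog_list.do?sysparm_query=${encodeURIComponent(query)}`;
}

// Group messages exported from syslog. For Expect/actual errors, keep both
// values so the instance setting can be compared with what the IdP returned.
function triage(messages) {
  const out = {};
  for (const msg of messages) {
    const hit = RULES.find(([, re]) => re.test(msg));
    const group = hit ? hit[0] : "other";
    const m = group === "expect-actual" ? msg.match(hit[1]) : null;
    const entry = m ? { msg, expect: m[1], actual: m[2] } : { msg };
    (out[group] = out[group] || []).push(entry);
  }
  return out;
}

// Constructed sample messages in the format listed in this article.
const SAMPLE = [
  "Assertion audience mismatch. Expect: https://sp.example.test, actual: https://old-sp.example.test",
  "Assertion is expired, now: Mon Jan 06 10:00:05 PST 2025, notOnOrAfter: Mon Jan 06 10:00:00 PST 2025",
  "Unable to locate SAML 2.0 certificate",
  "No valid SubjectConfirmation found.",
];

console.log(syslogSearchUrl("<instance>"));
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```
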

Cause

Most of these errors are caused by missed configurations in the Multiple-Provider single sign-on (SSO) components on either the instance or the IdP, by certificate changes, by cookies stored in the browser, etc.

Resolution

Log in to the instance using a local administrator account. Then use the "Test connection" button on the Identity Provider (IdP) record in the Multi-Provider SSO records (sso_properties table). Use the login credentials of the user experiencing the problem. The test provides more detail about the area of the problem.

 Note: If you are having authentication problems after a clone, see KB0657100.
