Description

When our Multi SSO plugin is in use and an unauthenticated user requests a URL whose query string contains a JavaScript function, that URL is not encoded correctly in the relay state parameter of the subsequent auth_redirect.do request, which causes an incorrect redirection.

For example, this occurs if the Multi SSO provider service URL contains JavaScript or characters that cause delays:
https://<instance_name>.service-now.com/incident_list.do?sysparm_query=sys_created_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()

If the user is unauthenticated, this request redirects to /not_allowed.do and displays the message:

"Security constraints prevent access to requested page"

Steps to Reproduce

  1. Set up your instance with our Multi SSO plugin.
  2. Log in using SSO (at least once, so that the glide_sso_id cookie is cached in your browser).
  3. Log out of the instance.
  4. Open the URL https://<instance_name>.service-now.com/incident_list.do?sysparm_query=sys_created_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()

In some cases, you will see a redirection to /not_allowed.do instead of to the IdP login page.


Workaround

Set the system property (sys_properties record) glide.authenticate.external.use_redirect_page to false. Create the property if it does not exist.

System Property name: glide.authenticate.external.use_redirect_page
System Property type: true|false
System Property value: false


Related Problem: PRB1265474

Seen In

Jakarta Patch 8

Intended Fix Version

Jakarta Patch 10

Fixed In

Kingston Patch 7
London

Safe Harbor Statement

This "Intended Fix Version" information is meant to outline ServiceNow's general product direction and should not be relied upon in making a purchasing decision. The information provided here is for information purposes only and may not be incorporated into any contract. It is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at ServiceNow's sole discretion.

Article Information

Last Updated: 2018-08-15 11:15:55
Published: 2018-07-19