
Symptoms


If a customer has Multi SSO enabled, end users are able to access the platform UI ("navpage.do") through the OKTA login instead of being redirected to Service Portal.

Steps to reproduce:

  1. Navigate to an SSO enabled instance.
  2. This will prompt the user with the OKTA login.
  3. Log in to OKTA with an end user's credentials (user with snc_internal role).
  4. Once successfully logged in, the user will get to the OKTA homepage.
  5. From the OKTA homepage, click on the "instance-name" tile.
  6. This will redirect the user to https://instance-name.service-now.com/sp
  7. Now close this tab and navigate back to the OKTA homepage.
  8. Click on the same "instance-name" tile again.
  9. The user will be redirected to https://instance-name.service-now.com/navpage.do

Expected behavior: 

End users should be taken to Service Portal (https://instance-name.service-now.com/sp) the second time, and every time after logging in, when they click on the OKTA tile.

Actual Behavior:

The user is redirected properly to the "/sp" portal only at first login.

Release


All releases

Cause


The cause of this behavior is a current limitation. From the nature of the issue, it seems to be a limitation of OKTA; however, PRB1254142 has been created for the Service Portal development team and is currently confirmed as a "Product Enhancement".

Resolution


A workaround for this type of issue is to create a UI Script. The purpose of the UI Script is to check the roles of the logged in user and redirect them back to Service Portal if they don't have any roles.

Some of the guidelines for the UI Script:

  1. Ensure that it is marked as Global. (Check the 'Global' Checkbox).
  2. This should always be tested on a sub-production first, before implementing in production.
  3. This workaround is not provided by development, so it is not fully supported. It is only created to provide temporary relief until development comes up with a decision.
  4. For the UI Script provided below, the instance-name should be switched with customer's instance name, and "/sp" should be switched with customer's portal name.
  5. Customer will have to create this script for each of their instances, keeping point #4 in mind.

Here is a sample UI Script that can be used:

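addLoadEvent(ESSUserRedirect);

// Send logged-in users without roles to Service Portal when they land in the platform UI.
function ESSUserRedirect() {
	// Replace instance-name and /sp with the customer's instance name and portal name.
	var instanceHost = 'instance-name.service-now.com';
	var portalPath = '/sp';
	if (g_user.userName == 'guest' || g_user.hasRoles()) {
		return;
	}
	// Compare hostname and path exactly; a substring search for 'sp' also matches "sysparm".
	var path = window.location.pathname;
	var onPortal = path == portalPath || path.indexOf(portalPath + '/') == 0;
	if (window.location.hostname == instanceHost && !onPortal) {
		top.location = 'https://' + instanceHost + portalPath;
	}
}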
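
Why the "already on the portal" test in a redirect script like this should compare the parsed hostname and path rather than search the whole URL for 'sp': the following is an added example, not part of the original article, and runs in Node.js. The user object and the sample URLs are constructed stand-ins for g_user and for pages an end user might load.

```javascript
// Added example: substring test versus exact hostname/path test for the redirect decision.
// INSTANCE_HOST and PORTAL_PATH are the article's placeholders.
const INSTANCE_HOST = 'instance-name.service-now.com';
const PORTAL_PATH = '/sp';

// Decision reached by searching the full URL string for 'sp'.
function redirectsBySubstring(user, url) {
  if (user.userName === 'guest' || user.hasRoles()) return false;
  return url.indexOf('sp') === -1 && url.indexOf(INSTANCE_HOST) >= 0;
}

// Decision reached by comparing the parsed hostname and path.
function redirectsByPath(user, url) {
  if (user.userName === 'guest' || user.hasRoles()) return false;
  const u = new URL(url);
  const onPortal = u.pathname === PORTAL_PATH ||
    u.pathname.startsWith(PORTAL_PATH + '/');
  return u.hostname === INSTANCE_HOST && !onPortal;
}

// Constructed sample data: a user without roles (stand-in for g_user) and four URLs.
const endUser = { userName: 'end.user', hasRoles: () => false };
const samples = [
  'https://instance-name.service-now.com/navpage.do',
  // "sysparm" contains the letters "sp", so the substring test treats these as portal pages.
  'https://instance-name.service-now.com/incident_list.do?sysparm_query=active=true',
  'https://instance-name.service-now.com/sys_user_list.do?sysparm_view=display',
  'https://instance-name.service-now.com/sp?id=index',
];

// One row per URL: would each variant send this user to the portal?
function compare() {
  return samples.map((url) => ({
    url,
    substring: redirectsBySubstring(endUser, url),
    path: redirectsByPath(endUser, url),
  }));
}

console.table(compare());
```

Either check runs in the browser, so it only steers navigation; what a user without roles can read on the instance is still decided by its ACLs.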

Additional Information


https://community.servicenow.com/community?id=community_blog&sys_id=cbcda2e9dbd0dbc01dcaf3231f961949

Article Information

Last Updated:2018-09-17 10:59:32
Published:2018-05-23