Users are unable to log in via Single Sign-on on a domain-separated instance. After successful authentication on the Identity Provider side, the user may briefly see the flash message "User: XYZ not found. Could not validate SAML Response" before being redirected to the "Logout Successful" page (external_logout_complete.do). The following error is written to the application node logs:

2019-01-23 14:47:07 (270) Default-thread-13 B6210EB71B472BC00390542D1E4BCB05 txid=86618a3b1b47 SEVERE *** ERROR *** SAML2: User: xyz@example.com not found


When a user accesses an instance where Multiple Provider Single Sign-on (SSO) is set up, the initial unauthenticated session is created under the 'guest' user account. After the user is successfully authenticated on the Identity Provider end, the SAML response is validated on the ServiceNow instance. The last validation step is finding the user in the sys_user table based on either the email or user_name field, depending on the 'User Field' configured in the Identity Provider record.

Since the current session is under the 'guest' user, the system looks for the user who is logging in within the guest user's domain. If the guest user is not in the global domain and the user trying to log in is not in the same domain as the guest user, the lookup fails and that user cannot log in.

If the guest user is already in the global domain, the cause is more likely that no user with that email or user ID exists in the sys_user table, or that the user record is inactive.


The solution to this issue is to change the domain of the guest user to the Global domain.
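To make the cause and the fix concrete, the following is an added example (not ServiceNow code) that simulates the final SAML validation step described above: the sys_user lookup runs under the guest session's domain, so the same user can be "not found" or found depending only on where the guest user lives. The sample rows, the resolveSamlUser function and the simplified visibility rule (global sees all; any other domain sees only its own rows, with child domains not modelled) are assumptions for this illustration.

```javascript
// Added example, not ServiceNow's own code: simulates the domain-scoped
// sys_user lookup that is the last step of SAML response validation.
// Domain rule used here is the article's simplified one (assumption):
// a session in 'global' sees every user; a session in any other domain
// sees only users whose sys_domain equals the session's domain.

// Constructed sample rows standing in for sys_user records (assumption).
const SYS_USER = [
  { user_name: 'xyz', email: 'xyz@example.com', sys_domain: 'ACME',      active: true },
  { user_name: 'abc', email: 'abc@example.com', sys_domain: 'TOP/Sales', active: true },
  { user_name: 'old', email: 'old@example.com', sys_domain: 'global',    active: false },
];

// The lookup runs under the session's current user (the 'guest' account),
// so the guest user's domain decides which rows are visible at all.
function visibleInDomain(row, sessionDomain) {
  return sessionDomain === 'global' || row.sys_domain === sessionDomain;
}

// userField mirrors the Identity Provider record's 'User Field':
// 'email' or 'user_name'. Returns { ok: true, user } on success, or
// { ok: false, reason } so a domain mismatch can be told apart from a
// genuinely missing or inactive user when troubleshooting.
function resolveSamlUser(users, sessionDomain, userField, value) {
  if (userField !== 'email' && userField !== 'user_name') {
    throw new Error('User Field must be email or user_name');
  }
  const match = users.find(u => u[userField] === value);
  if (!match) return { ok: false, reason: 'no such user' };
  if (!visibleInDomain(match, sessionDomain)) {
    // The case the article describes: the record exists, but the guest
    // session's domain hides it, so SSO logs "User: ... not found".
    return { ok: false, reason: 'hidden by domain ' + sessionDomain };
  }
  if (!match.active) return { ok: false, reason: 'user inactive' };
  return { ok: true, user: match };
}

// Guest in a non-global domain: xyz is in ACME, guest is in TOP/Sales -> not found.
console.log(resolveSamlUser(SYS_USER, 'TOP/Sales', 'email', 'xyz@example.com').reason);
// After applying the fix (guest moved to global) the same lookup succeeds.
console.log(resolveSamlUser(SYS_USER, 'global', 'email', 'xyz@example.com').ok);
```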

Article Information

Last Updated: 2020-06-02 06:38:12