Description

After SAML plugin activation and initial configuration, errors can appear in the instance log that can cause P1 outages. The table below lists each error, the SAML property it relates to, the likely diagnosis, and the fix.

Release or Environment

Instance is configured with the SAML 2.0 / SAML 2.0 Update 1 plugin (Multiple Provider SSO is not configured/enabled)

Resolution

Each entry below gives: Error in instance log / Corresponding SAML property / Diagnosis / Fix.

Error in instance log: NotAfter: <Thu Jun 05 22:57:44 PDT 2014>
Corresponding SAML property: N/A
Diagnosis: The current certificate or the SAML assertion has expired.
Fix:
  • Sync the SNC clock with the Identity Provider (IdP) server clock.
  • Update the "SAML 2.0" certificate record.

Error in instance log:
  • Unable to locate SAML 2.0 certificate.
  • Could not find a digital signature stored in the ServiceNow instance.
Corresponding SAML property: The PEM-formatted string should be entered into the PEM Certificate field.
Diagnosis: The SAML certificate does not exist. It might be inactive.
Fix:
  • Ensure that the correct PEM-formatted certificate is uploaded to the instance.
  • Verify that the certificate has the name SAML 2.0. No other names are allowed.

Error in instance log: Certificates don't match. Expect: <certStr>, actual: <inboundCert>
Corresponding SAML property: N/A
Diagnosis: The certificate available in SNC does not match the certificate in the assertion. Causes include:
  • The certificate was updated on the IdP but not in the SNC instance.
  • The certificate is in the wrong format.
Fix: Confirm that the PEM-formatted string in the SAML 2.0 certificate record matches the X509 Certificate in the SAMLResponse from the user's IdP.

Error in instance log: Failure to check the validity of the certificate.
Corresponding SAML property: N/A
Diagnosis: The current certificate might have expired.
Fix: Update the SAML 2.0 certificate record.

Error in instance log: Failure to validate signature profile.
Corresponding SAML property: N/A
Diagnosis: The assertion might be signed with a different certificate.
Fix: Check whether the IdP has the same certificate as the SNC instance.

Error in instance log: InResponseTo attribute in SubjectConfirmationData mismatch. Expect: <inResponseTo>, actual: <inResponseTo>.
Corresponding SAML property: N/A
Diagnosis: This error appears when any of the following situations occurs:
  • The IdP returns a SAMLResponse for a different SAMLRequest.
  • A user bookmarks the URL with the SAMLRequest instead of just the instance URL.
  • If a null value is expected, the response might have been sent to a different node when the instance has multiple nodes.
Fix: The IdP admin should confirm that the expected SAMLResponse is being returned. This situation can be a load balancer or infrastructure issue.

Error in instance log: SessionIndex value not found: <message>...
Corresponding SAML property: N/A
Diagnosis: The SessionIndex is required by the SNC instance. The IdP needs to return it in the SAMLResponse in order to authenticate successfully.
Fix: The IdP admin will need to confirm that the SessionIndex is defined in the SAMLResponse.

Error in instance log: No valid SubjectConfirmation found.
Corresponding SAML property: N/A
Diagnosis: Conditions could be missing due to an error on the IdP. The StatusCode in the response would contain Responder instead of the expected Success.
Fix: Review the SAMLResponse to determine whether Conditions is included in the SAMLResponse. The subject confirmation data could also be expired or not for the right audience.

Error in instance log: Assertion audience mismatch. Expect: <value on instance>, actual: <value returned by IdP>.
OR
AudienceRestriction validation failed. No matching audience found.
Corresponding SAML property: The audience URI that accepts the SAML2 token. (Normally, it is your instance URI. For example: https://demo.service-now.com.)
Diagnosis: The audience URI configured on the SNC instance must match the value in the IdP.
Fix: Locate <saml2:Audience> in the SAMLResponse in the logs and verify that this value matches the one on the instance.

Error in instance log: Assertion issuer is invalid. Expect: <value on instance>, actual: <value returned by IdP>
Corresponding SAML property: The Identity Provider URL that issues the SAML2 security token with user info.
Diagnosis: The IdP entity id (issuer) does not match the value defined in the SNC instance.
Fix:
  • Check whether the IdP or SP is misconfigured.
  • Confirm that the SAML property (the Identity Provider URL that issues the SAML2 security token with user info) is set correctly.

Error in instance log: Subject is valid in the future. Now: <now>, NotBefore: <notBefore>
OR
Subject is expired. Now: <now>, NotOnOrAfter: <notOnOrAfter>
Corresponding SAML property: The number of seconds before the notBefore constraint, or after the notOnOrAfter constraint, for which the assertion is still considered valid.
Diagnosis: The IdP clock is not synced with the SP clock.
Fix:
If the SAML 2.0 / SAML 2.0 Update 1 plugin is configured: update the SAML property glide.authenticate.sso.saml2.clockskew to a larger value. The default is 60 seconds. Some cases require a setting of 180. You may also need to check the time on your IdP server.
If the Multiple Provider SSO plugin is configured: update the 'Clock Skew' field in the Identity Provider record that has the reported issue.

Error in instance log: Assertion is valid in the future, now: <now>, notBefore: <notBefore>
OR
Assertion is expired, now: <now>, notOnOrAfter: <notOnOrAfter>
Corresponding SAML property: The number of seconds before the notBefore constraint, or after the notOnOrAfter constraint, for which the assertion is still considered valid.
Diagnosis: The IdP clock is not synced with the SP clock.
Fix:
If the SAML 2.0 / SAML 2.0 Update 1 plugin is configured: update the SAML property glide.authenticate.sso.saml2.clockskew to a larger value. The default is 60 seconds. Some cases require a setting of 180. You may also need to check the time on your IdP server.
If the Multiple Provider SSO plugin is configured: update the 'Clock Skew' field in the Identity Provider record that has the reported issue.
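The following script is an added example, not ServiceNow code: it runs the checks from the table above (issuer, audience, NotBefore/NotOnOrAfter with a clock-skew allowance, InResponseTo, SessionIndex, and the embedded X509Certificate against the configured PEM) over a decoded SAMLResponse of the kind found in the instance log, and reports findings worded like the log errors. The sample response, the configured values and the certificate body are constructed placeholders; it compares certificates but does not verify the XML signature itself, and the instance's real validation order may differ.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: a minimal decoded SAMLResponse of the shape seen in the instance log (not a real IdP's output)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="SNC_req_123"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2019-11-18T10:00:00Z" NotOnOrAfter="2019-11-18T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://demo.service-now.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement SessionIndex="sess_abc"/></saml:Assertion></samlp:Response>"""
# What the instance is configured with (constructed; the PEM body is a placeholder, not a real certificate)
EXPECTED = {"issuer": "https://idp.example.com/saml", "audience": "https://demo.service-now.com",
            "request_id": "SNC_req_123", "pem": "-----BEGIN CERTIFICATE-----\nMIIC-PLACEHOLDER-CERT\n-----END CERTIFICATE-----"}

def parse_saml_time(ts):  # SAML timestamps are ISO 8601 UTC, e.g. 2019-11-18T10:11:24Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def norm_cert(s):  # strip PEM armour and whitespace so the configured PEM and inline X509Certificate compare exactly
    return re.sub(r"-----[A-Z ]+-----|\s+", "", s)

def check_saml_response(xml_text, expected, now, clock_skew=60):
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:  # e.g. a Responder-status response carries no assertion to validate
        return ["No Assertion in SAMLResponse; check the StatusCode"]
    f, skew = [], timedelta(seconds=clock_skew)
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        f.append(f"Assertion issuer is invalid. Expect: {expected['issuer']}, actual: {issuer}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        f.append("Conditions missing from assertion (IdP-side error?)")
    else:  # clockskew seconds widen the validity window on both ends
        nb, noa = parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))
        if now + skew < nb or now - skew >= noa:
            f.append(("Assertion is valid in the future" if now + skew < nb else "Assertion is expired")
                     + f", now: {now}, notBefore: {nb}, notOnOrAfter: {noa}")
        if expected["audience"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            f.append("AudienceRestriction validation failed. No matching audience found.")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected["request_id"]:
        f.append("InResponseTo attribute in SubjectConfirmationData mismatch")
    authn = a.find("saml:AuthnStatement", NS)
    if authn is None or not authn.get("SessionIndex"):
        f.append("SessionIndex value not found")
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if norm_cert(cert) != norm_cert(expected["pem"]):
        f.append("Certificates don't match")
    return f
```

An empty list means the response passes every check in the table; raising clock_skew from 60 to 180 shows which NotBefore/NotOnOrAfter failures the clockskew property alone would resolve.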

Article Information

Last Updated: 2019-11-18 10:11:24
Published: 2019-11-18