Description

After upgrading to the Orlando release, users cannot log in to the instance through Multi SSO and are instead redirected to the "logout successful" page. The system logs show no errors; they show the user logging in successfully (for example "NameID: user.user@example.com") with a valid SAML Response.

Release or Environment

Orlando

Cause

This issue is mostly caused when the SSO Source field on the sys_user record is populated with a value, whether an invalid sys_id, a valid sys_id, or some other string, even though the auto redirect IdP is set to true.

The following error should be visible in the node logs. It is written by the script include "MultiSSOv2_SAML2_custom" at line 121; lines 111 to 123 validate whether the SSO Source field is populated. This check does not exist in the Multisso_SAML2_Update1 script include.

2020-07-24 11:19:06 (138) Default-thread-13 5C8A4B441B12501076F84222DD4BCB5C txid=4f4bc3c01b16 SAML2: SAML2 NameID: user.user@example.com
2020-07-24 11:19:06 (139) Default-thread-13 5C8A4B441B12501076F84222DD4BCB5C txid=4f4bc3c01b16 SAML2: SessionIndex: _6284ff94-a993-4b26-b657-7d1f51dc62fc
2020-07-24 11:19:06 (140) Default-thread-13 5C8A4B441B12501076F84222DD4BCB5C txid=4f4bc3c01b16 SAML2: SAML2 SessionIndex: _6284ff94-a993-4b26-b657-7d1f51dc62fc
2020-07-24 11:19:06 (140) Default-thread-13 5C8A4B441B12501076F84222DD4BCB5C txid=4f4bc3c01b16 SAML2: If IdP does not forceAuthn, store the new sessionIndex _6284ff94-a993-4b26-b657-7d1f51dc62fc for logout later.
2020-07-24 11:19:06 (144) Default-thread-13 5C8A4B441B12501076F84222DD4BCB5C txid=4f4bc3c01b16 SEVERE *** ERROR *** *** Script: Ensure that the user you are trying to login is from the correct source, as mentioned in user's sso source field in servicenow instance.

2020-07-24 11:19:06 (866) http-39 New transaction 5C8A4B441B12501076F84222DD4BCB5C #12857 /logout_success.do
2020-07-24 11:19:06 (873) Default-thread-16 5C8A4B441B12501076F84222DD4BCB5C txid=1f4b47c01b52 #12857 /logout_success.do Parameters -------------------------
2020-07-24 11:19:06 (877) Default-thread-16 5C8A4B441B12501076F84222DD4BCB5C txid=1f4b47c01b52 *** End #12857 /logout_success.do, user: guest, total time: 0:00:00.000, processing time: 0:00:00.00-1, total wait: 0:00:00.001, semaphore wait: 0:00:00.001, SQL time: 0:00:00.000 (count: 5), source: 111.11.111.11
2020-07-24 11:19:07 (157) http-31 New transaction 5C8A4B441B12501076F84222DD4BCB5C #12858 /auth_redirect.do
2020-07-24 11:19:07 (164) Default-thread-9 5C8A4B441B12501076F84222DD4BCB5C txid=d34bc3c01b56 #12858 /auth_redirect.do Parameters -------------------------
sysparm_stack=no
sysparm_url=external_logout_complete.do
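To triage this before touching any user record, the node-log pattern above (accepted NameID, then the SEVERE "sso source" error, then /logout_success.do in the same session) can be correlated automatically. The following is an added example, not code from the KB article or from ServiceNow; it assumes the log layout shown above, that the SAML NameID equals the user's email, and uses constructed log lines and sys_user rows.

```javascript
// Added example, not code from the KB article or from ServiceNow. It correlates
// node-log lines by session id to find SAML logins that the IdP accepted but the
// "sso source" check rejected, then flags the matching sys_user rows to review.
// Assumptions: log layout as in the article; NameID equals the user's email.
const SESSION_RE = /\b([0-9A-F]{32})\b/;              // 32-hex session id on each line
const NAMEID_RE = /SAML2: SAML2 NameID: (\S+)/;
const SSO_ERR_RE = /SEVERE .*sso source field/i;       // error text logged at line 121
const LOGOUT_RE = /\/logout_success\.do/;

// Constructed sample modelled on the article's excerpt (shortened, second session added).
const SAMPLE_LOG = [
  '2020-07-24 11:19:06 (138) Default-thread-13 5C8A4B441B12501076F84222DD4BCB5C txid=4f4bc3c01b16 SAML2: SAML2 NameID: user.user@example.com',
  "2020-07-24 11:19:06 (144) Default-thread-13 5C8A4B441B12501076F84222DD4BCB5C txid=4f4bc3c01b16 SEVERE *** ERROR *** *** Script: Ensure that the user you are trying to login is from the correct source, as mentioned in user's sso source field in servicenow instance.",
  '2020-07-24 11:19:06 (866) http-39 New transaction 5C8A4B441B12501076F84222DD4BCB5C #12857 /logout_success.do',
  '2020-07-24 11:20:01 (010) Default-thread-2 0123456789ABCDEF0123456789ABCDEF txid=1a2b3c4d5e6f SAML2: SAML2 NameID: other.user@example.com',
].join('\n');

// Constructed sys_user rows (placeholder sys_id); on a real instance read them via GlideRecord('sys_user').
const SAMPLE_USERS = [
  { user_name: 'user.user', email: 'user.user@example.com', sso_source: 'sso:00000000000000000000000000000000' },
  { user_name: 'other.user', email: 'other.user@example.com', sso_source: '' },
];

function findSsoSourceRejections(logText) {
  const sessions = new Map();
  for (const line of logText.split('\n')) {
    const m = SESSION_RE.exec(line);
    if (!m) continue;                                  // e.g. the sysparm_* parameter lines
    const s = sessions.get(m[1]) || { nameId: null, ssoSourceError: false, logoutRedirect: false };
    const n = NAMEID_RE.exec(line);
    if (n) s.nameId = n[1];
    if (SSO_ERR_RE.test(line)) s.ssoSourceError = true;
    if (LOGOUT_RE.test(line)) s.logoutRedirect = true;
    sessions.set(m[1], s);
  }
  // A hit is a session with an accepted SAML assertion AND the sso source rejection.
  return [...sessions.entries()]
    .filter(([, s]) => s.nameId && s.ssoSourceError)
    .map(([session, s]) => ({ session, ...s }));
}

// Users from the rejections whose SSO Source field holds any value at all
// (the article notes the sys_id's validity does not matter): these are the
// records whose SSO Source the resolution says to clear.
function usersNeedingSsoSourceCleared(users, rejections) {
  const hit = new Set(rejections.map(r => r.nameId.toLowerCase()));
  return users.filter(u => hit.has(u.email.toLowerCase()) && u.sso_source && u.sso_source.trim() !== '');
}
```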

Resolution

  1. Open the sys_user record of the user who is redirected to the logout successful page when trying to log in.
  2. Check whether the SSO Source field is populated with a sys_id. It does not matter which sys_id it is; clear the value from the SSO Source field of the user record.

If the above solution is not feasible, you can revert to Multisso_saml2_update1 by following the steps below:

  1. Go to sys_properties.LIST, find the system property "glide.authenticate.multissov2_feature.enabled" and set it to false.
  2. Go to the identity provider properties page:
    • https://<instance>.service-now.com/nav_to.do?uri=%2Fsystem_properties_ui.do%3Fsysparm_title%3DMultiple%20Provider%20SSO%20Properties%26sysparm_category%3DMultiSSO
  3. Uncheck "Enable multiple provider SSO" and click Save, then check "Enable multiple provider SSO" again and save the record.
Article Information

Last Updated: 2020-07-31 18:19:13
Published: 2020-08-01