Details
E-signatures approval is dependent on login either local or SSO
- On a local login, it uses the local authentication on an e-signature approval.
- For the user logged in via SSO, the e-signature approval get authenticated in IDP.
Difference of SAML request with normal login and e-signature:
- On Login request, AssertionConsumerServiceURL attribute ends with navpage.do
- On SAML Response, AssertionConsumerServiceURL attribute will have consumer.do and it was generated by a Processor(sys_processor) - eSigSaml2AssertionConsumer
Sample SAML Request and Response for E-signature:
SAML Request xml:
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://example.service-now.com/consumer.do"
ForceAuthn="true" ID="SNC36b2fa3aca663141897276ca8e0f1bbe"
IsPassive="false"
IssueInstant="2020-01-27T19:13:57.250Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="https://example.service-now.com/navpage.do" Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://example.service-now.com
</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</saml2p:AuthnRequest>SAML Response xml:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://example.service-now.com/consumer.do" ID="id5381307154065787623310946" IssueInstant="2020-01-27T19:13:57.836Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.IDP.com/exktestnkqB90o1C0h7
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id5381307154065787623310946">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>eU/omPLsEutesttestUEQP2G8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
----- Signture -----
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
---- Certificate ----
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="id53813071541381921267742236" IssueInstant="2020-01-27T19:13:57.836Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.IDP.com/exkfetest120o1C0h7</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">342464</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2020-01-27T19:18:57.836Z" Recipient="https://example.service-now.com/consumer.do"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-01-27T19:08:57.836Z" NotOnOrAfter="2020-01-27T19:18:57.836Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://example.service-now.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-01-27T19:13:57.836Z" SessionIndex="id1580152437835.1924273305">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>